Heroku app insisting on HTTPS - why?


Problem description



I have an interesting little problem - an app on Heroku is configured to use Heroku SSL (beta), but it seems to want to use HTTPS for everything, no matter what I do.

Browser Error:

I have redirect_to :protocol => 'http://', :status => :moved_permanently on one controller. Requests to this controller get:

www.mysite.com redirected you too many times.
ERR_TOO_MANY_REDIRECTS

Relevant code:

DNS settings:

ftp: www.mysite.com.herokudns.com
www: www.mysite.com.herokudns.com

Gemfile:

gem 'rack-ssl-enforcer'
gem 'rack-cors'

production.rb:

** Not in effect**
#config.force_ssl = true

application.rb:

# Note: no code inserted for rack-ssl-enforcer

config.middleware.insert_before 0, 'Rack::Cors' do
  allow do
    origins '*'
    resource '*', headers: :any, methods: [:get]
  end
end

My attempt to avoid HTTPS on one controller:

requests_controller.rb:

before_action :avoid_ssl

def avoid_ssl
  if request.ssl? && Rails.env.production?
    redirect_to :protocol => 'http://', :status => :moved_permanently
  end
end

The code I most recently added to requests_controller.rb has initiated this error. Something in my app is wanting everything to be HTTPS, but Heroku support told me:

"There's nothing special about Heroku SSL, redirects have to be performed inside your application - to skip 'force SSL' for a given controller it's a code change".

What could possibly be causing everything to direct to HTTPS? Thank you very much.

Solution

Check that your browser is not redirecting because of a previous HSTS header.

When you enable force_ssl on Rails, the middleware automatically appends the header:

Strict-Transport-Security

with an expiration of 1 year. If you then disable it, your browser will keep the information stored until the expiration and will refuse to connect to the HTTP version of the site anyway.

You can remove the setting from your browser. However, please note that any user that previously accessed your website will be affected by the same behavior as this is the purpose of the HSTS header.

Therefore, in order to maintain compatibility with users who visited the site previously, you should still provide the HTTPS version and avoid sending the HSTS header (or setting it to a very short expiration).
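
The behaviour described in the answer, as an added example that is not part of the original question or answer: a toy Ruby model of a browser's HSTS cache showing why a pinned browser loops on the HTTPS-to-HTTP redirect while a fresh one does not, and how a zero max-age served over HTTPS clears the pin. The ToyBrowser class, the server lambdas and the 20-hop redirect limit are assumptions made for illustration.

```ruby
# Toy model of a browser HSTS cache (RFC 6797 behaviour). All names are constructed.
YEAR = 31_536_000  # the 1-year expiry the answer attributes to force_ssl

class ToyBrowser
  MAX_HOPS = 20  # assumed redirect limit before ERR_TOO_MANY_REDIRECTS
  def initialize
    @pins = {}  # host => Time at which the cached HSTS policy expires
  end

  def pinned?(host, now)
    @pins.key?(host) && @pins[host] > now
  end

  # server: ->(scheme) { [redirect_scheme_or_nil, sts_header_or_nil] }
  def fetch(host, scheme, server, now)
    MAX_HOPS.times do
      scheme = "https" if pinned?(host, now)  # upgrade happens before any request
      redirect_to, sts = server.call(scheme)
      remember(host, sts, now) if scheme == "https"  # header ignored over plain HTTP
      return [:ok, scheme] unless redirect_to
      scheme = redirect_to
    end
    [:too_many_redirects, scheme]
  end

  def remember(host, sts, now)
    max_age = sts && sts[/max-age\s*=\s*"?(\d+)/i, 1]
    return unless max_age
    return @pins.delete(host) if max_age.to_i.zero?  # max-age=0 removes the pin
    @pins[host] = now + max_age.to_i
  end
end

# Earlier deploy: force_ssl on. HTTP redirects to HTTPS, HTTPS sends a 1-year header.
FORCE_SSL = ->(s) { s == "http" ? ["https", nil] : [nil, "max-age=#{YEAR}"] }
# Current deploy: force_ssl off, avoid_ssl bounces HTTPS to HTTP, no HSTS header.
AVOID_SSL = ->(s) { s == "https" ? ["http", nil] : [nil, nil] }
# Answer's advice: keep serving HTTPS and send a very short (here zero) max-age.
SERVE_HTTPS_EXPIRE = ->(_s) { [nil, "max-age=0"] }

def demo(now = Time.at(0))
  host = "www.mysite.com"
  later = now + 86_400  # one day after the first visit
  b = ToyBrowser.new
  first  = b.fetch(host, "http", FORCE_SSL, now)       # pins the host for a year
  looped = b.fetch(host, "https", AVOID_SSL, later)    # pinned browser never reaches HTTP
  fresh  = ToyBrowser.new.fetch(host, "https", AVOID_SSL, later)
  fixed  = b.fetch(host, "http", SERVE_HTTPS_EXPIRE, later)
  [first, looped, fresh, fixed, b.pinned?(host, later)]
end
```

Calling demo returns the outcome of each visit in order, followed by whether the returning browser is still pinned after the last one.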
