Shelby.tv/blog

Getting Rails SSL right on Nginx w/ Passenger

danspinosa:

400 Bad Request

The plain HTTP request was sent to HTTPS port

It bugged me for an entire day.  ”Please send HTTPS stuff to HTTPS and I’ll be perfectly happy,” said nginx.  ”Fuck you, I do what I want,” said the oAuth callback from Twitter.  So I started digging…

Maybe I could just tell nginx to re-direct the request.  It knows what it wants; it should be able to satisfy itself…

error_page 497 https://$host$request_uri;

Nope.  But if this did work, it would only treat a symptom, not the problem itself.

So I needed to find out *why* the oAuth callback_url was being set to “http://shelby.tv:443” instead of “https://shelby.tv”.  A little digging into OmniAuth and I found the full_host method which ultimately makes this determination based on request.url.  An additional line of logging and I discovered that reqeust.url had the http scheme, not https.

I’m running Rails w/ Passenger on nginx.  But nginx likes to keeps secrets from Rails (specifically, it doesn’t let on about SSL).  So you just ask nginx to let Rails in on the secret and boom, everything “just works” (thanks to the excellent work on the Rails core team and OmniAuth, behind the scenes).

passenger_set_cgi_param HTTP_X_FORWARDED_PROTO https;

That’s it.  Threw that one liner into my ssl-enabled server{} block and Rails’ request.url was fixed, allowing OmniAuth correctly built the callback_url.  :-]

—-

FYI: I spent almost a full day researching this problem (to no avail), during which time I learned a shit tonne about these technologies and code bases.  I then made a smart move: document my progress and go home.  Came in the next morning and hit the fix in 20 minutes.  

Work is a much better version of school.