10.19.06
SSL with Rails and Lighttpd behind Apache
by Chris Abad
Here’s another one for the books. I was using the ssl_requirement plugin for the order section of the Outlandish product site. The concept is pretty simple. This pretty much sums it up:
def ensure_proper_protocol
  return true if ssl_allowed?

  if ssl_required? && !request.ssl?
    redirect_to "https://" + request.host + request.request_uri
    return false
  elsif request.ssl? && !ssl_required?
    redirect_to "http://" + request.host + request.request_uri
    return false
  end
end
The problem I was having is it would redirect to the https:// protocol, but be received as http:// in the logs. This would cause an infinite loop of redirects until it finally got tired and broke.
SSL on Apache vs. Lighttpd
When you have Apache set up as a proxy to lighttpd, you have 2 options for SSL. You can either set up SSL on Apache, or Lighttpd. Others have already done a good job of explaining this, so I won’t get into it. Just know that our SSL is set up on Apache.
The problem is that in this scenario, lighttpd is completely unaware of the SSL request and handles everything as a standard request with the http:// protocol.
The Solution
What I needed was a way for Apache to somehow tell Rails that the request was indeed an SSL request. Turns out that’s very easy to do. All you have to do is add the following line to Apache’s vhost entry:
RequestHeader set X_FORWARDED_PROTO 'https'
That’s it! The magic happens automatically (as I’m finding to be common with Rails) thanks to this little snippet in request.rb:
def ssl?
  @env['HTTPS'] == 'on' || @env['HTTP_X_FORWARDED_PROTO'] == 'https'
end
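The redirect loop and its fix can be reproduced without a web server. The following is an added example, not code from the post or from Rails: it models the Apache hop with a plain hash, and the names apache_proxy, redirect_scheme and follow are hypothetical. The ssl_allowed? shortcut is left out.

```ruby
# Same test as the request.rb snippet above, taking env as an argument.
def ssl?(env)
  env['HTTPS'] == 'on' || env['HTTP_X_FORWARDED_PROTO'] == 'https'
end

# Apache terminates SSL and proxies plain HTTP to lighttpd, so the backend
# never sees HTTPS == 'on'. With set_header true, the SSL vhost adds the
# header; "RequestHeader set" replaces any value the client sent.
def apache_proxy(client_scheme, set_header:)
  env = {}
  env['HTTP_X_FORWARDED_PROTO'] = 'https' if set_header && client_scheme == 'https'
  env
end

# The decision ensure_proper_protocol makes: the scheme to redirect to,
# or nil when the request is served as-is.
def redirect_scheme(env, ssl_required)
  return 'https' if ssl_required && !ssl?(env)
  return 'http'  if ssl?(env) && !ssl_required
  nil
end

# Follow redirects the way a browser would. Returns the number of
# redirects before the page is served, or :loop once the limit is hit.
def follow(start_scheme, ssl_required:, set_header:, limit: 10)
  scheme = start_scheme
  limit.times do |hops|
    env = apache_proxy(scheme, set_header: set_header)
    target = redirect_scheme(env, ssl_required)
    return hops if target.nil?
    scheme = target
  end
  :loop
end

if __FILE__ == $PROGRAM_NAME
  puts follow('http', ssl_required: true, set_header: false).inspect
  puts follow('http', ssl_required: true, set_header: true).inspect
end
```

Without the header, every request reaches Rails looking like plain HTTP, so the SSL-required action keeps redirecting; with it, one redirect is enough.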
Comments
Chris Abad about 1 hour later
This is another test comment.
Chris Abad about 1 hour later
This is a test comment.