My team just deployed a feature on ActionCable and when we attempted to push the changes we had a couple odd issues.
- It doesn’t seem that Rails treats the “wss” protocol as “https” when .force_ssl = true. I narrowed this down to being a Rack issue which is fixed in this PR for Rack, but Rack hasn’t seen a release in over a year. This problem was reasonably easily fixed by monkey patching Rack in the app.
- ActionCable doesn’t respect the “X-Forwarded-Host” header as “Host”. This caused some confusion as most (all?) of the “X-Forwarded-” headers are respected. Setting the app up behind Traefik worked out of the box aside from the Rack problem, but trying to set it up on Apache wouldn’t work until I figured out cable was ignoring “X-Forwarded-Host”.
So two questions.
- Would it make sense if rails/cable itself “knew” that “wss” is actually “https”, or is waiting on Rack or munging the header at the proxy preferred?
- Is it intentional that cable doesn’t respect “X-Forwarded-Host” in the check for allow_same_origin_as_host? If not, would that be a PR that would be considered?
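
The Host mismatch described in the post, as an added example that is not part of the original post and not ActionCable's source: a simplified Ruby model of a same-origin-as-host check, showing that X-Forwarded-Host can only be honored for requests arriving from a known proxy. The method names, the proxy address and the sample requests are constructed assumptions.

```ruby
# Simplified model of a same-origin-as-host check. Hypothetical names,
# not ActionCable's source. env is a Rack-style hash of request data.
TRUSTED_PROXIES = ["10.0.0.5"].freeze # constructed reverse-proxy address

def from_trusted_proxy?(env)
  TRUSTED_PROXIES.include?(env["REMOTE_ADDR"])
end

# Forwarded headers are client-controlled unless a proxy we run set them.
def effective_host(env, honor_forwarded)
  forwarded = env["HTTP_X_FORWARDED_HOST"].to_s
  return env["HTTP_HOST"] unless honor_forwarded && from_trusted_proxy?(env)
  # Chained proxies append values; the last one came from the nearest proxy.
  forwarded.split(/,\s*/).last || env["HTTP_HOST"]
end

def effective_scheme(env, honor_forwarded)
  proto = env["HTTP_X_FORWARDED_PROTO"].to_s.split(/,\s*/).last
  if honor_forwarded && from_trusted_proxy?(env)
    # "wss" is treated like "https" here, the behaviour the post asks about.
    return "https" if %w[https wss].include?(proto)
  end
  env["rack.url_scheme"] == "https" ? "https" : "http"
end

def same_origin_as_host?(env, honor_forwarded: false)
  origin = env["HTTP_ORIGIN"]
  return false if origin.nil? || origin.empty?
  origin == "#{effective_scheme(env, honor_forwarded)}://#{effective_host(env, honor_forwarded)}"
end

# Constructed request as a backend sees it behind a proxy that rewrites Host.
VIA_PROXY = {
  "REMOTE_ADDR" => "10.0.0.5", "rack.url_scheme" => "http",
  "HTTP_HOST" => "127.0.0.1:3000",
  "HTTP_X_FORWARDED_HOST" => "app.example.test",
  "HTTP_X_FORWARDED_PROTO" => "https",
  "HTTP_ORIGIN" => "https://app.example.test"
}.freeze

# Constructed request sent straight to the backend with forged headers.
FORGED = VIA_PROXY.merge(
  "REMOTE_ADDR" => "203.0.113.9",
  "HTTP_HOST" => "app.example.test",
  "HTTP_X_FORWARDED_HOST" => "evil.example.test",
  "HTTP_ORIGIN" => "https://evil.example.test"
).freeze
```

With `honor_forwarded` off, the proxied request is rejected because the origin is compared against the backend's own Host value; with it on, only the request coming from the trusted proxy address passes.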