I had roughly the same problem and in my case it was because the
proper headers weren't being set. Rails uses certain headers to
determine if the current request is using SSL and thus if it should
use https:// when generating URLs with url_for(). I had to add the
following line to my Apache configuration for the secure virtualhost
to get it to work:

    RequestHeader set X_FORWARDED_PROTO 'https'

A quick glance at the ActionController source reveals this method:

    # Is this an SSL request?
    def ssl?
      @env['HTTPS'] == 'on' || @env['HTTP_X_FORWARDED_PROTO'] == 'https'
    end

I'm not sure why I didn't need to append "HTTP_" to the request header
name, but it works (probably because somewhere along the line it gets
appended automatically.)

Try setting any of these headers in your web server's configuration.

Best of luck.


If you use the ssl_requirement plugin, then you can just declare the
action to which your form is submitting as requiring ssl in the
controller, and you don't need the protocol specification in the

Michael Slater

The real problem is that his application isn't recognizing that it's
currently being accessed via SSL, so all the URLs are being generated
with http:// instead of https://. If he used the ssl_requirement plug-
in without addressing the matter of the environment variable, that
plug-in would cause an infinite loop of redirects, as it would
continuously think it wasn't being accessed via SSL even though it was.
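
The behaviour discussed in this thread, as an added example that is not code from any of the posters or from Rails: a small Ruby model of how a forwarded header becomes the `HTTP_X_FORWARDED_PROTO` env key that `ssl?` reads, and of the redirect loop that results when the proxy never sends it. The helper names, the `ssl_required_response` stand-in for an SSL-requiring filter, and the host `shop.example.test` are assumptions made for illustration.

```ruby
# CGI/Rack convention: a request header reaches the application as an env
# key that is upcased, has '-' turned into '_', and is prefixed with 'HTTP_'.
def header_to_env_key(name)
  'HTTP_' + name.upcase.tr('-', '_')
end

# Build the env the application sees from the headers the proxy forwards.
# https_on models a server that terminates TLS itself and sets HTTPS=on.
def build_env(headers, https_on: false)
  env = {}
  env['HTTPS'] = 'on' if https_on
  headers.each { |name, value| env[header_to_env_key(name)] = value }
  env
end

# Same test as the ssl? method quoted in the thread, taking env explicitly.
def ssl?(env)
  env['HTTPS'] == 'on' || env['HTTP_X_FORWARDED_PROTO'] == 'https'
end

# Hypothetical stand-in for an "SSL required" filter: redirect to https://
# whenever the application believes the request arrived over plain HTTP.
def ssl_required_response(env)
  ssl?(env) ? [200, 'ok'] : [302, "https://#{env['HTTP_HOST']}/"]
end

# A browser following redirects through a TLS-terminating proxy that forwards
# every request to the backend with the same proxy_headers. Returns the number
# of redirects before a 200, or :loop if max_hops is exhausted.
def follow(proxy_headers, max_hops: 5)
  max_hops.times do |hop|
    status, _location = ssl_required_response(build_env(proxy_headers))
    return hop if status == 200
  end
  :loop
end

# Constructed sample requests (not captured traffic).
WITHOUT_HEADER = { 'Host' => 'shop.example.test' }
WITH_HEADER    = WITHOUT_HEADER.merge('X_FORWARDED_PROTO' => 'https')

if __FILE__ == $PROGRAM_NAME
  puts "proxy omits header: #{follow(WITHOUT_HEADER).inspect}"
  puts "proxy sets header:  #{follow(WITH_HEADER).inspect}"
end
```

Because `X_FORWARDED_PROTO` and `X-Forwarded-Proto` collapse to the same env key, the proxy should set the value itself on every request to the secure virtual host (as `RequestHeader set` does) rather than pass through whatever the client sent.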