Web Service behind https


I'm trying to create a web service that runs on https (i.e ssl). I have install the ssl_requirement plugin and in my webservice controller I have the lines

ssl_required :method_name

In development I had this commented out, as I wasn't running https locally. When I called MethodName it worked fine (in development).

But in production with ssl when I call the method. It returns a 302

When I check the production logs I see the following:

Redirected to http://…myurl… Filter chain halted as [#<ActionController::Filters::ClassMethods::SymbolFilter:0xb759fb34 @filter=:ensure_proper_protocol>] returned false. Completed in 0.00029 (3506 reqs/sec) | DB: 0.00000 (0%) | 302 Found [https://…myurl…]

Am I doing somethign horribly wrong? Any suggestions?

Just in case it helps I am also using ssl_required in some other controllers and it's working as I'd expect there.

Thanks (in advance) for any help




We'd need to know more about your production environment to help further, but a very common problem is between the https server and your application. The https server usually needs to include some kind of header so Rails knows that it's talking https. If you're using Apache to talk to a Mongrel server (for example), you need to include the X_FORWARDED_PROTO header in the virtual host directive for your production server (and make sure your SSLEngine is turned on).

Below is a snippet of configuration I use on my development machine. In production you probably wouldn't want to use ProxyPass -- it would be better to use something like mod_balance against a cluster of Mongrels.

<VirtualHost *:443> SSLEngine On ServerName localhost ServerAlias

ProxyPass / http://localhost:3000/ ProxyPassReverse / http://localhost:3000 ProxyPreserveHost on RequestHeader set X_FORWARDED_PROTO 'https' </VirtualHost>

By the way, it's pretty easy to set up your own https server in development, which is better than commenting things out. I wrote up a quick article about it here:


Also helpful were these articles, which have lots of good information even if you're not using Mongrel:

http://blog.innerewut.de/2006/06/21/mongrel-and-rails-behind-apache-2-2-and-ssl http://mongrel.rubyforge.org/docs/apache.html

-Mike Subelsky subelsky.com