Force https links in iframe #3472

Open
paul-mesnilgrente opened this issue Mar 31, 2020 · 6 comments


@paul-mesnilgrente

paul-mesnilgrente commented Mar 31, 2020

I am currently using Refinery 4 with Rails 5.1 and the application is living under CloudFront -> AWS load balancers -> Nginx.

My problem is that CloudFront terminates SSL and the stack doesn't let the header X-Forwarded-Proto: https come through. This has the consequence that iframes in Refinery have links in http when the main page is https; browsers don't allow that and block the links.

So I am trying to find a way to force links to be https in the iframe but I can't find a way to do it without monkey patching something. I know that the last line being called by Refinery is that one: https://github.com/refinery/refinerycms/blob/master/core/config/initializers/will_paginate_monkeypatch.rb#L16

Are there any settings I can use to force https links in production?

I already tried Rails.application.routes.default_url_options[:protocol] = 'https' but it didn't work. Do you know why maybe?

@bricesanchez
Member

Hi @paul-mesnilgrente !

Did you set the Rails config force_ssl = true in config/environments/production.rb ?

@paul-mesnilgrente
Author

force_ssl = true causes an infinite loop in our case. The Rails application is getting http requests because CloudFront is terminating SSL. This setting also has a lot of side effects that I'd like to avoid. Do you think there is something a bit more specific to what I want?

@parndt
Member

parndt commented Jul 8, 2021

Did you ever figure this out?

@paul-mesnilgrente
Author

paul-mesnilgrente commented Jul 15, 2021

I've done this very monkey patch:

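```ruby
# frozen_string_literal: true

# Apply the patch in production only.
return unless Rails.env.production?

module ActionDispatch
  class Request
    # Report every request as HTTPS, regardless of how it reached Rails.
    def ssl?
      Rails.logger.info('SSL TRUE')
      true
    end
  end
end
```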

I believe we found a nicer fix in another project but I can't remember what it is.

@fabriazza

@paul-mesnilgrente Do you remember which file you placed this block of code in?

@parndt
Member

parndt commented Oct 20, 2023

You could probably put code like that in config/initializers/patch_action_dispatch_request.rb.
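
A narrower alternative to overriding ssl? for every request, shown as an added example that is not code from this thread or from Refinery: a Rack middleware that sets X-Forwarded-Proto only for requests arriving from a trusted proxy hop, taking the scheme from the CloudFront-Forwarded-Proto header. The class name, the trusted CIDR list, and the assumption that the distribution forwards that header through the load balancer and Nginx are illustrative.

```ruby
# frozen_string_literal: true

require 'ipaddr'

# Hypothetical Rack middleware (name and constants are assumptions, not
# Refinery or Rails API). A request is marked HTTPS only if it came from a
# trusted proxy hop AND the edge reported the viewer scheme.
class EdgeSchemeMiddleware
  EDGE_HEADER = 'HTTP_CLOUDFRONT_FORWARDED_PROTO' # assumed to be forwarded
  STD_HEADER  = 'HTTP_X_FORWARDED_PROTO'          # read by Rack for ssl?

  def initialize(app, trusted_proxies:)
    @app = app
    @trusted = trusted_proxies.map { |cidr| IPAddr.new(cidr) }
  end

  def call(env)
    if trusted_peer?(env['REMOTE_ADDR'])
      edge = env[EDGE_HEADER].to_s.strip.downcase
      # Copy the edge-reported scheme into the header Rack understands.
      env[STD_HEADER] = edge if %w[http https].include?(edge)
    else
      # Direct client: never let it assert its own scheme.
      env.delete(STD_HEADER)
      env.delete(EDGE_HEADER)
    end
    @app.call(env)
  end

  private

  def trusted_peer?(addr)
    ip = IPAddr.new(addr.to_s)
    @trusted.any? { |net| net.include?(ip) }
  rescue IPAddr::Error
    false
  end
end

# Constructed demo: a stand-in app that reports the scheme header it received.
def demo_scheme(remote_addr, headers = {})
  seen = nil
  app = ->(env) { seen = env['HTTP_X_FORWARDED_PROTO']; [200, {}, []] }
  mw = EdgeSchemeMiddleware.new(app, trusted_proxies: ['127.0.0.1/32', '10.0.0.0/8'])
  mw.call({ 'REMOTE_ADDR' => remote_addr }.merge(headers))
  seen
end
```

Unlike the blanket override, a plaintext request that bypasses the proxy chain is still seen as http, so secure-cookie and redirect logic keep behaving correctly for it.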
