Force Redirect HTTP to HTTPS


(Alex Rothberg) #1

I would like to redirect users that access the discourse site on port http to port https. I have checked force https but that does not seem to be causing a redirect to happen. The SSL termination is being done external to discourse (discourse always listens on 80).


(Rafael dos Santos Silva) #2

So add an HSTS header there.


(Alex Rothberg) #3

What does the force https setting do if it doesn't set HSTS and it doesn't do a 3xx redirect?


(Rafael dos Santos Silva) #4

Add the SSL-only cookies among other things.

In our recommended way of setting up SSL, this is all handled automatically:


(Alex Rothberg) #5

That template seeks to handle the SSL termination entirely. Would be nice to have a simpler template for cases where termination is handled by e.g. the load balancer. Also, I think that even with that flag set, I am seeing cookies without the secure flag set.


(Michael Coelho) #6

Hey @Falco, let me get into this conversation…

I’ve the same problem as @arothberg described. I am using an AWS Load Balancer with an Amazon Issued Certificate. When I was accessing my forum by https://www.forum.com.br it worked fine, but when accessing by forum.com.br, as the default is http, it is not working.

I tried adding:

  - replace:
     filename: "/etc/nginx/conf.d/discourse.conf"
     from: /server.+{/
     to: |
       server {
         listen 80;
         return 301 https://$$ENV_DISCOURSE_HOSTNAME$request_uri;
       }
       server {

But I received a Too Many Request error. I tried also:

  - replace:
     filename: "/etc/nginx/conf.d/discourse.conf"
     from: /server.+{/
     to: |
       server {
         listen 80;
         server_name forum.com.br www.forum.com.br;
         rewrite ^/(.*) https://$$ENV_DISCOURSE_HOSTNAME$request_uri permanent;
       }
       server {

But with no success…

Can you guys help me? My forum is down…

Thanks in advance.


(Michael Coelho) #7

I’ve replaced the entire web.ssl.template.yml with both snippets as I said above.


(Mindaugas Bartusevičius) #8

Did you solve that problem? Getting the same bug…


(Jose Zamudio) #9

For people who use AWS Classic Load Balancer still trying to solve this.

You should read this page: Redirect HTTP Traffic to HTTPS Using ELB

Basically, Nginx should redirect to https if X-Forwarded-Proto: http. This header is set by the load balancer. Thus the communication between web server and load balancer is always http. That means that Nginx serves only http and the load balancer serves https.

So, what I did, was to add the following to my container configuration (web.yml):

run:
    - replace:
       filename: "/etc/nginx/conf.d/discourse.conf"
       from: /server.+{/
       to: |
         server {
           if ($http_x_forwarded_proto = 'http') {
             return 301 https://$host$request_uri;
           }
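
Why an unconditional port-80 redirect like the one in post #6 loops behind a TLS-terminating load balancer, while the X-Forwarded-Proto check from post #9 does not, shown as an added example that is not part of any post in this thread. It is a small Python model; the function names, the hop limit and the balancer behaviour (always plain http to nginx, client scheme passed in X-Forwarded-Proto) are assumptions for illustration.

```python
# Added example: a model of the redirect decision, not Discourse or nginx code.
from typing import Callable, Dict, Optional, Tuple

MAX_HOPS = 10  # assumed limit; clients give up after a bounded number of redirects

Rule = Callable[[Dict[str, str]], Optional[str]]


def unconditional(headers: Dict[str, str]) -> Optional[str]:
    """Post #6 style rule: every request reaching port 80 gets a 301 to https."""
    return "https"


def proto_aware(headers: Dict[str, str]) -> Optional[str]:
    """Post #9 style rule: 301 only if the balancer says the client used http."""
    if headers.get("X-Forwarded-Proto") == "http":
        return "https"
    return None  # no redirect: nginx serves the page


def through_balancer(client_scheme: str, rule: Rule) -> Optional[str]:
    """The balancer terminates TLS and always forwards plain http to port 80,
    recording the scheme the client really used in X-Forwarded-Proto."""
    return rule({"X-Forwarded-Proto": client_scheme})


def follow(start_scheme: str, rule: Rule) -> Tuple[str, int]:
    """Follow redirects like a browser; returns (outcome, redirects followed)."""
    scheme = start_scheme
    for hops in range(MAX_HOPS):
        target = through_balancer(scheme, rule)
        if target is None:
            return ("served over " + scheme, hops)
        scheme = target  # client retries with the scheme from the Location header
    return ("redirect loop", MAX_HOPS)


if __name__ == "__main__":
    for name, rule in (("unconditional", unconditional), ("proto_aware", proto_aware)):
        for scheme in ("http", "https"):
            print(name, scheme, follow(scheme, rule))
    # A request that reaches nginx without the header is served, not redirected.
    print("no header:", proto_aware({}))
```

Because nginx only ever sees port 80 in this setup, the redirect decision has to come from the forwarded header rather than from the listening port.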