Our Set Up
Discourse is installed on a Google Compute VM with no SSL certificates on this server.
The force_https Discourse setting is set to true (checked to force https).
We have the front end running with ‘Google Load Balancer’, with the HTTPS certificate attached at the load balancer level.
The Google OAuth credentials settings have both http and https callback URLs set up.
User Request HTTPS.www.truvisa.com -> Google Load balancer -> HTTP Discourse on Google Compute engine.
- The https://www.truvisa.com URL works fine.
- User tries to log-in with Google OAuth. Works fine and user is logged in.
User Request HTTP -> Google Load balancer -> HTTP Discourse on Google Compute engine.
- The http://www.truvisa.com URL works fine. We actually expected this to be redirected to HTTPS (as we have force https enabled), but it did not work.
- User tries to log in with Google OAuth. User cannot log in.
- A CSRF error is thrown by Google OAuth.
What we think is happening:
I searched through the Discourse forum for a solution and understand that the Google load balancer (a proxy in our case) needs to send the X-Forwarded-Proto header for Discourse to redirect the http request to the https version.
The Google load balancer does send this X-Forwarded-Proto to the Discourse installation server.
Is there anything that needs to be changed in the Discourse setup anywhere to make this work?
Are we missing any kind of http-to-https redirection setting in the default Discourse install?
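The redirect decision a backend has to make in this topology, as an added example that is not part of the original post and is not Discourse's own code: every request reaches the backend over plain HTTP, so the only signal of the client's scheme is X-Forwarded-Proto. The class name `ForceHttpsBehindProxy`, the host `forum.example.com` and the sample requests are hypothetical and constructed for illustration.

```ruby
# Added illustration: Rack-style middleware in plain Ruby, no gems required.
# ForceHttpsBehindProxy is a hypothetical name; this is not Discourse code.
class ForceHttpsBehindProxy
  def initialize(app, canonical_host:)
    @app = app
    @canonical_host = canonical_host # configured value, never the client's Host header
  end

  # Scheme the client used, as reported by the proxy. With several proxies the
  # header can be a comma-separated list; the first entry is the client hop.
  def client_scheme(env)
    forwarded = env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip.downcase
    return forwarded unless forwarded.empty?
    env['rack.url_scheme'].to_s # no header: only the proxy-to-backend hop is known
  end

  def call(env)
    return @app.call(env) if client_scheme(env) == 'https'

    location = "https://#{@canonical_host}#{env['PATH_INFO']}"
    query = env['QUERY_STRING'].to_s
    location += "?#{query}" unless query.empty?
    [301, { 'Location' => location, 'Content-Type' => 'text/plain' }, ["Redirecting\n"]]
  end
end

# Inner app stands in for the site; it only answers once the scheme check passes.
INNER = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ["ok\n"]] }
BACKEND = ForceHttpsBehindProxy.new(INNER, canonical_host: 'forum.example.com')

# Constructed request as the backend sees it: always plain HTTP from the proxy.
def sample_env(forwarded_proto)
  env = { 'rack.url_scheme' => 'http', 'HTTP_HOST' => 'forum.example.com',
          'PATH_INFO' => '/login', 'QUERY_STRING' => 'return=%2Flatest' }
  env['HTTP_X_FORWARDED_PROTO'] = forwarded_proto if forwarded_proto
  env
end

if __FILE__ == $PROGRAM_NAME
  [nil, 'http', 'https', 'HTTPS, http'].each do |proto|
    status, headers, = BACKEND.call(sample_env(proto))
    puts format('%-14s -> %d %s', proto.inspect, status, headers['Location'])
  end
end
```

The header is only trustworthy when the backend accepts traffic solely from the load balancer; a client that can reach the backend directly can set X-Forwarded-Proto itself.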