use_redirect always forcing redirect, even for HTTPS

[aripollak]

Currently, I have the following configuration:

use Rack::SslEnforcer, hsts: true, redirect_to: 'https://www.example.com'

I'm using redirect_to because the site is behind a reverse proxy that routes different paths to different hosts, so the Host header that gets passed to this particular server is something totally different and not user-friendly, like ec2-1234.aws.amazon.com. I really only want Rack::SslEnforcer to redirect if the protocol is http instead of https. But currently because of redirect_required?, this actually causes a redirect loop. Is this behavior intentional? It seems like it's beyond the scope of this gem to always canonicalize the hostname.

I can work around the problem like this: ignore: -> (request) { request.env['HTTP_X_FORWARDED_PROTO'] == 'https' }

[tobmatth]

Hi,

seems like your reverse proxy does not set X-Forwarded* headers properly, maybe this helps:

https://github.com/tobmatth/rack-ssl-enforcer#nginx
#82

[aripollak]

Which header in particular? It does seem to be setting those correctly, it just doesn't set Host to be the external-facing hostname.