On AWS OpsWorks. I'm using an ELB, which has my CA's SSL certificate.
The first point of access is always the load balancer (ELB). The ELB directs traffic to the instances. The instances each have a copy of the Rails app, Unicorn, etc.
One thing to note. The instances behind the ELB cannot be accessed directly.
At this point, do I need to force_ssl in Rails? I hear it's common enough to terminate SSL at the border (ELB).
As far as I've read, force_ssl gives the following:
- force_ssl automatically redirects traffic from http to https.
- Flagging cookies as secure and some added protection (i.e. against MITM attacks).
http://ift.tt/1FsU3Oi only indicates http to https redirection.
The second answer to "What does force_ssl do in Rails?" suggests that force_ssl does more than redirection.
Without force_ssl, I can manage redirects by writing Nginx definitions.
I feel like forcing SSL via Rails seems obsolete, since the SSL negotiation is already happening in the ELB. Is it still necessary to force_ssl? Are there any added benefits?
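Added illustration, not part of the original question and not Rails' own code: a dependency-free, Rack-style sketch of the two behaviours listed above (redirect and secure-flagged cookies) as they look on an instance behind a TLS-terminating ELB, where the original scheme is only visible in the X-Forwarded-Proto header. The class name ForceSslSketch, the host and the cookie are constructed for the example.

```ruby
# Added example: hypothetical middleware, NOT Rails' ActionDispatch::SSL source.
class ForceSslSketch
  def initialize(app)
    @app = app
  end

  # The ELB terminates TLS, so the instance itself always receives plain HTTP.
  # Whether the client used HTTPS is only known from X-Forwarded-Proto.
  def https?(env)
    env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip.downcase == "https"
  end

  def call(env)
    unless https?(env)
      # Behaviour 1: redirect http -> https, keeping path and query string.
      location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
      query = env["QUERY_STRING"].to_s
      location += "?#{query}" unless query.empty?
      return [301, { "Location" => location, "Content-Type" => "text/html" }, []]
    end

    status, headers, body = @app.call(env)
    headers = headers.dup
    # Behaviour 2: flag every cookie the app sets as secure.
    headers["Set-Cookie"] = flag_secure(headers["Set-Cookie"]) if headers["Set-Cookie"]
    [status, headers, body]
  end

  # Append "; secure" to each Set-Cookie line that does not already carry it.
  def flag_secure(set_cookie)
    set_cookie.split("\n").map { |c|
      c.match?(/;\s*secure\s*(;|$)/i) ? c : "#{c}; secure"
    }.join("\n")
  end
end

# Constructed sample app: sets a session cookie without the secure flag.
SAMPLE_APP = ->(_env) { [200, { "Set-Cookie" => "_session=abc123; path=/; HttpOnly" }, ["ok"]] }

# Constructed request as the instance would see it behind the load balancer.
def demo(proto)
  env = { "HTTP_HOST" => "app.example.com", "PATH_INFO" => "/login",
          "QUERY_STRING" => "next=%2F", "HTTP_X_FORWARDED_PROTO" => proto }
  ForceSslSketch.new(SAMPLE_APP).call(env)
end
```

A redirect written only in Nginx covers the first behaviour; the cookie flag has to be applied wherever the cookie is set or rewritten.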