AWS EC2, Nginx SSL Issue

Dennis asked:

I’m running a rails app on an AWS EC2 instance with Nginx 1.4.6 acting as a reverse proxy and serving SSL certificates.

I’m pretty sure my issue is with my Nginx config. Here it is:

upstream puma {
  server unix:///home/deploy/apps/appname/shared/tmp/sockets/appname-puma.sock;
}

server {
  listen 443;

  ssl on;
  ssl_certificate /etc/nginx/ssl/appname.chained.crt;
  ssl_certificate_key /etc/nginx/ssl/appname.key;

  root /home/deploy/apps/appname/current/public;
  access_log /home/deploy/apps/appname/current/log/nginx.access.log;
  error_log /home/deploy/apps/appname/current/log/nginx.error.log info;

  try_files $uri/index.html $uri @puma;
  location @puma {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;

    proxy_pass http://puma;
  }

  error_page 500 502 503 504 /500.html;
  client_max_body_size 10M;
  keepalive_timeout 10;
}

server {
  listen 80;
  return 301 https://$host$request_uri;
}

When I try running curl -v, curl returns:

* Rebuilt URL to:
*   Trying
* found 187 certificates in /etc/ssl/certs/ca-certificates.crt
* found 758 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
*    server certificate verification OK
*    server certificate status verification SKIPPED
*    server certificate expiration date OK
*    server certificate activation date OK
*    certificate public key: RSA
*    certificate version: #3
*    subject: OU=Domain Control Validated,
*    start date: Mon, 21 Dec 2015 16:31:38 GMT
*    expire date: Wed, 21 Dec 2016 16:31:38 GMT
*    issuer: C=US,ST=Arizona,L=Scottsdale,\, Inc.,OU=,CN=Go Daddy Secure     Certificate Authority - G2
*    compression: NULL
* ALPN, server did not agree to a protocol
> GET / HTTP/1.1
> User-Agent: curl/7.43.0
> Accept: */*
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.4.6 (Ubuntu)
< Date: Sat, 26 Dec 2015 15:51:14 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive

This should show the homepage of my rails app. Is the * ALPN, server did not agree to a protocol line significant? Why is Nginx returning 301 Moved Permanently?

Many thanks, let me know if any more information could be of use.

My answer:

Your nginx configuration doesn’t show any redirects on port 443, and you claim not to have a load balancer in front of nginx, so the only other place the redirect could be coming from is … your application.

I see that you are running the app on https, but you have not told Rails about this. In particular, your nginx configuration is missing:

        proxy_set_header X-Forwarded-Proto $scheme;

I suspect that your app knows its own intended URL and is trying to redirect to it, since the URL that it thinks came in is not canonical.

Add this in and see if the redirects stop.

View the full question and answer on Server Fault.
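An added example, not part of the original answer and not Rails or Rack source: a simplified Ruby model of the redirect the answer describes, assuming the app enforces HTTPS (the question does not show the app's configuration). The function names, the host app.example.test and the request values are constructed for illustration.

```ruby
# Simplified model (assumption): how an app behind a TLS-terminating proxy
# decides whether the original request was HTTPS. nginx talks plain HTTP to
# Puma over the unix socket, so the app only learns the client's scheme from
# a forwarded header.
def effective_scheme(env)
  forwarded = env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip.downcase
  return forwarded if %w[http https].include?(forwarded)
  env.fetch("rack.url_scheme", "http") # scheme of the nginx -> Puma hop
end

# Hypothetical HTTPS-enforcing app: serve the page over HTTPS, else redirect.
def enforce_https(env)
  if effective_scheme(env) == "https"
    [200, { "Content-Type" => "text/html" }, ["homepage"]]
  else
    [301, { "Location" => "https://#{env["HTTP_HOST"]}#{env["PATH_INFO"]}" }, []]
  end
end

# Constructed request as Puma would receive it with the question's config:
# Host and X-Forwarded-For are set by nginx, X-Forwarded-Proto is not.
def proxied_env(extra = {})
  {
    "rack.url_scheme"      => "http",
    "HTTP_HOST"            => "app.example.test",
    "PATH_INFO"            => "/",
    "HTTP_X_FORWARDED_FOR" => "203.0.113.10"
  }.merge(extra)
end

# A client following the Location header comes back through nginx on 443 and
# produces the same env, so count attempts until a 200 (nil means a loop).
def redirects_before_200(extra_headers, limit = 5)
  limit.times do |n|
    status, = enforce_https(proxied_env(extra_headers))
    return n if status == 200
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  p enforce_https(proxied_env)                                     # question's config
  p enforce_https(proxied_env("HTTP_X_FORWARDED_PROTO" => "https")) # header added
  p redirects_before_200({})
end
```

Because the app trusts this header, it should only ever come from the proxy: `proxy_set_header X-Forwarded-Proto $scheme;` replaces any value the client sent, and the Puma socket should not be reachable except through nginx.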

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.