0
votes

I am using ruby 2.4.0p0 and Rails 5.2.3

In the production.rb file I have done the following setting:

  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
  config.force_ssl = true
  if Rails.application.config.force_ssl
    Rails.application.routes.default_url_options[:protocol] = 'https'
  end

But the resources are still being rendered over http rather than https. Do I need to do anything extra? Please describe what needs to be done so that all assets loaded from S3 load over https.

The website is live here: https://tukaweb.com/asset/garments The S3 resources are served over http, e.g.: http://tukaweb.s3.amazonaws.com/uploads/three_d_garment/thumbnail/7/Womens_Dress_35-41_Thumbnail.png?X-Amz-Expires=600&X-Amz-Date=20200918T060705Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIRDA3IQIVTEPMN6Q%2F20200918%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=1792bd4cc2437abd950b7d16d360d09e64423bdef89f41c24a5386d35e982dfa I need them over https.


2 Answers

0
votes

The required change should be made in carrierwave.rb, inside the webapp/config/initializers directory. I modified the settings as follows:

CarrierWave.configure do |config|
  config.fog_provider = 'fog/aws'
  config.fog_credentials = {
      provider:              'AWS',               
      aws_access_key_id:     'XXXXXXXXXX',        
      aws_secret_access_key: 'xxxxxxxxxx',        
      use_iam_profile:       false,               
      region:                'us-west-2',   #  optional, defaults to 'us-east-1'
      # host:                  'ec2-xx-xxx-xx-xx.us-west-2.compute.amazonaws.com',             # optional, defaults to nil
      :endpoint => 'https://s3.amazonaws.com',
  }
  config.fog_directory  = 'tukaweb'                                      # required
  config.fog_public     = false                                                 # optional, defaults to true
  # config.fog_attributes = { cache_control: "public, max-age=#{365.days.to_i}" } # optional, defaults to {}
end

The line responsible for making the S3 resources download over https instead of http is:

  :endpoint => 'https://s3.amazonaws.com'  ## earlier it was 'http://s3.amazonaws.com'

0
votes

Force SSL only works for the incoming requests to the Rails routes. If you have an image link set to http://image-domain.com/image it's going to use http, and you'll get a mixed content warning. You need to ensure anything external to the app's routes is going to be using SSL or a secure connection as well.

The first thing I do when I see a mixed content warning is a global search of the codebase for http:// to find everywhere that isn't using https://. I may or may not do a global find + replace depending on what I see; there are cases where it needs to be http:// or it won't work right (if the site doesn't have an https:// version).

The next thing is to work out what is causing the insecure URL. Here it is S3, so I would be looking at what uses S3, and working out how I can tell it to use SSL or a secure connection.

Note: The other answer does well explaining what your actual issue is, but this may be more useful to others for general troubleshooting of mixed content issues, and would lead to the same result.
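Added example, not part of either answer: a stdlib-only Ruby audit helper that applies the same troubleshooting idea to rendered HTML rather than source code, listing every `http://` subresource on an https page and whether browsers treat it as passive or active mixed content. The function name, tag lists and sample markup are assumptions made for illustration, and every `<link href>` is treated as an active load for simplicity.

```ruby
require 'uri'

# On an https page, passive loads (images, media) draw a mixed-content warning;
# active loads (scripts, stylesheets, frames) are blocked by current browsers.
PASSIVE_TAGS = %w[img audio video source].freeze
ACTIVE_TAGS  = %w[script link iframe embed object].freeze
TAG_RE  = /<\s*([a-zA-Z0-9]+)\b([^>]*)>/m
ATTR_RE = /(?<![\w-])(?:src|href|data)\s*=\s*(["'])(.*?)\1/mi

# Constructed sample markup; hosts and paths are placeholders.
SAMPLE_HTML = <<~HTML
  <img src="http://example-bucket.s3.amazonaws.com/uploads/thumb.png?X-Amz-Expires=600">
  <script src="http://cdn.example.com/app.js"></script>
  <img src="https://example-bucket.s3.amazonaws.com/uploads/ok.png">
  <a href="http://example.com/">plain link, not a subresource</a>
  <link rel="stylesheet" href="//cdn.example.com/site.css">
HTML

# Returns one hash per http:// subresource in +html+ when the page itself is
# served from an https +page_url+. Regex-based, so it is a quick audit aid,
# not a full HTML parser.
def mixed_content(html, page_url)
  return [] unless URI(page_url).scheme == 'https'

  html.scan(TAG_RE).flat_map do |tag, attrs|
    tag = tag.downcase
    next [] unless (PASSIVE_TAGS + ACTIVE_TAGS).include?(tag)

    attrs.scan(ATTR_RE).map do |_quote, value|
      uri = begin
        URI.parse(value.strip)
      rescue URI::InvalidURIError
        nil # unparseable attribute values are skipped
      end
      # Relative and scheme-relative URLs inherit https, so only explicit http counts.
      next unless uri && uri.scheme.to_s.downcase == 'http'

      { tag: tag, host: uri.host, kind: ACTIVE_TAGS.include?(tag) ? :active : :passive }
    end.compact
  end
end

mixed_content(SAMPLE_HTML, 'https://tukaweb.com/asset/garments').each do |hit|
  puts format('%-8s %-7s %s', hit[:kind], hit[:tag], hit[:host])
end
```

Feeding it the HTML of a rendered page shows which host is emitting insecure URLs, which points at the component (here the S3 uploader) whose configuration needs changing.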