在我的Rails 4应用程序中,我有before_action要求用户登录,如下所示:
class ApplicationController < ActionController::Base
protect_from_forgery with: :exception
before_action :require_login
def require_login
unless logged_in?
flash[:alert] = "You must be logged in to access this section."
redirect_to login_path
end
end
def logged_in?
# more logic
end
end
当我在未登录的情况下访问example.com时,我会按预期重定向到example.com/login。但是,我在控制台中看到了这个错误:
The page at 'https://example.com/login' was loaded over HTTPS, but displayed
insecure content from 'http://example.com/login': this content should also
be loaded over HTTPS.
网络标签显示表明我的redirect_to指向的是HTTP,而不是HTTPS。当它到达HTTP时,它会自动重定向到HTTPS。
Request URL:http://example.com/login
Request Method:GET
Status Code:301 Moved Permanently
# In the response headers:
Location:https://example.com/login
有没有办法告诉redirect_to它应该使用HHTPS而不是HTTP,还是这是一个nginx配置?我认为使用login_path而不是login_url会解决问题,因为它应该是相对于基础的,但这似乎不起作用。
更新
我也考虑过使用force_ssl,但我担心我会用锤子敲针。如果我弄错了,请随意纠正我。
答案 0 :(得分:6)
在application.rb(或environment.rb)中,您可以设置
config.force_ssl = true
这将使Rails始终使用安全端点。
答案 1 :(得分:1)
使用#force_ssl:
class ApplicationController < ActionController::Base
force_ssl # use HTTPS for all actions
protect_from_forgery with: :exception
before_action :require_login
def require_login
unless logged_in?
flash[:alert] = "You must be logged in to access this section."
redirect_to login_path
end
end
def logged_in?
# more logic
end
end