I'm on AWS OpsWorks. I'm using an ELB, which has a CA's SSL certificate.
The first point of access is the load balancer (ELB). The ELB directs traffic to the instances. The instances each have a copy of the Rails app, Unicorn, etc.
One thing to note: the instances behind the ELB cannot be accessed directly.
At this point, do I need force_ssl in Rails? I hear it's common enough to terminate SSL at the border (ELB).
As far as I've read, force_ssl gives the following:
- Automatic redirect of traffic from HTTP to HTTPS.
- Flagging cookies as secure, for added protection (i.e. against MITM attacks).
http://api.rubyonrails.org/classes/actioncontroller/forcessl/classmethods.html indicates HTTP to HTTPS redirection.
In "What does force_ssl do in Rails?", the second answer suggests force_ssl does more than redirection.
If I decide not to use force_ssl, I can manage the redirects by writing nginx definitions.
Given this scenario, I feel forcing SSL via Rails is obsolete, since SSL negotiation is happening in the ELB. Is it still necessary to use force_ssl? Are there any added benefits?
If you're terminating SSL at the ELB level, you don't want it. (You want to take HTTP traffic, and not be redirected.)
Bear in mind that in this case the traffic between the ELB and the backend instances is on HTTP (i.e. not encrypted). There are cases where this is fine.
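The two behaviours the question lists (HTTP to HTTPS redirect, cookies flagged secure), sketched for an app whose TLS ends at the load balancer. This is an added example, not Rails' own code and not from either post; it assumes the load balancer passes the client's scheme in X-Forwarded-Proto, and EdgeTlsPolicy and the sample host are hypothetical.

```ruby
# Added illustration; EdgeTlsPolicy is a hypothetical name, not a Rails class.
# Rack-style middleware for an app whose TLS is terminated at a load balancer.
# Assumption: the balancer sets X-Forwarded-Proto to the client's scheme.
# Trusting that header is only sound because, as the question notes, the
# instances cannot be reached directly (a direct client could forge it).
class EdgeTlsPolicy
  def initialize(app)
    @app = app
  end

  def call(env)
    # Every request reaches the instance as plain HTTP, so the forwarded
    # header is the only signal of what the client actually used.
    proto = env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip.downcase
    unless proto == "https"
      host = env["HTTP_HOST"] || env["SERVER_NAME"]
      location = "https://#{host}#{env['PATH_INFO']}"
      location += "?#{env['QUERY_STRING']}" unless env["QUERY_STRING"].to_s.empty?
      return [301, { "location" => location, "content-type" => "text/plain" }, ["Moved\n"]]
    end

    status, headers, body = @app.call(env)
    headers = headers.dup
    headers["set-cookie"] = flag_secure(headers["set-cookie"]) if headers["set-cookie"]
    [status, headers, body]
  end

  private

  # Append "; secure" to each cookie line that does not already carry it.
  def flag_secure(value)
    value.split("\n").map { |c| c =~ /;\s*secure\s*(;|$)/i ? c : "#{c}; secure" }.join("\n")
  end
end

# Constructed sample app and requests (host and cookie values are made up).
APP = ->(_env) { [200, { "set-cookie" => "sid=abc123; path=/; HttpOnly" }, ["ok"]] }
POLICY = EdgeTlsPolicy.new(APP)

def sample_request(proto)
  env = { "HTTP_HOST" => "app.example.test", "PATH_INFO" => "/login", "QUERY_STRING" => "next=%2Fhome" }
  env["HTTP_X_FORWARDED_PROTO"] = proto if proto
  POLICY.call(env)
end
```

A request that arrives with no X-Forwarded-Proto at all (`sample_request(nil)`) is treated as HTTP and redirected too.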