Recently we moved our Rails 3 application into a new datacenter and as part of that move it was placed behind a F5, a proxy and then another F5. Love that security.

As a result the our certs were moved to the outer F5 and everything inside the datacenter ran on port 80. This actually required a few configuration changes, some of which required me to dig through the rails code to find.

First off. We do some IP whitelisting in parts of our application so we needed X-Forwarded-For (XFF) set in the F5 and proxy. This was not on by default. Now when we got the XFF header there is a string of IP addresses representing the machines that have forwarded it along with the client IP address we needed. Turns out request.remote_ip was returning the proxy or F5 IP instead of the client IP.

To fix this I needed to mark our proxy/F5 IP addresses as trusted.

config.action_dispatch.trusted_proxies='^12.34'

ex: if our datacenter machines were all on 12.34.x.x

See actionpack-3.2.6/lib/action_dispatch/middleware/remote_ip.rb

Next, I discovered that my application links were all http instead of https because the server was running on port 80 now. After digging around the rails code I found the HTTP header I needed the F5 to send that would tell rails to act like it was running on 443.

X-Forwarded-SSL on

Not true, not 1. It must be on. See rack-1.4.1/lib/rack/request.rb

That's all. Hope I save someone some time. :-)