XForwardedSupport for https play! support on Heroku failing

3

6

I am deploying an app on Heroku and trying to determine whether the request coming in is secure (request.secure). This is initially returning false on Heroku because nginx handles the SSL work and communicates over plain http to the app server. So to let Play read the headers that let it know it's a secure request, I add:

    XForwardedSupport=127.0.0.1

to application.conf, as recommended on the Play message boards. However, then all requests (except for images) fail with no error. It seems to be something fundamental happening before it hits the Play logs. Has anyone experienced this?

Oxa answered 14/12, 2011 at 22:50 Comment(2)
I assume the issue is because of the way Heroku manages the routing. Create a support ticket, they are really quick answering and I'm really happy with how well they solve issues. - Documentary
Will do, I'll post back here with any resolution. - Oxa
6

I don't think Play supports the way that requests are forwarded (proxied) on Heroku via the XForwardedSupport configuration parameter. That would need to be set to the address of the Heroku load balancer and there isn't a way to configure that pre-runtime. Instead, you should just look at the x-forwarded-proto request header to determine if the request to the Heroku load balancer was via http or https. Maybe something like:

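    // Default to "not secure" when the proxy did not send the header.
    Boolean secure = false;
    if (request.headers.get("x-forwarded-proto") != null) {
      // Play stores header names in lower case; values holds every value sent.
      secure = request.headers.get("x-forwarded-proto").values.contains("https");
    }
    System.out.println("secure = " + secure);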

BTW: Heroku's cedar stack doesn't use Nginx. It uses MochiWeb, an Erlang-based web server.

Eagleeyed answered 17/12, 2011 at 14:36 Comment(3)
This definitely seems to be the problem, as confirmed by a Heroku support engineer. I'm worried that if Play doesn't know the request is secure then it will do things like perform redirects back to non-ssl urls by default and stuff like that. Anyway, I'll give it a try and see what else goes wrong and report back. Thanks! - Oxa
So far so good on this solution! For certain annotated handlers I am forcing a redirect onto SSL so the action can never be viewed over regular http. If anyone's interested I'll post some code on how it's done, we find it really useful (more so now that this fix works for Heroku). - Oxa
I've added some thoughts about making this more useful in the upstream Play code. I'd be interested to hear from more people in this ticket: Play bug #1406 - Tighten
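
The forced redirect for annotated handlers mentioned in the comments above could look like the following for Play 1.x. This is an added example, not code from the answer or from the commenter; the class `SecureTransport` and the annotation `@RequireSSL` are hypothetical names, and it assumes the app is reachable only through Heroku's router, which sets `x-forwarded-proto`.

```java
package controllers;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

import play.mvc.Before;
import play.mvc.Controller;
import play.mvc.Http;

// Added example for Play 1.x; SecureTransport and @RequireSSL are hypothetical names.
public class SecureTransport extends Controller {

    /** Marks an action that must never be served over plain HTTP. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    public @interface RequireSSL {}

    /** True only when the proxy reported exactly one value, "https". */
    static boolean forwardedAsHttps(Http.Request req) {
        Http.Header proto = req.headers.get("x-forwarded-proto");
        // Missing, empty or repeated header: fail closed and treat as plain HTTP.
        if (proto == null || proto.values == null || proto.values.size() != 1) {
            return false;
        }
        return "https".equalsIgnoreCase(proto.values.get(0).trim());
    }

    @Before
    static void enforceSsl() {
        if (getActionAnnotation(RequireSSL.class) == null) {
            return; // action is not marked, nothing to enforce
        }
        if (request.secure || forwardedAsHttps(request)) {
            return; // Play itself or the proxy saw HTTPS
        }
        if ("GET".equals(request.method) || "HEAD".equals(request.method)) {
            // request.url carries the path and the query string
            redirect("https://" + request.host + request.url);
        }
        // A body already sent in clear cannot be un-sent; refuse instead of redirecting.
        forbidden("HTTPS required");
    }
}
```

Attach it with `@With(SecureTransport.class)` on a controller and mark individual actions with `@SecureTransport.RequireSSL`. The header is only as trustworthy as the proxy that sets it, so in any topology where clients can reach the app directly, have the proxy overwrite `x-forwarded-proto` rather than pass it through.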
4

Thanks big time! You saved hours of struggling with Heroku+Play! I can confirm that when you set this in application.conf

    XForwardedSupport=all

Heroku stops complaining with SIGTERM

Serviette answered 6/9, 2012 at 0:37 Comment(0)
2

As pointed out in @Dan Carley's ticket at https://play.lighthouseapp.com/projects/57987/tickets/1406-play-123-124-playmvcrouter-does-not-fully-support-proxied-ssl#ticket-1406-4

When hosting on Heroku (as pointed out by Mirko), setting XForwardedSupport=all in application.conf works.

Apology answered 19/6, 2012 at 17:44 Comment(0)