ActiveStorage redirects attachment URLs from HTTPS to HTTP during service.url call #32255

Closed
omnilord opened this issue Mar 15, 2018 · 3 comments

@omnilord

I set up a self-signed SSL certificate and configured it in Puma. It was working fine for most things, but it does not get applied to the disk service URL in ActiveStorage. This occurs for both the original upload files and their variants. I have not checked this behavior on other services.

Here is the log showing that the redirect does not apply SSL (I have truncated the file keys for brevity):

=> Booting Puma
=> Rails 5.2.0.rc1 application starting in development
=> Run `rails server -h` for more startup options
Puma starting in single mode...
* Version 3.11.3 (ruby 2.5.0-p0), codename: Love Song
* Min threads: 5, max threads: 5
* Environment: development
* Listening on ssl://127.0.0.1:3000?cert=/path/to/cert&key=/path/to/key&verify_mode=none

...

Started GET "/rails/active_storage/variants/eyJfcmFp...32794.jpg" for 127.0.0.1 at 2018-03-14 01:57:00 -0400

Processing by ActiveStorage::VariantsController#show as JPEG
  Parameters: {"signed_blob_id"=>"eyJfcmFp...c1d1e", "variation_key"=>"eyJfcmFp...269bb", "filename"=>"12765b837e699d5a2d9d009128c32794"}
  ActiveStorage::Blob Load (0.4ms)  SELECT  "active_storage_blobs".* FROM "active_storage_blobs" WHERE "active_storage_blobs"."id" = $1 LIMIT $2  [["id", 5], ["LIMIT", 1]]
  Disk Storage (0.0ms) Checked if file exists at key: variants/neBLD9bQ...3850b (yes)
  Disk Storage (0.6ms) Generated URL for file at key: variants/neBLD9bQ...3850b (http://localhost:3000/rails/active_storage/disk/eyJfcmFp...32794.jpg?content_type=image%2Fjpeg&disposition=inline%3B+filename%3D%2212765b837e699d5a2d9d009128c32794.jpg%22%3B+filename%2A%3DUTF-8%27%2712765b837e699d5a2d9d009128c32794.jpg)

Redirected to http://localhost:3000/rails/active_storage/disk/eyJfcmFp...32794.jpg?content_type=image%2Fjpeg&disposition=inline%3B+filename%3D%2212765b837e699d5a2d9d009128c32794.jpg%22%3B+filename%2A%3DUTF-8%27%2712765b837e699d5a2d9d009128c32794.jpg

Completed 302 Found in 4ms (ActiveRecord: 0.4ms)

I am fairly confident (not 100%) the redirect is occurring on line ~12 of the RepresentationsController, which is using a URL generated by the disk service, but I lost the trail with the call to url_helpers.rails_disk_service_path. Doing a search for "rails_disk_service_path" yields one result, the line in question. This issue may be a defect in url_helpers.rails_disk_service_path, but I cannot find where this method is defined to attempt a patch.

Steps to reproduce

  1. Generate and set up a self-signed SSL certificate for localhost and store the paths to your SSL key and SSL certificate in the environment variables LOCALHOST_SSL_KEY and LOCALHOST_SSL_CERT respectively.
  2. Add config.force_ssl = true to config/environments/development.rb
  3. In config/puma.rb, comment out port ENV.fetch("PORT") { 3000 } and add this block:

     ssl_bind '127.0.0.1', 3000, {
       key: ENV.fetch('LOCALHOST_SSL_KEY'),
       cert: ENV.fetch('LOCALHOST_SSL_CERT'),
       verify_mode: 'none'
     }

  4. Run the Rails server
  5. Visit a page with an image or variant using Chrome.

Expected behavior

Page should load over HTTPS and the image should load over HTTPS.

Actual behavior

Page loads as normal, but image URLs are redirected from HTTPS to HTTP, which will not load locally when running with SSL and disk service storage.

System configuration

Rails version: 5.2.0.rc1
Ruby version: 2.5.0p0 (2017-12-25 revision 61468) [x86_64-darwin15]
Chrome version: 64.0.3282.186 (Official Build) (64-bit)
Safari version: 11.0.3 (11604.5.6.1.1)

georgeclaghorn commented Mar 15, 2018

Your disk service is configured with an HTTP host (the default is http://localhost:3000). Configure it to use HTTPS instead:

local:
  service: Disk
  root: <%= Rails.root.join("storage") %>
  host: https://localhost:3000

(The host option will be removed in RC2 in favor of automatically detecting the correct host.)
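
As an added example (not Rails code and not part of this thread), here is a stand-alone Ruby check for the rc1-era configuration discussed above: it renders and parses a storage.yml the way Rails does (ERB first, then YAML) and reports every Disk service whose host setting would make the service emit plain-HTTP URLs, including the case where no host is set and the rc1 default of http://localhost:3000 applies. The sample YAML and the Rails.root stub are constructed for the example. From 5.2 final onward the host option is gone and the disk service takes its host from the incoming request, so what Rails sees as the request's scheme (including any forwarded-proto header set by a proxy in front of it) is what ends up in the redirect.

```ruby
# Added example, not Rails or project code: lint a Rails 5.2.0.rc1-style
# config/storage.yml for Disk services whose `host` would yield http:// URLs.
require "erb"
require "yaml"
require "uri"
require "pathname"

# Stand-in for Rails.root so the ERB tag in the sample renders outside an app.
module Rails
  def self.root
    Pathname.new("/srv/app")
  end
end

# Constructed sample config/storage.yml. `local` spells out the rc1 default
# the issue hit, `local_tls` is the fix from the thread, and `nohost` relies
# on the implicit default host. The S3 entry is there to show it is skipped.
SAMPLE_STORAGE_YML = <<~YAML
  local:
    service: Disk
    root: <%= Rails.root.join("storage") %>
    host: http://localhost:3000

  local_tls:
    service: Disk
    root: <%= Rails.root.join("storage") %>
    host: https://localhost:3000

  nohost:
    service: Disk
    root: <%= Rails.root.join("storage") %>

  amazon:
    service: S3
    bucket: example-bucket
    region: us-east-1
YAML

# Render the ERB first, then parse the YAML, the order Rails uses for storage.yml.
def load_storage_config(yaml_text)
  YAML.safe_load(ERB.new(yaml_text).result)
end

# Map each Disk service name to the reason its generated URLs would not be
# HTTPS: no host (rc1 falls back to http://localhost:3000), a scheme other
# than https, or a host value that is not a parseable URL at all.
def insecure_disk_hosts(config)
  config.each_with_object({}) do |(name, opts), problems|
    next unless opts["service"] == "Disk"
    host = opts["host"]
    if host.nil?
      problems[name] = "no host set; rc1 defaults to http://localhost:3000"
      next
    end
    scheme = URI.parse(host).scheme
    problems[name] = "host uses #{scheme.inspect}, not https" unless scheme == "https"
  rescue URI::InvalidURIError
    problems[name] = "host #{host.inspect} is not a valid URL"
  end
end

if __FILE__ == $0
  config = load_storage_config(SAMPLE_STORAGE_YML)
  insecure_disk_hosts(config).each { |name, why| puts "#{name}: #{why}" }
end
```

Run it against a real app by replacing SAMPLE_STORAGE_YML with File.read("config/storage.yml") and dropping the Rails stub; anything it lists is a service whose disk URLs, and therefore the 302 from the representations controller, will come back as http://.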

diaksid commented Aug 18, 2018

as a palliative:

# lib/active_storage/service/no_protocol_disk_service.rb
require "active_storage/service/disk_service"

module ActiveStorage
  # Disk service whose URLs are protocol-relative ("//host/path"), so the
  # browser resolves them with the scheme of the page or request it came from.
  class Service::NoProtocolDiskService < Service::DiskService
    def url(key, **options)
      # Strip only the leading scheme; anchoring avoids touching anything
      # that happens to contain "http:" later in the URL.
      super(key, **options).sub(/\Ahttps?:/, "")
    end
  end
end

# config/storage.yml
local:
  service: NoProtocolDisk
  root: <%= Rails.root.join("storage") %>

@colorfulfool

I am using activestorage (= 6.0.0) and this is still happening.

~ $ http https://estreias.net/rails/active_storage/representations/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBHdz09IiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--c288ffa46e59e8ac436245887b07e01792224bcd/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCam9VY21WemFYcGxYM1J2WDJ4cGJXbDBXd2RwQWl3QmFRSXNBUT09IiwiZXhwIjpudWxsLCJwdXIiOiJ2YXJpYXRpb24ifX0=--5fc8499e3ccc27d79b7ab0d943847989a94d1df6/bomba_ompuff-300x300.jpg
HTTP/1.1 302 Found
Cache-Control: max-age=300, private
Connection: keep-alive
Content-Type: text/html; charset=utf-8
Date: Tue, 19 Nov 2019 00:36:46 GMT
Location: http://estreias.net/rails/active_[...]--dbb235875c4ca91b738c43d2ce2aeb463be416bf/bomba_ompuff-300x300.jpg?content_type=image%2Fjpeg&disposition=inline%3B+filename%3D%22bomba_ompuff-300x300.jpg%22%3B+filename%2A%3DUTF-8%27%27bomba_ompuff-300x300.jpg
Referrer-Policy: strict-origin-when-cross-origin
Server: nginx/1.14.0 (Ubuntu)
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Request-Id: c6a2b1d7-ede2-4768-b744-b3991c349efa
X-Runtime: 0.009339
X-XSS-Protection: 1; mode=block

<html><body>You are being <a href="http://estreias.net/rails/active_[...]--dbb235875c4ca91b738c43d2ce2aeb463be416bf/bomba_ompuff-300x300.jpg?content_type=image%2Fjpeg&amp;disposition=inline%3B+filename%3D%22bomba_ompuff-300x300.jpg%22%3B+filename%2A%3DUTF-8%27%27bomba_ompuff-300x300.jpg">redirected</a>.</body></html>
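
The capture above shows the symptom from the client's side: an HTTPS request answered with a 302 whose Location is plain http. The disk-service URL it points at is a signed, expiring grant for the file, so any client that follows it sends that grant in clear, and a browser with force_ssl/HSTS in play will refuse or re-upgrade it. Here is an added Ruby check, not part of this issue or of Rails, that parses a redirect response and flags an https-to-http downgrade. The request URL and the responses are constructed from the capture above with shortened placeholder tokens in place of the real signed segments. It resolves the Location header against the request URL as a browser would, so relative and protocol-relative values are handled too, which is why the NoProtocolDisk palliative earlier in the thread keeps the client on HTTPS.

```ruby
# Added example, not Rails or project code: detect an HTTPS-to-HTTP downgrade
# in a redirect response, using only the Ruby standard library.
require "uri"

# What a detected downgrade looks like.
Downgrade = Struct.new(:request_url, :location, :resolved, :status, keyword_init: true)

# Parse a raw HTTP/1.1 response head (status line plus headers) into the
# numeric status and a lower-cased header hash. A body after the blank line
# is ignored.
def parse_response_head(raw)
  head = raw.split(/\r?\n\r?\n/, 2).first
  status_line, *header_lines = head.lines.map(&:chomp)
  status = status_line.split(" ", 3)[1].to_i
  headers = header_lines.each_with_object({}) do |line, h|
    name, value = line.split(":", 2)
    next if value.nil?
    h[name.strip.downcase] = value.strip
  end
  [status, headers]
end

# Resolve Location against the request URL (RFC 7231 allows relative
# references, including protocol-relative "//host/path") and return a
# Downgrade when following it would move an https client onto http.
def redirect_downgrade(request_url, raw_response)
  status, headers = parse_response_head(raw_response)
  location = headers["location"]
  return nil unless (300..399).cover?(status) && location
  resolved = URI.join(request_url, location)
  return nil unless URI(request_url).scheme == "https" && resolved.scheme == "http"
  Downgrade.new(request_url: request_url, location: location,
                resolved: resolved.to_s, status: status)
end

# Constructed request and responses modelled on the capture above; the signed
# path segments are placeholders, not the real tokens.
REQUEST_URL = "https://estreias.net/rails/active_storage/representations/SIGNED_BLOB_ID/SIGNED_VARIATION/bomba_ompuff-300x300.jpg"

DOWNGRADING_RESPONSE = <<~HTTP
  HTTP/1.1 302 Found
  Cache-Control: max-age=300, private
  Content-Type: text/html; charset=utf-8
  Location: http://estreias.net/rails/active_storage/disk/SIGNED_KEY/bomba_ompuff-300x300.jpg?content_type=image%2Fjpeg
  Server: nginx/1.14.0 (Ubuntu)

  <html><body>You are being <a href="http://estreias.net/rails/active_storage/disk/SIGNED_KEY/bomba_ompuff-300x300.jpg">redirected</a>.</body></html>
HTTP

# The same redirect with the protocol-relative Location that the
# NoProtocolDisk service above would produce: the client keeps its scheme.
PROTOCOL_RELATIVE_RESPONSE = <<~HTTP
  HTTP/1.1 302 Found
  Content-Type: text/html; charset=utf-8
  Location: //estreias.net/rails/active_storage/disk/SIGNED_KEY/bomba_ompuff-300x300.jpg?content_type=image%2Fjpeg
HTTP

if __FILE__ == $0
  if (dg = redirect_downgrade(REQUEST_URL, DOWNGRADING_RESPONSE))
    puts "DOWNGRADE #{dg.status}: #{dg.request_url} -> #{dg.resolved}"
  end
  puts "protocol-relative: #{redirect_downgrade(REQUEST_URL, PROTOCOL_RELATIVE_RESPONSE).inspect}"
end
```

To run this against a live app, feed redirect_downgrade the URL you requested and the raw response head (for example the output of `http --headers` or `curl -i` with redirects disabled); it only reports a downgrade when the original request was https and the resolved target is http, so an http-to-http redirect or a 200 is ignored.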
