New Rails 8.1.0 apps deployed with Kamal do not fully work out of the box #56011
Description
Steps to reproduce
-
Create and deploy a Rails app with Kamal like so:
rails -v # => Rails 8.1.0 rails new myapp; cd myapp bin/rails generate scaffold Banana name sed -i '' 's/192.168.0.1/your_server_ip_here/' config/deploy.yml git add --all && git commit -m "Initial commit" bin/kamal setup
-
If the app deployed successfully, go to
http://your_server_ip_here/bananas/new, fill in a name, and click on "Create Banana".
Expected behavior
App deploy is successful, and you should be redirected to the http://your_server_ip_here/bananas index page.
Actual behavior
1. Default behavior
You are not redirected to the index page because of a HTTP Origin header (http://<redacted_ip>) didn't match request.base_url (https://<redacted_ip>) error.
Details according to bin/kamal logs -n 1000:
^L2025-10-26T01:29:18.061589870Z [b3c26d1f-105e-4d61-918c-3ff2139b0784] Started POST "/bananas" for 70.181.179.63 at 2025-10-26 01:29:18 +0000
2025-10-26T01:29:18.065376048Z [b3c26d1f-105e-4d61-918c-3ff2139b0784] Processing by BananasController#create as TURBO_STREAM
2025-10-26T01:29:18.065394623Z [b3c26d1f-105e-4d61-918c-3ff2139b0784] Parameters: {"authenticity_token" => "[FILTERED]", "banana" => {"name" => "aaa"}, "commit" => "Create Banana"}
2025-10-26T01:29:18.066183467Z [b3c26d1f-105e-4d61-918c-3ff2139b0784] HTTP Origin header (http://<redacted_ip>) didn't match request.base_url (https://<redacted_ip>)
2025-10-26T01:29:18.067836134Z [b3c26d1f-105e-4d61-918c-3ff2139b0784] Completed 422 Unprocessable Content in 2ms (ActiveRecord: 0.0ms (0 queries, 0 cached) | GC: 0.0ms)
2025-10-26T01:29:18.070152157Z [b3c26d1f-105e-4d61-918c-3ff2139b0784]
2025-10-26T01:29:18.070169480Z [b3c26d1f-105e-4d61-918c-3ff2139b0784] ActionController::InvalidAuthenticityToken (HTTP Origin header (http://<redacted_ip>) didn't match request.base_url (https://<redacted_ip>)):
2. Behavior if you comment out config.assume_ssl = true in config/environments/production.rb, but keep config.force_ssl = true
App deploy eventually fails with the following error message:
Releasing the deploy lock...
Finished all in 115.7 seconds
ERROR (SSHKit::Command::Failed): Exception while executing on host 5.78.111.110: docker exit status: 1
docker stdout: Nothing written
docker stderr: Error: target failed to become healthy within configured timeout (30s)
3. Behavior if you keep config.assume_ssl = true in config/environments/production.rb, but comment out config.force_ssl = true
Same as 1. You are not redirected to the index page because of a HTTP Origin header (http://<redacted_ip>) didn't match request.base_url (https://<redacted_ip>) error.
Details according to bin/kamal logs -n 1000:
^L2025-10-26T01:49:42.724978982Z [3489b80f-3565-4893-97a3-b4deb11746c1] Started POST "/bananas" for 70.181.179.63 at 2025-10-26 01:49:42 +0000
2025-10-26T01:49:42.726951163Z [3489b80f-3565-4893-97a3-b4deb11746c1] Processing by BananasController#create as TURBO_STREAM
2025-10-26T01:49:42.726964689Z [3489b80f-3565-4893-97a3-b4deb11746c1] Parameters: {"authenticity_token" => "[FILTERED]", "banana" => {"name" => "test"}, "commit" => "Create Banana"}
2025-10-26T01:49:42.727887622Z [3489b80f-3565-4893-97a3-b4deb11746c1] HTTP Origin header (http://<redacted_ip>) didn't match request.base_url (https://<redacted_ip>)
2025-10-26T01:49:42.728315444Z [3489b80f-3565-4893-97a3-b4deb11746c1] Completed 422 Unprocessable Content in 1ms (ActiveRecord: 0.0ms (0 queries, 0 cached) | GC: 0.0ms)
2025-10-26T01:49:42.732193103Z [3489b80f-3565-4893-97a3-b4deb11746c1]
2025-10-26T01:49:42.732233999Z [3489b80f-3565-4893-97a3-b4deb11746c1] ActionController::InvalidAuthenticityToken (HTTP Origin header (http://<redacted_ip>) didn't match request.base_url (https://<redacted_ip>)):
Additional notes
Commenting out both config.assume_ssl = true and config.force_ssl = true works. Here is a PR to make this the default when Kamal is enabled: #56010.
System configuration
Rails version: 8.1.0
Ruby version: 3.4.5