Refactor #30122
Tracker #28570: Rails 6.1 Tracker
Remove usage of force_ssl in controller
Description
`force_ssl` has been deprecated and will be removed in Rails 6.1:
https://github.com/rails/rails/commit/03351cd5410b3ad3d3e51f44ce60aa553ddeef14
Related issues
Associated revisions
History
#1
Updated by The Foreman Bot about 1 year ago
- Assignee set to Ondřej Ezr
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/9011 added
#2
Updated by Ondřej Ezr about 1 year ago
- Related to Refactor #34234: Do not warn on HTTP connection from Smart proxy added
#3
Updated by The Foreman Bot about 1 year ago
- Fixed in Releases 3.3.0 added
#4
Updated by Ondřej Ezr about 1 year ago
- Status changed from Ready For Testing to Closed
Applied in changeset foreman|221d255d9963bee7bd2054d179f394b1c73f7b91.
#5
Updated by Amit Upadhye 11 months ago
- Subject changed from remove usage of force_ssl in controller to Remove usage of force_ssl in controller
Fixes #30122 - remove usage of controller level force_ssl
Foreman's use case for HTTP-only is provisioning. Many installers, like Red
Hat's Anaconda or Debian Preseed, either do not support it or make it very hard
to use HTTPS. This is especially hard since often a custom CA is used, so
establishing the trust chain is hard.
Rails 6.1 drops support for controller level force_ssl. This implements our
use-case as options for the ssl middleware. Our use-case is valid, but it is
better to rely on supported features and not to pull a 3rd party gem.
This does not implement a mechanism for plugins to run HTTP-only. This is
because designing a good API proved to be hard and we didn't see a scenario
where it would be needed.
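
The commit message above describes moving the HTTP-only exemption into the options of the SSL middleware. The following is an added sketch of that pattern using Rails' `config.ssl_options` `redirect: { exclude: ... }` hook; it is not Foreman's code, and the path prefixes, `http_allowed_path?`, `FakeRequest` and `redirected_to_https?` are hypothetical names chosen for illustration.

```ruby
# Added illustration, not Foreman's code. The path prefixes are hypothetical
# placeholders for provisioning endpoints that installers fetch over HTTP.
HTTP_ALLOWED_PREFIXES = %w[/provisioning /bootfiles].freeze

# True when a request path may be served over plain HTTP.
def http_allowed_path?(path)
  path = path.to_s
  segments = path.split("/", -1)
  # Refuse dot segments so "/provisioning/../users" cannot borrow the exemption.
  return false if segments.any? { |s| s == "." || s == ".." }

  HTTP_ALLOWED_PREFIXES.any? do |prefix|
    # Match on a segment boundary: "/provisioningfoo" is not exempt.
    path == prefix || path.start_with?("#{prefix}/")
  end
end

# Options for the SSL middleware. In config/application.rb this would be:
#   config.force_ssl   = true
#   config.ssl_options = SSL_OPTIONS
SSL_OPTIONS = {
  redirect: { exclude: ->(request) { http_allowed_path?(request.path) } }
}.freeze

# Constructed stand-in for the request object the middleware passes in.
FakeRequest = Struct.new(:path)

# True when the middleware would redirect this path to HTTPS.
def redirected_to_https?(path)
  !SSL_OPTIONS[:redirect][:exclude].call(FakeRequest.new(path))
end
```

Keeping the exclusion list short and matching on segment boundaries limits the plain-HTTP surface to the endpoints that installers actually need.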