I am trying to get my app to always use HTTPS in production, so I have added this package: https://atmospherejs.com/meteor/force-ssl
However, I’m not seeing it work correctly.
The readme for the force-ssl says the following:
Application bundles (meteor bundle) do not include an HTTPS server or certificate. A proxy server that terminates SSL in front of a Meteor bundle must set the standard x-forwarded-proto header for the force-ssl package to work.
I am deploying to ElasticBeanstalk on AWS and we are in fact using x-forwarded-proto. So I’m not sure why the force-ssl package is not working. I’m also not sure if this note means I should just be using x-forwarded-proto, or whether I should change how it is being used.
From the AWS docs I read the following:
The X-Forwarded-Proto request header helps you identify the protocol (HTTP or HTTPS) that a client used to connect to your server. Your server access logs contain only the protocol used between the server and the load balancer; they contain no information about the protocol used between the client and the load balancer. To determine the protocol used between the client and the load balancer, use the X-Forwarded-Proto request header. Elastic Load Balancing stores the protocol used between the client and the load balancer in the X-Forwarded-Proto request header and passes the header along to your server.
Your application or website can use the protocol stored in the X-Forwarded-Proto request header to render a response that redirects to the appropriate URL.
The X-Forwarded-Proto request header takes the following form:
The following example contains an X-Forwarded-Proto request header for a request that originated from the client as an HTTPS request:
I don’t think I can just force x-forwarded-proto to always send
https – can I?
Also – is it possible that the “flag” on this package means it is broken in some other way? If so, any ideas?