Enable assume_ssl for reverse proxy HTTPS callback URLs #155

Closed
ldraney wants to merge 1 commit from 154-enable-assume-ssl into main
Owner

Summary

  • Enable config.assume_ssl so Rails trusts X-Forwarded-Proto from the Tailscale funnel reverse proxy
  • Without this, OmniAuth builds http:// callback URLs which Keycloak rejects as invalid_redirect_uri

Closes #154

Changes

  • config/environments/production.rb: Uncomment config.assume_ssl = true (line 28)

Test Plan

  • Click "Sign in with Keycloak" shows Keycloak login form (not grey error page)
  • Successful login redirects back to app as authenticated user
  • Super admin sees admin tabs after login

Review Checklist

  • One-line config change, no new dependencies
  • No test changes needed (production config only)
  • Forgejo issue: #154
Enable assume_ssl for reverse proxy HTTPS callback URLs
Some checks failed
ci/woodpecker/push/woodpecker Pipeline was successful
ci/woodpecker/pr/woodpecker Pipeline was successful
CI / scan_ruby (pull_request) Has been cancelled
CI / scan_js (pull_request) Has been cancelled
CI / lint (pull_request) Has been cancelled
589df81bfb
The app runs behind a Tailscale funnel that terminates TLS. Without
assume_ssl, Rails ignores X-Forwarded-Proto and OmniAuth builds
http:// callback URLs. Keycloak rejects these as invalid_redirect_uri.

Enabling assume_ssl makes Rails trust the forwarded proto header so
callback URLs use https:// as Keycloak expects.

Closes #154

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Author
Owner

PR Review: #155 — Enable assume_ssl for reverse proxy HTTPS callback URLs

Parent issue: #154

Diff Analysis

Single-line change in config/environments/production.rb: uncomments config.assume_ssl = true.

Findings

Correctness: The change is correct. config.assume_ssl is the standard Rails 7.1+ mechanism for apps behind SSL-terminating reverse proxies. It makes Rails trust X-Forwarded-Proto and X-Forwarded-Port headers, ensuring request.ssl? returns true and URL helpers generate https:// URLs. This directly fixes the OmniAuth invalid_redirect_uri error where callback URLs were being built with http:// instead of https://.

Scope: Minimal and appropriate. One line, production config only. No test changes needed since this is infrastructure configuration, not application logic.

Risk: Very low. The app is confirmed to run behind a Tailscale funnel (SSL-terminating proxy), so enabling this setting matches the actual deployment topology.

No issues found.

VERDICT: APPROVED
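
An added Ruby sketch, not code from this repository or from Rails, of the behaviour this PR discusses: how the scheme the app sees decides the OAuth callback URL, and how a model of Rails' `ActionDispatch::AssumeSSL` middleware (which `config.assume_ssl` enables) marks every request as HTTPS whatever the proxy forwarded. The host name, callback path, registered redirect list and the simplified scheme detection are assumptions for illustration.

```ruby
# Added illustration in plain Ruby (no Rails or Rack gems needed).
# HOST, CALLBACK_PATH and REGISTERED_REDIRECTS are constructed sample values.
HOST = "app.example.ts.net"
CALLBACK_PATH = "/auth/keycloak/callback"
REGISTERED_REDIRECTS = ["https://#{HOST}#{CALLBACK_PATH}"].freeze

# Simplified scheme detection over the env keys a Rack-based stack consults.
def request_scheme(env)
  return "https" if env["HTTPS"] == "on"
  forwarded = env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip
  return forwarded unless forwarded.empty?
  env.fetch("rack.url_scheme", "http")
end

# Callback URL as an OAuth client derives it from the current request.
def callback_url(env)
  "#{request_scheme(env)}://#{env['HTTP_HOST']}#{CALLBACK_PATH}"
end

# Model of ActionDispatch::AssumeSSL: every request is marked as HTTPS
# unconditionally before the rest of the stack sees it.
def assume_ssl(env)
  env.merge(
    "HTTPS" => "on",
    "HTTP_X_FORWARDED_PORT" => "443",
    "HTTP_X_FORWARDED_PROTO" => "https",
    "rack.url_scheme" => "https"
  )
end

# Simplified redirect URI check: exact match against the registered list.
def redirect_allowed?(url)
  REGISTERED_REDIRECTS.include?(url)
end

# Constructed envs: what the app server sees on its plain-HTTP socket.
VIA_PROXY_NO_HEADER = { "HTTP_HOST" => HOST, "rack.url_scheme" => "http" }.freeze
VIA_PROXY_WITH_HEADER = VIA_PROXY_NO_HEADER.merge("HTTP_X_FORWARDED_PROTO" => "https").freeze
PROXY_SAYS_HTTP = VIA_PROXY_NO_HEADER.merge("HTTP_X_FORWARDED_PROTO" => "http").freeze

if __FILE__ == $PROGRAM_NAME
  [VIA_PROXY_NO_HEADER, VIA_PROXY_WITH_HEADER, PROXY_SAYS_HTTP].each do |env|
    off = callback_url(env)
    on = callback_url(assume_ssl(env))
    puts "proto=#{env['HTTP_X_FORWARDED_PROTO'].inspect} off=#{off} (#{redirect_allowed?(off)}) on=#{on} (#{redirect_allowed?(on)})"
  end
end
```

Because the setting labels all traffic as HTTPS, it fits only a deployment where the app's port is reachable solely through the TLS-terminating proxy.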

ldraney closed this pull request 2026-06-07 04:27:25 +00:00
Reference
ldraney/landscaping-assistant!155