I am deploying an app on Heroku and trying to determine whether the request coming in is secure (request.secure). This is initially returning false on heroku because nginx handles the SSL work and communicates over plain http to the app server. So to let play read the headers that let is know it's a secure request I add:
XForwardedSupport=127.0.0.1
To application.conf as recommended in the play message boards. However, then all requests (except for images) fail with no error. It seems to be something fundamental happening before it hits the play logs. Has anyone experienced this?
I don't think Play supports the way that requests are forwarded (proxied) on Heroku via the XForwardedSupport
configuration parameter. That would need to be set to the address of the Heroku load balancer and there isn't a way to configure that pre-runtime. Instead, you should just look at the x-forwarded-proto
request header to determine if the request to the Heorku load balancer was via http
or https
. Maybe something like:
Boolean secure = false;
if (request.headers.get("x-forwarded-proto") != null) {
secure = request.headers.get("x-forwarded-proto").values.contains("https");
}
System.out.println("secure = " + secure);
BTW: Heroku's cedar stack doesn't use Nginx. It uses MochiWeb, an Erlang-based web server.