Update production.rb template to provide example to exclude healthcheck from force_ssl redirect

bensheldon · web-flow · commit 20ef7c3b73fb · 2024-04-28T08:46:41.000-07:00
Instructions for disabling specific endpoints from http-to-https redirects live in the SSL middleware: https://github.com/rails/rails/blob/fc4407eed00ed172e92798ae2a5d415b1134c26b/actionpack/lib/action_dispatch/middleware/ssl.rb#L20 The change follows the path-matching pattern already present for ignoring the healthcheck endpoint for config.host_authorization: https://github.com/rails/rails/blob/fc4407eed00ed172e92798ae2a5d415b1134c26b/railties/lib/rails/generators/rails/app/templates/config/environments/production.rb.tt#L110
diff --git a/railties/lib/rails/generators/rails/app/templates/config/environments/production.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/environments/production.rb.tt
@@ -58,6 +58,8 @@ Rails.application.configure do
 
   # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
   config.force_ssl = true
+  # Skip http-to-https redirect for the default health check endpoint.
+  # config.ssl_options = { redirect: { exclude: ->(request) { request.path == "/up" } } }
 
   # Log to STDOUT by default
   config.logger = ActiveSupport::Logger.new(STDOUT)
