Rails 5 - Invalid Authenticity - SSL

Today I introduced SSL to my latest app Homes in Asia and suddenly I wasn’t able to log in. I was greeted by an ActionController::InvalidAuthenticityToken error.

Surprised, I did some digging. I found out that there is an issue with the new way CSRF tokens are handled by ActionController when it comes to SSL (hmm… need to dig into it tomorrow). This requires Nginx to send some extra headers.

In my Nginx config file for the site…

location @homesapp {
    ...
    proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header X-Forwarded-Port 443;
    proxy_set_header X-Forwarded-Host homesin.asia;
    ...
}

Make sure to replace homesin.asia from above with your host name.

Then restart Nginx using sudo service nginx restart and you should be good to go!
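
Why the forwarding headers matter, as an added example (not from the original post, and not Rails' or Rack's own code): Rails 5's CSRF protection also compares the browser's Origin header with the base URL the app believes it is served from, and behind a TLS-terminating proxy that base URL is rebuilt from forwarded headers. The helper names and the request hashes below are constructed for illustration, and the model assumes Nginx terminates TLS and forwards plain HTTP to the app.

```ruby
# Simplified model of how a Rack/Rails app behind a TLS-terminating proxy
# rebuilds its own base URL and compares it with the browser's Origin header.
# Illustrative only: helper names are hypothetical, not Rails or Rack APIs.

STANDARD_PORTS = { "http" => 80, "https" => 443 }.freeze

# Scheme as the app sees it: forwarded headers win over the plain-HTTP hop.
def perceived_scheme(env)
  return "https" if env["HTTP_X_FORWARDED_SSL"] == "on"
  proto = env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip
  proto.empty? ? env.fetch("rack.url_scheme", "http") : proto
end

# Host as the app sees it: last X-Forwarded-Host entry, else the Host header.
def perceived_host(env)
  forwarded = env["HTTP_X_FORWARDED_HOST"].to_s.split(/,\s?/).last
  forwarded.nil? || forwarded.empty? ? env["HTTP_HOST"] : forwarded
end

def base_url(env)
  scheme = perceived_scheme(env)
  host, port = perceived_host(env).split(":", 2)
  port = nil if port && port.to_i == STANDARD_PORTS[scheme]
  "#{scheme}://#{host}#{port ? ":#{port}" : ''}"
end

# A missing Origin is accepted; otherwise it must equal the base URL.
def origin_check_passes?(env)
  origin = env["HTTP_ORIGIN"]
  origin.nil? || origin == base_url(env)
end

# Constructed request: the browser posts the login form over HTTPS, the proxy
# forwards it to the app over HTTP without any forwarding headers.
BEFORE_FIX = {
  "rack.url_scheme" => "http",
  "HTTP_HOST"       => "homesin.asia",
  "HTTP_ORIGIN"     => "https://homesin.asia"
}.freeze

# Same request with the headers from the Nginx block above
# (X-Forwarded-Port is carried along but not consulted by this model).
AFTER_FIX = BEFORE_FIX.merge(
  "HTTP_X_FORWARDED_SSL"  => "on",
  "HTTP_X_FORWARDED_PORT" => "443",
  "HTTP_X_FORWARDED_HOST" => "homesin.asia"
).freeze

[BEFORE_FIX, AFTER_FIX].each { |e| puts "#{base_url(e)} origin_ok=#{origin_check_passes?(e)}" }
```

Logging `request.base_url` next to the `Origin` header in the real app is a quick way to confirm the same mismatch before touching the proxy config.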

Extra Details

This all happened when I configured Let's Encrypt wildcard SSL on the domain. Any form submission might have resulted in the ActionController::InvalidAuthenticityToken error, but I only checked the login form (Devise).