My setup looks like the following: a CloudFront CDN with HTTPS only and an EC2 instance origin that is HTTP-only (all requests made to CloudFront are HTTPS, all requests made from CloudFront to EC2 are HTTP).
If I set `secure` to true in my application, sessions and cookies are no longer saved in any browser. If I set it to false it works in most browsers, but it does not work in Safari.
Rails.application.config.session_store :cookie_store, key: '_K_session', secure: true
My goal is to get sessions working in all browsers. I don't really need the secure session setting.
Here is my simplified Terraform setup:
resource "aws_cloudfront_distribution" "main_rails_app" {
  origin {
    domain_name = "${aws_elastic_beanstalk_environment.main_rails_app.cname}"
    origin_id   = "${var.cf_main_rails_app_origin_id}"

    custom_origin_config {
      http_port              = "80"
      https_port             = "443"
      origin_protocol_policy = "http-only"
      origin_ssl_protocols   = ["TLSv1.1"]
    }
  }

  default_cache_behavior {
    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods   = ["GET", "HEAD", "OPTIONS"]
    target_origin_id = "${var.cf_main_rails_app_origin_id}"

    forwarded_values {
      query_string = true
      headers      = ["*"]

      cookies {
        forward = "all"
      }
    }

    min_ttl                = 0
    default_ttl            = 0
    max_ttl                = 0
    compress               = true
    viewer_protocol_policy = "redirect-to-https"
  }

  viewer_certificate {
    # cloudfront_default_certificate = true
    acm_certificate_arn      = "${data.aws_acm_certificate.some_domain.arn}"
    minimum_protocol_version = "TLSv1.1_2016"
    ssl_support_method       = "sni-only"
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }
}
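The behaviour described in the question (a `secure: true` session cookie that never reaches the browser when the origin is HTTP-only) comes down to how Rack and Rails decide whether a request is TLS. Rails' cookie jar only writes a cookie flagged `Secure` when `request.ssl?` is true, and behind a proxy that talks plain HTTP to the origin that is only the case if a forwarded-protocol header reaches the app. The following is an added, self-contained Ruby model of that decision, not code from the question or from Rails itself; it re-implements the relevant scheme/`ssl?` logic in plain Ruby and uses constructed Rack-style env hashes. The `HTTP_X_FORWARDED_PROTO` header in the second env is an assumption about what the proxy chain could forward, not something the posted Terraform guarantees.

```ruby
# Added example (not from the question or from Rails): models how Rack/Rails
# decide whether a request counts as TLS, and therefore whether a cookie
# declared with `secure: true` is emitted at all. Pure Ruby, no Rails required.

# Mirrors Rack::Request#scheme: an explicit HTTPS flag first, then the
# X-Forwarded-* family a TLS-terminating proxy may set, then the scheme of the
# origin-side connection (which is plain "http" for an http-only origin).
def effective_scheme(env)
  return 'https' if env['HTTPS'] == 'on'
  return 'https' if env['HTTP_X_FORWARDED_SSL'] == 'on'
  return env['HTTP_X_FORWARDED_SCHEME'] if env['HTTP_X_FORWARDED_SCHEME']
  if (proto = env['HTTP_X_FORWARDED_PROTO'])
    # Only the first hop's value counts when several proxies appended to it.
    return proto.split(',').first.strip
  end
  env['rack.url_scheme']
end

def ssl?(env)
  effective_scheme(env) == 'https'
end

# Mirrors ActionDispatch's rule: a Secure cookie is written only when the
# request itself is seen as TLS. Returns the Set-Cookie value, or nil when the
# cookie is silently dropped (which is what the question observes).
def session_set_cookie(env, key, value, secure:)
  return nil if secure && !ssl?(env)
  parts = ["#{key}=#{value}", 'path=/', 'HttpOnly', 'SameSite=Lax']
  parts << 'Secure' if secure
  parts.join('; ')
end

# Constructed env: the viewer spoke HTTPS to the CDN, but the CDN reached the
# http-only origin without any forwarded-protocol header.
ORIGIN_HTTP_NO_PROTO = { 'rack.url_scheme' => 'http' }.freeze

# Constructed env (assumption): same path, but the proxy chain forwards the
# viewer's protocol as X-Forwarded-Proto, so the app can tell it was HTTPS.
ORIGIN_HTTP_WITH_PROTO = {
  'rack.url_scheme' => 'http',
  'HTTP_X_FORWARDED_PROTO' => 'https'
}.freeze

if __FILE__ == $PROGRAM_NAME
  [ORIGIN_HTTP_NO_PROTO, ORIGIN_HTTP_WITH_PROTO].each do |env|
    puts session_set_cookie(env, '_K_session', 'abc', secure: true).inspect
  end
end
```

Run it with `ruby cookie_secure_check.rb`: the first env yields `nil` (no Set-Cookie header, so no session in any browser), the second yields a Set-Cookie line carrying `Secure`. The defender's takeaway is that `secure: true` is only meaningful when the application can actually observe the viewer-side TLS, so the forwarded-protocol header (and trusting it only from the proxy) is the piece to verify before loosening the cookie flag.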