https for rails 2

Posted by Joel Jensen Tue, 28 Aug 2007 05:27:00 GMT

Heres some tips for rails https.

First – use the plugin SslRequirement. But REMEMBER this ONLY works on controllers that are listed in the routes.rb file as RESOURCES

map.resources :blahblah

IE they only work on resources. Period. For non resource controllers, you will have to stick it in the links.

<%= button_to "Checkout", {:action => :checkout,:controller=>"catalog",:protocol=>"https://",:only_path=>false },{}%>

Here is how to use the ssl plugin

ruby script/plugin install ssl_requirement


class ApplicationController < ActiveRecord::Base
    include SslRequirement
end


class AccountController < ApplicationController
    ssl_required :signup, :payment
    ssl_allowed :index

    def signup
      # Non-SSL access will be redirected to SSL
    end

    def payment
      # Non-SSL access will be redirected to SSL
    end

    def index
      # This action will work either with or without SSL
    end

    def other
      # SSL access will be redirected to non-SSL
    end
end

Next Here is a working apache / mongrel config for a https ssl virtualhost. REMEMBER enable proxy, rewrite, and headers in the apache modules stanza

<IfDefine SSL>
<IfDefine !NOSSL>
<VirtualHost 192.168.1.42:443>
    DocumentRoot /srv/www/site-name/current/public
    ServerName www.site-name.com:443
    ServerAdmin webmaster@site-name.com
    ErrorLog /var/log/apache2/site-name.com-error_log
    CustomLog  /var/log/apache2/site-name.com-access_log combined
    HostnameLookups Off
    UseCanonicalName Off
    ServerSignature Off

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL 
    SSLCertificateFile    /etc/apache2/site-name-ssl/www.site-name.com.crt
    SSLCertificateKeyFile /etc/apache2/site-name-ssl/site-name.key
    SSLCertificateChainFile  /etc/apache2/site-name-ssl/gd_intermediate_bundle.crt
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

    <Directory "/srv/www/site-name/current/public">
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    RewriteEngine On


    # Don't do forward proxying
    ProxyRequests Off

    # Enable reverse proxying
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>


    RequestHeader set X_FORWARDED_PROTO 'https'

    RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
    RewriteCond %{SCRIPT_FILENAME} !maintenance.html
    RewriteRule ^.*$ /system/maintenance.html [L]

    RewriteRule ^/$ /index.html [QSA] 
    RewriteRule ^([^.]+)$ $1.html [QSA]


    # Redirect all non-static requests to cluster
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
    RewriteRule .* http://127.0.0.1:3000%{REQUEST_URI} [L,P,QSA]

    # Deflate
    AddOutputFilterByType DEFLATE text/html text/plain text/css text/xml application/xml application/xhtml+xml text/javascript 
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

</VirtualHost>                                  

</IfDefine>
</IfDefine>

My pain is your gain.

Comments

Leave a comment

  1. Chris Cera 10 months later:

    I’d like to point out that this line in the apache configuration is critical for certain installations:

    RequestHeader set XFORWARDEDPROTO ‘https’

    Without this, the CgiRequest’s ssl?() method will not know that you are in https. I don’t know the exact reason for this, but I heard it has something to do with how mod_rewrite and mongrel interact with each other.

    Thanks for the post.

  2. proxy sites over 2 years later:

    Going to play with it, right away. Will post updates. Cool bit.

Comments