include Rack::SSL to upgrade all requests to ssl

1 parent ff61584 commit 18e895c2475c65148c4086361e49e6a07428d7f7 @maxwell maxwell committed Jan 18, 2012
Showing with 7 additions and 0 deletions.
  1. +1 −0 Gemfile
  2. +3 −0 Gemfile.lock
  3. +3 −0 config/environments/production.rb
1 Gemfile
@@ -32,6 +32,7 @@ group :production do # we don't install these on travis to speed up test runs
gem 'newrelic_rpm'
gem 'rack-google-analytics', :require => 'rack/google-analytics'
gem 'rack-piwik', :require => 'rack/piwik'
+ gem 'rack-ssl', :require => 'rack/ssl'
# configuration
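Review bot: the added `gem 'rack-ssl', :require => 'rack/ssl'` line sits inside `group :production`, which the hunk header's comment says is not installed on travis, so the middleware that redirects every request is never loaded during test runs. Consider moving it out of the production-only group, or otherwise covering the redirect behaviour in a test, and adding a version constraint here so the Gemfile records the same 1.3.x line that Gemfile.lock resolves to.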
3 Gemfile.lock
@@ -293,6 +293,8 @@ GEM
rack-mount (0.6.14)
rack (>= 1.0.0)
rack-piwik (0.1.2)
+ rack-ssl (1.3.2)
+ rack
rack-test (0.5.7)
rack (>= 1.0)
rails (3.0.11)
@@ -473,6 +475,7 @@ DEPENDENCIES
+ rack-ssl
rails (= 3.0.11)
redcarpet (= 2.0.1)
3 config/environments/production.rb
@@ -37,6 +37,9 @@
# In production, Apache or nginx will already do this
config.serve_static_assets = false
+ #force ssl in production
+ config.middleware.insert_before ActionDispatch::Static, "Rack::SSL"
# Enable serving of images, stylesheets, and javascripts from an asset server
# config.action_controller.asset_host = ""
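Review bot: the added `config.middleware.insert_before ActionDispatch::Static, "Rack::SSL"` line is unconditional, so every pod that runs the production environment gets the middleware with no configuration switch to leave it out, including pods that are served over plain HTTP or that already handle SSL in front of the app. Suggest wrapping the insert in a check on a pod setting, and expanding the `#force ssl in production` comment to say what happens to plain-HTTP requests and how an operator turns the behaviour off.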

7 comments on commit 18e895c


Will this throw the non-ssl pods offline?

diaspora* social network member

hrm it might, but much of cubbies (and all other future apps), webfinger, and other features require ssl to be working. I guess we should add an option a http pod runner must set in order for the pod to run without this middleware.


Or just throw a warning about going all ssl and a note about startssl.. the pods without ssl could go and grab a free cert.

diaspora* social network member

Good thinking about the warning.

diaspora* social network member

I don't really like this either. It should be done by the reverse proxy.

diaspora* social network member

That's what the setting is for. On Heroku you can't do it through a reverse proxy, and we want to be able to support Heroku.

diaspora* social network member

Also, it is a simpler setup for new pod runners, as SSL is required. If you want the optimization of doing it via reverse proxy, you can enable it in the settings, but this is about creating the right defaults for Diaspora in a domain we can control.
