include Rack::SSL to upgrade all requests to ssl

1 parent ff61584 commit 18e895c2475c65148c4086361e49e6a07428d7f7 @maxwell maxwell committed Jan 18, 2012
Showing with 7 additions and 0 deletions.
  1. +1 −0 Gemfile
  2. +3 −0 Gemfile.lock
  3. +3 −0 config/environments/production.rb
1 Gemfile
@@ -32,6 +32,7 @@ group :production do # we don't install these on travis to speed up test runs
gem 'newrelic_rpm'
gem 'rack-google-analytics', :require => 'rack/google-analytics'
gem 'rack-piwik', :require => 'rack/piwik'
+ gem 'rack-ssl', :require => 'rack/ssl'
end
# configuration
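Review bot: placing `rack-ssl` inside `group :production` means `Rack::SSL` is never loaded in development or test, so the only place a missing or broken gem shows up is a production boot, and this is presumably why `config/environments/production.rb` has to reference the middleware by the string `"Rack::SSL"` rather than the constant. Consider either moving the gem out of the group (it is tiny and has only a `rack` dependency) or adding a CI step that boots the app with `RAILS_ENV=production` so the middleware stack is actually built before deploy.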
3 Gemfile.lock
@@ -293,6 +293,8 @@ GEM
rack-mount (0.6.14)
rack (>= 1.0.0)
rack-piwik (0.1.2)
+ rack-ssl (1.3.2)
+ rack
rack-test (0.5.7)
rack (>= 1.0)
rails (3.0.11)
@@ -473,6 +475,7 @@ DEPENDENCIES
pg
rack-google-analytics
rack-piwik
+ rack-ssl
rails (= 3.0.11)
rails-i18n
redcarpet (= 2.0.1)
3 config/environments/production.rb
@@ -37,6 +37,9 @@
# In production, Apache or nginx will already do this
config.serve_static_assets = false
+ #force ssl in production
+ config.middleware.insert_before ActionDispatch::Static, "Rack::SSL"
+
# Enable serving of images, stylesheets, and javascripts from an asset server
# config.action_controller.asset_host = "http://assets.example.com"
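Review bot: `config.middleware.insert_before ActionDispatch::Static, "Rack::SSL"` anchors on a middleware that this same file disables two lines earlier with `config.serve_static_assets = false`; on Rails 3.0 (the lockfile pins 3.0.11) `ActionDispatch::Static` is only added to the stack when that setting is true, and `insert_before` on an absent middleware raises at boot, so verify this on a production boot or insert at position 0 (`config.middleware.insert 0, "Rack::SSL"`) instead. The insertion is also unconditional: there is no setting to skip it for pods that terminate TLS at the reverse proxy, and when a proxy sits in front, `Rack::SSL` needs the forwarded-scheme header from that proxy to recognise the request as already HTTPS, otherwise every request redirects to itself; a config flag with a comment on the proxy requirement would address both the redirect-loop risk and the concern raised in the comments below.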

7 comments on commit 18e895c

@dmorley

Will this throw the non-ssl pods offline?

@maxwell
diaspora* social network member

hrm it might, but much of cubbies (and all other future apps), webfinger, and other features require ssl to be working. I guess we should add an option a http pod runner must set in order for the pod to run without this middleware.

@dmorley

Or just throw a warning about going all ssl and a note about startssl.. the pods without ssl could go and grab a free cert.

@maxwell
diaspora* social network member

Good thinking about the warning.

@jhass
diaspora* social network member

I don't really like this either. It should be done by the reverse proxy.

@sarahmei
diaspora* social network member

That's what the setting is for. On Heroku you can't do it through a reverse proxy, and we want to be able to support Heroku.

@maxwell
diaspora* social network member

Also, it is simpler setup for new pod runners, as SSL is required. If you want the optimization of doing it via reverse proxy, you can enable it in the settings, but this is about creating the right defaults for Diaspora in a domain we can control.
