include Rack::SSL to upgrade all requests to ssl

commit 18e895c2475c65148c4086361e49e6a07428d7f7 1 parent ff61584
@maxwell maxwell authored
Showing with 7 additions and 0 deletions.
  1. +1 −0  Gemfile
  2. +3 −0  Gemfile.lock
  3. +3 −0  config/environments/production.rb
1  Gemfile
@@ -32,6 +32,7 @@ group :production do # we don't install these on travis to speed up test runs
gem 'newrelic_rpm'
gem 'rack-google-analytics', :require => 'rack/google-analytics'
gem 'rack-piwik', :require => 'rack/piwik'
+ gem 'rack-ssl', :require => 'rack/ssl'
end
# configuration
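Review bot: the added gem 'rack-ssl' line has no version constraint, and it sits inside the :production group, which the group's own comment says is not installed on travis. The middleware that production.rb now depends on is therefore never loaded during the test run. Consider constraining the version (the lock file resolves 1.3.2) and loading the gem in an environment where a spec can exercise the redirect.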
3  Gemfile.lock
@@ -293,6 +293,8 @@ GEM
rack-mount (0.6.14)
rack (>= 1.0.0)
rack-piwik (0.1.2)
+ rack-ssl (1.3.2)
+ rack
rack-test (0.5.7)
rack (>= 1.0)
rails (3.0.11)
@@ -473,6 +475,7 @@ DEPENDENCIES
pg
rack-google-analytics
rack-piwik
+ rack-ssl
rails (= 3.0.11)
rails-i18n
redcarpet (= 2.0.1)
3  config/environments/production.rb
@@ -37,6 +37,9 @@
# In production, Apache or nginx will already do this
config.serve_static_assets = false
+ #force ssl in production
+ config.middleware.insert_before ActionDispatch::Static, "Rack::SSL"
+
# Enable serving of images, stylesheets, and javascripts from an asset server
# config.action_controller.asset_host = "http://assets.example.com"
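Review bot: the insert_before line adds Rack::SSL to every production deployment unconditionally, so an installation served over plain HTTP has no way to opt out. Guard the insert with a configuration setting that defaults to on, and expand the "#force ssl in production" comment to state what happens to plain-HTTP requests. Because the middleware is passed as the string "Rack::SSL", it also relies on the Gemfile's :require => 'rack/ssl' having been loaded in this environment.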

7 comments on commit 18e895c

@dmorley

Will this throw the non-ssl pods offline?

@maxwell
Owner

hrm it might, but much of cubbies (and all other future apps), webfinger, and other features require ssl to be working. I guess we should add an option an http pod runner must set in order for the pod to run without this middleware.

@dmorley

Or just throw a warning about going all ssl and a note about startssl.. the pods without ssl could go and grab a free cert.

@maxwell
Owner

Good thinking about the warning.

@jhass
Owner

I don't really like this either. It should be done by the reverse proxy.

@sarahmei
Owner

That's what the setting is for. On Heroku you can't do it through a reverse proxy, and we want to be able to support Heroku.

@maxwell
Owner

Also, it is a simpler setup for new pod runners, as SSL is required. If you want the optimization of doing it via reverse proxy, you can enable it in the settings, but this is about creating the right defaults for Diaspora in a domain we can control.
