h1. Enforce SSL for your controllers

p. this is derived from the "rails/ssl_requirement":http://github.org/rails/ssl_requirement and adopts a stricter approach: *secure everything and open it up only when and where needed*.

h2. usage

p. it requires rails3. for installation add the gem to your _Gemfile_

bc. gem 'enforce-ssl'

p. this activates the *enforce-ssl* before_filter for all controllers, i.e.
all requests that come in over http are redirected to the https url, obeying the configured ssl port.

h3. configure the ssl/no_ssl port

p. configure the enforced ssl and no-ssl ports with the following (default => { development => 8080/8443, production => 80/443 })

bc. config.ssl_port = 8443
config.no_ssl_port = 8080

p. for development you can do that in _config/environments/development.rb_.

h3. configure HSTS - HTTP Strict Transport Security

p. there are two config parameters for HSTS: hsts_include_sub_domain (default false) and hsts_max_age (default 31536000, which is one year in seconds).

p. this configuration is *only used during production*, so it is sufficient to configure it in _config/environments/production.rb_

bc. config.hsts_include_sub_domain = false
config.hsts_max_age = 31536000
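
p. an added example, not code from the *enforce-ssl* gem itself: a plain-Ruby model of what the before_filter described in the usage and HSTS sections does, i.e. the http to https redirect onto the configured ssl port and the Strict-Transport-Security header that is emitted only in production. the names @EnforceSslConfig@, @Request@ and @enforce_ssl@ are assumptions made for this example; the option names mirror the ones above.

```ruby
# Added example: a plain-Ruby model of the enforce-ssl before_filter, not the
# gem's own code. Names (EnforceSslConfig, Request, enforce_ssl) are assumed.
require 'uri'

# Config mirroring the README's option names; default ports follow the README
# (development => 8080/8443, production => 80/443, hsts_max_age one year).
EnforceSslConfig = Struct.new(:env, :ssl_port, :no_ssl_port,
                              :hsts_max_age, :hsts_include_sub_domain) do
  def self.defaults(env)
    no_ssl, ssl = env == 'production' ? [80, 443] : [8080, 8443]
    new(env, ssl, no_ssl, 31_536_000, false)
  end
end

# Minimal stand-in for the parts of a Rails request the filter looks at.
Request = Struct.new(:scheme, :host, :port, :path)

# Returns [:redirect, url] for a plain-http request (same host and path on
# the configured ssl port), or [:ok, headers] for an https request; the HSTS
# header is only added when env is production, as the README states.
def enforce_ssl(request, config)
  unless request.scheme == 'https'
    # Omit the port from the URL when it is the scheme default (443).
    port = config.ssl_port == 443 ? nil : config.ssl_port
    url = URI::HTTPS.build(host: request.host, port: port, path: request.path)
    return [:redirect, url.to_s]
  end

  headers = {}
  if config.env == 'production'
    hsts = "max-age=#{config.hsts_max_age}"
    hsts += '; includeSubDomains' if config.hsts_include_sub_domain
    headers['Strict-Transport-Security'] = hsts
  end
  [:ok, headers]
end

# Constructed sample requests; run this file to see both branches.
if __FILE__ == $PROGRAM_NAME
  dev = EnforceSslConfig.defaults('development')
  p enforce_ssl(Request.new('http', 'localhost', 8080, '/admin'), dev)
  prod = EnforceSslConfig.defaults('production')
  p enforce_ssl(Request.new('https', 'example.com', 443, '/'), prod)
end
```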

h3. using a webserver which listens to http + https

p. if your Gemfile allows using JRuby as the interpreter then you can use *jetty-run* from the *ruby-maven* gem (jruby only) to have both an http and an https port listening for requests. that is how the defaults are set up.

p. webrick can handle ssl as well. here is a blog post which explains how to get ssl working for "webrick and rails3":http://www.nearinfinity.com/blogs/chris_rohr/configuring_webrick_to_use_ssl.html. but then you have *only* ssl, and you need to configure the ssl_port correctly.

p. maybe other servers can offer both ssl and non-ssl . . .

p. *NOTE*: use *https://* in your url when using the ssl port or webrick with ssl

h3. allow http for some controllers or some actions

p. use the *skip_before_filter* declaration with its *:only* and *:except* options to control where you want to allow http alongside https.

bc. skip_before_filter :enforce_ssl

p. or

bc. skip_before_filter :enforce_ssl, :only => :index

p. or

bc. skip_before_filter :enforce_ssl, :except => :show