h1. Enforce SSL for your controllers

p. this gem is derived from "rails/ssl_requirement":http://github.org/rails/ssl_requirement but takes a stricter approach: *secure everything and open it up only when and where needed*.

h2. usage

p. it requires Rails 3. to install, add the gem to your _Gemfile_:

bc. gem 'enforce-ssl'

p. this activates the *enforce_ssl* before_filter for all controllers, i.e. every request that comes in over http is redirected to the corresponding https url on the configured ssl port.

h3. configure the ssl/no_ssl port

p. configure the enforced ssl port and the plain http port (defaults: development => 8080/8443, production => 80/443):

bc. config.ssl_port = 8443
config.no_ssl_port = 8080

p. for development you can set these in _config/environments/development.rb_.
22
h3. configure HSTS - HTTP Strict Transport Security
24
p. there are two config parameters for HSTS: hsts_include_sub_domain (default false) and hsts_max_age (default 31536000, which is one year in seconds).
26
p. these settings are *only used in production*, so it is sufficient to configure them in _config/environments/production.rb_:

bc. config.hsts_include_sub_domain = false
config.hsts_max_age = 31536000

h3. using a webserver which listens to http + https
33
p. if your Gemfile allows JRuby as the interpreter, you can use *jetty-run* from the *ruby-maven* gem (JRuby only) to have both an http and an https port listening for requests. that is how the defaults are set up.

p. webrick can handle ssl as well; this blog post explains how to get ssl working for "webrick and rails3":http://www.nearinfinity.com/blogs/chris_rohr/configuring_webrick_to_use_ssl.html. but then you have *only* ssl, and you need to configure the ssl_port accordingly.

p. other servers may offer both ssl and non-ssl as well . . .

p. *NOTE*: use *https://* in your url when using the ssl port or webrick with ssl.

h3. allow http for some controllers or some actions

p. use the *skip_before_filter* declaration with its *:only* and *:except* options to control where you want to allow http alongside https.

bc. skip_before_filter :enforce_ssl

p. or

bc. skip_before_filter :enforce_ssl, :only => :index

p. or

bc. skip_before_filter :enforce_ssl, :except => :show
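p. the redirect, port and HSTS behaviour described in the sections above, together with the *:only*/*:except* skip semantics of this section, modelled in plain Ruby as an added example (this is not the gem's code; the class name EnforceSslPolicy, the request hash shape and the 301 redirect status are assumptions):

```ruby
require 'uri'
# Plain-Ruby model of the enforce_ssl before_filter (added example, not the
# gem's code): redirect plain http to https on the configured ssl port and
# add the HSTS header to https responses in production only.
class EnforceSslPolicy
  Config = Struct.new(:ssl_port, :no_ssl_port, :hsts_max_age,
                      :hsts_include_sub_domain, :production)

  # The defaults quoted in the readme: development 8080/8443, production 80/443.
  DEFAULTS = {
    development: Config.new(8443, 8080, 31_536_000, false, false),
    production:  Config.new(443, 80, 31_536_000, false, true)
  }.freeze

  def initialize(config)
    @config = config
  end

  # request is a constructed hash { scheme:, host:, path: } standing in for
  # the Rails request object. Using 301 for the redirect is an assumption.
  def call(request)
    unless request[:scheme] == 'https'
      port = @config.ssl_port == 443 ? nil : @config.ssl_port # omit default port
      target = URI::HTTPS.build(host: request[:host], port: port,
                                path: request[:path]).to_s
      return { status: 301, location: target, headers: {} }
    end
    headers = {}
    # HSTS is only meaningful on an https response, and the readme says the
    # settings are only used in production.
    headers['Strict-Transport-Security'] = hsts_value if @config.production
    { status: 200, location: nil, headers: headers }
  end

  # Strict-Transport-Security header value as defined by RFC 6797.
  def hsts_value
    directives = ["max-age=#{@config.hsts_max_age}"]
    directives << 'includeSubDomains' if @config.hsts_include_sub_domain
    directives.join('; ')
  end

  # Models skip_before_filter :enforce_ssl with :only / :except: true when the
  # filter is skipped (plain http allowed) for the given action.
  def self.skipped?(action, only: nil, except: nil)
    return Array(only).include?(action) if only
    return !Array(except).include?(action) if except
    true
  end
end
```

Behind a TLS-terminating reverse proxy the scheme has to be taken from the forwarded headers rather than the socket, which this model does not handle.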