add pom and Mavenfile and revised readme

commit 22741938ee36d546725e1c1267937b0bfd4b9070 1 parent cf167a7
Christian Meier authored March 15, 2011
2  .gitignore
@@ -1,2 +1,4 @@
1 1
 target
  2
+*.files
2 3
 *.pom
  4
+*~
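Review bot: the commit message says it adds a pom, but `*.pom` stays ignored on line 2 of this file and no pom appears anywhere in this diff; if the pom is generated from the Mavenfile by ruby-maven that is fine, but say so in the message or README, otherwise readers will go looking for a checked-in pom.xml that does not exist. The two new patterns `*.files` and `*~` are tool and editor leftovers and are harmless.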
14  README.textile
@@ -1,8 +1,8 @@
1 1
 h1. Enforce SSL for you controllers
2 2
 
3  
-p. with the advent of hijacking tools for dummies like "firesheep":http://codebutler.github.com/firesheep the need for securing your sessions with ssl is there.
  3
+p. with the advent of hijacking tools for dummies like "firesheep":http://codebutler.github.com/firesheep the need for securing your sessions with ssl is there and it is important that every and any request goes over ssl. this plugin does make the server side *secure* by redirecting the browser to the ssl port if not used. the client side there is "HTTP_Strict_Transport_Security (HSTS)":http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security which is implemented by all modern browsers but it relies on a valid (not self-signed) certificate. with that HSTS header in place the browser uses only https requests to communicate with the server.
4 4
 
5  
-p. this is derived from the "rails/ssl_requirement":http://github.org/rails/ssl_requirement and adopted a more strict approach: *secure everything and open it where needed*.
  5
+p. this gem is derived from the "rails/ssl_requirement":http://github.org/rails/ssl_requirement and adopted a more strict approach: *secure everything and open it where needed*. also it adds HSTS support per default on production - you can turn it off per config.
6 6
 
7 7
 p. info about the actual gem please look into the directory "enforce-ssl-gem":http://github.org/mkristian/enforce-ssl/tree/master/enforce-ssl-gem
8 8
 
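Review bot: the HSTS paragraph should state that browsers only honour `Strict-Transport-Security` on responses received over https and ignore it on plain http, so the very first http request from a browser that has never seen the header is still redirected in the clear and can be intercepted; the redirect-plus-HSTS combination protects repeat visitors, not the first visit, and that caveat belongs next to the firesheep motivation. Also the links on these lines point at `http://github.org/...` and should be `http://github.com/...`, and the heading "Enforce SSL for you controllers" should read "for your controllers".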
@@ -12,12 +12,16 @@ p. the "demo":http://github.org/mkristian/enforce-ssl/tree/master/demo is a samp
12 12
 
13 13
 h2. run all the tests + integrations-tests in one go
14 14
 
15  
-p. first you need jruby for this ! then you need to install
  15
+p. first you need jruby for this ! then you need to install ruby-maven
16 16
 
17  
-bc.         jruby -S gem 'ruby-maven'
  17
+bc.         jruby -S gem install ruby-maven
18 18
 
19 19
 p. which allows to run the integration-tests from the demo with jetty.
20 20
 
21 21
 p. now you can execute
22 22
 
23  
-bc.         rmvn verify
  23
+bc.         rmvn install
  24
+
  25
+h2. ruby-maven
  26
+
  27
+p. this gem comes with command *jetty-run* which runs a jetty server with a http port and https port so with this you "test" this rails plugin. in case you start the regular webrick on port 3000 (or any other then 8080) will not apply the ssl redirect, so you can develop your application as usual with those server.
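Review bot: the new last paragraph makes the ssl redirect depend on the port the server listens on ("any other then 8080 will not apply the ssl redirect"), which is a silent fail-open: an app started on a non-default port, or behind a proxy, gets no redirect and no warning. Document that this port-based bypass is intended for development only, or better, key the bypass on the Rails environment rather than the port number, and say which port the check actually compares against instead of the literal 8080. Wording: "this gem comes with command *jetty-run*" under the "ruby-maven" heading is ambiguous (say "the ruby-maven gem comes with the command *jetty-run*"), "any other then 8080" should be "any other than 8080", and "with those server" should be "with those servers".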
4  enforce-ssl-gem/Mavenfile
@@ -0,0 +1,4 @@
  1
+execute_in_phase(:install) do
  2
+puts "hello"
  3
+end
  4
+properties['jruby.plugins.version'] = '0.25.0-SNAPSHOT'
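Review bot: `properties['jruby.plugins.version'] = '0.25.0-SNAPSHOT'` pins the build to a snapshot, which Maven resolves to whatever was most recently deployed under that name, so the build is not reproducible and will silently pick up new, unreviewed plugin code on each run; pin a released version as soon as one exists. The `execute_in_phase(:install) do puts "hello" end` block is a placeholder and should be removed or replaced with the real install step before this is merged.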
30  enforce-ssl-gem/README.textile
@@ -1,33 +1,41 @@
1 1
 h1. Enforce SSL for you controllers
2 2
 
3  
-p. this is derived from the "rails/ssl_requirement":http://github.org/rails/ssl_requirement and adopted a more strict approach: *secure everything and open it where needed*.
4  
-
5  
-p. info about the actual gem please look into the directory "enforce-ssl-gem":http://github.org/mkristian/enforce-ssl/tree/master/enforce-ssl-gem
  3
+p. this is derived from the "rails/ssl_requirement":http://github.org/rails/ssl_requirement and adopted a more strict approach: *secure everything and open it when and where needed*.
6 4
 
7 5
 h2. usage
8 6
 
9  
-p. it requires rails2. for installation add the gem in 'Gemfile'
  7
+p. it requires rails3. for installation add the gem in _Gemfile_
10 8
 
11 9
 bc.         gem 'enforce-ssl'
12 10
 
13  
-p. this activates the 'enforce-ssl' before_filter for all controllers, i.e.
  11
+p. this activates the *enforce-ssl* before_filter for all controllers, i.e.
14 12
 all requests which comes in as http will be redirected to the https url obeying the configured ssl port.
15 13
 
16  
-h3. configure the ssl port
  14
+h3. configure the ssl/no_ssl port
17 15
 
18  
-p. configure the enforced ssl port with (default => { development => 3000, production => 443)
  16
+p. configure the enforced ssl port with (default => { development => 8080/8443, production => 80/443)
19 17
 
20 18
 bc.   config.ssl_port = 8443
  19
+   config.no_ssl_port = 8080
  20
+
  21
+p. for development you can do that in _config/environments/development.rb_.
  22
+
  23
+h3. configure HSTS - HTTP Strict Transport Security
  24
+
  25
+p. there are two config parameters for HSTS: hsts_include_sub_domain (default false) and hsts_max_age (default 31536000 which is one year in seconds). 
  26
+
  27
+p. these configuration is *only used during production* so it sufficient to configure it in _config/environments/production.rb_
21 28
 
22  
-p. for development you can do that in 'config/environments/development.rb'.
  29
+bc.   config.hsts_include_sub_domain = false
  30
+   config.hsts_max_age = 31536000
23 31
 
24 32
 h3. using a webserver which listens to http + https
25 33
 
26  
-p. if your Gemfile allows to JRuby as interpreter then you can use the *jetty-run* from the *ruby-maven* gem (jruby only) to have both an http and an https port listing for requests.
  34
+p. if your Gemfile allows to use JRuby as interpreter then you can use the *jetty-run* from the *ruby-maven* gem (jruby only) to have both an http and an https port listing for requests. that is how the defaults are set up.
27 35
 
28  
-p. webrick can handle ssl as well here a blog which explains how to get ssl working for "webrick and rails3":http://www.nearinfinity.com/blogs/chris_rohr/configuring_webrick_to_use_ssl.html. but you have *only* ssl then !
  36
+p. webrick can handle ssl as well. here a blog which explains how to get ssl working for "webrick and rails3":http://www.nearinfinity.com/blogs/chris_rohr/configuring_webrick_to_use_ssl.html. but you have *only* ssl then and you need to configure the ssl_port correctly.
29 37
 
30  
-p. maybe other servers can offer you both ssl and none-ssl . . .
  38
+p. maybe other servers can offer both ssl and none-ssl . . .
31 39
 
32 40
 p. *NOTE*: use *https://* in your url when using the ssl port or webrick with ssl
33 41
 
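Review bot: the HSTS section should warn that with `hsts_max_age = 31536000` every browser that has seen the header will refuse plain http for that site for a year, and `hsts_include_sub_domain = true` extends that to every subdomain, including ones that do not serve https yet; tell users to start with a short max_age while testing and to confirm every subdomain has a valid certificate before enabling the sub-domain flag. It should also say that the header only has effect on https responses, which matters given the "only used during production" note. Wording: "these configuration is *only used during production* so it sufficient" should be "this configuration is *only used during production*, so it is sufficient", "for you controllers" should be "for your controllers", and "listing for requests" should be "listening for requests". The defaults line "(default => { development => 8080/8443, production => 80/443)" is missing its closing brace.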
13  enforce-ssl-gem/enforce-ssl.gemspec
@@ -17,17 +17,4 @@ Gem::Specification.new do |s|
17 17
 #  s.rdoc_options = ['--main','README.textile']
18 18
   s.files += Dir['lib/**/*']
19 19
   s.add_development_dependency 'rake', '0.8.7'
20  
-
21  
-  s.post_install_message = <<-TEXT
22  
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
23  
-configure the enforced ssl port with 
24  
-(default => { development => 3000, production => 443 }):
25  
-
26  
-   config.ssl_port = 8443
27  
-
28  
-for development you can do that in 'config/environments/development.rb'. 
29  
-you can use 'jetty-run' from 'ruby-maven' gem (jruby only) to have both 
30  
-an http and an https port listing for requests.
31  
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
32  
-TEXT
33 20
 end
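Review bot: dropping the post_install_message is the right call, since it advertised defaults ("development => 3000, production => 443") that contradict the 8080/8443 defaults documented in the README in this same commit, and post-install output is rarely read; check that nothing else in the gem still states 3000 as the development ssl port.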
