Rack::SslEnforcer is a simple Rack middleware to enforce ssl connections. As of Version 0.2.0, Rack::SslEnforcer marks Cookies as secure by default (HSTS must be set manually). Tested on Ruby 1.8.7 & 1.9.2
gem install rack-ssl-enforcer
require 'rack/ssl-enforcer' use Rack::SslEnforcer
Or, if you are using Bundler, just add this to your Gemfile:
gem 'rack-ssl-enforcer'
To use Rack::SslEnforcer in your Rails application, add the following line to your application config file (config/application.rb for Rails3, config/environment.rb for Rails2):
config.middleware.use Rack::SslEnforcer
If all you want is SSL for your whole application, you are done! However, you can specify some
You might need the :redirect_to option if the requested URL can’t be determined (e.g. if using a proxy).
config.middleware.use Rack::SslEnforcer, :redirect_to => 'https://example.org'
You can also define specific regex patterns or paths or hosts to redirect.
config.middleware.use Rack::SslEnforcer, :only => /^\/admin\// config.middleware.use Rack::SslEnforcer, :only => "/login" config.middleware.use Rack::SslEnforcer, :only => ["/login", /\.xml$/] config.middleware.use Rack::SslEnforcer, :only_hosts => 'api.example.com' config.middleware.use Rack::SslEnforcer, :only_hosts => ["[www|api]\.example\.org", 'example.com'] config.middleware.use Rack::SslEnforcer, :except_hosts => 'help.example.com' config.middleware.use Rack::SslEnforcer, :except_hosts => /[help|blog]\.example\.com$/
Note: hosts options take precedence over the path options. See tests for examples.
Use the :strict option to force http for all requests not matching your :only specification
config.middleware.use Rack::SslEnforcer, :only => ["/login", /\.xml$/], :strict => true config.middleware.use Rack::SslEnforcer, :only_hosts => 'api.example.com', :strict => true
Or in the case where you have matching urls with different methods (rails restful routes: get#users post#users || get#user/:id put#user/:id) you may need to post and put to secure but redirect to http on get.
config.middleware.use Rack::SslEnforcer, :only => [/^\/users\/(.+)\/edit/], :mixed => true
The above will allow you to post/put from the secure/non-secure urls keeping the original schema.
To set HSTS expiry and subdomain inclusion (defaults: one year, true). Strict option disables HSTS.
config.middleware.use Rack::SslEnforcer, :hsts => { :expires => 500, :subdomains => false } config.middleware.use Rack::SslEnforcer, :hsts => true # equivalent to { :expires => 31536000, :subdomains => true }
-
Add configuration option to specify local http / https ports
-
Cleanup tests
Flagging cookies as secure functionality and HSTS support is greatly inspired by Joshua Peek’s Rack::SSL
-
Fork the project.
-
Make your feature addition or bug fix.
-
Add tests for it. This is important so I don’t break it in a future version unintentionally.
-
Commit, do not mess with rakefile, version, or history. (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)
-
Send me a pull request. Bonus points for topic branches.
Copyright © 2010 Tobias Matthies. See LICENSE for details.