Re: [SDRuby] Running Rails in https all the time

Thu, 17 Dec 2009 13:08:49 -0800 

Did you setup a VirtualHost running on port 443 as well as port 80?  You
need both -- the SSL VirtualHost will need to be IP based, have a valid
cert/private key, and have SSL enabled.  For the non-SSL virtualhost, point
it to an empty directory (not to your rails app) and add a .htaccess that
redirects all traffic to the HTTPS URL.  That way your Rails app will never
receive a request that's not HTTPS.  You shouldn't need a plugin for what
you're doing, as Rails won't need to know about the protocol.

Example:

<VirtualHost 1.2.3.4:443>
  ServerName www.example.com
  DocumentRoot /home/user/apps/app-production/current/public
  <Directory "/home/user/apps/app-production/current/public">
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
  </Directory>

  SSLEngine on
  SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateFile /home/user/ssl/www.example.com/www.example.com.crt
  SSLCertificateKeyFile /home/user/ssl/www.example.com/www.example.com.key
</VirtualHost>

James

On Thu, Dec 17, 2009 at 1:00 PM, Chris McCann <[email protected]> wrote:

> I've got a client who wants me to run their Ruby on Rails site using
> https all the time because of the type of information they're
> processing with the application.  I'm having trouble getting Rails to
> use the https protocol.  I've deployed to Apache2 with Passenger.
>
> I thought it would be a simple matter of getting an SSL certificate
> and configuring the web server to use it.  I added the
> X_FORWARDED_PROTO "https" line to the virtual host but that didn't do
> the trick.
>
> I know of DHH's ssl_requirement plugin, but I don't really need the
> granularity of running particular controller actions under https -- I
> want everything in https all the time.
>
> I did find post on another group that mentioned adding a re-write rule
> for the *:80 vhost like this:
>
> RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=permanent]
>
> Is this required?  Can anybody here point out what part of the
> configuration, either in Apache, Passenger or Rails, that I've
> overlooked?
>
> Thanks,
>
> Chris
>
> --
> SD Ruby mailing list
> [email protected]
> http://groups.google.com/group/sdruby
>

-- 
SD Ruby mailing list
[email protected]
http://groups.google.com/group/sdruby

Reply via email to