Don't take this the wrong way, but... hire an expert. You're not doing your client any real service taking a guess at this. There are security implications here with both the .htaccess and the rewrite solution. I don't mean to scare you, it's pretty easy to become an expert, but it's a bad idea to just pull recommendations from a mailing list (as good as that list may be) and trust that your client's site is now secure.
My 2¢

On Dec 17, 2009, at 2:48 PM, Chris McCann wrote:

> James,
>
> On re-reading your reply I realized you got a little ahead of me with
> the "add a .htaccess" part. My Apache config skills are pretty green
> -- can you give me a little more guidance? In the meantime I'll
> google it for my own education.
>
> Thanks,
>
> Chris
>
> On Dec 17, 1:08 pm, James Miller <[email protected]> wrote:
>> Did you setup a VirtualHost running on port 443 as well as port 80? You
>> need both -- the SSL VirtualHost will need to be IP based, have a valid
>> cert/private key, and have SSL enabled. For the non-SSL virtualhost, point
>> it to an empty directory (not to your rails app) and add a .htaccess that
>> redirects all traffic to the HTTPS URL. That way your Rails app will never
>> receive a request that's not HTTPS. You shouldn't need a plugin for what
>> you're doing, as Rails won't need to know about the protocol.
>>
>> Example:
>>
>> <VirtualHost 1.2.3.4:443>
>>   ServerName www.example.com
>>   DocumentRoot /home/user/apps/app-production/current/public
>>   <Directory "/home/user/apps/app-production/current/public">
>>     Options FollowSymLinks
>>     AllowOverride None
>>     Order allow,deny
>>     Allow from all
>>   </Directory>
>>
>>   SSLEngine on
>>   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>>   SSLCertificateFile /home/user/ssl/www.example.com/www.example.com.crt
>>   SSLCertificateKeyFile /home/user/ssl/www.example.com/www.example.com.key
>> </VirtualHost>
>>
>> James
>>
>> On Thu, Dec 17, 2009 at 1:00 PM, Chris McCann <[email protected]> wrote:
>>> I've got a client who wants me to run their Ruby on Rails site using
>>> https all the time because of the type of information they're
>>> processing with the application. I'm having trouble getting Rails to
>>> use the https protocol. I've deployed to Apache2 with Passenger.
>>>
>>> I thought it would be a simple matter of getting an SSL certificate
>>> and configuring the web server to use it. I added the
>>> X_FORWARDED_PROTO "https" line to the virtual host but that didn't do
>>> the trick.
>>>
>>> I know of DHH's ssl_requirement plugin, but I don't really need the
>>> granularity of running particular controller actions under https -- I
>>> want everything in https all the time.
>>>
>>> I did find a post on another group that mentioned adding a re-write rule
>>> for the *:80 vhost like this:
>>>
>>> RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=permanent]
>>>
>>> Is this required? Can anybody here point out what part of the
>>> configuration, either in Apache, Passenger or Rails, that I've
>>> overlooked?
>>>
>>> Thanks,
>>>
>>> Chris

--
SD Ruby mailing list
[email protected]
http://groups.google.com/group/sdruby
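For reference, here is the two-VirtualHost layout James describes, written out as an added example (not posted by anyone in the thread) for Apache 2.4 with mod_ssl, mod_alias and mod_headers. The port-80 vhost redirects at the server level so no .htaccess or RewriteRule is needed, the 443 vhost passes X-Forwarded-Proto to Rails, and the cipher and protocol settings drop the +LOW/+EXP/+SSLv2/+eNULL entries present in the quoted SSLCipherSuite; the host name, IP and paths are the placeholders from the thread.

```apache
# Added example, not from the thread. Assumes Apache 2.4 with mod_ssl,
# mod_alias and mod_headers loaded; 1.2.3.4, www.example.com and the
# /home/user paths are the placeholder values used in the thread.

# Plain-HTTP vhost: never serves the Rails app, only issues a permanent
# redirect to the HTTPS origin. A server-level Redirect does the job of
# the .htaccess / RewriteRule discussed above, so AllowOverride stays None.
<VirtualHost 1.2.3.4:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost 1.2.3.4:443>
    ServerName www.example.com
    DocumentRoot /home/user/apps/app-production/current/public

    <Directory "/home/user/apps/app-production/current/public">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    SSLEngine on
    SSLCertificateFile    /home/user/ssl/www.example.com/www.example.com.crt
    SSLCertificateKeyFile /home/user/ssl/www.example.com/www.example.com.key

    # The quoted SSLCipherSuite admits +LOW, +EXP, +SSLv2 and +eNULL (a
    # suite with no encryption at all). Disable the legacy protocol
    # versions and keep only high-strength, authenticated ciphers.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4
    SSLHonorCipherOrder on

    # Browsers that have seen this header go straight to HTTPS next time,
    # so the port-80 redirect is only ever hit on the very first visit.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Rails reads this header for request.ssl?, which is what the
    # X_FORWARDED_PROTO line in the original question was reaching for.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

Check the result with `apachectl configtest` before reloading, then confirm that an http:// request returns a 301 to the https:// URL and that the TLS handshake no longer offers the excluded suites.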
