Jason,

Thanks for chiming in. This isn't rocket science, I just don't have much experience setting up virtual hosts in Apache and assume that there are some smart, experienced guys here who have and can explain what I'm missing. My client's needs are not extreme, they just asked if I could run the site via https instead of http. Simple enough.

I don't need to pay an "expert" some silly hourly rate for something that probably boils down to a few lines in a config file. Besides, if I am to become an "expert", or more accurately "expert enough", the only way is through doing it myself, wouldn't you agree? But point taken: if this were no-kidding some high-security situation (which it isn't) I'd do well by my client to hire a security expert. Since that's not the case, I feel confident in figuring it out on my own with a little help from some devs with more experience.

Cheers,

Chris

On Dec 17, 2:58 pm, Jason King <[email protected]> wrote:
> Don't take this the wrong way, but.... hire an expert.
>
> You're not doing your client any real service taking a guess at this.
> There are security implications here with both the .htaccess and the
> rewrite solution. I don't mean to scare you, it's pretty easy to
> become an expert, but it's a bad idea to just pull recommendations
> from a mailing list (as good as that list may be) and trusting that
> your client's site is now secure.
>
> My 2¢
>
> On Dec 17, 2009, at 2:48 PM, Chris McCann wrote:
>
> > James,
> >
> > On re-reading your reply I realized you got a little ahead of me with
> > the "add a .htaccess" part. My Apache config skills are pretty green
> > -- can you give me a little more guidance? In the meantime I'll
> > google it for my own education.
> >
> > Thanks,
> >
> > Chris
> >
> > On Dec 17, 1:08 pm, James Miller <[email protected]> wrote:
> >> Did you set up a VirtualHost running on port 443 as well as port 80? You
> >> need both -- the SSL VirtualHost will need to be IP based, have a valid
> >> cert/private key, and have SSL enabled. For the non-SSL virtualhost, point
> >> it to an empty directory (not to your rails app) and add a .htaccess that
> >> redirects all traffic to the HTTPS URL. That way your Rails app will never
> >> receive a request that's not HTTPS.
> >> You shouldn't need a plugin for what
> >> you're doing, as Rails won't need to know about the protocol.
> >>
> >> Example:
> >>
> >> <VirtualHost 1.2.3.4:443>
> >>   ServerName www.example.com
> >>   DocumentRoot /home/user/apps/app-production/current/public
> >>   <Directory "/home/user/apps/app-production/current/public">
> >>     Options FollowSymLinks
> >>     AllowOverride None
> >>     Order allow,deny
> >>     Allow from all
> >>   </Directory>
> >>
> >>   SSLEngine on
> >>   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> >>   SSLCertificateFile /home/user/ssl/www.example.com/www.example.com.crt
> >>   SSLCertificateKeyFile /home/user/ssl/www.example.com/www.example.com.key
> >> </VirtualHost>
> >>
> >> James
> >>
> >> On Thu, Dec 17, 2009 at 1:00 PM, Chris McCann <[email protected]> wrote:
> >>> I've got a client who wants me to run their Ruby on Rails site using
> >>> https all the time because of the type of information they're
> >>> processing with the application. I'm having trouble getting Rails to
> >>> use the https protocol. I've deployed to Apache2 with Passenger.
> >>>
> >>> I thought it would be a simple matter of getting an SSL certificate
> >>> and configuring the web server to use it. I added the
> >>> X_FORWARDED_PROTO "https" line to the virtual host but that didn't do
> >>> the trick.
> >>>
> >>> I know of DHH's ssl_requirement plugin, but I don't really need the
> >>> granularity of running particular controller actions under https -- I
> >>> want everything in https all the time.
> >>>
> >>> I did find a post on another group that mentioned adding a re-write rule
> >>> for the *:80 vhost like this:
> >>>
> >>> RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=permanent]
> >>>
> >>> Is this required? Can anybody here point out what part of the
> >>> configuration, either in Apache, Passenger or Rails, that I've
> >>> overlooked?
> >>>
> >>> Thanks,
> >>>
> >>> Chris
> >>>
> >>> --
> >>> SD Ruby mailing list
> >>> [email protected]
> >>> http://groups.google.com/group/sdruby
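
Added example, not part of the original thread and not any poster's own configuration: the two-vhost layout James describes, with the port 80 redirect done in the vhost itself and the quoted cipher string shown beside a tightened one. It assumes Apache 2.4 with mod_ssl, mod_alias and mod_headers loaded; the address, hostname and paths are the placeholders from James's message.

```apache
# Port 80: serves no content and only redirects. The target hostname is
# fixed rather than built from %{HTTP_HOST}, so the redirect never echoes
# a client-supplied Host header.
<VirtualHost 1.2.3.4:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

# Port 443: the only vhost that points at the Rails app.
<VirtualHost 1.2.3.4:443>
    ServerName www.example.com
    DocumentRoot /home/user/apps/app-production/current/public
    <Directory "/home/user/apps/app-production/current/public">
        Options FollowSymLinks
        AllowOverride None
        # Apache 2.4 form of "Order allow,deny / Allow from all"
        Require all granted
    </Directory>

    SSLEngine on

    # Weak (as quoted in the thread): ALL leaves export-grade, LOW and
    # SSLv2 suites enabled; the "+" entries only move them to the end of
    # the preference list, they do not remove them.
    # SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    # Corrected: TLS 1.2 and later only, no anonymous, null, RC4 or 3DES suites.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES
    SSLHonorCipherOrder on

    SSLCertificateFile /home/user/ssl/www.example.com/www.example.com.crt
    SSLCertificateKeyFile /home/user/ssl/www.example.com/www.example.com.key

    # The X_FORWARDED_PROTO line from the original question, written as a
    # mod_headers directive (assumed form; the thread does not show it).
    RequestHeader set X-Forwarded-Proto "https"

    # Ask browsers to use HTTPS for all later visits to this host.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

Running `apachectl configtest` before reloading catches syntax errors, and the private key file should be readable only by root.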
