Need crash course in HTTPS / SSL for Rails

Question

Need crash course in HTTPS / SSL for Rails

I have a Ruby on Rails application and it works on Heroku using HTTP. Now it's time to use HTTPS during the login process and for all transactions after the user logs in. But I'm not sure where to start.

Configuration

We use:

Ruby (1.9.2) Rails (3.0.5) Devise (1.5.3)

Our domain (registered by GoDaddy) is oursite.com (and not its real name), which resolves oursite.herokuapp.com . I want secure transactions to be executed in the https://secure.oursite.com subdomain. I purchased an SSL certificate from GoDaddy, created key files, registered for the Zerigo DNS service, and installed sitesite.com site name servers on Zergo servers. And on Heroku I did:

 heroku domains:add secure.oursite.com heroku ssl:add final.crt site.key heroku addons:add ssl:hostname

the questions

If a user comes to our site under http://oursite.com , how (and when) do I switch to https://secure.oursite.com ?
How to force use https for any secure transaction (for example, to send a password)?
How to check this stuff with localhost: 3000?

Specific answers, general answers, and pointers to study guides and examples are equally welcome. Thanks!

+4

ruby-on-rails ssl https heroku

fearless_fool Jan 25 '12 at 18:10

source share

2 answers

I would look at ssl_requirement. This allows you to protect various parts of your application, forcing you to serve only certain pages via HTTPS.

https://github.com/rails/ssl_requirement

With local development, you need to configure some kind of Apache / NGinx configuration with a locally signed certificate connected. A quick google uncovered this:

http://www.subelsky.com/2007/11/testing-rails-ssl-requirements-on-your.html

+1

Neil middleton Jan 25 '12 at 18:25

source share

fearless_fool · Accepted Answer · 2012-01-27T07:01:16+0000

First of all:

redirect from http://example.com to https://example.mysite.com

... is a very specific question that replaces this very general question. I summarize the best bits of information that I have found in the last 24 hours, as this may be useful to someone else.

The Heroku article on SSL is a must-read if you are deploying to Heroku.
Heroku also has an article describing how to buy an SSL certificate from a general provider , as well as an article describing how to buy an SSL certificate from GoDaddy .
I lingered for a while trying to set up CNAME records for the Zerigo DNS service . The perforation line is that if you create your Zerigo account using the Heroku toolbar, you must also configure your CNAME records using the Heroku toolbar. Gory details listed here .
If you are planning on upgrading to Rails 3.1, this is the right time for this, as it has a built-in force_ssl method that is a clean replacement for various add-ons (especially ssl_requirement ).
Having said that, it is worth paying attention to the implementation of ssl_requirement at https://github.com/rails/ssl_requirement/blob/master/lib/ssl_requirement.rb to see how it uses redirect_to and request .
Simone Carletti contains a comprehensive blog entry Configuring Rails 3 to use HTTPS and SSL , covering both Rails 3.0 and Rails 3.1.

Hope this is helpful ...

Need crash course in HTTPS / SSL for Rails

Configuration

the questions

More articles: