Devise auth based on ssl keys

Hi, guys.

I already have a vast Rails 3.1.2 and Ruby 1.9.3 app with an auth based on Devise. Now I want to add an SSL key based auth to my app. As a web server it uses Thin, with nginx as a proxy. I have enabled SSL only on nginx at 443, and only for some app paths (e.g. /articles, /search etc.). How can I tell my app and Devise to use the SSL keys and assign them to the app users (link users' _session_id and the key together)?

lobster lobster wrote in post #1114299:

I already have a vast Rails 3.1.2 and Ruby 1.9.3 app with an auth based on Devise. Now I want to add an SSL key based auth to my app. As a web server it uses Thin, with nginx as a proxy. I have enabled SSL only on nginx at 443, and only for some app paths (e.g. /articles, /search etc.). How can I tell my app and Devise to use the SSL keys and assign them to the app users (link users' _session_id and the key together)?

Sorry, but I don't completely understand your question. Your Rails app should have nothing to do with SSL/TLS keys in any way. Your Rails app should ensure that all URLs that need to be secure use the https protocol and nothing more. Any SSL/TLS key exchange should be handled by the web server. That should all happen before your Rails app receives any request.

You also mention that only some paths use SSL/TLS. I would highly recommend against doing that. If you need SSL/TLS anywhere in your site, then use SSL/TLS everywhere in your site. Force SSL/TLS on the first request and have all subsequent requests use that SSL/TLS connection.

It has been shown that any transition from HTTP to HTTPS is vulnerable to attack. Notice that many popular sites are now SSL/TLS everywhere (e.g. GitHub, Facebook, Google Mail, banking, etc.). There is very little cost in using SSL/TLS all the time, and the benefits of doing so far outweigh the costs. This also eliminates the possibility of mistakes in your Rails app that may redirect from a TLS page to a non-TLS page, since all URLs will be secure.
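The "force TLS on the first request" policy from the reply above, as an added example that is not code from the thread or from Devise/Rails: a dependency-free, Rack-style middleware for the Thin-behind-nginx setup the question describes. Because nginx terminates TLS, the socket Thin sees is plain HTTP, so the middleware also trusts the X-Forwarded-Proto header that nginx sets with proxy_set_header. The class name ForceHttps, the HSTS_MAX_AGE value and the sample env hashes are my own assumptions.

```ruby
# Added example (not from the original thread). A minimal Rack-style
# middleware that sends every plain-HTTP request to its HTTPS equivalent and
# adds an HSTS header on HTTPS responses, so the HTTP -> HTTPS transition the
# reply warns about happens at most once per browser. Ruby 1.9.3 compatible.
class ForceHttps
  # One year in seconds; a common HSTS lifetime once a site is TLS-only
  # (assumed value, choose your own).
  HSTS_MAX_AGE = 31_536_000

  def initialize(app, hsts_max_age = HSTS_MAX_AGE)
    @app = app
    @hsts_max_age = hsts_max_age
  end

  # Rack entry point: env is the request hash, the return value is the
  # [status, headers, body] triple.
  def call(env)
    if https?(env)
      status, headers, body = @app.call(env)
      # Tell the browser to go straight to HTTPS for future requests.
      headers['Strict-Transport-Security'] = "max-age=#{@hsts_max_age}"
      [status, headers, body]
    else
      # 301 for GET/HEAD; 307 for other methods so the client re-sends the
      # same method and body instead of silently turning a POST into a GET.
      status = %w[GET HEAD].include?(env['REQUEST_METHOD']) ? 301 : 307
      headers = { 'Location' => https_url(env), 'Content-Type' => 'text/plain' }
      [status, headers, ['Redirecting to HTTPS']]
    end
  end

  private

  # Behind a reverse proxy rack.url_scheme is always "http", so also accept
  # the proxy's X-Forwarded-Proto. Only trust that header when nginx
  # overwrites it on every request (proxy_set_header X-Forwarded-Proto
  # $scheme;); otherwise a client could supply it and skip the redirect.
  def https?(env)
    return true if env['rack.url_scheme'] == 'https'
    forwarded = env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip
    forwarded == 'https'
  end

  # Rebuild the requested URL with the https scheme and the default port.
  def https_url(env)
    host = (env['HTTP_HOST'] || env['SERVER_NAME']).to_s.sub(/:\d+\z/, '')
    path = env['PATH_INFO'].to_s
    qs = env['QUERY_STRING'].to_s
    "https://#{host}#{path}#{qs.empty? ? '' : "?#{qs}"}"
  end
end

# Constructed sample requests, the shape Thin hands to the app.
SAMPLE_HTTP_GET = {
  'rack.url_scheme' => 'http', 'REQUEST_METHOD' => 'GET',
  'HTTP_HOST' => 'example.test', 'PATH_INFO' => '/articles',
  'QUERY_STRING' => 'q=1'
}
SAMPLE_PROXIED_TLS = SAMPLE_HTTP_GET.merge('HTTP_X_FORWARDED_PROTO' => 'https')

if __FILE__ == $0
  app = lambda { |env| [200, { 'Content-Type' => 'text/html' }, ['ok']] }
  mw = ForceHttps.new(app)
  p mw.call(SAMPLE_HTTP_GET)[0..1]    # redirect to https://example.test/articles?q=1
  p mw.call(SAMPLE_PROXIED_TLS)[0..1] # 200 with Strict-Transport-Security
end
```

In a real Rails 3.1+ app the same behaviour comes from setting config.force_ssl = true, which installs the built-in ActionDispatch::SSL middleware; the point of the hand-written version is to make the proxy-header and method-preserving details visible, since those are exactly what a partial-SSL setup with nginx in front tends to get wrong.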