Rails 3 + SSL

After reading tons of posts about buying certs, etc, I'm still confused. Please point me in the right direction. Here's the question:

I have a rails3 site (www.mysite.com). I want to have some pages use ssl, and some not. It appears the require_ssl approach is pre-Rails3 and there are other alternatives. Most of the posts I read talk about using a diff domain for ssl (secure.mysite.com). Doing that means I have to flip domains and seems to get in the way of *_path niceties of routes in rails3.

I realize I'm probably making this harder than it needs to be, but it's my first ssl implementation.

thanks for the replies in advance

Keep it simple, just host the entire site in HTTPS. This is the approach I am taking:

Hope this helps

Dave

using https is very simple. unless you are offering accounts based on subdomains, like sean.yoursite.com, jiblethead.yoursite.com etc. then you are going to need a wildcard subdomain to handle each domain with the same certificate. it's just as simple to set up but is a little more expensive. but you still shouldn't have to think about changing your routes to use https in either case.

check out this post i wrote http://seanbehan.com/linux/rails-ssl-ubuntu-apache2-w-phussion-on-ubunt/ about how to install an ssl certificate. essentially, you need to create two virtual hosts (apache) and have them both go to the same application. https is over port 443 while http is over port 80.

as far as your application is concerned, for rails 3 you can use http://railsplugins.org/plugins/479-bartt-ssl-requirement . essentially, all it does is redirect to a page w/ https:// when it detects the protocol is http:// and the controller#action has been set to use ssl. the ssl_required means that your pages will only be served over https (will be redirected to the same url but with https instead of http) and ssl_allowed means that both protocols will serve traffic.

class ApplicationController < ActionController::Base
  include ::SslRequirement
end

class AccountController < ApplicationController
  ssl_required :signup, :payment
  ssl_allowed :index

  def signup
    # Non-SSL access will be redirected to SSL
  end

  def payment
    # Non-SSL access will be redirected to SSL
  end

  def index
    # This action will work either with or without SSL
  end

  def other
    # SSL access will be redirected to non-SSL
  end
end

More at the docs File: README — Documentation for bartt-ssl_requirement (1.2.5)
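An added example, not part of the post above and not the plugin's source: a plain-Ruby model of the per-action redirect decision the post describes, plus a check that lists which actions remain reachable over plain HTTP. The names SslPolicy, redirect_for and plaintext_actions are hypothetical, and the URLs are constructed from the www.mysite.com placeholder in the question.

```ruby
require 'uri'

# Simplified model of the ssl_required / ssl_allowed behaviour described
# in the post. Hypothetical class, not the plugin's implementation.
class SslPolicy
  def initialize(required: [], allowed: [])
    @required = required.map(&:to_sym)
    @allowed  = allowed.map(&:to_sym)
  end

  # Returns nil when the request is served as-is, otherwise the URL
  # the client is redirected to.
  def redirect_for(action, url)
    uri = URI.parse(url)
    action = action.to_sym
    if @required.include?(action)
      # ssl_required: plain HTTP is sent to the same URL over HTTPS.
      return swap_scheme(uri, 'https') unless uri.scheme == 'https'
    elsif !@allowed.include?(action)
      # Neither required nor allowed: HTTPS is sent back to HTTP.
      return swap_scheme(uri, 'http') if uri.scheme == 'https'
    end
    nil # ssl_allowed, or the scheme already matches the policy
  end

  # Actions that still answer over plain HTTP under this policy,
  # i.e. everything that is not ssl_required.
  def plaintext_actions(all_actions)
    all_actions.map(&:to_sym).reject { |a| @required.include?(a) }
  end

  private

  # Rebuilds the URL on the other scheme's default port (80 or 443),
  # keeping host, path and query string.
  def swap_scheme(uri, scheme)
    klass = scheme == 'https' ? URI::HTTPS : URI::HTTP
    klass.build(host: uri.host, path: uri.path, query: uri.query).to_s
  end
end

# Mirrors the AccountController declarations from the post.
ACCOUNT_POLICY = SslPolicy.new(required: [:signup, :payment], allowed: [:index])
```

Running plaintext_actions over a controller's full action list shows what the per-action approach leaves on HTTP, which is the gap the "host the entire site in HTTPS" reply avoids.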