Rails 3 + SSL

luislavena · March 26, 2011, 6:44pm

After reading tons of posts about buying certs, etc, I’m still
confused. Please point me in the right direction. Here’s the
question:

I have a rails3 site (www.mysite.com). I want to have some pages use
ssl, and some not. It appears the require_ssl approach is pre-Rails3
and there are other alternatives. Most of the posts I read talk about
using a diff domain for ssl (secure.mysite.com). Doing that means I
have to flip domains and seems to get in the way of *_path niceties of
routes in rails3.

I realize I’m probably making this harder than it needs to be, but
it’s my first ssl implementation.

thanks for the replies in advance

jiblethead · March 27, 2011, 4:29am

Keep it simple, just host the entire site in HTTPS. This the approach
I am taking:

Hope this helps

Dave

jiblethead · March 27, 2011, 4:11pm

using https is very simple. unless you are offering accounts based on
subdomains, like sean.yoursite.com, jiblethead.yoursite.com etc. then
you are going to need a wildcard subdomain to handle each domain with
the same certificate. it’s just as simple to setup but is a little
more expensive. but you still shouldn’t have to think about changing
your routes to use https in either case.

check out this post i wrote
http://seanbehan.com/linux/rails-ssl-ubuntu-apache2-w-phussion-on-ubunt/
about how to install an ssl certificate. essentially, you need to
create two virtual hosts (apache) and have them both go to the same
application. https is over port 443 while http is over port 80.

as far as your application is concerned, for rails 3 you can use
http://railsplugins.org/plugins/479-bartt-ssl-requirement .
essentially, all it does is redirect to a page w/ https:// when it
detects the protocol is http:// and the controller#action has been set
to use ssl.
the ssl_required means that you pages will only be served over https
(will be redirected to the same url but with https instead of http)
and ssl_allowed means that both protocols will server traffic.

class ApplicationController < ActionController::Base
include ::SslRequirement
end

class AccountController < ApplicationController
ssl_required :signup, :payment
ssl_allowed :index

def signup
# Non-SSL access will be redirected to SSL
end

def payment
# Non-SSL access will be redirected to SSL
end

def index
# This action will work either with or without SSL
end

def other
# SSL access will be redirected to non-SSL
end
end

More at the docs
http://rubydoc.info/gems/bartt-ssl_requirement/1.2.5/frames