Rails/Apache/Mongrel/SSL

Hi all,

I’m looking for a little guidance here in setting up my .htaccess and/
or httpd.conf files. I’ve got a single Rails app that happens to have
two domains pointing to it…let’s say www.domain1.com and
www.domain2.com.
www.domain2.com has an SSL certificate associated with it, so any
request can be made via http or https and this seems to be working
fine (domain1.com can only be accessed via http).

My problem is that I need all actions for a particular controller
(registration) to be encrypted. The possible actions are:

/registration
/registration/showClasses
/registration/showForm
/registration/sendRegistration
/registration/sendQuestionnaire

If any requests are made to http://www.domain1.com/registration/
(1st domain, un-encrypted) or
http://www.domain2.com/registration/
(2nd domain, un-encrypted) then they should be forwarded to
https://www.domain2.com/registration/ (2nd domain, encrypted).

Any other request (to any controller OTHER THAN the registration
controller) should be forwarded to
http://www.domain1.com/controller/.

At this point, the SSL seems to be set up just fine…I can go to
https://www.domain2.com and get a secure page. However there’s nothing
keeping me from just changing the protocol to http in the address bar
or changing the whole address to http://www.domain1.com and just
bypassing the SSL encryption entirely.

Any thoughts? Thanks!

-Brian

Here you go => GitHub - rails/ssl_requirement: NOTICE: official repository moved to https://github.com/retr0h/ssl_requirement


Maurício Linhares
http://alinhavado.wordpress.com/ (pt-br) | http://blog.codevader.com/
(en)
João Pessoa, PB, +55 83 8867-7208

Hi Mauricio,

Thanks for the link…this definitely looks like it will get me going
in the right direction.

Is there a way, using this plug-in, to specify that when an
“ssl_required” action is called that it needs to be directed to the
https://www.domain2.com domain? In other words, if a user requests a
secure action from the 1st domain, it’s not enough to simply change
the protocol from http to https…it needs to be redirected to the 2nd
domain (it’s the only one with an SSL certificate). Does that make
sense at all?

-Brian

On Sep 4, 12:18 pm, “Maurício Linhares” [email protected]

That seems to do the trick. Thanks!

On Sep 4, 12:46 pm, “Maurício Linhares” [email protected]

Hi Brian,

I think it’s completely possible. Looking at the source code, the
method that sends the client to the SSL-enabled page is this one:

def ensure_proper_protocol
  return true if ssl_allowed?

  if ssl_required? && !request.ssl?
    redirect_to "https://" + request.host + request.request_uri
    flash.keep
    return false
  elsif request.ssl? && !ssl_required?
    redirect_to "http://" + request.host + request.request_uri
    flash.keep
    return false
  end
end

You would just have to tweak it to your own needs.


Maurício Linhares
http://alinhavado.wordpress.com/ (pt-br) | http://blog.codevader.com/
(en)
João Pessoa, PB, +55 83 8867-7208
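
One way to make the tweak suggested above, as an added example that is not part of the thread or of the ssl_requirement plugin: the redirect decision for the two-domain setup described in the first post, written as plain Ruby so it runs without Rails. The names redirect_target, secure_path? and the three constants are assumptions; the hosts are the thread's placeholder domains.

```ruby
# Added example: not code from the thread or from ssl_requirement.
SECURE_HOST   = "www.domain2.com"   # the only host with a certificate
PLAIN_HOST    = "www.domain1.com"   # canonical host for everything else
SECURE_PREFIX = "/registration"     # assumed path of the registration controller

# True for "/registration" and anything below it, with or without a query
# string. Compared case-insensitively so a differently cased path is never
# classified as non-secure; "/registrations" does not match.
def secure_path?(request_uri)
  path = request_uri.to_s.split("?", 2).first.to_s.downcase
  path == SECURE_PREFIX || path.start_with?(SECURE_PREFIX + "/")
end

# Returns the URL to redirect to, or nil when scheme and host are already
# right. The target host is a constant, never request.host, so a client-sent
# Host header cannot choose where the redirect points.
def redirect_target(ssl, host, request_uri)
  host = host.to_s.downcase
  if secure_path?(request_uri)
    return nil if ssl && host == SECURE_HOST
    "https://" + SECURE_HOST + request_uri
  else
    return nil if !ssl && host == PLAIN_HOST
    "http://" + PLAIN_HOST + request_uri
  end
end

# How it would replace the plugin method in a Rails 2 controller:
#   def ensure_proper_protocol
#     url = redirect_target(request.ssl?, request.host, request.request_uri)
#     return true unless url
#     redirect_to url
#     flash.keep
#     return false
#   end

if __FILE__ == $0
  # Constructed sample requests: [ssl?, Host, request URI]
  [[false, "www.domain1.com", "/registration/showForm"],
   [true,  "www.domain2.com", "/registration/sendRegistration"],
   [true,  "www.domain2.com", "/classes?page=2"]].each do |req|
    puts "#{req.inspect} -> #{redirect_target(*req).inspect}"
  end
end
```

With Apache terminating SSL and proxying to Mongrel, request.ssl? is only true if the SSL virtual host passes the scheme on to the backend (Rails checks the X-Forwarded-Proto header); without that, a filter like this redirects in a loop.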

On 4 Sep 2008, at 21:14, bmcelhany [email protected] wrote:

https://www.domain2.com and get a secure page. However there's nothing keeping me from just changing the protocol to http in the address bar or changing the whole address to http://www.domain1.com and just bypassing the SSL encryption entirely.

Any thoughts? Thanks!

Stick a before_filter that checks whether it’s an ssl request?