SSL for login page only


#1

I’m having difficulty setting up my site so that only the login page
uses SSL. I’m confused by the config. Can someone please explain?

I’m setting up my environment using WEBrick. I got WEBrick running with
ssl on port 3001 thanks to this script: http://pastie.caboo.se/25896

My understanding is that the ssl config is done in the server config
script, not in my rails app code. Correct me if I’m wrong.

Now that I have the site running, a user can connect to
https://localhost/account/login but he can’t go to any other pages with
the normal non-SSL HTTP. Am I supposed to also have a non-SSL WEBrick
running at the same time? If so, these 2 webricks would be listening on
2 different ports (3000 and 3001). What I want to do eventually in
production is to make the following links work:

http://www.mysite.com/myhome (non-SSL)
https://www.mysite.com/account/login (SSL)

Thanks for your help.


#2

donut donut wrote:

I’m having difficulty setting up my site so that only the login page
uses SSL. I’m confused by the config. Can someone please explain?

I’m setting up my environment using WEBrick. I got WEBrick running with
ssl on port 3001 thanks to this script: http://pastie.caboo.se/25896

My understanding is that the ssl config is done in the server config
script, not in my rails app code. Correct me if I’m wrong.

Now that I have the site running, a user can connect to
https://localhost/account/login but he can’t go to any other pages with
the normal non-SSL HTTP. Am I supposed to also have a non-SSL WEBrick
running at the same time? If so, these 2 webricks would be listening on
2 different ports (3000 and 3001). What I want to do eventually in
production is to make the following links work:

http://www.mysite.com/myhome (non-SSL)
https://www.mysite.com/account/login (SSL)

Thanks for your help.

SSL seems to be flavour of the day.

The short answer is HTTP and HTTPS do run on different ports (80 & 443
by default), so you will need to configure 2 servers.

Try section 5 here (he is using mongrel, so the details may vary):
http://blog.codahale.com/tags/ruby-on-rails/

When I was working with LDAP it was possible to secure any connection on
any port using TLS. I know most browsers now support TLS but I have not
tried to secure an HTTP connection, so I don’t know if this is possible.
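
With two listeners running as the reply above describes, something still has to send login requests that arrive on the plain port over to the SSL port. The Ruby below is an added example, not code from the thread or the pages it links to; it assumes a Rack-style `call(env)` interface, and the class name `SslForLoginOnly`, the `host:` setting and the stand-in app are hypothetical (ports 3000/3001 and `/account/login` are taken from the question).

```ruby
# Added example, not code from the thread. Rack-style middleware mounted on both
# listeners: the plain one (port 3000) and the SSL one (port 3001).
class SslForLoginOnly
  SAFE_METHODS = %w[GET HEAD].freeze

  # host is configured, not read from the Host header, so a forged header
  # cannot steer the redirect to another site.
  def initialize(app, host:, https_port: 3001, ssl_paths: ['/account/login'])
    @app = app
    @host = host
    @https_port = https_port
    @ssl_paths = ssl_paths
  end

  def call(env)
    return @app.call(env) if env['rack.url_scheme'] == 'https'
    return @app.call(env) unless ssl_path?(env['PATH_INFO'].to_s)

    # A form POSTed to the plain listener has already crossed the network
    # unencrypted; refuse it rather than hide the mistake behind a redirect.
    unless SAFE_METHODS.include?(env['REQUEST_METHOD'])
      return [403, { 'Content-Type' => 'text/plain' }, ["HTTPS required\n"]]
    end

    [302, { 'Location' => https_url(env) }, []]
  end

  private

  # Match whole path segments: /account/login and /account/login/reset
  # qualify, /account/loginx does not.
  def ssl_path?(path)
    @ssl_paths.any? { |p| path == p || path.start_with?("#{p}/") }
  end

  def https_url(env)
    port  = @https_port == 443 ? '' : ":#{@https_port}"
    query = env['QUERY_STRING'].to_s
    url = "https://#{@host}#{port}#{env['PATH_INFO']}"
    query.empty? ? url : "#{url}?#{query}"
  end
end

# Constructed stand-in for the Rails application.
DEMO_APP = ->(env) { [200, { 'Content-Type' => 'text/plain' }, ["served #{env['PATH_INFO']}\n"]] }
DEMO = SslForLoginOnly.new(DEMO_APP, host: 'localhost')

def demo_request(scheme, method, path, query = '')
  DEMO.call('rack.url_scheme' => scheme, 'REQUEST_METHOD' => method,
            'PATH_INFO' => path, 'QUERY_STRING' => query)
end
```

Requests that already arrived over HTTPS are passed through untouched, so the SSL listener can serve any page; only the plain listener ever redirects or refuses.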


#3

Andrew S. wrote:

The short answer is HTTP and HTTPS do run on different ports (80 & 443
by default), so you will need to configure 2 servers.

Try section 5 here (he is using mongrel, so the details may vary):
http://blog.codahale.com/tags/ruby-on-rails/

When I was working with LDAP it was possible to secure any connection on
any port using TLS. I know most browsers now support TLS but I have not
tried to secure an HTTP connection, so I don’t know if this is possible.

Thanks, Andrew! This is what I need! I now have 2 webricks running in
my dev environment. The link you gave has a lot of good info. I’ll
move to mongrel + apache for production.


#4

donut donut wrote:

Thanks, Andrew! This is what I need! I now have 2 webricks running in
my dev environment. The link you gave has a lot of good info. I’ll
move to mongrel + apache for production.

All the cool kids are using mongrel nowadays. In fact, Rails 1.2
defaults to mongrel for development.

You got my interest up in trying to secure HTTP with TLS. The web seems
sparse on details of doing this - I might give it a go over the weekend.