On Thu, Sep 14, 2006 at 06:50:54AM +1000, Greg H. wrote:
> Can anyone give me a heads-up/pointer re how to enable some (or all?) of
> my pages to be SSL encrypted (e.g. login pages where password is being
> transferred)? Is this in the ruby application or part of the apache
> configuration? What doco should I brush up on?
> I'm on Dreamhost so I don't think I have full access to apache.
Well, I don’t know how you would deal with it there, so my instructions
will be general.
Making some of your pages ssl requires some setup on your web server in
addition to some setup in your application.
On the web server, just make an ssl site.
You can then set up some methods in app/controllers/application.rb which
you can then use as a before_filter in your controllers. The two methods
you need are "ssl_required" and "ssl_prohibited". They look something
like this:
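    # Redirect plain-HTTP requests to the same path on the https site.
    def ssl_required
      unless @request.ssl?
        # request_uri already begins with "/", so no separator is added
        redirect_to "https://#{@request.host}#{@request.request_uri}"
        return false  # returning false halts the filter chain
      end
    end

    # Redirect https requests back to the same path on the plain-HTTP site.
    def ssl_prohibited
      if @request.ssl?
        redirect_to "http://#{@request.host}#{@request.request_uri}"
        return false  # returning false halts the filter chain
      end
    end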
(this is untested, you might need to fix it. If so, please follow up
this post with the fix for future searching)
You can then put:

    before_filter :ssl_required, :only => [:cart, :checkout]

to force some items to ssl. You then use the opposite:

    before_filter :ssl_prohibited

for controllers or actions that shouldn't be ssl.
If you have access to web server config, you can also force ssl or
non-ssl on certain paths using "RedirectMatch". Doing it in your app
gives you a little more flexibility and keeps it all in one place.
Michael
Michael Darrin Chaney
http://www.michaelchaney.com/
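
Added example (not part of Michael's post, and not Rails code): a plain-Ruby model of the decision the two filters above make, extended to two cases a redirect-based filter has to handle, namely non-GET requests and a redirect target built from client-supplied values. SSL_ACTIONS, CANONICAL_HOST, the Request struct, ssl_redirect_target and the :reject result are all names assumed for this illustration.

```ruby
# Constructed policy for illustration: actions that must be served over SSL.
SSL_ACTIONS = [:cart, :checkout, :login].freeze

# Assumption: the site's one canonical host name, read from configuration
# instead of the client-supplied Host header that request.host reflects.
CANONICAL_HOST = "shop.example.com"

# Stand-in for the few request fields the filters look at.
Request = Struct.new(:ssl, :http_method, :request_uri) do
  def ssl?
    ssl
  end
end

# Returns the URL to redirect to, :reject when a plain-HTTP request must be
# refused rather than redirected, or nil when the request may proceed.
def ssl_redirect_target(request, action)
  needs_ssl = SSL_ACTIONS.include?(action)
  return nil if needs_ssl == request.ssl?

  # Browsers replay a redirect as GET, so the body of a POST is lost. A POST
  # that arrived over plain HTTP has also already exposed its body, so it is
  # refused; a POST that arrived over SSL is simply left on SSL.
  unless [:get, :head].include?(request.http_method)
    return needs_ssl ? :reject : nil
  end

  # request_uri normally starts with "/" and is appended without a separator.
  # Anything else (no leading slash, embedded whitespace or CR/LF) could change
  # the host part or the headers of the redirect, so it is reduced to "/".
  path = request.request_uri.to_s
  path = "/" unless path.match?(%r{\A/\S*\z})

  scheme = needs_ssl ? "https" : "http"
  "#{scheme}://#{CANONICAL_HOST}#{path}"
end
```

In a controller the same result would drive the filter: redirect_to the returned URL, render an error for :reject, and continue for nil.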