I’m trying to get SSL working on my app, using ssl_requirement. SSL is
working, but ssl_requirement doesn’t seem to be handling the request
properly- it doesn’t redirect to https.
Relevant files:
application.rb:
class ApplicationController < ActionController::Base
include SslRequirement
include AuthenticatedSystem
def ssl_required?
return false if local_request? || RAILS_ENV == ‘test’
super
end
…
end
users_controller.rb:
class UsersController < ApplicationController
ssl_required :new, :create, :reset_password
…
end
vhost.conf:
( VirtualHost *:80 is a duplicate of the code below, except for the
first 2 lines)
<VirtualHost 123.123.123.123:443>
SSLEngine on
RequestHeader set X_FORWARDED_PROTO “https”
DocumentRoot /var/www/apps/my_app/current/public
<Directory /var/www/apps/my_app/current/public>
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
Configure mongrel_cluster
<Proxy balancer://my_app_cluster>
BalancerMember http://127.0.0.1:8000
BalancerMember http://127.0.0.1:8001
RewriteEngine On
Prevent access to .svn directories
RewriteRule ^(.*/)?.svn/ - [F,L]
ErrorDocument 403 “Access Forbidden”
Check for maintenance file and redirect all requests
RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
RewriteCond %{SCRIPT_FILENAME} !maintenance.html
RewriteRule ^.*$ /system/maintenance.html [L]
Rewrite index to check for static
RewriteRule ^/$ /index.html [QSA]
Rewrite to check for Rails cached page
RewriteRule ^([^.]+)$ $1.html [QSA]
Redirect all non-static requests to cluster
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
RewriteRule ^/(.*)$ balancer://my_app_cluster%{REQUEST_URI}
[P,QSA,L]
Deflate
AddOutputFilterByType DEFLATE text/html text/plain text/xml
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
ErrorLog logs/my_app.com-error_log
CustomLog logs/my_app.com-access_log combined
This just specifies locations of key and crt files
Include /etc/httpd/conf/apps/ssl.conf
In production, the app just throws a 404 when I try to access
https://my_app.com/signup.
My specs:
describe “Requesting /signup” do
controller_name :users
before(:each) do
@user = mock_model(User, :to_param => “1”, :save => true)
User.stub!(:new).and_return(@user)
end
def do_get
get :new
end
it “should redirect to HTTPS version if request.ssl? is false” do
request.stub!(:ssl?).and_return false
do_get
response.should redirect_to(“https://test.host/signup”)
end
it “should redirect to the HTTPS version” do
request.stub!(:ssl?).and_return true
do_get
response.should redirect_to(“https://test.host/signup”)
end
end
autotest spits out:
‘Requesting /signup should redirect to the HTTPS version’ FAILED
expected redirect to “https://test.host/signup”, got redirect to
“http://test.host/signup”
‘Requesting /signup (/users/new) should redirect to HTTPS version if
request.ssl? is false’ FAILED
expected redirect to “https://test.host/signup”, got no redirect
When I try to access the production site via the command line, I get
this:
$ curl -I https://my_app.com/signup
HTTP/1.1 302 Moved Temporarily
Date: Tue, 19 Feb 2008 07:52:24 GMT
Server: Mongrel 1.0.1
Status: 302 Found
Location: http://my_app.com/signup
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 107
Set-Cookie: _my_app_session_id=7eeea00b749ef2ed8b06730b18c62646;
path=/
Vary: Accept-Encoding
Connection: close
$ curl -I http://my_app.com/signup
HTTP/1.1 200 OK
Date: Tue, 19 Feb 2008 07:52:40 GMT
Server: Mongrel 1.0.1
Status: 200 OK
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Content-length: 12031
Connection: Keep-Alive
Set-Cookie: _my_app_session_id=5c8fd1c3f962b65aeeb6a4b6299c3e46;
path=/
The request is getting past Apache, it looks like the app itself is
not handling the request correctly.
Has anyone encountered this problem before? Any help would be much
appreciated.
Bobby