Forum: Ruby on Rails Devise auth based on ssl keys

lobster lobster (lobster)
on 2013-07-03 11:28
Hi, guys.


I already have a vast Rails 3.1.2 / Ruby 1.9.3 app with auth based on
Devise. Now I want to add SSL-key-based auth to my app. As the
web server it uses Thin, with nginx as a proxy. I have set up SSL only on
nginx at 443, and only for some app paths (e.g. /articles, /search etc.).
How can I tell my app and Devise to use the SSL keys and assign them
to the app users (link users' _session_id and the key together)?
Robert Walker (robert4723)
on 2013-07-03 15:28
lobster lobster wrote in post #1114299:
> I already have a vast Rails 3.1.2 / Ruby 1.9.3 app with auth based on
> Devise. Now I want to add SSL-key-based auth to my app. As the
> web server it uses Thin, with nginx as a proxy. I have set up SSL only on
> nginx at 443, and only for some app paths (e.g. /articles, /search etc.).
> How can I tell my app and Devise to use the SSL keys and assign them
> to the app users (link users' _session_id and the key together)?

Sorry, but I don't completely understand your question. Your Rails app
should have nothing to do with SSL/TLS keys in any way. Your Rails app
should ensure that all URLs that need to be secure use the https
protocol and nothing more. Any SSL/TLS key exchange should be handled by
the web server. That should all happen before your Rails app receives
any request.

You also mention that only some paths use SSL/TLS. I would highly
recommend against doing that. If you need SSL/TLS anywhere in your site,
then use SSL/TLS everywhere in your site. Force SSL/TLS on the first
request and have all subsequent requests use that SSL/TLS connection.

It has been shown that any transition from HTTP to HTTPS is vulnerable
to attack. Notice that many popular sites are now SSL/TLS everywhere
(e.g. GitHub, Facebook, Google Mail, banking, etc.). There is very
little cost in using SSL/TLS all the time, and the benefits of doing so
far outweigh the costs. This also eliminates the possibility of mistakes
in your Rails app that may redirect from a TLS page to a non-TLS page,
since all URLs will be secure.
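The "force TLS on the first request, keep it for all subsequent ones" advice above, as an added example that is not code from the thread or from Rails/Devise: a small Rack-style middleware in plain Ruby (no gems required) that redirects any plain-HTTP request to https, sets a Strict-Transport-Security header so the browser keeps using TLS, and marks the session cookie Secure. Because the poster's Thin process sits behind nginx, the app itself only ever sees plain HTTP; the middleware therefore trusts an X-Forwarded-Proto header, but only when the connecting peer is a listed proxy address. The header name, the trusted proxy address 127.0.0.1, the sample app and the sample requests are all assumptions made for the example.

```ruby
# Added example, not part of the original thread. A minimal force-TLS
# middleware in the Rack calling convention (env hash in, [status, headers,
# body] out), written without the rack gem so it runs stand-alone.
# Assumptions: nginx terminates TLS, proxies to Thin on 127.0.0.1 and sets
# X-Forwarded-Proto; both the header name and the proxy address are assumed.
class ForceTLS
  ONE_YEAR = 31_536_000

  def initialize(app, trusted_proxies: ['127.0.0.1'])
    @app = app
    @trusted_proxies = trusted_proxies
  end

  def call(env)
    return redirect_to_https(env) unless secure?(env)

    status, headers, body = @app.call(env)
    headers = headers.dup
    # HSTS: the browser remembers to use TLS for every later request,
    # so there is no HTTP -> HTTPS transition to attack after the first one.
    headers['Strict-Transport-Security'] ||= "max-age=#{ONE_YEAR}; includeSubDomains"
    # Mark cookies (e.g. _session_id) Secure so they are never sent over plain HTTP.
    # Header names are capitalised here as in Rack 1.x/2.x; Rack 3 lowercases them.
    if headers['Set-Cookie']
      headers['Set-Cookie'] = headers['Set-Cookie'].split("\n").map do |cookie|
        cookie =~ /;\s*secure/i ? cookie : "#{cookie}; Secure"
      end.join("\n")
    end
    [status, headers, body]
  end

  private

  # A request counts as secure only if it arrived over https directly, or if a
  # trusted proxy terminated TLS and says so. X-Forwarded-Proto from an
  # untrusted peer is ignored, otherwise anyone could claim "https" and skip
  # the redirect.
  def secure?(env)
    return true if env['rack.url_scheme'] == 'https'
    forwarded = env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip
    forwarded == 'https' && @trusted_proxies.include?(env['REMOTE_ADDR'])
  end

  def redirect_to_https(env)
    host = env['HTTP_HOST'] || env['SERVER_NAME']
    location = "https://#{host}#{env['PATH_INFO']}"
    location += "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].to_s.empty?
    # 301 for GET/HEAD; 307 for other methods so the client re-sends the body
    # with the same method instead of silently turning a POST into a GET.
    status = %w[GET HEAD].include?(env['REQUEST_METHOD']) ? 301 : 307
    [status, { 'Location' => location, 'Content-Type' => 'text/plain', 'Content-Length' => '0' }, []]
  end
end

# Constructed sample app and requests (assumptions for the demo, not real traffic).
SAMPLE_APP = lambda do |_env|
  [200, { 'Content-Type' => 'text/plain',
          'Set-Cookie' => '_session_id=abc123; Path=/; HttpOnly' }, ['ok']]
end

def demo
  app = ForceTLS.new(SAMPLE_APP)
  plain = { 'rack.url_scheme' => 'http', 'REQUEST_METHOD' => 'GET',
            'HTTP_HOST' => 'example.com', 'PATH_INFO' => '/articles',
            'QUERY_STRING' => 'q=1', 'REMOTE_ADDR' => '127.0.0.1' }
  # Same request but a remote client forges X-Forwarded-Proto itself.
  forged = plain.merge('HTTP_X_FORWARDED_PROTO' => 'https', 'REMOTE_ADDR' => '203.0.113.5')
  # Same request as nginx would proxy it after terminating TLS.
  proxied = plain.merge('HTTP_X_FORWARDED_PROTO' => 'https')
  post_plain = plain.merge('REQUEST_METHOD' => 'POST')
  { plain: app.call(plain), forged: app.call(forged),
    proxied: app.call(proxied), post_plain: app.call(post_plain) }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, (status, headers, _)| puts "#{name}: #{status} #{headers.inspect}" }
end
```

In a Rails 3.1 app the equivalent switch is `config.force_ssl = true` in the environment config, which installs Rails' own middleware with the same three behaviours; the point of spelling it out is the trusted-proxy check, which is what makes "the web server handles TLS" safe when the app process itself only ever sees plain HTTP from nginx.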