Devise auth based on ssl keys

Hi, guys.

I already have a vast Rails 3.1.2 and Ruby 1.9.3 app with an auth based
on Devise. Now I want to add an SSL-key-based auth to my app. As
web server it uses thin, with nginx as proxy. I have set up SSL only on
nginx at 443 and only for some app paths (e.g. /articles, /search etc).
How can I tell my app and Devise to use the SSL keys and assign them
to the app users (link users' _session_id and the key together)?

lobster lobster wrote in post #1114299:

I already have a vast Rails 3.1.2 and Ruby 1.9.3 app with an auth based
on Devise. Now I want to add an SSL-key-based auth to my app. As
web server it uses thin, with nginx as proxy. I have set up SSL only on
nginx at 443 and only for some app paths (e.g. /articles, /search etc).
How can I tell my app and Devise to use the SSL keys and assign them
to the app users (link users' _session_id and the key together)?

Sorry, but I don’t completely understand your question. Your Rails app
should have nothing to do with SSL/TLS keys in any way. Your Rails app
should ensure that all URLs that need to be secure use the https
protocol and nothing more. Any SSL/TLS key exchange should be handled by
the web server. That should all happen before your Rails app receives
any request.

You also mention that only some paths use SSL/TLS. I would highly
recommend against doing that. If you need SSL/TLS anywhere in your site,
then use SSL/TLS everywhere in your site. Force SSL/TLS on the first
request and have all subsequent requests use that SSL/TLS connection.

It has been shown that any transition from HTTP to HTTPS is vulnerable
to attack. Notice that many popular sites are now SSL/TLS everywhere
(e.g. Github, Facebook, Google Mail, Banking, etc.). There is very
little cost in using SSL/TLS all the time, and the benefits of doing so
far outweigh the costs. This also eliminates the possibility of mistakes
in your Rails app that may redirect from a TLS page to a non-TLS page
since all URLs will be secure.
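As an added example (not code from either poster), here is what "force SSL/TLS on the first request and keep all later requests on it" looks like as a small Rack-style middleware for a thin-behind-nginx setup like the one described: plain-HTTP requests are redirected to https, an HSTS header is sent so the browser stops trying HTTP at all, and every Set-Cookie (including the Devise _session_id cookie) is flagged Secure so it never travels over HTTP. It assumes nginx overwrites the X-Forwarded-Proto header; the header and hostnames are illustrative.

```ruby
# Minimal Rack-compatible middleware that enforces TLS everywhere.
# No gems needed: a Rack app is any object whose #call(env) returns
# [status, headers, body]. Assumption: the proxy (nginx) sets
# X-Forwarded-Proto itself (proxy_set_header X-Forwarded-Proto $scheme;),
# otherwise a client could spoof it and bypass the redirect.
class ForceTLS
  HSTS = 'max-age=31536000; includeSubDomains'.freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    return redirect_to_https(env) unless secure?(env)

    status, headers, body = @app.call(env)
    headers = headers.dup
    # Tell the browser to use TLS for this host from now on (HSTS).
    headers['Strict-Transport-Security'] = HSTS
    # Never let the session cookie be sent over plain HTTP.
    if headers['Set-Cookie']
      headers['Set-Cookie'] = secure_cookies(headers['Set-Cookie'])
    end
    [status, headers, body]
  end

  private

  # Thin itself only sees plain HTTP from nginx, so the scheme the client
  # used arrives in the (proxy-controlled) X-Forwarded-Proto header.
  def secure?(env)
    return true if env['rack.url_scheme'] == 'https'
    env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip == 'https'
  end

  def redirect_to_https(env)
    host = env['HTTP_HOST'] || env['SERVER_NAME']
    url = "https://#{host}#{env['PATH_INFO']}"
    url += "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].to_s.empty?
    # 301 for idempotent reads; 307 preserves method and body for the rest.
    status = %w[GET HEAD].include?(env['REQUEST_METHOD']) ? 301 : 307
    [status, { 'Location' => url, 'Content-Type' => 'text/plain' }, []]
  end

  # Rack joins several Set-Cookie values with "\n"; flag each one Secure.
  def secure_cookies(value)
    value.split("\n").map do |cookie|
      cookie =~ /;\s*secure/i ? cookie : "#{cookie}; Secure"
    end.join("\n")
  end
end
```

Wrap the Rails app with `use ForceTLS` in config.ru (or rely on Rails' own `config.force_ssl = true`, which does the same job) so that no route, not just /articles and /search, is ever served over HTTP.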