Forum: Ruby on Rails SSL for login page only

donut donut (donut)
on 2007-01-12 04:02
I'm having difficulty setting up my site so that only the login page
uses SSL.  I'm confused by the config.  Can someone please explain?

I'm setting up my environment using WEBrick.  I got WEBrick running with
ssl on port 3001 thanks to this script: http://pastie.caboo.se/25896

My understanding is that the ssl config is done in the server config
script, not in my rails app code.  Correct me if I'm wrong.

Now that I have the site running, a user can connect to
https://localhost/account/login but he can't go to any other pages with
the normal non-SSL HTTP.  Am I supposed to also have a non-SSL WEBrick
running at the same time?  If so, these 2 webricks would be listening on
2 different ports (3000 and 3001).  What I want to do eventually in
production is to make the following links work:

http://www.mysite.com/myhome               (non-SSL)
https://www.mysite.com/account/login       (SSL)

Thanks for your help.
Andrew Skegg (askegg)
on 2007-01-12 04:49
donut donut wrote:
> I'm having difficulty setting up my site so that only the login page
> uses SSL.  I'm confused by the config.  Can someone please explain?
>
> I'm setting up my environment using WEBrick.  I got WEBrick running with
> ssl on port 3001 thanks to this script: http://pastie.caboo.se/25896
>
> My understanding is that the ssl config is done in the server config
> script, not in my rails app code.  Correct me if I'm wrong.
>
> Now that I have the site running, a user can connect to
> https://localhost/account/login but he can't go to any other pages with
> the normal non-SSL HTTP.  Am I supposed to also have a non-SSL WEBrick
> running at the same time?  If so, these 2 webricks would be listening on
> 2 different ports (3000 and 3001).  What I want to do eventually in
> production is to make the following links work:
>
> http://www.mysite.com/myhome               (non-SSL)
> https://www.mysite.com/account/login       (SSL)
>
> Thanks for your help.

SSL seems to be flavour of the day.

The short answer is HTTP and HTTPS *do* run on different ports (80 & 443
by default), so you will need to configure 2 servers.

Try section 5 here (he is using mongrel, so the details may vary):
http://blog.codahale.com/tags/ruby-on-rails/

When I was working with LDAP it was possible to secure any connection on
any port using TLS.  I know most browsers now support TLS but I have not
tried to secure an HTTP connection, so I don't know if this is possible.
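
The two-listener arrangement from the answer above, as an added example that is not part of the original thread: the routing decision each listener would make so that only the login path is served over SSL. The host name, the path list and the function names are assumptions made for this example; the ports are the 3000/3001 pair mentioned in the question.

```ruby
# Added example; all values are constructed for illustration.
HOST      = "localhost"                          # configured host, not the request's Host header
PORTS     = { "http" => 3000, "https" => 3001 }  # the two dev listeners from the thread
DEFAULTS  = { "http" => 80, "https" => 443 }     # ports that are left out of a URL
SSL_PATHS = ["/account/login"].freeze            # paths served only over SSL (assumed list)
SAFE      = %w[GET HEAD].freeze                  # methods that may be redirected

# True for an SSL-only path or anything below it; a trailing slash is ignored.
def ssl_required?(path)
  clean = path.sub(%r{/+\z}, "")
  SSL_PATHS.any? { |p| clean == p || clean.start_with?("#{p}/") }
end

# Build the URL for the same path on the other listener.
def url_on(scheme, path, query = nil, ports = PORTS)
  port = ports.fetch(scheme)
  authority = port == DEFAULTS[scheme] ? HOST : "#{HOST}:#{port}"
  url = "#{scheme}://#{authority}#{path}"
  (query.nil? || query.empty?) ? url : "#{url}?#{query}"
end

# Decide what the listener that received the request should do.
# Returns [:serve], [:redirect, url] or [:reject].
def route(method, scheme, path, query = nil, ports = PORTS)
  want = ssl_required?(path) ? "https" : "http"
  return [:serve] if scheme == want
  # A form body that arrived over plain HTTP has already crossed the wire
  # unencrypted; redirecting it would hide the problem, so refuse it.
  return [:reject] if want == "https" && !SAFE.include?(method)
  # Only safe methods are redirected; an HTTPS POST to a non-SSL path is served as is.
  return [:serve] unless SAFE.include?(method)
  [:redirect, url_on(want, path, query, ports)]
end
```

With the production ports (80 and 443) passed as `ports`, the redirect URLs carry no port number. Once the browser is back on the non-SSL listener, any session cookie set at login is sent without SSL protection.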
donut donut (donut)
on 2007-01-12 05:26
Andrew Skegg wrote:
> The short answer is HTTP and HTTPS *do* run on different ports (80 & 443
> by default), so you will need to configure 2 servers.
>
> Try section 5 here (he is using mongrel, so the details may vary):
> http://blog.codahale.com/tags/ruby-on-rails/
>
> When I was working with LDAP it was possible to secure any connection on
> any port using TLS.  I know most browsers now support TLS but I have not
> tried to secure an HTTP connection, so I don't know if this is possible.

Thanks, Andrew!  This is what I need!  I now have 2 webricks running in
my dev environment.  The link you gave has a lot of good info.  I'll
move to mongrel + apache for production.
Andrew Skegg (askegg)
on 2007-01-12 05:37
donut donut wrote:
> Thanks, Andrew!  This is what I need!  I now have 2 webricks running in
> my dev environment.  The link you gave has a lot of good info.  I'll
> move to mongrel + apache for production.

All the cool kids are using mongrel nowadays.  In fact, Rails 1.2
defaults to mongrel for development.

You got my interest up in trying to secure HTTP with TLS.  The web seems
sparse on details of doing this - I might give it a go over the weekend.