Rails 3 SSL Deprecation

Asked 3/9, 2010 at 8:27 Answered 5/4, 2014 at 3:44

I am upgrading an application to Rails 3.0.0 and am wondering if the standard method for adding SSL has changed (I vaguely remember demos indicating the router could now handle SSL, though I'm not sure if it was just for demonstration purposes). I currently use the "ssl_requirement" gem, however it gives:

DEPRECATION WARNING: Using #request_uri is deprecated. Use fullpath instead. (called from ensure_proper_protocol at /Library/Ruby/Gems/1.8/gems/ssl_requirement-0.1.0/lib/ssl_requirement.rb:53)

Also, it appears to break when handling the new 'data-method' attributes. For example:

<%= link_to "Logout", user_path, :method => :delete %>

Works fine when accessing from an SSL section of the application, but fails (attempts to render show action) when followed from a non-SSL section (all actions in the user controller require SSL, although I understand that the destroy action does not transmit secure data).

Immotile answered 3/9, 2010 at 8:27 Comment(0)

It's indeed pretty simple in Rails 3. In config/routes.rb:

MyApplication::Application.routes.draw do
  resources :sessions, :constraints => { :protocol => "https" }
end

Or if you need to force SSL for multiple routes:

MyApplication::Application.routes.draw do
  scope :constraints => { :protocol => "https" } do 
    # All your SSL routes.
  end
end

And linking to SSL routes can be done like this:

<%= link_to "Logout", sessions_url(:protocol => 'https'), :method => :delete %>

If you wish to automatically redirect some controllers (or actually, some subpaths) to an equivalent https-based URL, you can add something like this to your routes (I wish this part were simpler):

# Redirect /foos and anything starting with /foos/ to https.
match "foos(/*path)", :to => redirect { |_, request|
  "https://" + request.host_with_port + request.fullpath }

Barium answered 3/9, 2010 at 11:51 Comment(6)

This seems to be more complex than using 'ssl_requirement'. Is it the new standard method of doing it in Rails 3 or is 'ssl_requirement' still usable? Thanks. – Immotile 3/9, 2010 at 15:58

@Kevin: Apart from the automatic redirection, I think it's pretty easy. Moreover, this is all possible with the standard routing DSL, something that couldn't be done in Rails 2, hence the need for an external library. – Barium 3/9, 2010 at 16:11

In the development environment, do scope :constraints => { :protocol => Rails.env.production? ? 'https' : 'http' } do ... end Source: themomorohoax.com/2010/10/08/using-ssl-in-rails-3 – Grimona 27/4, 2011 at 3:22

Note that in Rails 3.1, it is getting simpler: simonecarletti.com/blog/2011/05/configuring-rails-3-https-ssl – Barium 5/5, 2011 at 21:27

The match rule you give creates a redirect loop. – Inflate 21/12, 2012 at 19:49

@KevinSylvestre How is this more complex? You could just use scope to wrap all your https routes in one place, as opposed to doing this in each individual controller and trying to keep track of that. It's way more DRY. – Quicklime 29/8, 2013 at 15:59

After spending an afternoon looking for the best solution I settled on the approach described in this article: http://clearcove.ca/blog/2010/11/how-to-secure-a-rails-app-on-heroku-with-ssl-firesheep/ which referenced this article: Force SSL using ssl_requirement in Rails 2 app

Basically do this:

# lib/middleware/force_ssl.rb
class ForceSSL
  def initialize(app)
    @app = app
  end

  def call(env)
    if env['HTTPS'] == 'on' || env['HTTP_X_FORWARDED_PROTO'] == 'https'
      @app.call(env)
    else
      req = Rack::Request.new(env)
      [301, { "Location" => req.url.gsub(/^http:/, "https:") }, []]
    end
  end
end

# config/application.rb
config.autoload_paths += %W( #{ config.root }/lib/middleware )

# config/environments/production.rb
config.middleware.use "ForceSSL"

Sisyphean answered 16/1, 2011 at 3:24 Comment(1)

I prefer this method as @molf's solution requires SSL even in the development environment. – Mota 26/1, 2011 at 18:17

Toppic is old but just for googling people:

in *app/controller/your_controller.rb*

 class LostPasswordsController < ApplicationController

   force_ssl

   def index
     #....
   end
 end

if globally use it in application controller

http://apidock.com/rails/ActionController/ForceSSL/ClassMethods/force_ssl

...thx S.L. for tip

Mcclintock answered 26/3, 2012 at 13:57 Comment(2)

Thanks for this. Combined with the except and only options, this is a great solution for selective SSL. – Preference 4/4, 2012 at 20:55

b.t.w. there is a differennce between config.force_ssl and controller force_ssl eq8.eu/blogs/… – Mcclintock 8/5, 2016 at 10:8

In later Rails (at least 3.12+) you can use the following, environment-specific:

in config/environments/production.rb (or other environment)

# Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
config.force_ssl = true

Oyler answered 5/4, 2014 at 3:44 Comment(0)

Recommended topics

Hot tags