Redirect to "www" before force_ssl

I am transferring an application to Heroku, and I am having problems with SSL and redirects.

I am on Rails 3.1 and I tried to force SSL with middleware in the production.rb environment file. I kept trying to add it to the application controller.

The problem is that when I execute the full ssl command, I cannot redirect to www before it reaches the SSL requirement. This is important because the user will be shown a bad SSL certificate warning if they access https://mydomain.com . If they continue, they are then redirected to www.

Forcing SSL works and redirecting to the www subdomain works; I just need to do the redirect first.

Any ideas?

Per Nathan's comment:

I had an imperfect solution. My root_path does not force SSL. All parts with sensitive information force it. Upon arrival, all traffic is directed to www with this in my routes.rb:

    # Redirect every request for the bare domain to the same URL on www.domain.com
    constraints(:host => "domain.com") do
      match "(*x)" => redirect { |params, request|
        URI.parse(request.url).tap { |x| x.host = "www.domain.com" }.to_s
      }
    end

This can hide most of the problems, since by the time the user clicked on an entry or something else, they were already on the www domain. The browser will not warn about certificates. This worked great for this specific project. For another project, I ended up paying a lot of money for a signed wildcard certificate.

Sorry, not a real solution. If you go to https://domain.com/forcedsslpath , the project still provides security warnings.

+4
3 answers

Since your 301 is sent by the application, and the request cannot even get to the application before it hits the middleware (where rack-ssl runs), your only options are to change the middleware or to redirect before the request even gets to the middleware.

For the latter, you will have to poke around Heroku. I do not use it myself. When deploying to a VPS, you would simply add the redirect to your front-facing web server (Apache, nginx) before the request even gets to the middleware. This seems like a common case, so I believe Heroku may have something for you.

For the former, it should not be difficult. The rack-ssl middleware is very, very simple, and it shouldn't be difficult to modify it to suit your needs.

https://github.com/josh/rack-ssl/blob/master/lib/rack/ssl.rb#L58

I suppose something like url.host = "www.myhost.com" might be what you want (although there are probably more FQDN-agnostic ways to do it).

+2

This is how I solved the problem. I removed config.force_ssl = true from production.rb and instead used:

Add this method to ApplicationController:

    # Redirect plain-HTTP requests to HTTPS, in production only
    def force_ssl
      if Rails.env.production?
        redirect_to :protocol => 'https' unless request.ssl?
      end
    end

And add it as a before filter in ApplicationController:

    before_filter :force_ssl

I also use ensure_domain, which switches from http://example.com to http://www.example.com. Make sure that filter runs before force_ssl.

+2

You have to do this with a redirect in Rack that runs before the force_ssl middleware.

This post shows how to do this.

http://blog.dynamic50.com/2011/02/22/redirect-all-requests-for-www-to-root-domain-with-heroku/

Hope this helps.

+1
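The redirect-before-force_ssl approach the answers describe, as an added example that is not part of the original thread: a minimal Rack middleware (the class name CanonicalHost and the domain.com hosts are assumptions) that sends requests for the bare domain straight to https://www.domain.com. It only helps requests that arrive over plain HTTP; a request to https://domain.com fails certificate validation during the TLS handshake, before any middleware runs.

```ruby
# Added example, not from the thread. Class name and hosts are assumptions.
class CanonicalHost
  def initialize(app, canonical, aliases)
    @app = app
    @canonical = canonical
    @aliases = aliases.map(&:downcase)
  end

  def call(env)
    return @app.call(env) unless @aliases.include?(request_host(env))

    # Build the target from the configured host only, never from the Host
    # header, so a forged header cannot steer the redirect to another site.
    target = "https://#{@canonical}#{env['PATH_INFO']}"
    query = env["QUERY_STRING"].to_s
    target += "?#{query}" unless query.empty?
    [301, { "Location" => target, "Content-Type" => "text/plain" }, ["Moved\n"]]
  end

  private

  # Host header without the port, lower-cased; SERVER_NAME as a fallback.
  def request_host(env)
    (env["HTTP_HOST"] || env["SERVER_NAME"]).to_s.downcase.sub(/:\d+\z/, "")
  end
end

# Rails 3.1 wiring (config.force_ssl installs Rack::SSL), in production.rb:
#   config.middleware.insert_before Rack::SSL, CanonicalHost,
#                                   "www.domain.com", ["domain.com"]

# Constructed demo: a stand-in for the rest of the stack and two requests.
if __FILE__ == $PROGRAM_NAME
  inner = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["app\n"]] }
  stack = CanonicalHost.new(inner, "www.domain.com", ["domain.com"])
  [["domain.com", "/login", "next=%2Faccount"],
   ["www.domain.com", "/", ""]].each do |host, path, query|
    env = { "HTTP_HOST" => host, "PATH_INFO" => path, "QUERY_STRING" => query }
    status, headers, _body = stack.call(env)
    puts "#{host}#{path} -> #{status} #{headers['Location']}"
  end
end
```

Because the redirect goes directly to the HTTPS www URL, a visitor to http://domain.com never lands on https://domain.com, which is the hop that triggers the certificate warning when force_ssl runs first.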