There’s a lot of buzz right now about Firesheep and non-secure Rails applications.
This is a pretty simple problem to solve with Apache's mod_rewrite: if the traffic isn't on HTTPS, force it to be. This configuration only needs to be in production, of course.
Here’s /etc/apache2/sites-enabled/adgrok:
```apache
<VirtualHost *:80>
    ServerName secure.adgrok.com
    RewriteEngine On
    # Anything that arrives over plain HTTP is redirected to the same URI on HTTPS.
    # The query string is carried over automatically because the substitution has no '?'.
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://secure.adgrok.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

# NameVirtualHost is a server-level directive; Apache refuses to start if it is
# placed inside a <VirtualHost> block, so it lives out here.
NameVirtualHost *:443

<IfModule mod_ssl.c>
<VirtualHost *:443>
    SSLEngine on
    ServerAdmin webmaster@adgrok.com
    ServerName secure.adgrok.com
    SSLCertificateFile /etc/ssl/private/secure.adgrok.com.crt
    SSLCertificateKeyFile /etc/ssl/private/adgrok.key
    SSLCertificateChainFile /etc/ssl/private/sf_bundle.crt
    # 'all' on its own also enables SSLv2 and SSLv3; switch those off.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:MEDIUM
    DocumentRoot /u/apps/adgrok/current/public
    <Directory /u/apps/adgrok/current/public>
        Options -MultiViews
        AllowOverride all
    </Directory>
    ErrorLog /var/log/apache2/error.log
    LogLevel info
    CustomLog /var/log/apache2/access.log combined
</VirtualHost>
</IfModule>
```
Note that all of our CSS uses relative paths, and we use named routes in our Rails views, which takes care of the other URLs.
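Two things are worth checking once the redirect is in place: that a plain-HTTP request really is bounced to the same URI on HTTPS (path and query string intact), and that the Rails session cookie is set with the Secure attribute. The redirect alone does not protect the cookie: a cookie without Secure is still sent by the browser on that first plain-HTTP request, which is exactly what Firesheep picks up. The script below is an added example, not code from the original post or from AdGrok; the raw responses it inspects are constructed samples, and the cookie name `_adgrok_session` is an assumption based on the Rails default `_<app>_session`.

```python
"""Offline checks for the 'force HTTPS' behaviour the Apache vhost above should
produce. Added example, not from the original post; all responses below are
constructed samples rather than captured traffic."""

from email.parser import Parser
from urllib.parse import urlsplit


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = Parser().parsestr(header_block)  # same parser http.client uses
    return status, headers


def check_http_redirect(raw, expected_host, request_uri):
    """Issues found in the response the port-80 vhost gives to a plain-HTTP
    request for request_uri. Correct behaviour is a redirect whose Location is
    https://<expected_host><request_uri>: same host, same path and query, HTTPS."""
    issues = []
    status, headers = parse_response(raw)
    if status not in (301, 302, 307, 308):
        issues.append(f"expected a redirect, got status {status}")
        return issues
    location = headers.get("Location", "")
    target = urlsplit(location)
    if target.scheme != "https":
        issues.append(f"redirect target is not https: {location}")
    if target.netloc != expected_host:
        issues.append(f"redirect leaves the host: {target.netloc}")
    wanted = urlsplit(request_uri)
    if (target.path, target.query) != (wanted.path, wanted.query):
        issues.append(f"redirect drops part of the request URI: {location}")
    return issues


def check_session_cookie(raw, cookie_name):
    """Issues with how the HTTPS response sets the session cookie. Without the
    Secure attribute the browser also sends the cookie over plain HTTP (before
    the redirect happens), so the session is still exposed on the wire."""
    issues = []
    _status, headers = parse_response(raw)
    for cookie in headers.get_all("Set-Cookie") or []:
        name = cookie.split("=", 1)[0].strip()
        if name != cookie_name:
            continue
        attrs = {part.strip().split("=", 1)[0].lower() for part in cookie.split(";")[1:]}
        if "secure" not in attrs:
            issues.append(f"{cookie_name} lacks Secure; it will be sent over plain HTTP")
        if "httponly" not in attrs:
            issues.append(f"{cookie_name} lacks HttpOnly")
        return issues
    issues.append(f"{cookie_name} not set")
    return issues


# Constructed sample: what the port-80 vhost returns for GET /login?next=%2Fdashboard.
PLAIN_HTTP_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://secure.adgrok.com/login?next=%2Fdashboard\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: an HTTPS response whose session cookie lacks Secure.
WEAK_HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: _adgrok_session=abc123; path=/; HttpOnly\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: the same response with the cookie set correctly.
HARDENED_HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: _adgrok_session=abc123; path=/; Secure; HttpOnly\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("redirect:", check_http_redirect(PLAIN_HTTP_RESPONSE, "secure.adgrok.com",
                                           "/login?next=%2Fdashboard") or "ok")
    print("weak cookie:", check_session_cookie(WEAK_HTTPS_RESPONSE, "_adgrok_session"))
    print("hardened cookie:", check_session_cookie(HARDENED_HTTPS_RESPONSE, "_adgrok_session") or "ok")
```

To run this against a live server, feed the functions the raw response text from a plain-HTTP and an HTTPS request for the same path; the query-string check matters because a rewrite that builds its own target with a `?` would silently drop the original query.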