Can't Get Devise Emails to Use HTTPS - ruby-on-rails

I'm using Rails 3.2.8 and Devise 2.0.4. I'm trying to get Devise emails to send using the 'https' protocol, but none of the solutions I can find are working.
I've already added this to my config/production.rb file:
config.action_mailer.default_url_options = { :host => 'www.mysite.com', :protocol => 'https' }
And this to the top of the same file...
config.force_ssl = true
My NON-Devise emails are working correctly, but these settings appear to have no effect on the Devise emails. As a result, when the http link is clicked in the email, my Apache server is redirecting to 'https' but the trailing slash is being removed and, thus, the URL can't be found. I've tried adding a trailing slash on the Apache server, but that doesn't seem to work, either. I'm not sure what else to try.

Try this, including the protocol in your host parameter:
config.action_mailer.default_url_options = { :host => 'https://www.example.com' }
This works in Rails 5 and Devise 4, but you would have to test it in Rails 3.2.

Related

Rails application resources not getting rendered over https

I am using ruby 2.4.0p0 and Rails 5.2.3
In the production.rb file I have done the following setting:
# Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
config.force_ssl = true
if Rails.application.config.force_ssl
Rails.application.routes.default_url_options[:protocol] = 'https'
end
But the resources are still being rendered over http rather than https. Do I need to do anything extra? Please tell me what needs to be done to get all assets loaded from S3 over https.
The website is live here at: https://tukaweb.com/asset/garments
The s3 resources are at http
ex: http://tukaweb.s3.amazonaws.com/uploads/three_d_garment/thumbnail/7/Womens_Dress_35-41_Thumbnail.png?X-Amz-Expires=600&X-Amz-Date=20200918T060705Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIRDA3IQIVTEPMN6Q%2F20200918%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=1792bd4cc2437abd950b7d16d360d09e64423bdef89f41c24a5386d35e982dfa
I need them over https.
The required change has to be made in carrierwave.rb inside the webapp/config/initializers directory. I modified the settings as:
CarrierWave.configure do |config|
  config.fog_provider = 'fog/aws'
  config.fog_credentials = {
    provider: 'AWS',
    aws_access_key_id: 'XXXXXXXXXX',
    aws_secret_access_key: 'xxxxxxxxxx',
    use_iam_profile: false,
    region: 'us-west-2', # optional, defaults to 'us-east-1'
    # host: 'ec2-xx-xxx-xx-xx.us-west-2.compute.amazonaws.com', # optional, defaults to nil
    :endpoint => 'https://s3.amazonaws.com',
  }
  config.fog_directory = 'tukaweb' # required
  config.fog_public = false # optional, defaults to true
  # config.fog_attributes = { cache_control: "public, max-age=#{365.days.to_i}" } # optional, defaults to {}
end
The line responsible for making S3 resources download over https instead of http:
:endpoint => 'https://s3.amazonaws.com' ## earlier it was 'http://s3.amazonaws.com'
Force SSL only works for incoming requests to the Rails routes. If you have an image link set to http://image-domain.com/image, it's going to use http, and you'll get a mixed content warning. You need to ensure anything external to the app's routes is also using SSL or a secure connection.
The first thing I do when I see a mixed content warning is a global search of the codebase for http:// to find everywhere that isn't using https://. I may or may not do a global find and replace depending on what I see; there are cases where it needs to be http:// or it won't work right (if the site doesn't have an https:// version).
Next thing is to work out what is causing the insecure url, here it is S3, so I would be looking at what uses S3, and working out how I can tell it to use SSL or a secure connection.
Note: The other answer does well explaining what your actual issue is, but this may be more useful to others for general troubleshooting of mixed content issues, and would lead to the same result.
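The "search for http://" step above, carried over to the rendered page, as an added example that is not part of either answer. It takes HTML that will be served over https, reports every http:// subresource, and classifies each the way browsers treat it: active content (scripts, stylesheets, frames) is blocked outright, passive content (images, media) loads but triggers the mixed-content warning the question describes. Plain Ruby only; the sample page, host names and the regex-based tag matching are this example's own constructions.

```ruby
# Added example, not code from the original answers: a small mixed-content
# finder for a page that will be served over https.

# Tags that load subresources, and how browsers treat an http:// reference.
# Navigation links (<a href>) are not subresources, so they are ignored.
MIXED_KIND = {
  'script' => :active,  'link'  => :active,  'iframe' => :active,
  'object' => :active,  'embed' => :active,
  'img'    => :passive, 'audio' => :passive, 'video'  => :passive, 'source' => :passive
}.freeze

TAG_RE  = /<(\w+)\b([^>]*)>/i
ATTR_RE = /\b(src|href)\s*=\s*["']?(http:\/\/[^"'\s>]+)/i

# Returns an array of { line:, tag:, attr:, url:, kind: } for each http:// subresource.
def find_mixed_content(html)
  findings = []
  html.each_line.with_index(1) do |line, lineno|
    line.scan(TAG_RE) do |tag, attrs|
      kind = MIXED_KIND[tag.downcase] or next
      attrs.scan(ATTR_RE) do |attr, url|
        findings << { line: lineno, tag: tag.downcase, attr: attr.downcase, url: url, kind: kind }
      end
    end
  end
  findings
end

# The fix for each finding: point the reference at https:// instead.
def to_https(url)
  url.sub(%r{\Ahttp://}i, 'https://')
end

# Constructed sample page modeled on the question: a thumbnail fetched from S3 over http.
SAMPLE_HTML = <<~HTML
  <html><head>
    <link rel="stylesheet" href="http://cdn.example.com/app.css">
    <script src="https://cdn.example.com/app.js"></script>
  </head><body>
    <img src="http://tukaweb.s3.amazonaws.com/uploads/thumb.png?X-Amz-Expires=600">
    <a href="http://example.com/about">about</a>
  </body></html>
HTML

if __FILE__ == $0
  find_mixed_content(SAMPLE_HTML).each do |f|
    puts "line #{f[:line]}: #{f[:kind]} mixed content in <#{f[:tag]} #{f[:attr]}> -> #{to_https(f[:url])}"
  end
end
```

Run it against a saved copy of the affected page (or a rendered view in a test) and fix the active findings first, since browsers block those entirely; the passive ones are the source of the warning. Note that the S3 URL in the question is a presigned one, so rewriting its scheme in the page is not enough; the signer (CarrierWave/fog here) has to emit https, which is what the other answer's endpoint change does.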

Rails 5 config.force_ssl blocking access to subdomains that point to a different server

I am running a Rails 5 site with config.force_ssl set to true. The problem that I am having is that this creates cookies which force SSL on all subdomains, even ones that are not part of the app or hosted on the same server. For example, I have mail.example.com which has its DNS pointed at Google and blog.example.com which has its DNS pointed to NameCheap servers. The cookie created by config.force_ssl redirects both of these to https and thereby blocks access to those pages.
Based on the ActionDispatch::SSL documentation I can see that this is intended behavior and apparently there's a way to add exclusions to the ssl_options based on this example:
config.ssl_options = { redirect: { exclude: -> request { request.path =~ /healthcheck/ } } }
I'm trying to get this to work with the subdomains mentioned, but it's not working. The same cookie is set and I am once again blocked from those subdomains. Maybe I'm not doing this right. Here is the line:
config.ssl_options = { redirect: { exclude: -> request { request.subdomain =~ /mail|link|blog/ } } }
Alternatively, is there another way I should be doing this?

I am unable to reset password instructions on my ruby on rails web application

I am almost done with a Ruby web application which is a forum. I have only one trouble: When a user is sent reset password instructions and clicks on "forgot my password", I see this error:
Showing C:/ruby/lib/ruby/gems/2.1.0/gems/devise-3.4.1/app/views/devise/mailer/reset_password_instructions.html.erb where line #5 raised:
Missing host to link to! Please provide the :host parameter, set default_url_options[:host], or set :only_path to true
What can I do?
Looks like you need to specify your host in your environments.
So, say in your production.rb file, you would need something like this:
config.action_mailer.default_url_options = { host: "www.yourhostname.com" }
and in development.rb, something like this:
config.action_mailer.default_url_options = { host: "dev.yourhostname.com" }
and so on for your test environment.
Some info from the docs.
Your error message is:
Missing host to link to! Please provide the :host parameter, set default_url_options[:host], or set :only_path to true
In config.action_mailer.default_url_options, you need to set a :host parameter, so the server knows how to link back to itself. The server doesn't know its domain name or IP address to use.
So in your config/production.rb try setting something like this:
config.action_mailer.default_url_options = { host: 'www.example.com' }

One SSL page assets

I have a problem with SSL. I need only one page with SSL, but some of the assets don't switch protocol to https and the browser shows a warning.
Some fonts, SVG icons and one background image are still on http.
For assets I use Proc in env config.
config.action_controller.asset_host = Proc.new { |source, request = nil, *_|
  if request && request.ssl?
    "#{request.protocol}#{request.host_with_port}"
  else
    'http://www.mybrandnew.com'
  end
}
Anybody have this problem?
P.S: for partial SSL I already use ssl_requirement
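Why a request-dependent asset_host Proc leaves exactly the CSS-referenced assets on http, as an added example that is not part of the question. Rails hands the current request to the Proc when a view helper such as image_tag runs, but references compiled into stylesheets (font-url, asset-url, background images) are resolved at asset compile time with no request at all, so the Proc's `else` branch hard-codes http://, which matches the fonts, SVG icons and background image in the question. The FakeRequest struct, the asset_url helper and the host names are constructed for this example; the first Proc is the one from the question.

```ruby
# Added example, not code from the original question: the question's
# asset_host Proc called with and without a request, beside a variant
# that does not depend on the request at all.

# Minimal stand-in for the request object the Proc inspects (constructed).
FakeRequest = Struct.new(:ssl, :host_with_port) do
  def ssl?
    ssl
  end

  def protocol
    ssl ? 'https://' : 'http://'
  end
end

# The Proc exactly as written in the question.
QUESTION_ASSET_HOST = proc { |source, request = nil, *_|
  if request && request.ssl?
    "#{request.protocol}#{request.host_with_port}"
  else
    'http://www.mybrandnew.com'
  end
}

# Scheme-relative variant: names no scheme, so the browser reuses the scheme
# of the page that references the asset, with or without a request in hand.
# (On a site that is https everywhere, simply return 'https://www.mybrandnew.com'.)
SCHEME_RELATIVE_ASSET_HOST = proc { |_source, _request = nil, *_|
  '//www.mybrandnew.com'
}

# Models the helper side: call the configured Proc, then prefix the asset path.
# A view helper passes the request; compiled CSS passes nothing.
def asset_url(host_proc, source, request = nil)
  host = host_proc.call(source, request)
  "#{host}/assets/#{source}"
end

if __FILE__ == $0
  ssl_request = FakeRequest.new(true, 'www.mybrandnew.com')
  puts asset_url(QUESTION_ASSET_HOST, 'logo.png', ssl_request)   # image_tag on the SSL page
  puts asset_url(QUESTION_ASSET_HOST, 'icon.svg')                 # from compiled CSS: no request
  puts asset_url(SCHEME_RELATIVE_ASSET_HOST, 'icon.svg')          # same asset, scheme follows the page
end
```

The second call is the failure mode from the question: no request, so the http host wins regardless of which page is being served. Returning a scheme-relative host (or an https host) removes the dependency on the request entirely.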

rack-rewrite code to redirect https to http (on heroku)

Somehow Google indexed my homepage as https://mydomain.com. When you do a site:mydomain.com search, the first result is https://mydomain.com and I don't have a SSL cert and don't want to do https. Now our visitors get the ugly warnings in their browsers, of course (because heroku serves their *.heroku cert by default).
It seems that I can do a 301 redirect with the rack-rewrite gem but I just can't find how.
So, what is a rack-rewrite recipe to redirect all https:// to http:// ? All I can find is information on how to do the reverse thing or to make the canonical redirections.
Hmm, untested, but would something like this work?
r301 %r{.*}, 'http://non-secure-domain.com$&', :if => Proc.new {|rack_env|
rack_env['SERVER_PORT'] != '80'
}
The documentation of rack-rewrite mentions a nice way at https://github.com/jtrupiano/rack-rewrite#scheme
# Redirect all https traffic to http
r301 %r{.*}, 'http://www.example.tld$&', :scheme => 'https'
Using the scheme option from rack-rewrite will only cause an infinite loop on Heroku. You also can't rely on the port being 80 because of the way Heroku will proxy to your workers. Because of this and the way the routing layer works, you have to check the HTTP_X_FORWARDED_PROTO header:
r301 %r{.*}, 'http://example.com$&', :if => Proc.new { |rack_env|
rack_env['HTTP_X_FORWARDED_PROTO'] == 'https'
}
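The header check in the last answer, written out as a small Rack middleware, as an added example that is neither rack-rewrite's code nor from any of the answers. Behind a TLS-terminating proxy such as Heroku's router the dyno always sees a plain http connection, so rack.url_scheme is 'http' for every request and the client's real scheme arrives only in X-Forwarded-Proto. Deciding on that header (with rack.url_scheme as the fallback when no proxy is in front) gives a redirect that fires once and cannot loop. The canonical scheme is a parameter, so the same class serves the questioner's https-to-http case and the usual http-to-https case. The sample app, the sample_env helper and the host names are constructed for this example.

```ruby
# Added example, not rack-rewrite's code: a minimal Rack middleware that
# redirects to a canonical scheme using the proxy-reported scheme.
class CanonicalScheme
  def initialize(app, scheme:, host:)
    @app, @scheme, @host = app, scheme, host
  end

  # Scheme the client used as reported by the proxy; otherwise what Rack saw.
  # Only trust the header when the app is reachable solely through the proxy,
  # since any direct client could set it.
  def self.effective_scheme(env)
    forwarded = env['HTTP_X_FORWARDED_PROTO']
    return env['rack.url_scheme'] if forwarded.nil? || forwarded.strip.empty?
    # A chain of proxies may join values with commas; the first is the client's.
    forwarded.split(',').first.strip.downcase
  end

  def call(env)
    return @app.call(env) if self.class.effective_scheme(env) == @scheme

    # Redirect to a fixed host rather than echoing HTTP_HOST, so the
    # Location header can never be steered by the client.
    location = "#{@scheme}://#{@host}#{env['PATH_INFO']}"
    location += "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].to_s.empty?
    [301, { 'Location' => location, 'Content-Type' => 'text/plain' }, ['Moved Permanently']]
  end
end

# Constructed sample app: a Rack app is any object that responds to call.
OK_APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }

# Constructed Rack env as a Heroku dyno would see it: rack.url_scheme is
# always http; the proxy header carries the real scheme when one is set.
def sample_env(proto: nil, path: '/', query: '')
  env = { 'rack.url_scheme' => 'http', 'PATH_INFO' => path,
          'QUERY_STRING' => query, 'SERVER_PORT' => '3000' }
  env['HTTP_X_FORWARDED_PROTO'] = proto if proto
  env
end

if __FILE__ == $0
  downgrade = CanonicalScheme.new(OK_APP, scheme: 'http', host: 'example.com')
  status, headers, _body = downgrade.call(sample_env(proto: 'https', path: '/about', query: 'a=1'))
  puts "#{status} #{headers['Location']}"   # 301 http://example.com/about?a=1
  status, _headers, _body = downgrade.call(sample_env(proto: 'http'))
  puts status                               # 200, no second redirect
end
```

Mount it with `use CanonicalScheme, scheme: 'http', host: 'example.com'` in config.ru (or the equivalent rack-rewrite rule from the answer above). The port check from the earlier answer fails for the reason the last answer gives: the dyno's SERVER_PORT is never 80, so that condition would redirect every request, including ones that are already on the canonical scheme.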
