I'm developing a chat-based app with Ruby on Rails.
Since I have to make the app show the messages in realtime, I decided to implement pub/sub with the gem "render_sync".
That gem is using Faye as server to handle push notifications.
So I configured everything like here's explained (https://github.com/chrismccord/render_sync), started the main server at port 3000, the faye server at port 9292, and it works seamlessly.
But when I decided to move my app under SSL (with a self signed certificate), it is not working anymore.
I created a self-signed certificate for the main server and a configuration file:
server.yml
port: 3000
ssl: true
ssl_key_file: server.key
ssl_cert_file: server.crt
then I started the main server with the command:
> thin -C config/server.yml start
At this point the app is working under SSL, but the push notifications don't.
So - looking at the chapter Serving Faye over HTTPS (with Thin) from the link posted above -, I edited "server" and "adapter_javascript_url" fields in sync.yml file, and I tried to create a configuration file for the Faye server like this:
sync_thin.yml
port: 4443
ssl: true
ssl_key_file: faye.key
ssl_cert_file: faye.crt
environment: production
rackup: sync.ru
but I can't figure out what should I put in ssl_key_file and ssl_cert_file fields!
Should I put the same .key and .crt files generated for the main server? Or do I must generate another couple of key e cert?
I tried to generate another couple of those, but the browser warns me saying that the cert is invalid.
Can anyone help me, or show me an example of a working faye ssl server somewhere?
Related
I followed this tutorial "Rails with SSL in Development The Simple Way" and successfully set up SSL for a Rails app. Now I created a second Rails app and it is trying to use SSL even though I didn't configure it to.
I am wondering why this is happening and what I can do to stop it.
I did manage to get the second app working by following the steps in the tutorial, but I didn't intend to make it use SSL. Before doing that, it was throwing errors about invalid HTTP format, parsing fails and my browser said SSL connection error - ERR_SSL_PROTOCOL_ERROR. I even made sure that config.force_ssl was set to false in in application.rb
The command to start the thin SSL server is thin start --ssl --ssl-key-file server.key --ssl-cert-file server.crt
which is slightly different than the deprecated command in the tutorial.
I'm on Linux Mint by the way.
Env
Rails 4.0.4
Using SSL certificates for HTTPS connections
In my config/environments/production.rb
# Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
config.force_ssl = true
This is how I start my server:
thin start -e production -d -p 3001 -P ./tmp/pids/thin_https.pid --ssl --ssl-key-file /etc/ssl/current/www_domain_io.key --ssl-cert-file /etc/ssl/current/WWW.DOMAIN.IO.crt
Then I am getting this screen when accessing my production website:
I click OK, and I land on my page https://www.domain.io page successfully. The entity is verified and the https: show in green. So I am good ... but why do I get that "Select a certificate to authenticate to www.domain.io:443` ? I figured that once my entity was verified I should land automatically on my page ? Any ideas?
UPDATE
The documention shows --ssl-disable-verify option that is actually not available on thin 1.6.2 codename Doc Brown
SSL options:
--ssl Enables SSL
--ssl-key-file PATH Path to private key
--ssl-cert-file PATH Path to certificate
--ssl-disable-verify Disables (optional) client cert requests <=== this is NOT available
I have posted an issue on github
Thin lighthouse ticket about --ssl-disable-verify
Existing ticket on GitHub
I just don't understand how to get the version of thin where this option is available.
A similar post on SO suggests your .crt file includes the root CA certificate for your certificate chain. Remove it, and you should be good to go.
Intermediate certifcates should still remain in the .crt file, presumably.
You're starting your thin server on port 3001, but you're connecting to the regular https URL, which by default connects to port 443. So I assume you have a web server instance (Apache/nginx) proxying requests for thin.
If that's the case, you should disable SSL for thin, as this will be handled by the proxy server in front of your thin instance.
If you don't have a reverse proxy, and want to use just thin, you should specify the port where thin is listening in the URL (https://example.com:3001).
I'm very surprised to find such little documentation on this topic which quite many developers must have faced before me.
We're changing our app to 100% HTTPS/SSL (as partial SSL doesn't make sense).
That's cool but before that, we need to migrate to it, hence to test it. Of course I found some basic information (here and here).
As I'd like my local environment to be as close as possible to the other ones in order to avoid unexpected errors, those solutions are not satisfying to me : they are ok for short time testing a feature, not more.
Here are the problems/questions I have:
Can I get a valid certificate for my local machine, to avoid the ugly warning step I can't even accept definitively on chrome?
Booting server with thin (thin start --ssl --ssl-verify --ssl-key-file server.key --ssl-cert-file server.crt), can I get same log messages as from rails server?
Can't I keep using rails server as a booting command (except by writing an dirty ALIAS ...)
Summary question is can I make a config so that it is transparent for anybody to run the instance of our app locally in https?
I mean, absolutely everything's done in rails to make development easy, and production robust, but here, there would be such a lack of good tools? I hardly can believe it ... or let's do it now!
Thanks for support! I'm using rails 3.2 with ruby 1.9.
Can I get a valid certificate for my local machine, to avoid the ugly
warning step I can't even accept definitively on chrome?
This depends if you're using the actual certificate for your domain (eg. example.com), or generating one just for development. If you are using the actual certificate from production, you could simply edit your hosts file to have example.com resolve to localhost. Then visiting https://example.com should load your Rails app.
You'll probably also need to include this in your application.rb:
config.force_ssl = true
If you're generating your own certificate you'll need to go through the motions of creating a private Certificate Authority to avoid the SSL warning in Chrome. This is a lot more work and probably not worth it.
Booting server with thin (thin start --ssl --ssl-verify --ssl-key-file
server.key --ssl-cert-file server.crt), can I get same log messages as
from rails server?
You should be able to tail -f log/development.log from the root of your Rails app.
Can't I keep using rails server as a booting command (except by
writing an dirty ALIAS ...)
This one is trickier as the server that runs when using rails s is WebBrick. You could try what's listed in this post here: Configuring WEBrick to use SSL in Rails 4
As an aside the typical setup for a Rails app is to proxy it behind say an SSL terminated nginx server. This way your Rails app doesn't need to know anything about SSL, as well as giving you a number of other benefits like being able to serve assets from nginx, load-balancing, virtual hosts etc.
If you're interested in setting up an environment that is identical to production I'd look into Vagrant.
My application isn't quite ready to go full SSL so in the meantime, I am allowing SSL but not requiring it. I do require SSL for certain controllers and force redirects to HTTPS for actions in such controllers.
I can start a thin server using SSL via thin start --ssl. This works great for SSL testing. However, I cannot have HTTP and HTTPS running simultaneously on the same port. Obviously, this makes testing redirects from HTTP to HTTPS quite frustrating. I can run an Apache or nginx server on top but I don't really want to go through the trouble of doing that in my development environment.
To start two servers, one for SSL and without, I use foreman like so:
web: rails server
ssl: thin start --ssl -p 3001
This starts the HTTP server on port 3000 and HTTPS server on 3001. Now my question is. How do I create a "smart redirect" policy only on my development environment only such that redirects from HTTP to HTTPS intelligently changes the port from 3000 to 3001? Thanks!
I have been trying to configure my rails project to use SSL (as application wide) with thin (by adding thin gem and placing config.force_ssl = true to application.rb) but as a result, I have an annoying problem.
When I start my rails server using rails s and try to access http://localhost:3000 it redirects to https://localhost:3000 which is correct, however it will complain about missing SSL certification..
SSL connection error
Unable to make a secure connection to the server. This may be a
problem with the server, or it may be requiring a client
authentication certificate that you don't have.
On the other hand, If I start my application using thin start --ssl and try to access http://localhost:3000 it doesn't redirect to https://localhost:3000 and complains about this:
No data received
Unable to load the webpage because the server sent no data.
but by accessing https://localhost:3000 it just shows certificate warning but it all works after agreeing to continue.
So my question is, How can I make http to https redirection work when using SSL with thin in (development mode)?
Perfect answer would contain possibility to start server normally by using rails s while SSL would be enabled application wide and accessing http redirects to https and all works! :)
Thanks in advance, have been searching for hours but cant find an answer.
You should install your own openssl signed certificate.
You can find more information on this page
Your PC as (localhost) can self sign SSL certificate and your browser can accept it, but i think that browser will not automatically accept certificate with security on that layer. Maybe to try to add your localhost certificate to the browser ?
Verify config/environments/development.rb has the following line
config.force_ssl = true
Refer the post thin with ssl support and ruby debug and the responses(from nathan and shree) that has more information on this subject:
Use ngrok (https://ngrok.com/). It's free. Installation is easy.
Just start up your server, then in another terminal window run
ngrok http 3000
ngrok will give you an address that loops back to your dev machine - something like http://randomstringhere.ngrok.io
Put that in your browser and you'll see it redirect to https://randomstringhere.ngrok.io, still routing to your server on port 3000
Here is the simplest solution.
https://makandracards.com/makandra/15903-using-thin-for-development-with-ssl