How can I force Rails to only use TLS over SSL? - ruby-on-rails

We are being forced to only use TLS instead of SSL when sending a request to a server, but we don't know how to make sure that the request is being sent using TLS, and if it's not, we're not sure how to force Rails to do it.
Here is how we are sending the request:
uri = URI.parse("https://someurl.com")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
request = Net::HTTP::Post.new(uri.path)
request.body = body
http.request(request)

try to add
http.ssl_options = OpenSSL::SSL::OP_NO_SSLv2 + OpenSSL::SSL::OP_NO_SSLv3 + OpenSSL::SSL::OP_NO_COMPRESSION

Related

In RoR, how do I send an https request over a socks port?

I’m using the below code to retrieve a web page through SOCKS
uri = URI(url)
content = nil
status = nil
content_type = nil
res1 = Net::HTTP.SOCKSProxy('127.0.0.1', 50001).start(uri.host, uri.port) do |http|
puts "launching #{uri.path}"
resp = http.get(uri.path)
status = resp.code
content = resp.body
content_type = resp['content-type']
end
In advance, I don’t know if the url is going to be “http” or “https”. When I try and connect to an https port, it appears the request is still sent over http as evidenced by below …
doc = WebpageHelper.get_url("https://whatismyip.com/")
which actually results in
2.3.0 :013 > doc.to_s
=> "<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\" \"http://www.w3.org/TR/REC-html40/loose.dtd\">\n<html>\r\n<head>\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\">\n<title>400 The plain HTTP request was sent to HTTPS port</title>\n</head>\r\n<body bgcolor=\"white\">\r\n<center><h1>400 Bad Request</h1></center>\r\n<center>The plain HTTP request was sent to HTTPS port</center>\r\n<hr>\n<center>cloudflare-nginx</center>\r\n</body>\r\n</html>\n"
Is there something I need to set in the above that can force the request over https if it is actually an https web page?

Using Net::HTTP to POST Json data to remote server

I'm Using ruby on rails and for some reason the remote server doesn't accept the format of my data, I want to make sure nothing else is wrong with with my code:
I have tried your code with following and it's returning data, you can ignore the line request.body or you can use it, in both cases it will return you the response.
uri=URI.parse('https://mkpartners.secure.force.com/services/apexrest/careers?firstName=ss&lastName=dd&email=pp#ss.com')
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
request = Net::HTTP::Get.new(uri.request_uri)
request.body =JSON.pretty_generate(data)
response = http.request(request)
The issue with the return value they are returning HTML, when you will try to prase the response using JSON.parse(response.body), it's throwing error.you need to confirm with other team that they should return json.
Problem solved, it was a webservice problem.

Making an API call over SSL in Ruby

I have a method that works just fine for calls to non-ssl apis, but it gives me the following error response whenever I request https-only apis:
757: unexpected token at '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
Instead use the HTTPS scheme to access this URL, please.<br />
</p>
</body></html>
The method is fairly straightforward:
def my_service_api_call(path = nil, query = nil)
my_service_api_key = ENV["MY_SERVICE_KEY"]
api_path = "#{path}/?api_key=#{my_service_api_key}&#{query}"
url = URI.parse(api_path)
req = Net::HTTP::Get.new(api_path)
res = Net::HTTP.start(url.host, url.port) { |http| http.request(req) }
JSON.parse(res.body)["results"]
end
This works great over http but fails over https-only. Is there an equivalent way to do HTTPS requests?
There's a more elegant way to reuse your instance of Net::HTTP and enable requests over HTTPS:
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE # Sets the HTTPS verify mode
#data = http.get(uri.request_uri)
Notice the use of use_ssl. From the documentation:
Turn on/off SSL. This flag must be set before starting session. If you change use_ssl value after session started, a Net::HTTP object raises IOError.
Note also that the usage of VERIFY_NONE is controversial, since it doesn't force the validity of of certificates to be checked. For many applications and users, this will not bear any negative ramifications. In cases where certificate validity should be checked, this post suggests the following:
Securely transfer the correct certificate and update the default certificate store or set the ca file instead.
You need to set use_ssl to true:
like this:
http = Net::HTTP.new(uri.hostname, uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
http.ssl_version = :SSLv3

Parsing HTTPS instead of HTTP in Rails

I know how to parse HTTP requrests using Net::HTTP. How do you parse HTTPS requests?
I've tried and it says as a response (one of the lines):
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
stox
Edited:
So to show you in a little bit more detail:
For example, here is the HTTP API
https://xxxxx.info/merchant/balance?password=$main_password
How do I use Net:http to run this? Or do I use something else?
Thanks
Stox
would be helpful if you showed us some code?
try setting these attributes
# assuming http is generated like this http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
# might need this as well?
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
You can achieve that by setting use_ssl to true before executing the request.
uri = URI(https://xxxxx.info/merchant/balance?password=$main_password)
res = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
http.request(req)
end
puts res.body
reference https://ruby-doc.org/stdlib-2.4.1/libdoc/net/http/rdoc/Net/HTTP.html#class-Net::HTTP-label-HTTPS

Ruby on Rails HTTPS Post Bad Request

Greetings all.
My application works with a remote server. Server uses https
authorization of the certificate. I have following code to authorize and
sends request:
uri = URI.parse("https://db1-test.content.ertelecom.ru/")
http = Net::HTTP.new(uri.host, '443')
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.ca_file = File.join(File.dirname("public/certificate.pem"),
"certificate.pem")
http.start do |http|
req =
Net::HTTP::Get.new("/cgi-bin/expr/export.get_pay_systems?partner_id=1003")
responce = http.request(req)
resp = responce.body
end
this code works well, I get the data from the server. BUT when I try to
make POST request:
http.start do |http|
req =
Net::HTTP::Post.new("/cgi-bin/expr/payment_transactions.verify_order",
params)
responce = http.request(req)
resp = responce.body
end
I get an error from the server:
Your browser sent a request that this server could not understand.
Request header field is missing ':' separator.
what is that be? I tried to find a solution, but to no avail. the
Internet caught the message that it could be antivirus, but I'm on
Linux. I will be glad to any thoughts!
You're not filling the header data.
You could either use the Net::HTTP.post_form method to create your request or populate the form_data yourself.
post_form solution:
req = NET::HTTP.post_form("/cgi-bin/expr/payment_transactions.verify_order", params)
manual form_data population
req =
Net::HTTP::Post.new("/cgi-bin/expr/payment_transactions.verify_order")
req.set_form_data(params)

Resources