One SSL page assets - ruby-on-rails

I have a problems with SSL. I need only one page with SSL, but some of assets don't change protocol on https and browser show warning.
Some fonts, svg-icons and one bg-image still with http.
For assets I use Proc in env config.
config.action_controller.asset_host = Proc.new { |source, request = nil, *_|
if request && request.ssl?
"#{request.protocol}#{request.host_with_port}"
else
'http://www.mybrandnew.com'
end
}
Anybody have this problem?
P.S: for partial SSL I already use ssl_requirement

Related

Rails application resources not getting rendered over https

I am using ruby 2.4.0p0 and Rails 5.2.3
In the production.rb file I have done the following setting:
# Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
config.force_ssl = true
if Rails.application.config.force_ssl
Rails.application.routes.default_url_options[:protocol] = 'https'
end
But still the resource are getting rendered on http rather then https do I need to do any thing extra, please provide the desired thing to be done to get all assets getting loaded from s3 loads over https.
The website is live here at: https://tukaweb.com/asset/garments
The s3 resources are at http
ex: http://tukaweb.s3.amazonaws.com/uploads/three_d_garment/thumbnail/7/Womens_Dress_35-41_Thumbnail.png?X-Amz-Expires=600&X-Amz-Date=20200918T060705Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIRDA3IQIVTEPMN6Q%2F20200918%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=1792bd4cc2437abd950b7d16d360d09e64423bdef89f41c24a5386d35e982dfa
need them over https.
The required change should be done inside the carrierwave.rb inside the webapp/config/initializers directory modified the settings as:
CarrierWave.configure do |config|
config.fog_provider = 'fog/aws'
config.fog_credentials = {
provider: 'AWS',
aws_access_key_id: 'XXXXXXXXXX',
aws_secret_access_key: 'xxxxxxxxxx',
use_iam_profile: false,
region: 'us-west-2', # optional, defaults to 'us-east-1'
# host: 'ec2-xx-xxx-xx-xx.us-west-2.compute.amazonaws.com', # optional, defaults to nil
:endpoint => 'https://s3.amazonaws.com',
}
config.fog_directory = 'tukaweb' # required
config.fog_public = false # optional, defaults to true
# config.fog_attributes = { cache_control: "public, max-age=#{365.days.to_i}" } # optional, defaults to {}
end
The line which is responsible for changing s3 resource to be downloaded from https instead of http
:endpoint => 'https://s3.amazonaws.com' ## earlier it was 'http://s3.amazonaws.com'
Force SSL only works for the incoming requests to the rail's routes. If you have an image link set to http://image-domain.com/image it's going to use the http, and you'll get a mixed content warning. You need to ensure anything external to the app's routes is going to be using SSL or a secure connection as well.
First thing I do when I see a mixed content warning is to do a global search of the codebase for http:// to find everywhere that isn't using https://. I may or may not do a global find + replace depending on what I see, there are cases where it needs to be http:// or it won't work right (if the site doesn't have an https:// version).
Next thing is to work out what is causing the insecure url, here it is S3, so I would be looking at what uses S3, and working out how I can tell it to use SSL or a secure connection.
Note: The other answer does well explaining what your actual issue is, but this may be more useful to others for general troubleshooting of mixed content issues, and would lead to the same result.

Can't Get Devise Emails to Use HTTPS

I'm using Rails 3.2.8 and Devise 2.0.4. I'm trying to get Devise emails to send using the 'https' protocol, but none of the solutions I can find are working.
I've already added this to my config/production.rb file:
config.action_mailer.default_url_options = { :host => 'www.mysite.com', :protocol => 'https' }
And this to the top of the same file...
config.force_ssl = true
My NON-Devise emails are working correctly, but these settings appear to have no affect on the Devise emails. As a result, when the http link is clicked in the email, my Apache server is redirecting to 'https' but the trailing slash is being removed and, thus, the url can't be found. I've tried adding a trailing slash on the Apache server, but that doesn't seem to work, either. I'm not sure what else to try.
Try this including the protocol in your host parameter:
config.action_mailer.default_url_options = { :host => 'https://www.example.com' }
This works in Rails 5 and Devise 4, but you would have to test it in Rails 3.2

Rails 5 config.force_ssl blocking access to subdomains that point to a different server

I am running a rails 5 site with config.force_ssl set to true. The problem that I am having is that this creates cookies which force SSL on all subdomains, even ones that are not part of the app or hosted on the same server. For example I have mail.example.com which has its DNS pointed at google and blog.example.com has it's DNS pointed to NameCheap servers. The cookie created by config.force_ssl redirects both of these to https and thereby blocks access to those pages.
Based on the ActionDispatch::SSL documentation I can see that this is intended behavior and apparently there's a way to add exclusions to the ssl_options based on this example:
config.ssl_options = { redirect: { exclude: -> request { request.path =~ /healthcheck/ } } }
I'm trying to get this to work with the subdomains mentioned, but it's not working. The same cookie is set and I am once again blocked from those subdomains. Maybe I'm not doing this right. Here is the line:
config.ssl_options = { redirect: { exclude: -> request { request.subdomain =~ /mail|link|blog/ } } }
Alternatively, is there another way I should be doing this?

rack-rewrite code to redirect https to http (on heroku)

Somehow Google indexed my homepage as https://mydomain.com. When you do a site:mydomain.com search, the first result is https://mydomain.com and I don't have a SSL cert and don't want to do https. Now our visitors get the ugly warnings in their browsers, of course (because heroku serves their *.heroku cert by default).
It seems that I can do a 301 redirect with the rack-rewrite gem but I just can't find how.
So, what is a rack-rewrite recipe to redirect all https:// to http:// ? All I can find is information on how to do the reverse thing or to make the canonical redirections.
Hmm, untested, but would something like this work?
r301 %r{.*}, 'http://non-secure-domain.com$&', :if => Proc.new {|rack_env|
rack_env['SERVER_PORT'] != '80'
}
The documentation of rack-rewrite mentions a nice way at https://github.com/jtrupiano/rack-rewrite#scheme
# Redirect all https traffic to http
r301 %r{.*}, 'http://www.example.tld$&', :scheme => 'https'
Using the scheme option from rack-rewrite will only cause an infinite loop on heroku. You also can't on the port being 80 because of the way heroku will proxy to your workers. Because of this and way the routing layer works, you have to check the HTTP_X_FORWARDED_PROTO header:
r301 %r{.*}, 'http://example.com$&', :if => Proc.new { |rack_env|
rack_env['HTTP_X_FORWARDED_PROTO'] == 'https'
}

Rails 3.1 ssl is used even if I disabled ssl?

I have added force_ssl in my ApplicationController, and deleted later, but now, every request is still prompted to https. I have tried to add config.force_ssl = false to all the configuration files in application.rb and environments/development.rb, etc., but it doesn't work. When I reboot the server, the requests are still converted to https. Any clue?
Updates:
This happens only when I request the root of the application, e.g. http://localhost:3000/, however in my config/routes.rb file I have specified the url for the root clearly: root :to => 'home#index'
You're seeing the effects of HTTP Strict Transport Security's max-age, which is set by Rack::SSL (which config.force_ssl = true sets up) to something high.
In addition to rebooting your app, you also have to clear the browser cache.
For those who it's still unclear, here is what I did to do the trick.
In application_controller.rb :
before_filter :expire_hsts
[...]
private
def expire_hsts
response.headers["Strict-Transport-Security"] = 'max-age=0'
end
In production.rb
config.force_ssl = false
Clear the cache of your web browser and that's it !
yfeldblum is absolutely correct. Disabling it and making chrome forget the header can be a pain.
Here's what I ended up putting in my config/application.rb
config.middleware.insert_before(Rack::Lock, Rack::SSL, hsts: false, exclude: proc { |env|
!env['PATH_INFO'].start_with?('/manage')
})
** note A: hsts: false is the critical bit
** note B: I'm using 1.9, so my hash syntax might be different than yours.
Beyond that, I had to open this url in Chrome chrome://net-internals/#hsts and remove the domains that had this header set.
Thankfully this didn't make it to production, because Rack::SSL sets a very long expires on this header.
if are you using nginx see option:
proxy_set_header X-Forwarded-Proto https;
and disable it!

Resources