http instead of https for heroku hosted app - ruby-on-rails

I have a ruby on rails 4 app on Heroku (my_app.herokuapp.com). I registered a domain my_domain.com and created a CNAME (alias) to point to my_app.herokuapp.com. So now when I type www.my_domain.com it serves the app on my_app.herokuapp.com. But it tries to serve it using https and not http and before displaying anything complains "The connection is untrusted". How can I temporarily fix this by changing it to http? I mean when I type www.my_domain.com in the browser I want it to serve http://my_app.herokuapp.com and not https://my_app.herokuapp.com.
Thanks a lot.

Comment out config.force_ssl = true in config/environments/production.rb

Related

How to disable SSL for custom subdomain

I've got a non wildcard SSL certificate for my root domain (example.com), and I'm using the heroku ssl endpoint add on. I'm using routing constraints so subdomain.example.com matches various controller actions, and I reroute the subdomain with CNAME records to the root domain. This all works fine in development, and it works fine in Tor browser if I disable https, but I can't get it to work in any ordinary browser.
I've tried using gem SSL-enforcer to enforce SSL except on host with subdomain as such:
config.middleware.use Rack::SslEnforcer, :except_hosts => 'subdomain.mydomain.com', :strict => true
Can I disable the https protocol for subdomain of my rails app? I feel like this might be impossible as I've read that SSL negotiations are made before the server knows the URL.
I would have recommended SSL-enforcer.....
Are you using config.force_ssl and generating a strict transport security header? I would suspect that might be the issue if it works with Tor but not a normal browser. Check the headers; if the HSTS exists, then that's probably the reason. Should be straightforward to change that (changing the max-age attribute to 0).
If not, check the Heroku docs again and make sure your settings and DNS/CNAME are correct....
https://devcenter.heroku.com/articles/ssl-endpoint#subdomain
Hope this helps.

IIS Site Bindings

I have a website in IIS 6.1, with a self-signed SSL certificate. The website contains 3 web applications, all set up to use https as binding. Whenever I browse the application, the URL shows as
https://localhost/mysite1/default.aspx
I was under the impression that by adding a Site binding to use the computer name instead would change the URL to something like:
https://myservername/mysite1/default.aspx,
which means it will no longer complain about the SSL certificate being invalid when accessing the website, as the SSL is issued by "myservername"
I used the following command:
cscript.exe //nologo %systemdrive%\inetpub\adminscripts\adsutil.vbs set W3SVC/2/SecureBindings “:443:myservername”
My application identifier (2), which is shown under the "Sites" node.
After running the command, the URL is now directing to:
https://myservername.xn--9o0a/mysite1/default.aspx
That obviously doesn't work... it added .xn--9o0a to the URL??? What am I missing?
After doing some googling I managed to find this article that explains everything and how to fix the issue I was having.
http://gavinmckay.wordpress.com/2009/03/24/howto-fix-wcf-host-name-on-iis/

lvh.me:3000 no longer resolving to localhost:3000 for testing subdomains in development

I followed Railscast 121 to set up subdomains for my site, www.blog.com, and got everything working in development. I could use lvh.me:3000 to access my application at both the root url www.blog.com and at the specific subdomains I set up e.g. john-doe.blog.com
After pushing to Heroku, I can no longer connect to the root url at lvh.me:3000. What could be causing this?
Symptoms in development environment:
I can access www.blog.com through localhost:3000.
I cannot access www.blog.com at lvh.me:3000, but CAN still access john-doe.blog.com.
I opened a DIFFERENT application www.secondapp.com, and the root path for this also works at localhost:3000 but not at lvh.me:3000. I have not set up any subdomains for secondapp, but tried the url john-doe.secondapp.com just in case, and for some reason, this works. Very strange...
I must have inadvertently adjusted some files, but I don't know where/how. It's completely beyond me why a completely different app would work with a subdomain for an unrelated app. Any feedback would be much appreciated.
This is because of the current GoDaddy outage. Once their DNS is back up, it should resolve correctly.
In the meantime, you can try editing your hosts file.

Rails: activating SSL support gets Chrome confused

There is a nice option to config for the Rails app:
config.force_ssl = true
However it seems that just putting that to true doesn't get the HTTPS connections working. Even more - after trying (and failing) to connect to https://localhost:3000 with Chrome, I've set this option to false, and Chrome still tries to open https, even if I write http.
So, couple of questions:
--How to force Chrome not to try https anymore?
--What is the proper way of enabling SSL on my Rails app?
Update: The app is run on Heroku, and it seems that https is supported there automagically. Can I test SSL also locally? Like when running rails server?
First, I should say that I haven't tried this, but there are mainly two possible reasons for Chrome still using HTTPS:
Using HTTP Strict Transport Security headers: if the server sets them, the client (supporting HSTS, like Chrome) is meant to stick to HTTPS for all subsequent requests to that host.
Permanent redirects. If the initial redirect you got was using "301 Moved Permanently" (and not 302 for example) to make the redirection (*), the browser is meant to remember it ("The requested resource has been assigned a new permanent URI and any future references to this resource SHOULD use one of the returned URIs").
A likely solution to this would be to clear the cache in your browser.
(*) This question seems to indicate this is the case for Ruby on Rails with this config).
I had the same issue. What I did is using an ssl enforcer gem which adds a middleware that handles ssl and redirects. It has a strict option which enforces the configured protocols.
in your Gemfile add:
gem 'rack-ssl-enforcer'
in production.rb add:
config.middleware.use Rack::SslEnforcer, only: %r{your_regex_condition}, strict: true
This will force the requested pages to be secured and the rest to be non secured. It disables the HSTS header which is problematic in chrome (redirect caching issue).
You can also expire the cache for all clients (if it already exists) to make sure you'll not get an infinite redirect:
config.middleware.use Rack::SslEnforcer, only: %r{your_regex_condition}, :hsts => { :expires => 1, :subdomains => false }
also remove the ssl enforcement in production.rb (otherwise it might conflict with this middleware):
config.force_ssl = false
Let's see what happened once you updated your config file with:
config.force_ssl = true
This has caused Rack SSL Middleware to be loaded as the first middleware. As you can see in the code, Rack SSL sets an HSTS header by adding this line to the headers:
Strict-Transport-Security
It tells supported browsers such as Chrome to use HTTPS only to access your website.
So once you set back:
config.force_ssl = false
Chrome will still use HTTPS to access your website and cause an error.
To solve this problem, you need to empty the HSTS cache. You can do that by going to the following url in your chrome browser:
chrome://net-internals/#hsts
Open your Chrome Developer Tools when you're at localhost: Then you can right click the refresh button ↻ and select "Empty cache and hard reload".
This error might also happen to you if you start your server in the production environment, where HSTS is enabled.
Chrome redirects you to https://localhost:3000/ and says "SSL connection error".
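The two answers above (the one listing HSTS and 301 redirects as causes, and the one explaining what config.force_ssl loads) describe browser-side state that outlives the server setting. The following is an added toy model, not code from those answers nor from the rack-ssl or rack-ssl-enforcer gems: a Rack-style middleware that does what force_ssl does, and a minimal browser with a redirect cache and an HSTS store. The ForceSsl class, APP, Browser and scenario names are all assumptions made for this example; the host localhost:3000 is taken from the question.

```ruby
# Added example: a toy model, not code from the answers above nor from the
# rack-ssl or rack-ssl-enforcer gems. It reproduces the two mechanisms the
# answers describe (a cached 301 redirect and an HSTS policy) to show why the
# browser keeps using HTTPS after config.force_ssl is switched back to false.
require 'time'

HSTS_HEADER = 'Strict-Transport-Security'

# Rack-style middleware (env hash in, [status, headers, body] out) behaving
# like what config.force_ssl = true loads: a permanent redirect for plain HTTP,
# and an HSTS header on HTTPS responses. max_age is in seconds; 0 tells the
# browser to forget the policy for this host.
class ForceSsl
  def initialize(app, max_age: 31_536_000, subdomains: false)
    @app, @max_age, @subdomains = app, max_age, subdomains
  end

  def call(env)
    if env['rack.url_scheme'] != 'https'
      location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
      return [301, { 'Location' => location }, []]
    end
    status, headers, body = @app.call(env)
    value = "max-age=#{@max_age}"
    value += '; includeSubDomains' if @subdomains
    [status, headers.merge(HSTS_HEADER => value), body]
  end
end

# The application on its own, i.e. the state with config.force_ssl = false.
APP = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<h1>ok</h1>']] }

# A toy browser keeping the two stores Chrome keeps: 301 redirects per URL
# (ordinary HTTP cache) and HSTS policies per host (a separate store, which is
# why "Empty cache" does not clear it and chrome://net-internals/#hsts exists).
class Browser
  def initialize
    @redirects = {} # "http://host/path" => "https://host/path"
    @hsts = {}      # host => Time the policy expires
  end

  def clear_cache
    @redirects.clear
  end

  # Fetch url through the given Rack app, following redirects, and return the
  # scheme the final request was actually sent with ('http' or 'https').
  def fetch(app, url, now: Time.now)
    scheme, host, path = url.match(%r{\A(https?)://([^/]+)(/.*)?\z}).captures
    path ||= '/'
    if scheme == 'http' && (expiry = @hsts[host]) && expiry > now
      scheme = 'https'                     # HSTS: upgrade before sending anything
    elsif (target = @redirects["#{scheme}://#{host}#{path}"])
      return fetch(app, target, now: now)  # cached 301: never ask the server again
    end
    env = { 'rack.url_scheme' => scheme, 'HTTP_HOST' => host, 'PATH_INFO' => path }
    status, headers, _body = app.call(env)
    if status == 301
      @redirects["#{scheme}://#{host}#{path}"] = headers['Location']
      return fetch(app, headers['Location'], now: now)
    end
    # RFC 6797: an HSTS header is only honoured when received over HTTPS.
    if scheme == 'https' && (header = headers[HSTS_HEADER])
      max_age = header[/max-age=(\d+)/, 1].to_i
      if max_age.zero?
        @hsts.delete(host)
      else
        @hsts[host] = now + max_age
      end
    end
    scheme
  end
end

# The sequence from the question, returning the scheme used at each step.
def scenario
  browser = Browser.new
  trace = {}
  trace[:with_force_ssl] = browser.fetch(ForceSsl.new(APP), 'http://localhost:3000/')
  # config.force_ssl = false: the server no longer redirects, the browser still upgrades.
  trace[:force_ssl_off] = browser.fetch(APP, 'http://localhost:3000/')
  # Serving max-age=0 over HTTPS clears the HSTS entry (what the hsts expires option is for)...
  browser.fetch(ForceSsl.new(APP, max_age: 0), 'https://localhost:3000/')
  trace[:after_max_age_zero] = browser.fetch(APP, 'http://localhost:3000/')
  # ...but the cached 301 still sends the browser to HTTPS until the cache is emptied.
  browser.clear_cache
  trace[:after_cache_cleared] = browser.fetch(APP, 'http://localhost:3000/')
  trace
end

puts scenario.inspect if $PROGRAM_NAME == __FILE__
```

Running it prints a trace in which the first three steps all end up on https and only the last one is back on http: clearing HSTS (max-age=0, or the chrome://net-internals/#hsts page) and clearing the cached 301 ("Empty cache and hard reload") are two separate fixes, and a server that merely stops redirecting does neither. The same model also shows why the subdomain question above is worth checking for an includeSubDomains directive: a policy with that flag set on the root host applies to every subdomain the browser visits afterwards.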

Rails request object contains wrong protocol

I'm running Rails 3.1.2 on Apache with the latest Passenger, 3.0.11. I'm using force_ssl to require a secure connection in a few of my application's actions.
The web browser is warning that although the identity of the site has been verified and the connection is encrypted, the page contains other resources which are not secure. The culprit is a reference to the Google Fonts API being made over plain http. My view contains the following:
= stylesheet_link_tag "#{request.port}fonts.googleapis.com/css?family=Oswald"
I also tried this:
= stylesheet_link_tag "http#{request.ssl? ? 's' : ''}://fonts.googleapis.com/css?family=Oswald"
Both of these result in the stylesheet url having "http://".
I had success doing this in a Rails 3.0.5/Passenger 3.0.7/SslRequirement, but can't get it to work in Rails 3.2.1/Passenger 3.0.11/force_ssl.
put "//fonts.googleapis.com/css?family=Oswald" without the http or https - that way the browser uses the same protocol as the page you are on and doesn't show any warnings.
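As an added example (not code from the question or the answer above), the helpers below produce the scheme-relative reference the answer recommends, or a same-scheme absolute one, and scan a page for the plain-http references that still cause the "not secure resources" warning. The asset_url and mixed_content names and the SAMPLE_PAGE markup are constructed for this example; only the fonts.googleapis.com URL comes from the question.

```ruby
# Added example, not code from the question or the answer above. asset_url
# builds the reference the answer recommends (or a same-scheme absolute one),
# and mixed_content finds the plain-http references on a page that would still
# trigger the browser's "contains other resources which are not secure" warning.
require 'uri'

# Returns url rewritten for a page served with ssl: true/false.
# scheme_relative: true drops the scheme ("//host/path") as the answer suggests;
# otherwise an http:// URL is upgraded to https:// on SSL pages. Never downgrades.
def asset_url(url, ssl:, scheme_relative: false)
  uri = URI.parse(url)
  return url unless %w[http https].include?(uri.scheme) # path-relative, "//host", data: etc.
  if scheme_relative
    url.sub(%r{\A#{uri.scheme}:}, '')
  elsif ssl && uri.scheme == 'http'
    url.sub(/\Ahttp:/, 'https:')
  else
    url
  end
end

# Scan an HTML document for src/href attributes that point at http:// URLs.
# On an https page every hit is mixed content (stylesheets and scripts are
# "active" mixed content and are blocked outright by current browsers).
def mixed_content(html)
  html.scan(/\b(?:src|href)\s*=\s*["'](http:\/\/[^"']+)["']/i).flatten
end

# Constructed sample page (not from the question) with one of each URL form.
SAMPLE_PAGE = <<~HTML
  <link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Oswald">
  <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato">
  <script src="//cdn.example.com/jquery.js"></script>
  <script src="http://cdn.example.com/app.js"></script>
  <link rel="stylesheet" href="/assets/application.css">
HTML

if $PROGRAM_NAME == __FILE__
  puts asset_url('http://fonts.googleapis.com/css?family=Oswald', ssl: true)
  puts asset_url('http://fonts.googleapis.com/css?family=Oswald', ssl: true, scheme_relative: true)
  puts mixed_content(SAMPLE_PAGE).inspect
end
```

A scheme-relative URL removes the warning because it inherits the page's scheme, which also means that on a plain-http page the font is still fetched unencrypted. Where the host serves HTTPS (fonts.googleapis.com does), a fixed https:// reference is the simpler choice, and mixed_content run over rendered views in a test is a cheap way to catch any http:// reference that creeps back in.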
