Cheap SSL certification for an app hosted on Heroku - ruby-on-rails

I have a Rails app on Heroku and I need to add an SSL certificate to it. In the Heroku add-ons section I see that it is possible to buy one as a Heroku add-on, but the price is $20/month, which is $240, and I cannot afford it at the moment.
Is there any cheaper way to get an SSL for a Heroku app?

We've installed our SSL certificate on a DigitalOcean.com instance running Nginx as a reverse proxy.
Trade-offs include a bump in latency and paying for bandwidth overages but those haven't been issues for us.
Here is a basic Nginx config similar to ours:
server {
    listen 80;
    rewrite ^ https://www.example.com$request_uri? permanent;
}
# HTTPS server
server {
    listen 443;
    ssl on;
    ssl_certificate /root/example.crt;
    ssl_certificate_key /root/example.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass https://example.herokuapp.com/;
    }
}
This is a basic example and could be made a little more secure (possibly forcing SSL in your app) but this gets you started.
This also gives you the opportunity to speed up your app by creating a cache or serving the app's static assets. You could upload your precompiled assets and have Nginx serve them like this:
location /assets/ {
    root /path-to/assets/;
    expires 1y;
    add_header Cache-Control public;
}
EDIT: July 2017
My, how things have changed. There are a lot of low/no cost solutions for this now. Cloudflare is a great option.
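
A hardened take on the reverse-proxy config above, as an added example that is not part of the original answer: it replaces the `SSLv3 TLSv1` protocol line and the `ALL:...` cipher string with TLS 1.2/1.3 and AEAD suites, and verifies the certificate of the Heroku upstream. The certificate paths and the CA bundle location are assumptions; adjust them to your system.

```nginx
# Added example: hardened variant of the answer's proxy (paths are placeholders).
server {
    listen 80;
    server_name www.example.com;
    return 301 https://www.example.com$request_uri;
}

server {
    listen 443 ssl;                     # replaces the deprecated "ssl on;"
    server_name www.example.com;

    # Assumed location; keep the key readable by root only.
    ssl_certificate     /etc/nginx/ssl/example.crt;
    ssl_certificate_key /etc/nginx/ssl/example.key;

    # Weak in the original: "ssl_protocols SSLv3 TLSv1;" (POODLE, BEAST-era protocols).
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Weak in the original: "ALL" with only ADH and EXPORT56 removed still
    # permits LOW, export-grade and RC4 suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:10m;

    # Tell browsers to stay on HTTPS once they have seen it.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass https://example.herokuapp.com/;

        # Send SNI so the upstream presents the certificate for this name.
        proxy_ssl_server_name on;

        # nginx does not verify the upstream certificate unless told to.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # Debian/Ubuntu bundle path (assumption)
    }
}
```

Without `proxy_ssl_verify on;` the hop from the proxy to Heroku is encrypted but unauthenticated, so the proxy would accept any certificate presented on that connection.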

Related

Security: Rails + Nginx HTTPS, should I proxy_pass with https?

I successfully moved my Rails app to https with the following Nginx config:
upstream example_staging {
    server localhost:3000;
}
server {
    listen 443 ssl;
    server_name example.com;
    location / {
        proxy_pass http://example_staging;
        proxy_read_timeout 90;
    }
    ssl_certificate /etc/letsencrypt/live/staging.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/staging.example.com/privkey.pem;
    # other configs ...
}
The good thing is that I did not have to change anything in Rails, since it is still receiving http queries.
But I'm wondering if there might be a security breach because of that... Like the cookie/session encryption might be endangered?
Should I do something like:
location / {
    proxy_pass https://example_staging; # with HTTPS
    proxy_read_timeout 90;
}
and let Rails know about certificates or am I fine like that? (which would be great because it is simple, and it must be faster since there's no need for two decryptions)
If the server is completely under your control and your upstream traffic never leaves the server (I'd also advise switching to Unix sockets for additional security and some performance), there's no need to encrypt.
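
A sketch of the setup the answer describes, as an added example that is not from the original post: nginx terminates TLS, talks to Rails over a Unix socket, and forwards the original scheme so Rails can still tell the request arrived over HTTPS. The socket path is an assumption and must match what the app server (for example Puma) is bound to.

```nginx
# Added example; the socket path is a placeholder.
upstream example_staging {
    # Unix socket instead of localhost:3000: not reachable over the network,
    # and access is controlled by filesystem permissions on the socket.
    server unix:/var/run/example_staging/puma.sock;
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/staging.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/staging.example.com/privkey.pem;

    location / {
        proxy_pass http://example_staging;   # plain HTTP, never leaves the host
        proxy_read_timeout 90;

        # Rails only sees HTTP, so pass on what the client actually used.
        # proxy_set_header replaces any value of the same header sent by the client.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $remote_addr;
    }
}
```

With `X-Forwarded-Proto` forwarded, enabling `config.force_ssl = true` in Rails marks cookies as `Secure` and sends HSTS, which addresses the cookie/session concern without encrypting the local hop.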

Why is the Nginx response extremely slow while accessing my Rails app (both running on the same Windows machine)?

I have both a working Rails 4 application (http://localhost:3000) and Nginx server (http://localhost:80) accessible through the browser.
Nginx has been configured as a reverse proxy for my Rails 4 app so that http://localhost actually reaches my Rails application at http://localhost:3000. Now, this is working fine, but the web pages get displayed extremely slowly whenever I access the application through Nginx. I have configured Tomcat with Apache Web Server in the past and never had a slowness problem before, and practically speaking Nginx is said to be much lighter and faster than Apache Web Server.
This makes me wonder whether I have configured my Rails app with Nginx correctly.
Modified nginx.conf
server {
    listen 80;
    server_name localhost;
    #charset koi8-r;
    #access_log logs/host.access.log main;
    location / {
        proxy_pass http://localhost:3000;
    }
    ...
    ...
}

Faye-rails, nginx, passenger: slow response from faye

I want to create a simple chat.
I am not a guru of server administration.
So I have a question about nginx and faye.
I use nginx + passenger for my production server. I have a droplet on DigitalOcean and want to deploy my application on it.
So for deployment I use the official passenger tutorial https://www.phusionpassenger.com/library/install/nginx/install/oss/trusty/
For model callbacks I use the faye-rails gem. As faye-rails says, if I use passenger, I need to use this configuration:
config.middleware.use FayeRails::Middleware, mount: '/faye', :timeout => 25, server: 'passenger', engine: {type: Faye::Redis, host: 'localhost'} do
  map '/announce/**' => SomeController
end
In my development environment (localhost:3000) the chat works perfectly fast. But when I deploy it, it works very slowly (the response comes at intervals of 5 to 60 seconds). I don't know how to fix it.
In my /etc/nginx/sites-enabled/myapp.conf I use this config:
server {
    listen 80;
    server_name server_ip;
    # Tell Nginx and Passenger where your app's 'public' directory is
    root /project_path_to_public;
    # Turn on Passenger
    passenger_enabled on;
    passenger_ruby /ruby_wrapper_path;
}
Do I need to upgrade my /etc/nginx/sites-enabled/myapp.conf, and how? Or what do I need to do?
I'm currently using Faye and Redis on an application I'm developing. This is not a direct solution to the question's current setup, but an alternative method that I have implemented. Below is my nginx configuration and then I have Faye running via rackup in a screen on the server.
/etc/nginx/sites-enabled/application.conf:
server {
    listen 80;
    listen [::]:80;
    server_name beta.application.org;
    # Tell Nginx and Passenger where your app's 'public' directory is
    root /var/www/application/current/public;
    # Turn on Passenger
    passenger_enabled on;
    passenger_ruby /usr/local/rvm/gems/ruby-2.2.1/wrappers/ruby;
    rails_env production;
    location ~* ^/assets/ {
        # Per RFC2616 - 1 year maximum expiry
        # http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
        expires 1y;
        add_header Cache-Control public;
        add_header Last-Modified "";
        add_header ETag "";
        break;
    }
}
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
upstream websocket {
    server 127.0.0.1:9292;
}
server {
    listen 8020;
    location / {
        proxy_pass http://127.0.0.1:9292/push;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
This link should provide a little insight into how it works.
https://chrislea.com/2013/02/23/proxying-websockets-with-nginx/
You can also reference the Faye GitHub for some guidance on setting it up with Passenger.
Also, if you followed the Digital Ocean tutorials for initial server setup and ended up enabling your firewall, please ensure you allow the ports you have Faye/websockets running on. (See here under configuring a basic firewall: Additional Recommended Steps for New Ubuntu 14.04 Servers.)
My alternative method involves running Faye in a separate screen on the server. A few commands you will need to manage screens on an ubuntu server are:
screen -S <pick screen name> (new screen)
screen -ls (lists screens)
screen -r <screen number> (attach screen)
to quit from a screen, ctrl + a THEN "d" (detach screen)
Once you have a new screen running, run the Faye server in that screen using rackup: rackup faye.ru -s thin -E production
As a note, with this option, every time you restart your Digital Ocean server (i.e. if you create a screenshot as a backup), you will need to create a new screen and run the faye server again; however, using something like Daemon would be a better implementation to circumvent this (I merely haven't implemented it yet...). Head over to Github and look for FooBarWidget/daemon_controller.
Let me know if you have any other questions and I'll try to help out!

Rails and Nginx: Overwritten images not reloaded

I have a web server with Nginx and Passenger.
I have uploaded my rails app and got it running. Everything was great, but then I decided to change an image (overwrite it with another one). I did that, and then deployed again. I have verified that the new image was at the assets/images folder.
The problem is that I refreshed the web app, and the HTML was referencing the old image. It stayed like this until I restarted nginx. Isn't there any other way to reload this? Because if I have multiple web apps on the same server, I don't want to restart them all just because I updated one web asset.
My nginx conf:
server {
    # Path to ruby version
    passenger_ruby /home/ubuntu/.rvm/gems/ruby-2.2.1/wrappers/ruby;
    listen 80;
    server_name mydomain.com;
    passenger_enabled on;
    root /var/www/myrailsapp/current/public;
    rails_env production;
    location ~ ^/assets/ {
        expires 1y;
        add_header Cache-Control public;
        add_header ETag "";
        break;
    }
    # Escape the dot so it matches a literal "." before the extension
    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
        expires 365d;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
Do you know what the problem is and how I can avoid restarting nginx to reload the new image?
For further reference, with the help of @SeanHuber, what I had to do was restart just the app on Passenger.
I did it running the command:
passenger-config restart-app
For more information: https://www.phusionpassenger.com/library/admin/nginx/restart_app.html#restart-txt
Instead of restarting nginx, just restart passenger:
touch <app_dir>/tmp/restart.txt

Error code: ssl_error_rx_record_too_long for https in nginx on ruby on rails application

I am using Rails 3.2 and Ruby 1.9 for my app, and I have to run the application over HTTPS with a domain name like https://welcome.com on my system. So I configured my nginx by creating an SSL certificate for the domain name and HTTPS.
Snapshot of the SSL config:
# HTTPS server
#
server {
    listen 443 ssl;
    server_name welcome.com;
    root html;
    index index.html index.htm;
    ssl on;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_session_timeout 5m;
}
I am able to see the nginx home page by calling welcome.com and https://welcome.com without running the Rails application.
My application is also running on port 443 successfully, but after querying in the browser like https://welcome.com
the Rails terminal shows this error:
ERROR bad Request-Line `\x16\x03\x01\x00�\x01\x00\x00�\
ERROR bad URI `._i\b8\x10�yA�^6�v�M|
The browser throws this error:
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
I even tried clearing the browser history repeatedly, but the result is the same.
I am not sure what I did wrong; can anyone help me?
Have I done anything wrong in the certificate creation?
You can't have both listen 443 ssl; and ssl on;, remove the ssl on; line and restart nginx.
