Heroku SSL: How to run Piggy-back SSL - ruby-on-rails

I have a Heroku e-commerce site I'm building, and have the Piggyback ssl installed by following the Heroku Piggyback tutorial. I'm planning to upgrade to SNI or host-name SSL after sales come in to support it.
I can't find any tutorials or examples of best way to handle where the SSL is integrated for the processing (just checkout I believe).
Are there any tutorials, or process workflows to setup a controller and view to abstract for handling the actual checkout experience, and redirecting confirmation or failure when using the piggyback ssl on Heroku? And keep in mind upgrading the system in the future for upgraded SSL (using SNI or Hostname SSL)?
The best explanation I found was from this question, but it wasn't a walk-through, tutorial, or real explanation explaining how to solve the URL creation for links on the Piggybacked URL (appname.heroku.com). I was looking for more detail in implementation.

Piggyback SSL is identical to regular SSL, except for the fact that only heroku.com or herokuapp.com domains (dependant on your stack) are secured by the cert that you have setup for you.
In order to run a page securely, just run it over HTTPS.
However, with Rails you have the option of using the SSL_requirement plugin from DHH which lets you tell rails which controller actions MUST be handled securely, and which are fair game for HTTP. By using SSL requirement you can forget in your routing about SSL as SSL_requirement will take care of it for you.

Related

Is there a way to setup SSL on heroku-godaddy using letsencrypt entirely for free?

I've been an amateur developer for quite some time now and this is the first time I've actually needed to set up the domain and SSL for a website. I already bought a domain name from GoDaddy and I'm using Rails as my backend. But it seems that almost all of the guides online (the ones I've come to search) are for the Heroku paid dynos (I'm on the free tier) or have their website hosted somewhere else/bought the domain somewhere else. As of now, I'm not actually sure how straightforward this should be, but any guide to free SSL cert generation and free setup would be nice.
You have 2 options here:
Use Heroku domain app.herokuapp.com as this is encrypted and served through https.
If you want to use a custom domain, there is no way but to use a paid dyno. There were some tutorials on how to do this manually and a couple of projects that allowed you to do so on free dynos, but they are all outdated/deprecated.
There is no need to configure anything on Heroku's side if you start off with a paid dyno.
ACM is enabled by default for all Common Runtime apps created after March 21, 2017 that run on Hobby or Professional dynos.
To upgrade, simply run heroku ps:resize web=hobby via the Heroku CLI. Then, to enable the Let's Encrypt automated certificate, simply run heroku certs:auto:enable. Just make sure your DNS is actively pointing to the correct address before doing so or you'll need to verify your DNS target.
Docs: https://devcenter.heroku.com/articles/automated-certificate-management
deprecated project: https://github.com/dmathieu/sabayon
outdated tutorial: https://github.com/dwyl/learn-heroku/blob/master/SSL-certificate-step-by-step-setup-instructions.md
I have used the same setup for my heroku app. By default heroku free tier gives ssl on your web app.
Like if you hit url yourwebsite.herokuapp.com, it is encrypted and provides ssl for free.
But when you add a custom domain name to your Heroku app, it's without SSL. You cannot use SSL on it unless you move to a hobby dyno (paid).
Here is what heroku says

Implement HTTPS On MVC Web Application

I have a web app (ASP.NET MVC4) and I need to enable HTTPS/SSL to it.
I checked a lot of articles and tutorials on how to do it, but I didn't get one thing:
Some places talk only about the configuration of IIS:
RapidSSL:
https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO22345
Nice blog:
http://weblogs.asp.net/scottgu/tip-trick-enabling-ssl-on-iis7-using-self-signed-certificates
And some places talk only about code (within the app):
TrailMax:
http://tech.trailmax.info/2014/02/implemnting-https-everywhere-in-asp-net-mvc-application/
So my question is how I need to approach this topic?
I want to enable the HTTPS with a temporary self-signed certificate and then buy a real certificate, what do I need to do? Configure IIS? Configure my code? Both?
If someone could guide me through this.
Thank you
The first article describes how to install a new rapidSSL certificate
The second describes how to install a self-signed certificate (not signed with any trusted certificate authority, mainly used for testing purposes) - you want to do this
The last article describes what to do if you want to restrict your MVC website only to HTTPS (HTTP requests will not be possible then). Steps 1 or 2 must be completed before you start to work on this. It depends on your requirements whether you need to restrict your site only to HTTPS.

What is the best way to go about upgrading a rails app to support Facebook SSL?

With the upcoming SSL migration at Facebook on 1 October, all apps will have to support connections over HTTPS and for that you'll need an SSL certificate.
Is there a run-down anywhere of how a person should patch an app?
Will you have to use Apache and Passenger, nginx or another server?
Are there any free trusted certificates?
Is there a run-down anywhere of how a person should patch an app?
Not really. Why? Because it all depends on what version of rails you are running.
For Rails 2.x, I've read/heard of techniques including:
ModRewrite - use the webserver's ability to detect and rewrite HTTP to HTTPS. This technique is more general and could apply to a whole host of technologies, not just rails (python, java or even .net).
Use ssl_requirement gem - this allows you to declaratively add instructions in your controllers to redirect to https if the protocol is http (https://github.com/retr0h/ssl_requirement). Although simple, your ruby app will have to handle the request, and I'm not sure how quick ssl_requirement is.
Use rack middleware (rack-ssl, rack-ssl-enforcer gem) - this patches the request handling of rails, so that the redirect is handled well before it hits any controller. This is configurable too (you can match based on path etc) and is probably better than option 2.
For Rails 3.1, it's baked into the framework. You just need to do this:

    # config/application.rb
    module MyApp
      class Application < Rails::Application
        config.force_ssl = true
      end
    end
Will you have to use Apache and Passenger?
Not necessarily. There are other options like NGinx and Passenger. But in general, yes you will probably need a proper web server sitting in front, handling the SSL portion of the request.
Typically, a web server is required to sit in front of your app. It needs to be configured to handle SSL traffic, and direct the requests to your app (http and https). Here you can use Apache or NGinx.
Passenger sits as a "plugin" in Apache/NGinx to handle requests through to your application. At this point, SSL isn't usually a concern (i.e. the request is now unencrypted). What your app has to then do is handle the request. Here's where you detect if the protocol is http or https and instruct the browser to redirect if necessary.
Are there any free trusted certificates?
No. Trusted certs are usually signed by a Certificate Authority. These guys typically have to check that your domain and the company or individual that holds the domain are genuine and real. To do that, you pay money. There are plenty of providers out there that can issue you an SSL cert for around $100 USD. Some more, some less.
Certs are typically locked to a domain. And you pay more for wildcard domain matches (e.g. *.myapp.com). If you're after a cert for development, you can generate a self signed certificate.
I've written an article showing you how to get HTTPS going on your local dev instance. Many of the steps are also common for production. The article shows you how to set it up for POW and NGinx, but setting up for Apache and Passenger isn't too dissimilar. The Apache config is different. But Passenger install and setup should be just the same as a http environment. Just need to make sure the secure virtual host in your Apache config points to your application.
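The redirect logic that the ssl_requirement answer near the top of the page and options 2/3 of this answer describe, as an added example that is not code from any of the answers or from the rack-ssl-enforcer project: a small Rack-interface middleware in plain Ruby (no rack gem or Rails needed, so it runs as-is). It assumes the app sits behind a TLS-terminating proxy such as the Heroku router, which passes the original scheme in X-Forwarded-Proto, and that SECURE_HOST (here the made-up myshop.heroku.com) is the hostname that carries the certificate. With secure_paths it enforces HTTPS for only the checkout, which is what piggyback SSL on the appname.heroku.com host calls for; without it, it behaves like config.force_ssl = true.

```ruby
# Added example: Rack-style HTTPS enforcement behind a TLS-terminating proxy.
# Not from the page's answers or from any gem; hostnames are constructed.
class ForceSsl
  HSTS = "max-age=31536000".freeze

  # secure_paths: nil enforces HTTPS for every request (whole-site mode);
  # an array of path prefixes enforces it only for those (checkout-only mode).
  def initialize(app, secure_host:, secure_paths: nil)
    @app = app
    @secure_host = secure_host
    @secure_paths = secure_paths
  end

  def call(env)
    if ssl?(env)
      status, headers, body = @app.call(env)
      # Only add HSTS on responses actually served over TLS.
      [status, headers.merge("Strict-Transport-Security" => HSTS), body]
    elsif secure_path?(env["PATH_INFO"])
      redirect_to_https(env)
    else
      @app.call(env)
    end
  end

  private

  # Behind the Heroku router the socket is plain HTTP, so the proxy header is
  # the only signal; rack.url_scheme covers a server that terminates TLS itself.
  def ssl?(env)
    env["HTTP_X_FORWARDED_PROTO"] == "https" || env["rack.url_scheme"] == "https"
  end

  def secure_path?(path)
    return true if @secure_paths.nil?
    @secure_paths.any? { |prefix| path.start_with?(prefix) }
  end

  def redirect_to_https(env)
    target = "https://#{@secure_host}#{env["PATH_INFO"]}"
    target += "?#{env["QUERY_STRING"]}" unless env["QUERY_STRING"].to_s.empty?
    # 301 for GET/HEAD; 307 preserves method and body when a form is POSTed over HTTP.
    status = %w[GET HEAD].include?(env["REQUEST_METHOD"]) ? 301 : 307
    [status, { "Location" => target, "Content-Type" => "text/plain" }, ["Redirecting to #{target}"]]
  end
end

# Builds a minimal Rack env hash; constructed here for the demonstration.
def build_env(method, path, scheme: "http", forwarded: nil, query: "")
  env = { "REQUEST_METHOD" => method, "PATH_INFO" => path, "QUERY_STRING" => query,
          "rack.url_scheme" => scheme, "HTTP_HOST" => "www.example.test" }
  env["HTTP_X_FORWARDED_PROTO"] = forwarded if forwarded
  env
end

APP = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok"]] }

# Checkout-only: only the piggyback host has a certificate, so only /checkout is forced to it.
CHECKOUT_ONLY = ForceSsl.new(APP, secure_host: "myshop.heroku.com", secure_paths: ["/checkout"])
# Whole-site: the equivalent of config.force_ssl = true.
WHOLE_SITE = ForceSsl.new(APP, secure_host: "myshop.heroku.com")

if __FILE__ == $0
  [["GET", "/", nil], ["GET", "/checkout", nil], ["POST", "/checkout", nil],
   ["GET", "/checkout", "https"]].each do |m, p, f|
    status, headers, _body = CHECKOUT_ONLY.call(build_env(m, p, forwarded: f))
    puts "#{m} #{p} X-Forwarded-Proto=#{f.inspect} -> #{status} #{headers["Location"]}"
  end
end
```

Two things worth noting: trusting X-Forwarded-Proto is only safe when the app is reachable solely through the proxy that sets it, and in checkout-only mode the redirect deliberately changes the host, which is exactly the URL-generation problem the first question asks about; links back to the non-secure site must likewise be absolute.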

rails 3 - Securing an app with SSL

I have a Rails 3 app hosted on Heroku which contains sensitive data, which is why I want to implement SSL. The info I learned from Google searching doesn't exactly match my use case, as I want to SSL the entire site. I'd like your help understanding the following.
Is there a simple way to force all app requests to use SSL? I want the landing page to even have SSL as the landing page has a sign in form. It seems like it'd be a lot simpler to SSL everything than select SSL on a per page basis. That being said, do I need a gem for this?
Thank you
Look for a Rack middleware that accomplishes this.
https://github.com/tobmatth/rack-ssl-enforcer
I found this post today which is updated and looks like a good solution:
http://www.simonecarletti.com/blog/2011/05/configuring-rails-3-https-ssl/
I am using SSL Enforcer with Heroku and it works great. However, I had a lot of trouble setting up SSL on my dev machine (Ubuntu 11.04).
First, Webrick did not work with SSL, so I found a hack which worked for a while. But then I had a weird javascript and Google Visualization API problem with it.
Now I installed Thin (which was easy), but it is not working with SSL Enforcer.
If you have the time to install and configure Apache, SSL will work. But I don't think Heroku uses Apache, so that's not so good...
I can see why people don't want to figure out how to run SSL on their local machine...maybe it's not worth it if you have a staging or QA server that does run SSL.

How do you incorporate SSL for secure local development with InstantRails?

I'm using InstantRails (on Vista), and I'm at the stage where I'm looking to integrate a Rails app with PayPal (recurring billing via web payments standard - no ActiveMerchant needed). What is the best step-by-step process for enabling HTTPS for my local development/testing purposes?
I'm using the default Mongrel/Apache setup that comes with InstantRails.
Thanks in advance for any help.
Use openSSL to generate a private key and self-signed certificate.
Good instructions here: http://www.akadia.com/services/ssh_test_certificate.html
OpenSSL HOWTO: http://www.openssl.org/docs/HOWTO/certificates.txt
There is a plugin for rails also called ssl_requirement which you can use to very easily tell the application which actions will need to be done over ssl. It's pretty handy, I think DHH wrote it.
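The key and self-signed certificate step from the answer above, as an added example that is not code from the answer or from the linked HOWTOs: it uses Ruby's standard OpenSSL library instead of the openssl command line, so it runs wherever the Rails app does. The hostname ("localhost") and file names are assumptions. It adds a subjectAltName because current browsers reject a certificate that names the host only in the CN, and it checks its own output the way a reviewer would before trusting it in a browser.

```ruby
require "openssl"

# Added example: generate a self-signed development certificate with SAN.
# Hostname and output paths are constructed; not from the page.
def self_signed_cert(hostname, days: 365, bits: 2048)
  key = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                               # X.509 v3, needed for extensions
  cert.serial = OpenSSL::BN.rand(64)             # random serial rather than 1
  name = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.subject = name
  cert.issuer = name                             # self-signed: issuer == subject
  cert.public_key = key.public_key
  now = Time.now.to_i
  cert.not_before = Time.at(now - 60)            # small back-date for clock skew
  cert.not_after = Time.at(now - 60 + days * 24 * 60 * 60)

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", "digitalSignature,keyEncipherment", true))
  cert.add_extension(ef.create_extension("extendedKeyUsage", "serverAuth", false))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{hostname}", false))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash", false))

  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Checks a browser or a TLS client would make: the signature verifies with the
# embedded public key, the hostname matches the SAN, and the date is in range.
def cert_ok_for?(cert, hostname)
  cert.verify(cert.public_key) &&
    OpenSSL::SSL.verify_certificate_identity(cert, hostname) &&
    cert.not_before <= Time.now && Time.now <= cert.not_after
end

# PEM files in the layout Mongrel/Thin/Apache expect; the key is owner-readable only.
def write_pem(key, cert, key_path: "server.key", cert_path: "server.crt")
  File.write(key_path, key.to_pem, perm: 0o600)
  File.write(cert_path, cert.to_pem)
end

if __FILE__ == $0
  key, cert = self_signed_cert("localhost")
  write_pem(key, cert)
  puts cert.to_text
  puts "valid for localhost: #{cert_ok_for?(cert, 'localhost')}"
end
```

Because the certificate is self-signed, a browser will still warn until you add server.crt to its trust store; the checks in cert_ok_for? confirm that, once trusted, it will actually match the hostname you type.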
