Rack ssl not working with Thin - ruby-on-rails

I installed rack ssl for Rails 3.07 per these instructions: http://www.simonecarletti.com/blog/2011/05/configuring-rails-3-https-ssl/
It is not working. The first https request (for the login page) is made and the page is served securely, but when you login it redirects to a non-secure http URL.
I am running Thin server. Does it work for Thin? What about Webrick?
Any ideas? Thanks.

For Thin, you can pass your SSL information in using the following options:
$ thin --help
SSL options:
--ssl Enables SSL
--ssl-key-file PATH Path to private key
--ssl-cert-file PATH Path to certificate
--ssl-verify Enables SSL certificate verification
If you would like to configure Webrick to use SSL, this article from this question seems to work.

Related

Make Faye working with SSL and Rails

I'm developing a chat-based app with Ruby on Rails.
Since I have to make the app show the messages in realtime, I decided to implement pub/sub with the gem "render_sync".
That gem is using Faye as server to handle push notifications.
So I configured everything like here's explained (https://github.com/chrismccord/render_sync), started the main server at port 3000, the faye server at port 9292, and it works seamlessly.
But when I decided to move my app under SSL (with a self signed certificate), it is not working anymore.
I created a self-signed certificate for the main server and a configuration file:
server.yml
port: 3000
ssl: true
ssl_key_file: server.key
ssl_cert_file: server.crt
then I started the main server with the command:
> thin -C config/server.yml start
At this point the app is working under SSL, but the push notifications don't.
So - looking at the chapter Serving Faye over HTTPS (with Thin) from the link posted above -, I edited "server" and "adapter_javascript_url" fields in sync.yml file, and I tried to create a configuration file for the Faye server like this:
sync_thin.yml
port: 4443
ssl: true
ssl_key_file: faye.key
ssl_cert_file: faye.crt
environment: production
rackup: sync.ru
but I can't figure out what should I put in ssl_key_file and ssl_cert_file fields!
Should I put the same .key and .crt files generated for the main server? Or do I must generate another couple of key e cert?
I tried to generate another couple of those, but the browser warns me saying that the cert is invalid.
Can anyone help me, or show me an example of a working faye ssl server somewhere?

Ruby on Rails Thin and force_ssl, empty response over HTTP

I've set up several Ruby on Rails servers lately on CentOS 7.x using Thin as the web server and an SSL Certificate from Comodo.
I have enabled the force_ssl option in my config/environments/production.rb file, and I'm running my server with the command:
RAILS_ENV=production thin start -a <IP> -p 3000 --ssl --ssl-key-file <KEY FILE PATH> --ssl-cert-file <CERT FILE PATH>
I'm using devise, so in config/initializers/devise.rb I set
config.rememberable_options = { secure: true }
I also set some config in config/initializers/session_store.rb
Rails.application.config.session_store :cookie_store, key: '_secure_<domain>_session', httponly: true, secure: true
When I first access my server over HTTP from an internet browser I get an empty response message (tested with multiple browsers and multiple computers). When I access it over https directly it resolves fine (and SSL is working perfectly), and when I next try to access over http it redirects just fine. I'm not certain what I can do to fix this bar using nginx or Apache.
Here are the other questions I've read:
Rails with thin and ssl: http request not auto-redirected to https
Ruby on rails: force_ssl not redirecting from http to https when using thin start --ssl
Thin can only listen on one port and can only serve either SSL or non-SSL requests per instance. When thin is started with --ssl it attempts to process inbound connections as TLS connections, and will drop those which it can't negotiate (ie, plain HTTP requests).
You need to use nginx (or some other reverse proxy) to listen on multiple ports and terminate SSL, and then forward to Thin. Otherwise, you'll need to run multiple Thin instances, one serving SSL and the other not.

Why my app asks to choose to authenticate myself for my Rails app with HTTPS?

Env
Rails 4.0.4
Using SSL certificates for HTTPS connections
In my config/environments/production.rb
# Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
config.force_ssl = true
This is how I start my server:
thin start -e production -d -p 3001 -P ./tmp/pids/thin_https.pid --ssl --ssl-key-file /etc/ssl/current/www_domain_io.key --ssl-cert-file /etc/ssl/current/WWW.DOMAIN.IO.crt
Then I am getting this screen when accessing my production website:
I click OK, and I land on my page https://www.domain.io page successfully. The entity is verified and the https: show in green. So I am good ... but why do I get that "Select a certificate to authenticate to www.domain.io:443` ? I figured that once my entity was verified I should land automatically on my page ? Any ideas?
UPDATE
The documention shows --ssl-disable-verify option that is actually not available on thin 1.6.2 codename Doc Brown
SSL options:
--ssl Enables SSL
--ssl-key-file PATH Path to private key
--ssl-cert-file PATH Path to certificate
--ssl-disable-verify Disables (optional) client cert requests <=== this is NOT available
I have posted an issue on github
Thin lighthouse ticket about --ssl-disable-verify
Existing ticket on GitHub
I just don't understand how to get the version of thin where this option is available.
A similar post on SO suggests your .crt file includes the root CA certificate for your certificate chain. Remove it, and you should be good to go.
Intermediate certifcates should still remain in the .crt file, presumably.
You're starting your thin server on port 3001, but you're connecting to the regular https URL, which by default connects to port 443. So I assume you have a web server instance (Apache/nginx) proxying requests for thin.
If that's the case, you should disable SSL for thin, as this will be handled by the proxy server in front of your thin instance.
If you don't have a reverse proxy, and want to use just thin, you should specify the port where thin is listening in the URL (https://example.com:3001).

Development Rails server that's compatible with both HTTP and HTTPS

My application isn't quite ready to go full SSL so in the meantime, I am allowing SSL but not requiring it. I do require SSL for certain controllers and force redirects to HTTPS for actions in such controllers.
I can start a thin server using SSL via thin start --ssl. This works great for SSL testing. However, I cannot have HTTP and HTTPS running simultaneously on the same port. Obviously, this makes testing redirects from HTTP to HTTPS quite frustrating. I can run an Apache or nginx server on top but I don't really want to go through the trouble of doing that in my development environment.
To start two servers, one for SSL and without, I use foreman like so:
web: rails server
ssl: thin start --ssl -p 3001
This starts the HTTP server on port 3000 and HTTPS server on 3001. Now my question is. How do I create a "smart redirect" policy only on my development environment only such that redirects from HTTP to HTTPS intelligently changes the port from 3000 to 3001? Thanks!

Ruby on rails: force_ssl not redirecting from http to https when using thin start --ssl

I have been trying to configure my rails project to use SSL (as application wide) with thin (by adding thin gem and placing config.force_ssl = true to application.rb) but as a result, I have an annoying problem.
When I start my rails server using rails s and try to access http://localhost:3000 it redirects to https://localhost:3000 which is correct, however it will complain about missing SSL certification..
SSL connection error
Unable to make a secure connection to the server. This may be a
problem with the server, or it may be requiring a client
authentication certificate that you don't have.
On the other hand, If I start my application using thin start --ssl and try to access http://localhost:3000 it doesn't redirect to https://localhost:3000 and complains about this:
No data received
Unable to load the webpage because the server sent no data.
but by accessing https://localhost:3000 it just shows certificate warning but it all works after agreeing to continue.
So my question is, How can I make http to https redirection work when using SSL with thin in (development mode)?
Perfect answer would contain possibility to start server normally by using rails s while SSL would be enabled application wide and accessing http redirects to https and all works! :)
Thanks in advance, have been searching for hours but cant find an answer.
You should install your own openssl signed certificate.
You can find more information on this page
Your PC as (localhost) can self sign SSL certificate and your browser can accept it, but i think that browser will not automatically accept certificate with security on that layer. Maybe to try to add your localhost certificate to the browser ?
Verify config/environments/development.rb has the following line
config.force_ssl = true
Refer the post thin with ssl support and ruby debug and the responses(from nathan and shree) that has more information on this subject:
Use ngrok (https://ngrok.com/). It's free. Installation is easy.
Just start up your server, then in another terminal window run
ngrok http 3000
ngrok will give you an address that loops back to your dev machine - something like http://randomstringhere.ngrok.io
Put that in your browser and you'll see it redirect to https://randomstringhere.ngrok.io, still routing to your server on port 3000
Here is the simplest solution.
https://makandracards.com/makandra/15903-using-thin-for-development-with-ssl

Resources