rack-ssl-enforcer's People

Contributors

abhasgoyal, alan, ariejan, bmishkin, camelmasa, carmstrong, danielevans, danmayer, dimasamodurov, gnitnuj, gorism, juno, kcm, krekoten, ktopping, kylecrum, lardawge, natacado, ochko, olleolleolle, oveddan, pda, potomak, reiz, rymai, salimane, thibaudgg, tobmatth, wyattisimo, zanker

rack-ssl-enforcer's Issues

Issue with IE only... strict true not working

On rails4.2.1 and the latest rack-ssl-enforcer.

This my setup, in application.rb

    config.middleware.use Rack::SslEnforcer, :only_environments => ['production','staging'], :only => [ %r{^/admin}, %r{^/account}, %r{^/checkout}, %r{^/ckeditor} ], :except => ["/account/sign_out"], :strict => true

When I use Chrome and visit mydomain.com/account/sign_in it forwards to HTTPS https://mydomain.com/account/sign_in properly.

However, when I visit that same URL in IE11 (version 11.0.9600.17728), it stays HTTP. I have a devise ajax login on this page, so it then tries to post to HTTP which causes issues. What's really odd, and frustrating, is that it seems isolated to a specific IE version:

IE9: works
IE10: works
IE11: version 11.0.9600.17728 DOES NOT WORK
IE11: version 11.0.9600.17420 works!

Am I doing something wrong here or is this a bug?

Support for ruby 2.0 and Rails 4

The documentation currently says this gem is only supported up to ruby 1.9.3, and has instructions for a "Rails 3" app.

It would be great if this officially supported Ruby 2.0.0+ and Rails 4. As part of this feature, the Travis configuration would test this against ruby 2.0.0+ versions

Working on Heroku?

I am trying to get the enforcer to work on Heroku but it does not work:

    config.middleware.use Rack::SslEnforcer, :only => %r{^/cart_items/}, :strict => true, :force_secure_cookies => false

I also have tried with a simpler version:

    config.middleware.use Rack::SslEnforcer, :only => %r{^/cart_items/}

SSL works if redirected through Rails.

Any idea?

Regex

Just looking at the code as I'm doing something similar. There's a regex here:

    / secure;/

I'm pretty sure it should be

    /; secure/

As the current case does not handle secure being the last piece of the header.
Maybe it's not an issue in how rack or rails does things, but it seems like you could end up with it there twice.
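As an added illustration of the point raised in this issue (this is not code from rack-ssl-enforcer), the Ruby below detects the Secure attribute of a Set-Cookie value by splitting the attribute list on ";" instead of matching the literal " secure;", so a trailing "secure" is found and the attribute is never appended twice. The cookie strings are constructed samples.

```ruby
# Added example, not the gem's code: locating and adding the Secure attribute
# of a Set-Cookie header value regardless of where it sits in the list.

# True if the cookie already carries the Secure attribute. The first
# "name=value" pair is skipped so a cookie *named* "secure" is not mistaken
# for the flag; comparison is case-insensitive as the attribute name is.
def secure_flag_present?(cookie)
  cookie.split(';').drop(1).any? { |attr| attr.strip.casecmp?('secure') }
end

# Returns the cookie with "; secure" appended exactly once.
def add_secure_flag(cookie)
  return cookie if secure_flag_present?(cookie)
  "#{cookie.sub(/;\s*\z/, '')}; secure"
end

# The pattern quoted in the issue: it requires a ";" after "secure".
ORIGINAL_PATTERN = / secure;/

# Constructed sample header values (not taken from any real server).
SAMPLES = [
  'session=abc; path=/; secure',           # Secure last: the original pattern misses it
  'session=abc; secure; path=/',           # Secure in the middle: the original pattern matches
  'session=abc; path=/; HttpOnly',         # no Secure at all
  'session=abc; path=/; Secure; HttpOnly', # capitalised, still the same attribute
  'secure=1; path=/'                       # a cookie named "secure" without the flag
]

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |c|
    puts "#{c.inspect}: original_regex=#{!!(c =~ ORIGINAL_PATTERN)} " \
         "present=#{secure_flag_present?(c)} -> #{add_secure_flag(c).inspect}"
  end
end
```

Running the script shows the first sample slipping past the original pattern while the split-based check finds it; the last sample shows why the name=value pair must be excluded before looking for the attribute.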

HSTS Implementation

Hi,

I have the following configuration:

    if ENV['FORCE_SSL'] == 'true'
      config.middleware.use Rack::SslEnforcer, :except => [ /endpoint], :ignore => '/another_endpoint'
    end

Now I want to implement HSTS and I know that it is a browser specific header.

So my question is: if I implement HSTS, do I need to remove all the endpoints from :except, or will this header be removed automatically for the endpoints in :except?

Is there a changelog?

A changelog would help when reviewing releases. For example looking at 0.2.8 to 0.2.9, a changelog would make the changes more clear than a git diff.

Thanks! :-)

HSTS and secure cookies w/o redirect?

Apologies if this is the wrong place to ask this question, but I couldn't find an answer on SO or in Issues.

Question not the sensibility, but we are moving to the following network scheme: Load Balancer (ELB, HTTPS) -> Firewall (HTTP) -> ELB (HTTP) -> Rails

We currently have one ELB and it terminates SSL which creates the appropriate header for Rails' force_ssl = true to work properly. The new scheme doesn't provide that header, and the HTTPS redirect is handled by the firewall. We would still like to have HSTS and secure cookies enabled.

After reading through Rails' ssl.rb and ssl-enforcer.rb, it doesn't look possible to avoid the redirect. Have I missed something, is this "impossible", or just stupid (suck it up and put the cert on all the things)?

:strict option + AJAX requests

Hi,

this shouldn't actually be an issue, rather an improvement. I've tried to deal with AJAX requests and both ssl as well as non-ssl requests combined with the :strict option. That of course leads my AJAX request to a redirection, depending on the additional options specified (:only or :except). So, for instance, if I add a rule to the :only array that matches my ajax request url, it will work if the current page is served via https and will fail via http.

Next thing I did, I tried to implement an additional :skip option (an array of rules; if any rule matches, then such a request won't be processed at all and is just skipped) which would help in these cases, while dealing with ajax requests on both ssl and non-ssl pages using the :strict option. However, my current problem is that such a :skip option does not apply to the current implementation at all, or I don't know how to deal with it. Perhaps it is a completely wrong approach and it might be solved much more easily and I just don't know how... Do you have an idea how to deal with it, I mean using :strict with ssl and plain requests?

rack-ssl-enforcer.rb

This file lib/rack/rack-ssl-enforcer.rb should be inside lib/ rather than lib/rack/ to avoid the useless :require => 'rack/ssl-enforcer' in Gemfile.

Thx.

How to handle URI::InvalidURIError?

Caused by any bad URL like http://example.com/<lan

stacktrace:

    /usr/lib/ruby/2.1.0/uri/common.rb:176→ split
    /usr/lib/ruby/2.1.0/uri/common.rb:712→ split
    rack-ssl-enforcer-0.2.8/lib/rack/ssl-enforcer.rb:156→ replace_scheme
    rack-ssl-enforcer-0.2.8/lib/rack/ssl-enforcer.rb:92→ modify_location_and_redirect
    rack-ssl-enforcer-0.2.8/lib/rack/ssl-enforcer.rb:50→ call

:mixed doesn't allow insecure GET

If I'm understanding the documentation right, this configuration should allow (and maybe enforce) HTTP for /login requests via the GET method:

    config.middleware.use(Rack::SslEnforcer, :only => [%r{^/login}], :mixed => true)

However, when I try to GET /login, I am redirected to HTTPS. The :mixed option is checked only in enforcement_non_ssl?, which is called only if enforce_ssl? returns false. But since enforce_ssl? doesn't check :mixed, it returns true, and enforcement_non_ssl? never runs.

"require" incorrect in documentation.

This may be rails/bundler related, but when using sslenforcer with rails/bundler you actually have to use require 'rack/ssl-enforcer' and not 'rack-ssl-enforcer'.

Maybe I'm missing something but that's the only way I could get it to work... may help someone else :)

Running code before redirect not working

Hi

I am using rails 3.2.17 and ruby 1.9.3-p484. When I tried to keep the flash with the method you have given in the README section "Running code before redirect", it's giving the @request variable as a nil object. Here is my application code:

    config.middleware.use Rack::SslEnforcer, :only => [%r{^/bla/bla/bla/}], :mixed => true, :before_redirect => Proc.new {
      # keep flash on redirect
      @request.session[:flash].keep if !@request.nil? && @request.session.key?('flash') && !@request.session['flash'].empty?
    }

Using rack-ssl-enforcer 0.2.6 I'm getting the error undefined method "session" for nill Class. I tried to inspect the @request object in the Proc and it is nil. Can you please help me with this issue?

strict and HSTS are incompatible

The :strict option and enabling HSTS by default are incompatible with each other and will result in infinite loops. As :strict tries to redirect the browser to http, the user's browser tries to redirect to https due to HSTS affecting any URL on the site.

As HSTS is fairly new and only supported by Chrome and Firefox nightlies, there should be a warning or the option to disable it when used together with :strict.
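To make the loop described above concrete, here is an added toy model (not the gem's code) of a browser that remembers HSTS talking to a server applying :strict-style rules: https only under /admin, http only everywhere else. The rule set, paths and hop limit are constructed for the demonstration.

```ruby
# Added example, not rack-ssl-enforcer code: simulating why a :strict
# downgrade redirect and an HSTS header cannot coexist on one host.

HSTS_HEADER = 'Strict-Transport-Security'

# A server with two rules: /admin must be https, everything else must be http
# (the :strict behaviour). Returns [status, scheme_for_next_request, headers];
# a redirect is modelled as a 301 to the same path on the other scheme.
def strict_server(scheme, path, hsts:)
  ssl_required = path.start_with?('/admin')
  if ssl_required && scheme == 'http'
    [301, 'https', {}]
  elsif !ssl_required && scheme == 'https'
    [301, 'http', {}]                                   # the :strict downgrade
  else
    headers = (hsts && scheme == 'https') ? { HSTS_HEADER => 'max-age=31536000' } : {}
    [200, scheme, headers]
  end
end

class HstsBrowser
  attr_reader :remembers_hsts

  def initialize
    @remembers_hsts = false
  end

  # Fetches each path in turn, starting over http. Returns one result per
  # path: :ok when a 200 arrives, :loop when more than max_hops redirects
  # happen without reaching one.
  def visit(paths, hsts:, max_hops: 8)
    paths.map do |path|
      scheme = 'http'
      hops = 0
      result = nil
      while result.nil?
        scheme = 'https' if @remembers_hsts               # HSTS upgrade happens client-side, before the request
        status, next_scheme, headers = strict_server(scheme, path, hsts: hsts)
        @remembers_hsts = true if headers.key?(HSTS_HEADER)
        if status == 200
          result = :ok
        else
          hops += 1
          result = :loop if hops > max_hops
          scheme = next_scheme
        end
      end
      result
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  [true, false].each do |hsts|
    puts "hsts=#{hsts}: #{HstsBrowser.new.visit(['/admin', '/home'], hsts: hsts).inspect}"
  end
end
```

With hsts: true the first visit to /admin succeeds and pins the host; the next visit to /home is then upgraded to https by the browser, downgraded to http by the server, upgraded again, and so on until the hop limit. With hsts: false both paths load normally.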

Enforcing won't preserve HTTP methods

I have a sign_out link that has a DELETE HTTP method (the browser posted it as POST with _method=delete in the query string). Because its url matches the SslEnforcer, its protocol gets modified to https. However, the browser displays 404 and my server logs say:

    ActionController::RoutingError (No route matches [GET] "/users/sign_out")

It means that it is rerouted but the method was changed to GET instead of POST, and rails didn't find this route.

@scheme leak across requests

d0b882a#L0R32, which made scheme an instance variable, seems to allow the scheme to 'leak' across requests.

Consider the following:

  • Request 1: @scheme is set to 'http'
  • Request 2 triggers neither enforce_ssl? nor enforce_non_ssl?, so @scheme remains 'http'

Have I missed something here?
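The leak described above is a general property of Rack middleware: one instance serves every request, so anything stored in an instance variable outlives the request that set it. As an added example (hypothetical classes, not the gem's code; the env key is the standard Rack PATH_INFO), the first middleware keeps its decision in @scheme and the second keeps it in a local, and a two-request sequence shows the difference.

```ruby
# Added example, not rack-ssl-enforcer code: per-request state in a middleware
# instance variable versus in a local variable.

# Mirrors the pattern in the issue: @scheme is only assigned when a rule
# fires, so a request matching no rule sees the previous request's value.
class LeakyEnforcer
  def initialize(app)
    @app = app
  end

  def call(env)
    @scheme = 'https' if env['PATH_INFO'].start_with?('/admin')
    @scheme = 'http'  if env['PATH_INFO'].start_with?('/public')
    [200, { 'X-Scheme' => (@scheme || 'unset') }, []]
  end
end

# Same rules, but the decision is recomputed into a local on every call.
class LocalEnforcer
  def initialize(app)
    @app = app
  end

  def call(env)
    scheme = decide(env)
    [200, { 'X-Scheme' => (scheme || 'unset') }, []]
  end

  private

  def decide(env)
    path = env['PATH_INFO']
    return 'https' if path.start_with?('/admin')
    return 'http'  if path.start_with?('/public')
    nil
  end
end

# Runs the given paths through one shared middleware instance (as a Rack
# server would) and returns the X-Scheme header each request produced.
def scheme_after(middleware_class, paths)
  app = middleware_class.new(->(_env) { [200, {}, []] })
  paths.map { |path| app.call('PATH_INFO' => path)[1]['X-Scheme'] }
end

if __FILE__ == $PROGRAM_NAME
  paths = ['/admin', '/about']                     # constructed request sequence
  puts "leaky: #{scheme_after(LeakyEnforcer, paths).inspect}"   # second request inherits 'https'
  puts "local: #{scheme_after(LocalEnforcer, paths).inspect}"   # second request is 'unset'
end
```

The same reasoning applies under a threaded server, where two requests can also interleave inside call and overwrite each other's @scheme mid-flight; a local variable or a per-request object removes both problems.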

config.middleware.use Rack::SslEnforcer breaks ajax requests

Hi,

I'm using the gem to force the "profile" actions of my Rails application to SSL, so I've put the following snippet of code into "application.rb":

    config.middleware.use Rack::SslEnforcer, :only => /^\/profile\//, :strict => true

Everything seems to function well, but I've now noticed that SSL redirection completely breaks my AJAX calls!

In Chrome, I've logged the error response from the jQuery error() callback, it says:

    statusText: "Error: NETWORK_ERR: XMLHttpRequest Exception 101"

Also my Rails action will never be reached by the Ajax call.
Disabling SSL-Enforcer will solve the problem (I've also tried to run my application all in SSL and it does operate).

I'm working with:
ruby (1.9.2)
nginx+passenger (3.0.11)
rails (3.0.7)
rack (1.2.5)
rack-ssl-enforcer (0.2.4)

Any known issues?
Thanks
Mike

use_redirect always forcing redirect, even for HTTPS

Currently, I have the following configuration:

    use Rack::SslEnforcer, hsts: true, redirect_to: 'https://www.example.com'

I'm using redirect_to because the site is behind a reverse proxy that routes different paths to different hosts, so the Host header that gets passed to this particular server is something totally different and not user-friendly, like ec2-1234.aws.amazon.com. I really only want Rack::SslEnforcer to redirect if the protocol is http instead of https. But currently because of redirect_required?, this actually causes a redirect loop. Is this behavior intentional? It seems like it's beyond the scope of this gem to always canonicalize the hostname.

I can work around the problem like this:

    ignore: -> (request) { request.env['HTTP_X_FORWARDED_PROTO'] == 'https' }

Load balancer health check redirected; not making it to the app

Hi. Apologies if this is the wrong location for this question.

We are trying to use your gem to create a single exception for a single endpoint in our use of SSL in our app. We want to allow a port 80 health check inquiry from a load balancer (LB) but we can't seem to configure your gem (or maybe nginx?) correctly to accomplish this. Rails (nginx?) keeps redirecting the LB's health request with a 301 regardless of our rack-ssl-enforcer configuration.

Before attempting to use your gem, we had our app working fine in the Elastic BeanStalk environment of AWS, with an LB configured to handle SSL termination (and with the default TCP LB healthcheck). We configured the app for SSL with the "config.force_ssl = true" setting so that the app only had to deal with port 80 traffic, and we didn't modify the default nginx configuration at all. With this setup, Rails works fine and accepts only port 80 traffic with a special header HTTP_X_FORWARDED_PROTO indicating that the LB has terminated the 443 traffic and routed it on to the app on port 80. And this works fine for us.

But now, we desire the LB to do a health check on our HTTP /alive endpoint. But we found that this didn't work, since the health check from the LB (sent on port 80) comes in WITHOUT that special header the LB usually adds to requests from a browser. Rails sees no header so it does a 301 redirect to HTTPS. The LB then considers the health check to have failed. :-(

To fix this, we had hoped to use your gem to configure our app to allow our /alive endpoint to be hit without the HTTP_X_FORWARDED_PROTO header. So, we removed the Rails "config.force_ssl = true" line, and added these two lines of configuration for your gem:

  • config.middleware.use Rack::SslEnforcer, ignore: lambda { |request| request.env["HTTP_X_FORWARDED_PROTO"].blank? }, strict: true
  • config.middleware.insert_before ActionDispatch::Cookies, Rack::SslEnforcer

We expected that this would simply allow non-SSL traffic to hit our /alive endpoint. But instead, we always see a 301 redirect for the LB health check, and never see the lambda code get called. We tried applying some of the nginx config settings your README suggests, but did not find them to accomplish anything.

If you could offer us any advice, that would sure be appreciated. Thank you very much!

Vertical pipe characters in the URL cause an URI::InvalidURIError

We're using rack-ssl-enforcer 0.2.5 on Heroku Cedar. Recently someone went to this url:

http://ourapp.herokuapp.com/store/events/539?__utmz=(direct)|whatever

And our app raised URI::InvalidURIError. I isolated the problem to the vertical pipe character in the query string.

We don't have control over this link, unfortunately. Some external service is linking to us and appending a bunch of parameters.

I'll start messing with a patch unless someone has a quick fix.

Here is the stack trace:

    /usr/local/lib/ruby/1.9.1/uri/common.rb:156:in `split'
    /usr/local/lib/ruby/1.9.1/uri/common.rb:593:in `split'
    /app/vendor/bundle/ruby/1.9.1/gems/rack-ssl-enforcer-0.2.5/lib/rack/ssl-enforcer.rb:140:in `replace_scheme'
    /app/vendor/bundle/ruby/1.9.1/gems/rack-ssl-enforcer-0.2.5/lib/rack/ssl-enforcer.rb:80:in `modify_location_and_redirect'
    /app/vendor/bundle/ruby/1.9.1/gems/rack-ssl-enforcer-0.2.5/lib/rack/ssl-enforcer.rb:42:in `call'
    /app/vendor/bundle/ruby/1.9.1/gems/activerecord-3.2.12/lib/active_record/query_cache.rb:64:in `call'
    /app/vendor/bundle/ruby/1.9.1/gems/rack-canonical-host-0.0.3/lib/rack-canonical-host.rb:13:in `call'
    /app/vendor/bundle/ruby/1.9.1/gems/activerecord-3.2.12/lib/active_record/connection_adapters/abstract/connection_pool.rb:479:in `call'
    /app/vendor/bundle/ruby/1.9.1/gems/actionpack-3.2.12/lib/action_dispatch/middleware/callbacks.rb:28:in `block in call'
    /app/vendor/bundle/ruby/1.9.1/gems/activesupport-3.2.12/lib/active_support/callbacks.rb:405:in `_run__3420600692611624337__call__1248271218107338857__callbacks'
    /app/vendor/bundle/ruby/1.9.1/gems/activesupport-3.2.12/lib/active
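Both this report and the earlier "How to handle URI::InvalidURIError?" one have the same root: the redirect target is built by handing the whole request URL to URI.parse, which rejects characters such as "<" in a path (and, on the older parser those reports ran on, "|" in a query) even though browsers send them. As an added example that is not the gem's code, the Ruby below contrasts that approach with a scheme rewrite that touches only the leading "http://" and lets the caller answer 400 instead of raising. The two URLs are constructed in the shape of the reported ones.

```ruby
require 'uri'

# Added example, not rack-ssl-enforcer code: rewriting the scheme of a request
# URL without parsing the whole URL first.

# Constructed URLs shaped like the two reports (not real traffic).
BAD_PATH_URL   = 'http://example.com/<lan'
PIPE_QUERY_URL = 'http://ourapp.example.test/store/events/539?__utmz=(direct)|whatever'

# Parse-then-rebuild: raises URI::InvalidURIError for BAD_PATH_URL on every
# Ruby URI parser (and for PIPE_QUERY_URL on the Ruby 1.9 parser in the report).
def replace_scheme_with_uri(url, scheme = 'https')
  uri = URI.parse(url)
  uri.scheme = scheme
  uri.to_s
end

# String-based rewrite: only a leading "http://" is replaced and the rest of
# the URL passes through unchanged. Returns nil for anything that is not an
# absolute http URL so the caller can fail closed instead of raising.
def replace_scheme_safely(url, scheme = 'https')
  return nil unless url.match?(%r{\Ahttp://}i)
  "#{scheme}://#{url.sub(%r{\Ahttp://}i, '')}"
end

# What a middleware would hand back: a 301 with a Location, or a 400 when the
# request line cannot be turned into a redirect target.
def https_redirect_for(url)
  location = replace_scheme_safely(url)
  location ? [301, location] : [400, nil]
end

if __FILE__ == $PROGRAM_NAME
  [BAD_PATH_URL, PIPE_QUERY_URL].each do |u|
    begin
      puts "URI.parse route : #{replace_scheme_with_uri(u)}"
    rescue URI::InvalidURIError => e
      puts "URI.parse route : raised #{e.class} (#{e.message})"
    end
    puts "string rewrite  : #{https_redirect_for(u).inspect}"
  end
end
```

Returning 400 for an unparseable request line keeps the middleware from turning a malformed link into a 500 with a stack trace, which is what both reporters saw; the string rewrite also avoids re-encoding any part of the URL, so the redirect target is exactly what the client asked for with only the scheme changed.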

SSL-only, HTTP-only, and mixed

There doesn't seem to be a way to have the following configuration

(1) /admin (SSL Only)
(2) /public (Either SSL or HTTP)
(3) everything else (HTTP only)

Am I missing something?

I think this is a pretty common scenario with Ajax. E.g., this seems to be similar to issue #36.

If I am correct, would it be simpler to get rid of the "force" option, and instead have a rule-type, i.e. one of {SSL, HTTP, Mixed}?

Cookie session state shared across http and https without disabling force_secure_cookies

Due to issues out of our control right now, I have some logged in pages that are https and some that are http. After reading through the github readme, it would seem that i would have to disable force_secure_cookies for this to function properly.

https://github.com/tobmatth/rack-ssl-enforcer#secure-cookies-disabling

That being said I am able to jump between logged in http and https pages without being logged out. My configuration looks like:

    config.middleware.use Rack::SslEnforcer, only: ['/users/sign_in', %r{/users/password/*}, %r{^/user_profile.*}], ignore: [%r{^/assets}], strict: true

Am I misinterpreting the readme?

thx!

POST requests

Hello,

I have a POST request that is not being redirected correctly because it seems that the redirection is always using GET. Weird, right?

I'm using Rails 3.2 and enforcer 0.2.8.

    11:17:38 web.1      | 127.0.0.1 - - [27/Mar/2015 11:17:38] "POST /api/method HTTP/1.1" 301 - 0.2573
    11:17:44 web.1      | 127.0.0.1 - - [27/Mar/2015 11:17:44] "GET /api/method HTTP/1.0" 404 781 6.2435

Thanks
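This report and the earlier "Enforcing won't preserve HTTP methods" one both come from redirecting with a 301, which clients are allowed to (and in practice do) turn into a GET. As an added example that is not the gem's own code, the Rack-style middleware below (no rack gem required; the env keys are the standard Rack ones and the sample env is constructed) answers 301 only for GET and HEAD and 307 otherwise, so the browser repeats the same method and body against the https URL.

```ruby
# Added example, not rack-ssl-enforcer code: a method-preserving https redirect.

class HttpsRedirector
  def initialize(app)
    @app = app
  end

  # Passes https requests through; redirects everything else to the same
  # URL on https with a status chosen from the request method.
  def call(env)
    return @app.call(env) if env['rack.url_scheme'] == 'https'

    status = self.class.redirect_status(env['REQUEST_METHOD'])
    headers = { 'Location' => self.class.https_location(env), 'Content-Type' => 'text/plain' }
    [status, headers, ['redirecting to https']]
  end

  # 301 lets user agents rewrite POST as GET (the behaviour in the logs above);
  # 307 (RFC 7231) must be replayed with the original method and body.
  def self.redirect_status(method)
    %w[GET HEAD].include?(method.to_s.upcase) ? 301 : 307
  end

  # Rebuilds the request URL from its parts rather than parsing a full URL.
  def self.https_location(env)
    qs = env['QUERY_STRING'].to_s
    "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}" + (qs.empty? ? '' : "?#{qs}")
  end
end

# Constructed Rack env (only the keys the middleware reads).
def constructed_env(method, path, query = '', scheme = 'http')
  {
    'REQUEST_METHOD'  => method,
    'rack.url_scheme' => scheme,
    'HTTP_HOST'       => 'example.com',
    'PATH_INFO'       => path,
    'QUERY_STRING'    => query
  }
end

if __FILE__ == $PROGRAM_NAME
  app = HttpsRedirector.new(->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] })
  [
    constructed_env('POST', '/api/method'),
    constructed_env('POST', '/users/sign_out', '_method=delete'),
    constructed_env('GET',  '/users/sign_in'),
    constructed_env('GET',  '/users/sign_in', '', 'https')
  ].each do |env|
    status, headers, = app.call(env)
    puts "#{env['REQUEST_METHOD']} #{env['rack.url_scheme']}://#{env['HTTP_HOST']}#{env['PATH_INFO']} -> #{status} #{headers['Location']}"
  end
end
```

A caveat worth keeping in mind: by the time the 307 is sent, the POST body has already crossed the network in cleartext, so the redirect only repairs the user experience. The protection comes from forms and API clients targeting https URLs in the first place, with HSTS stopping the browser from ever making the http request.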

Release new version! <3

First of all - thanks for this neat piece of software 😍

Any chances for a new stable version soon? I'm mostly interested in this commit c39a72b (airbrake errors are driving me nuts, damn internet spiders :P) but I would like to avoid using yet another fork / github branch in my Gemfile (it's a pain to maintain in the long run).

Cheers!

Proper Nginx Config

Hey guys, I have tried everything that I can read online about SSL::Enforcer, Nginx and Unicorn, but no matter what I try, I always get an infinite loop. If I use Nginx to enforce SSL, it works just fine, but I would really prefer a software based solution. Is there a recommended example Nginx ssl config? I appreciate any and all help!

force internationalization

routes.rb

    MyApp::Application.routes.draw do
      scope '(:locale)' do
        # my resources here...
      end
    end

I have languages: en, es, ar, de...etc, and urls:

mydomain.com/en/blog, mydomain.com/es/users, mydomain.com/de/products...etc

How do I force https for all urls with these locales, and specify an action or a controller?

Thank you!

Forcing HTTPS only on certain paths or methods might be a security problem

Hello.

The topic shall be self-explanatory, but I could gladly comment on it more.

The API allows (and maybe even encourages) users to exclude certain paths and HTTP methods from using/enforcing ssl.

This might lead to security problems and shall be highly recommended against.

There is however no mention of it in documentation and the methods are welcoming.

I would rename the methods to contain _insecure or _dangerous, and mention in the docu that their usage is a bad idea.

ERR_CONNECTION_REFUSED

After following the instructions, adding:

in Gemfile: gem 'rack-ssl-enforcer' (and running bundle install)

in sinatra.rb:

    require 'rack/ssl-enforcer'
    use Rack::SslEnforcer
    set :session_secret, 'asdfa2342923422f1adc05c837fa234230e3594b93824b00e930ab0fb94b'

    # Enable sinatra sessions
    use Rack::Session::Cookie, :key => '_rack_session',
                               :path => '/',
                               :expire_after => 2592000, # In seconds
                               :secret => :session_secret

When starting (by default in port 4567), always connection refused.
I tried adding the :http_port => 4567 but same result.

SSL :ignore ignored for routable addresses, but works for static addresses

Hi

I have set up Rack::SslEnforcer as follows:

    use Rack::SslEnforcer, :ignore => [/^\/assets/, '/crossdomain', '/test']

As expected, any assets are served with both SSL and not SSL. /test which serves the static HTML file /public/test.html, also supports both SSL & non-SSL requests.

However, the reference to crossdomain is in fact a Rails route which points to a standard view that is rendered. Oddly, no matter what I do, it appears crossdomain requires SSL, whereas for any static assets the :ignore option is working.

Example of failure:

    $ curl http://localhost:3000/crossdomain.xml
    <html><body>You are being <a href="https://localhost/crossdomain.xml">redirected</a>.</body></html>

Example of expected behaviour:

    $ curl http://localhost:3000//test.html
    <html>test</html>

I have tried loading the middleware in application.rb, in the config environment file, and even in config.ru, and it makes no difference. No matter what I do, all Rails routable addresses always require SSL, whereas static files respect the :ignore option. I have also tried removing Rack::SslEnforcer altogether, and /crossdomain.xml works on both HTTP and HTTPS.

Am I missing something obvious here?

Thanks for your help.

Apache 2 config?

Hi guys

I am trying to get rack ssl enforcer to redirect some parts of a rails 3 application to https using rack ssl, but all I get is an indefinite loop.

The apache configs seem to be working fine - it's only when it hits the rails app that the loop starts.

I have followed all the tips and tricks out there but still can't get it to work - any suggestions would be most gratefully received.

thanks

chee

combine strict and non strict behaviour

I would like to force the user to use ssl on the sign_in page, to allow both ssl and non-ssl for /api/*, and non-ssl only for the rest of the urls.
Currently I have these two lines in my configuration:

    config.middleware.use Rack::SslEnforcer, :only => [%r{^/users/sign_in/}], :ignore => %r{/assets}, :strict => true, :except_environments => 'development'

    config.middleware.use Rack::SslEnforcer, :only => [%r{^/api/}], :ignore => %r{/assets}, :except_environments => 'development'

However, I cannot connect to non-ssl of the api/* urls anymore.

Do I do something wrong here or is this an internal issue?

Thank you very much for your feedback!

Redirect not working

I'm trying to use this gem to enforce SSL on the site. If I go to mydomain.com, it correctly redirects me to https://www.mydomain.com. Once I'm there, if I take off the www. and just go to http://mydomain.com, it renders the site at http://mydomain.com, which breaks the SSL since the SSL only works with the WWW subdomain.

Here's what I have in my production.rb file:

    config.middleware.use Rack::SslEnforcer, :redirect_to => 'https://www.mydomain.com', :strict => true

Any thoughts on how I can force the site to always render https://www.mydomain.com?

Thanks!

New rubygems release?

I struggled with the "except_environments" option for an hour this morning before realizing that the version on Rubygems (0.2.5) was too old and didn't have that option.

I've got it installing directly from git for now, but it would be really great if you could push a new version to rubygems.

Thanks for the gem!
Micah

Middleware use vs. insert_before

Based on the README file, the SslEnforcer should be prepended into the middleware chain via insert_before:

    config.middleware.insert_before ActionDispatch::Cookies, Rack::SslEnforcer

But then all subsequent examples rely on use:

    config.middleware.use Rack::SslEnforcer, :only_hosts => 'api.example.com'
    ...

Could you please explain what the proper/expected way of setting up the middleware is?

Does not set session cookie as secure

Hi
Below are the things I did:

  1. Installed rack-ssl-enforcer gem
  2. In config/environment.rb (I have a Rails 2.3.2 app) added the two lines below:
        require 'rack/ssl-enforcer'
        config.middleware.use Rack::SslEnforcer
  3. Configured my web server(i.e. Apache) to send HSTS response header.

But still my session_id is not set as secure as verified in chrome developer console.

Infinite redirects behind AWS ELB

Pretty sure I have NGINX config correct.

Started with config.middleware.use Rack::SslEnforcer, :except_environments => 'development', :except => [/.*\/demo$/, /.*\/preview$/, /.*\/debug$/], :force_secure_cookies => false, :strict => true, and wasn't hitting AWS ELB.

So I decided to take baby steps instead...

Switched over to config.middleware.use Rack::SslEnforcer, :redirect_to => "http(s)://project_url" as proposed by the behind a proxy section, and found out that ELB wasn't able to pass health checks because they are always done via http.

So I added :except_agents => 'ELB-HealthChecker/1.0' in order to exempt the ELB health checks, and am now getting redirects again.

I'm going to resume solving this tomorrow with fresh idea, but any help would be appreciated!

Issue with Redirects

So I have SSL Enforcer configured in my application like so:

    config.middleware.use Rack::SslEnforcer, :only_hosts => 'photos.example.com'

When I check the URL redirects in the browser when going to http://photos.example.com, I get the following redirect chain:

1) http://photos.example.com
2) Redirects to https://photos.example.com
3) Redirects to http://photos.example.com/account_sessions
4) Redirects to https://photos.example.com/account_sessions

Is there a way to eliminate step 3, as in going from:

2) Redirects to https://photos.example.com
3) Redirects to https://photos.example.com/account_sessions

My initial thought was that once a host is specified in the configurations, then it only enforces SSL/HTTPS protocol for that domain, and doesn't allow redirects to an HTTP protocol.

Can't load Rack::SslEnforcer in Rails 2.3.11 app

I have a Rails 2.3.11 application that I'm trying to replace ssl-requirement with rack-ssl-enforcer.

In my Gemfile, I have:

    gem 'rack-ssl-enforcer'

(I've also tried)

    gem 'rack-ssl-enforcer', :require => 'rack/ssl-enforcer'

And in config/environment.rb, in the Rails::Initializer.run section, I have:

    config.middleware.use Rack::SslEnforcer

But whenever I try to access the site, I get the Passenger 500 page saying:

    uninitialized constant Rack::SslEnforcer

Am I missing something obvious? That seems to be what the docs are saying as to how to enable it.

Is there a way to combine only_hosts & only?

Hello

I have a site where I want SSL only on these routes:

https://api.example.com
https://example.com/users/sign_in
https://example.com/users/sign_up

and rest URLs should run without SSL. I am not able to figure out a way to combine only_hosts and only together. Tried these:

    config.middleware.use Rack::SslEnforcer,
                          only_hosts: %r{api.example.com},
                          only: %r{/users},
                          ignore: %r{/assets},
                          strict: true

also tried with multiple statements together:

    config.middleware.use Rack::SslEnforcer,
                          except_hosts: %r{api.example.com},
                          only: %r{/users},
                          ignore: %r{/assets},
                          strict: true

    config.middleware.use Rack::SslEnforcer,
                          only_hosts: %r{api.example.com}

but no luck. any suggestion on how I can achieve it?

Thanks

Secure cookie flag forced

Hello,

I wanted to talk to you about a problem I had with SslEnforcer recently. I could fork it and make a pull request as it is easy to change but I wanted to have your opinion before.

Basically I needed to share a cookie based session between http and https on an application and the only way I found so far is to have a non secure cookie. Unfortunately SslEnforcer inevitably sets the secure flag on cookies.

I perfectly understand why the flag is forced and the security breach behind that but I thought that leaving the option (obviously defaulting to false) would not be that bad considering the fact that it is still possible to encode the information by passing a coder class to Rack::Session::Cookie with the :coder option.
https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb#L28-42

Please let me know what you think about that.

Thank you very much,
mig

Add environment constraints

Would be great if I could prevent it from forcing SSL in my dev environment. Maybe add some constraints like :only_environments and :except_environments that would consider the value of RACK_ENV or RAILS_ENV.

Is there a way to combine multiple only, multiple ignore with strict

Hey

I have a site where the users and settings pages require SSL, and the rest of the pages I don't want to run on SSL. Both kinds of page show some images. So I want the assets and system directories to ignore SSL; this is the config I tried with no luck:

    config.middleware.use Rack::SslEnforcer, only: ['/users/', '/settings/'], ignore: ['/assets/', '/system/'], strict: true

Is this scenario possible with rack-ssl-enforcer?
