Comments (11)
Hi,
this feature was merged, but to be honest I'm not quite sure what the correct behavior is.
In your example, it should redirect all http PUT and POST requests on /login to https requests? Right?
I'm really wondering why this feature is needed in the first place?
from rack-ssl-enforcer.
My client wants to minimize use of SSL. So, for example, he wants to present the login form via HTTP but have it submitted via HTTPS (and then return to HTTP on success). At the moment both actions use the same URL. We could change the submission URL, but :mixed seemed like an easy way to accomplish the goal. Only it turns out it isn't.
My impression is that the original submitter was using resource-based routes (in Rails) and wanted to be able to do something similar. Say, a "view user" page via HTTP and an "update user" action that allows you to change your password via HTTPS.
I like the idea of being able to use different protocols for different methods, but I'm not sold on the current design and implementation.
from rack-ssl-enforcer.
I couldn't agree more.
I'll try to fix this if you can wait until this evening (CET).
On 19 Apr. 2011, at 06:36, [email protected] wrote:
My client wants to minimize use of SSL. So, for example, he wants to present the login form via HTTP but have it submitted via HTTPS (and then return to HTTP on success). At the moment both actions use the same URL. We could change the submission URL, but :mixed seemed like an easy way to accomplish the goal. Only it turns out it isn't.
My impression is that the original submitter was using resource-based routes (in Rails) and wanted to be able to do something similar. Say, a "view user" page via HTTP and an "update user" action that allows you to change your password via HTTPS.
I like the idea of being able to use different protocols for different methods, but I'm not sold on the current design and implementation.
from rack-ssl-enforcer.
Hi,
I've just pushed a commit that should fix the behavior of the :mixed option: d5b3bb3
Let me know what you think of it now.
from rack-ssl-enforcer.
@eostrom You are using it incorrectly. Don't include it in the :only array. You will be able to PUT or POST to the /login url securely without any magic and the GET will be forced http.
@rymai You actually broke it with that commit.
BTW it was my implementation. So basically the point is to leave PUT and POST methods alone just because of restful routes. Documentation could probably use some further clarification on how to use it.
from rack-ssl-enforcer.
Here is the original commit: SHA: cb2959a
It is working flawlessly on a very large production site.
from rack-ssl-enforcer.
@lardawge Thanks for the clarification. It seems like if I don't pass an :only argument, it will apply the :mixed behavior to /login, but also to every other URL. That's not what I was looking for, although I understand that it meets your needs.
I'd prefer that the :mixed parameter apply to the URLs specified by :only/:except. I'm not demanding anyone implement that for me. I was just trying to understand what the code is supposed to do, and whether it does it.
You mentioned the latest commit broke your expectations of :mixed; could you describe what broke?
from rack-ssl-enforcer.
Mixed is a mixed version of strict so by default will make every request redirect to http unless you pass in specific paths using :only. From your description, you want login to be GET#login => insecure, POST#/login => secure. Don't pass in anything to :only but set mixed to true. Then any other paths you want to secure you would pass in using the :only option. In your login form you would need to pass a protocol into the url helper login_url(:protocol => 'https'). This should automatically redirect back to http if the redirect path is not used in only.
What I just described is exactly how I use the mixed option and why I implemented it. There are about 12 sections of the site I use it on that have this need. Because of mixed content warnings from ads I cannot go full ssl and I need it to redirect back to http.
The commit I referred to that broke this, made all my tests fail because it now ignores :only for get requests if :mixed => true.
from rack-ssl-enforcer.
As a correction to the above, you will need something in :only for mixed or strict to work which makes sense... There would be no reason for the plugin otherwise.
from rack-ssl-enforcer.
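As an added illustration of the :mixed and :only semantics lardawge describes above (this is example code, not the gem's code or either linked commit), here is a minimal Rack middleware that applies those rules. It assumes only standard Rack env keys; the host example.test and the sample app are constructed.

```ruby
# Models the thread's description: paths in :only must be https, :strict forces
# every other path back to http, and :mixed is :strict with PUT/POST left alone.
class MixedSslEnforcer
  def initialize(app, only: [], strict: false, mixed: false)
    @app, @only, @strict, @mixed = app, only, strict, mixed
  end

  def call(env)
    method = env['REQUEST_METHOD']
    scheme = env['rack.url_scheme']
    path   = env['PATH_INFO']
    target = required_scheme(method, scheme, path)
    return @app.call(env) if target.nil? || target == scheme

    query    = env['QUERY_STRING'].to_s
    location = "#{target}://#{env['HTTP_HOST']}#{path}"
    location += "?#{query}" unless query.empty?
    # A 301 makes browsers re-issue a POST as a GET and drop the body; under
    # :mixed a POST never reaches this point, under plain :strict it would.
    [301, { 'Location' => location, 'Content-Type' => 'text/plain' },
     ["Redirecting to #{location}"]]
  end

  # Returns 'https', 'http', or nil (leave the request's protocol as-is).
  def required_scheme(method, _scheme, path)
    return nil if @mixed && %w[PUT POST].include?(method)
    return 'https' if @only.any? do |rule|
      rule.is_a?(Regexp) ? rule.match?(path) : path.start_with?(rule)
    end
    return 'http' if @strict || @mixed
    nil
  end
end

# Constructed sample app and request builder (not from the gem).
APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }

def demo_env(method, scheme, path, query = '')
  { 'REQUEST_METHOD' => method, 'rack.url_scheme' => scheme, 'PATH_INFO' => path,
    'QUERY_STRING' => query, 'HTTP_HOST' => 'example.test' }
end

def demo_status(middleware, method, scheme, path)
  middleware.call(demo_env(method, scheme, path)).first
end
```

Under these rules a POST that arrives over plain http is not upgraded either, so the credentials are only protected if the form's action explicitly points at https (the login_url(:protocol => 'https') step above); that per-method gap is what makes this design worth reviewing before relying on it.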
This reflects an overall design issue with the gem; it effectively whitelists paths or hosts for HTTPS, but allows exceptions for requests that can be HTTP. What is more useful is a behavior like the ssl_requirement plugin that works with Rails 2, in which you can define all three scenarios: ssl_required, ssl_allowed, and ssl_exceptions.
I've built a quick fork that provides this ability: https://github.com/parhamr/rack-ssl-enforcer
Its configurations accept paths or hosts that must be http or https, and then allows all other requests to maintain their current protocols.
It's not fully tested or integrated with the leading features of this Rack gem, but I think it adequately adjusts the logic.
from rack-ssl-enforcer.
Hi,
I'm closing this thread due to inactivity. Also, the gem has received many improvements since then so it's most likely that the original use case can now be implemented.
Feel free to re-open (or open a new pull-request directly) if you feel there's still something to change in the gem.
from rack-ssl-enforcer.