6

I have an application which has a controller with actions which are forced to https and one exception using the following code:

# Redirect every action to HTTPS except :show, and only when ssl_configured? is true
force_ssl except: :show, if: :ssl_configured?

def ssl_configured?
  Rails.logger.debug "ssl configured"
  ENV["ENABLE_HTTPS"] == "yes"
end

Within one of the views I then have the url defined to access the http link as:

place_url(place.id, protocol: 'http')

When I run this on my local server (using NGINX/WEBrick) all actions are redirected to HTTPS except for the show action, which remains unsecured.

However when I deploy to heroku all actions redirect to a secure connection even though the link to the place show action is shown as http.

I have not done any configuration on Heroku (other than setting the environment variable) so the app is running on the WEBrick server.

How can I establish why the exception is being ignored on Heroku? Would I be better starting by configuring a unicorn server as advised in the Heroku docs?

Richbits
  • Could that be a cache problem? That's often a misleading issue I see with those kind of redirect. – Damien MATHIEU Feb 26 '14 at 09:20
  • I assume that you mean the browser cache? I'm pretty sure that that is not it. I have cleared the cached web content in firefox. I've also tried Rails.cache.clear on the console returning ["/app/tmp/cache/assets"] (in case that is what you meant). Neither have made any difference. – Richbits Feb 26 '14 at 10:28
  • I've created a fresh instance of the application on Heroku and it works correctly. This obviously has solved my problem, but I would still be interested in how to investigate the original instance further. – Richbits Mar 03 '14 at 09:10
  • maybe `config.force_ssl` was set to true? – George Mar 07 '14 at 03:22
  • Thanks, I'm almost certain that this is not the case. On doing git ls-remote heroku I have exactly the same commit hash against the working and non-working versions and, reviewing git, config.force_ssl is commented out in both within production.rb. It would be good if there was a way to check the actual files on the server. – Richbits Mar 07 '14 at 09:37
  • I know this is late but you can actually run server commands with `heroku run` – Adam Keenan May 18 '14 at 19:17
  • Thanks @adamk33n3r. I had subsequently found that; specifically, `heroku run bash` allows `ls` to see the files, but these are timed to the load time. There is no built in text editor, but this [link](http://stackoverflow.com/questions/12666799/heroku-bash-wheres-vi) notes a plugin. I've not tried it though. – Richbits May 20 '14 at 14:46
  • @Richbits I just tried it and it works pretty well. There are no colors but that's ok for a quick fix. If you also just want to see a file and not edit it you can just run `cat`. That will print the file. You could even do `cat file_name.ext | more` and push enter and space to scroll through the file. – Adam Keenan May 21 '14 at 00:08
  • Thanks @adamk33n3r, that is pretty good to know. `cat` would have allowed me to check the version of the code. – Richbits May 21 '14 at 08:38

2 Answers

0

I had similar problems as you and couldn't get it working correctly with Rails 4 on Heroku using this method. So I found and installed the 'rack-ssl-enforcer' gem, which plays very nicely with Heroku.

Just install the gem and add whatever configurations you want to your application.rb file. The only caveat is that the :except configuration from SslEnforcer was having trouble as well, so I used the :only config and set it to a regex to enforce ssl on the entire site, except for the regex lookaheads "feedback|beta-tester" (these are the routes that I do not want SSL). Here is the configuration I used:

config.middleware.use Rack::SslEnforcer, :only => %r{[\/](?!feedback|beta-tester)\S+}, :strict => true

Be sure to set :strict to true, otherwise when someone navigates from an SSL page to your show page it will use SSL, and vice versa for navigating from a non-SSL page.

https://github.com/tobmatth/rack-ssl-enforcer
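To see exactly which request paths the :only regex from this answer would send to HTTPS, here is an added example (not from the answer or the rack-ssl-enforcer gem) that runs the regex over a constructed set of paths; it assumes, as rack-ssl-enforcer does for :only, that the rule is tested against the request path rather than the full URL.

```ruby
# Added example, not the gem's code: exercise the :only regex from the answer
# against sample request paths. Assumption: the rule is matched against the
# request path (e.g. "/feedback/new"), not the full URL.
SSL_ONLY = %r{[\/](?!feedback|beta-tester)\S+}

# True when the path matches the regex, i.e. the request would be forced to HTTPS.
def ssl_enforced?(path)
  !!(path =~ SSL_ONLY)
end

# Subset of the given paths that the regex selects for HTTPS.
def enforced_paths(paths)
  paths.select { |p| ssl_enforced?(p) }
end

# Constructed sample paths showing the intended behaviour and two edge cases:
# the lookahead only tests the text right after a "/", and the regex is
# unanchored, so a later "/segment" in the same path can still match.
SAMPLE_PATHS = [
  "/",                    # nothing after "/" so \S+ fails -> NOT enforced
  "/places/1",            # ordinary route -> enforced
  "/feedback",            # excluded route -> not enforced
  "/beta-tester/signup",  # second "/" is followed by "signup" -> enforced anyway
  "/feedback/new",        # same effect: "/new" matches -> enforced
  "/feedbacks",           # lookahead is a prefix test -> also excluded
  "/users/feedback",      # "/users" matches -> enforced
]

if __FILE__ == $0
  SAMPLE_PATHS.each do |p|
    puts "#{p.ljust(22)} #{ssl_enforced?(p) ? 'HTTPS enforced' : 'HTTP allowed'}"
  end
end
```

Note that the root path "/" is left on plain HTTP by this regex, while nested paths under the excluded routes are still redirected to HTTPS, so check the paths you actually serve rather than trusting the exclusion list.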

0

Having your application switch back and forth between SSL is bad news, especially after a user has logged in. There are extra precautions that need to be made, such as securing cookies. Check out this Railscasts episode for more details: http://railscasts.com/episodes/357-adding-ssl.

You would be much better off serving the entire app via SSL.

[/opinion]

As for Heroku, enabling SSL on Heroku will move the app to a secured dyno. Once that is done, all requests to that dyno use SSL. I can confirm this behavior. I just deployed to Heroku SSL a vanilla rails app with Devise and force_ssl explicitly set to false. All non-SSL requests to this app redirect to SSL. This is the Heroku SSL dyno configuration doing this, not the app configuration.

So, again, on Heroku SSL all requests are redirected to SSL regardless of app configuration.

Karl Wilbur