Easy application-wide SSL configuration in Rails 3.2

Rails 3.1 offers a handy way to secure your entire application behind HTTPS: just add config.force_ssl = true in your environment configuration file, and all requests will be redirected to HTTPS. Under the covers, this setting loads the Rack::SSL middleware. What happens if you want to exclude certain URL patterns from this restriction? The Rack::SSL middleware accepts options that allow you to do this: you can pass it a Proc that receives the Rack env and returns true for the requests Rack::SSL should leave alone, for example by testing the request path against a prefix or a regular expression.

For example, if instead of using config.force_ssl = true you used the following snippet in your code, it would not force SSL on pages under the path /public (more precisely, on any path that begins with the string /public):

require "rack/ssl"
config.middleware.insert_before ActionDispatch::Static, Rack::SSL, :exclude => proc { |env| env['PATH_INFO'].start_with?('/public') }

Instead of jumping through these hoops in your configuration file, I thought that Rails should allow you to pass options to Rack::SSL.  I submitted a pull request with my changes which was promptly accepted by José Valim, so if you’re either using edge Rails or 3.2 when it comes out you’ll be able to do the following to configure SSL in your application:

config.force_ssl = true
config.ssl_options = { :exclude => proc { |env| env['PATH_INFO'].start_with?('/public') } }
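Because the :exclude proc above is a plain prefix match, it also exempts paths such as /publicity from the HTTPS redirect. The following is an added example, not code from the original post or from Rails; STRICT_EXCLUDE, LOOSE_EXCLUDE, excluded_paths and the sample paths are hypothetical names and constructed data used to compare the post's predicate with one that matches only on a path-segment boundary.

```ruby
# Predicate as written in the post: matches any PATH_INFO that merely
# begins with the characters "/public".
LOOSE_EXCLUDE = proc { |env| env['PATH_INFO'].start_with?('/public') }

# Stricter variant (assumption: only "/public" itself and paths beneath
# "/public/" are meant to be reachable over plain HTTP). It also tolerates
# an env without PATH_INFO instead of raising NoMethodError on nil.
STRICT_EXCLUDE = proc do |env|
  path = env['PATH_INFO'].to_s
  path == '/public' || path.start_with?('/public/')
end

# Constructed sample request paths, for illustration only.
SAMPLE_PATHS = %w[
  /public
  /public/logo.png
  /publicity
  /public_admin/users
  /account
  /
].freeze

# Returns the paths that the given predicate would exempt from the
# HTTPS redirect, i.e. the ones Rack::SSL would pass through untouched.
def excluded_paths(predicate, paths = SAMPLE_PATHS)
  paths.select { |p| predicate.call({ 'PATH_INFO' => p }) }
end

if __FILE__ == $PROGRAM_NAME
  puts "loose : #{excluded_paths(LOOSE_EXCLUDE).inspect}"
  puts "strict: #{excluded_paths(STRICT_EXCLUDE).inspect}"
end

# In the environment file the stricter proc is passed the same way:
#   config.force_ssl   = true
#   config.ssl_options = { :exclude => STRICT_EXCLUDE }
```

Running the predicate over a list of the application's real routes before deploying shows exactly which paths will be served without the redirect.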

I hope that this change makes configuring your application to be safe a bit easier. Happy SSL’ing!

Posted in Rails, Ruby.

