I have a Ruby on Rails app running on Heroku server. As I'm testing the app with SSL certificate, I added a non-paid one like this tutorial explains, and forced the server app to use SSL with RackSSL gem.
So, I also have an Android client and I have some doubts:
How do I verify if the client request is using the same certificate?
How do I force SSL only on specific Rails routes?
Thanks in advance!
Ad. 1, do as suggested in the guide: Visit the endpoint and look at the certificate that gets served up (it should be the one you added). Note that the certificate is not different depending on the client accessing Heroku, it's something that Heroku serves up to clients accessing the endpoint so you can verify this using either a normal desktop browser or your smartphone.
Ad. 2, check out this answer which suggests rack-ssl-enforcer.
Related
I have a Heroku app and am using a custom subdomain to point to it. Let's say my subdomain is blog.mysite.com.
When I navigate to the site, chrome throws the error: ERR_SSL_PROTOCOL_ERROR. In the address bar, it automatically reroutes to https://blog.mysite.com. Is this the issue? Why is it not just http://blog.mysite.com?
My domain is through bluehost if that matters.
If you are running a free dyno, you will not get TLS support on your custom subdomain. Upgrade it to at least the "Hobby" tier and it will provision a free certificate to match your custom subdomain.
As for why it automatically reroutes, that's something happening within your application or custom process configuration. Heroku doesn't automatically re-route from http to https.
For me, I'd neglected to set up Automated Certificate Management in Heroku. Enabling this fixed the problem.
I am developing rails 4 project with some API,
And I need to configure two-way SSL authentication for these API requests.
I know that two-way SSL means that:
client and server have certificates
server check client's sertificate
client check server's sertificate
if everything is OK client send a request
if everything is OK server send a response
But how it can be implement in rails?
And how can it be implemented only for rails API (requests with /api/.. prefix etc.)?
Or I am not right and it should be implemented on Nginx layer....?
Does any ruby gems for two-way SSL authentication exists?
with easy to understand documentation :)
This problem should not be solved on application layer.
Please, find example of nginx settings in the answer of this question.
I have a reverse proxy that authenticates users using SSL Client Side certificates. I am trying to make Sonar V4 use the credentials that are passed in by the certificate from the reverse proxy. However, I haven't had much luck so far with Sonar.
However, I did get this working with Jenkins and Trac already.
Couldn't find one out there. So I just made my own over a few days.
https://github.com/trajano/reverse-proxy-auth-sonar-plugin
Personally wasn't too thrilled to have to resort to dealing with Ruby on Rails within a Java app and learning the current API on the fly, but it seemed to work since the authentication is managed by Ruby on Rails rather than Java.
I can't for the life of me find how to configure client certificate validation with Heroku SSL endpoint. Is is supported at all? Is there an alternative add-on that does support it?
I asked their support about this and this was their answer: https://help.heroku.com/tickets/128194
So it would appear that server side verification of client certificates isn't supported by heroku right now if you rely upon their web server. I.e. having a server hosted on heroku check the client certificate provided by the connecting client. This requires a check at the web server level.
However I did come across this for nodejs:
https://www.npmjs.org/package/client-certificate-auth
which would lead me to believe that for nodejs is should be possible, since you have full access to the http(s) server. I haven't tried it though
I'm trying to enable rails SSL on one specific path. The rest of the website should render in http.
Also this connection is made between the rails server and an android device. The android device should send his information in SSL with a own created certificate.
Is this possible in Rails or not?
You should try ssl_requirement gem. It enables specific actions to run under SSL.