Adding SSL to Your Rails 4 App

There are a few different ways you can configure SSL in your Rails app. I prefer the options that require the least configuration. The following is an example of getting a particular page in your Rails app, such as a purchasing page, served over a secure protocol with nginx.

First create a folder in your /etc/ssl directory and name it localcerts.

Then go into that folder and generate a private key and a certificate signing request (CSR) that you will later send to an SSL provider with the following commands:

cd /etc/ssl/localcerts

openssl req -new -nodes -days 365 -keyout www.mydomain.com.key -out www.mydomain.com.csr

Once your SSL provider sends you the signed certificate, add it to your localcerts folder.
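Before pointing nginx at the new files, it helps to confirm that the certificate you received matches the private key you generated and covers your server name. The Ruby script below is an added example, not part of the original post; the helper names (build_csr, issue_cert, check_pair) and the self-signed stand-in for the provider's certificate are assumptions made so that it runs offline.

```ruby
require 'openssl'

# Build a CSR for common_name signed by key: the in-process equivalent of the
# page's `openssl req -new` step.
def build_csr(key, common_name)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
end

# Constructed stand-in for the SSL provider: turns a CSR into a certificate.
# Self-signed so the example runs offline; a real provider signs with its CA key.
def issue_cert(csr, signing_key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = csr.subject
  cert.issuer = csr.subject
  cert.public_key = csr.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 24 * 3600
  cert.sign(signing_key, OpenSSL::Digest.new('SHA256'))
end

# Returns the problems found with a certificate/key pair for server_name;
# an empty list means the files belong together and cover that name.
def check_pair(cert_pem, key_pem, server_name, now = Time.now)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key = OpenSSL::PKey.read(key_pem)
  problems = []
  problems << 'certificate does not match private key' unless cert.check_private_key(key)
  unless (cert.not_before..cert.not_after).cover?(now)
    problems << 'certificate is expired or not yet valid'
  end
  unless OpenSSL::SSL.verify_certificate_identity(cert, server_name)
    problems << "certificate does not cover #{server_name}"
  end
  problems
end

# Constructed sample data: a fresh key, its CSR, and the "issued" certificate.
KEY = OpenSSL::PKey::RSA.new(2048)
CERT_PEM = issue_cert(build_csr(KEY, 'www.mydomain.com'), KEY).to_pem
OTHER_KEY_PEM = OpenSSL::PKey::RSA.new(2048).to_pem # a different private key

p check_pair(CERT_PEM, KEY.to_pem, 'www.mydomain.com')
p check_pair(CERT_PEM, OTHER_KEY_PEM, 'mydomain.com')
```

To check real files, pass File.read of the .crt and .key paths to check_pair along with the server_name you put in nginx.conf.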

Now add the following to your nginx.conf file below the default server listening on port 80:

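server {
  # "listen ... ssl" replaces the deprecated "ssl on;" directive
  listen                443 ssl;
  server_name           mydomain.com;
  ssl_certificate       /etc/ssl/localcerts/www.mydomain.com.crt;
  ssl_certificate_key   /etc/ssl/localcerts/www.mydomain.com.key;
  # SSLv2, SSLv3 and TLSv1 are obsolete and insecure; offer only TLS 1.2 and 1.3
  ssl_protocols         TLSv1.2 TLSv1.3;
  # Strong ciphers only, with no anonymous (unauthenticated) or MD5-based suites
  ssl_ciphers           HIGH:!aNULL:!MD5;
  ssl_session_cache     shared:SSL:10m;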
 
  root /home/root/apps/mydomain/current/public;
 
  location ^~ /assets/ {
    gzip_static on;
    expires max;
    add_header Cache-Control public;
  }
 
  try_files $uri/index.html $uri @unicorn;
  location @unicorn {
    proxy_set_header  X-Real-IP       $remote_addr;
    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto https;
    proxy_set_header  Host $http_host;
    proxy_redirect    off;
    proxy_pass        http://unicorn;
  }
 
  error_page 500 502 503 504 /500.html;
  client_max_body_size 4G;
  keepalive_timeout 10;
}

Run:

sudo service nginx restart

If your server won’t restart, run the following to debug:

sudo nginx -t

Now you can see if your server accepts https requests by prefixing the URL of any page on your site with https://.

If everything is in order, go to the controller of the page that you want secured and add the following:

force_ssl only: :purchasing unless Rails.env.development?

The first part, force_ssl, requires an https connection on all actions in that controller, and the second part, the only: option, lets you specify the actions that should require an https connection. See the documentation here.

The latter part restricts SSL to the production environment.

Now the last thing you have to do is change the links in your headers, footers, or sidebars that are reachable from the secured page and built with the path helpers to something like:

root_url(:protocol => 'http')

This ensures that all the pages you do not want served over an SSL connection are served via http.

That’s it! Now you’re ready to start accepting payments and adding users to your production app!

Here is also a tutorial to set your conf file for a WordPress blog.
