SSL :ignore ignored for routable addresses, but works for static addresses #43
Your setup should be fine and in fact it shouldn't matter whether a static asset or some Rails controller is called in the end. Just a shot in the dark: did you try some other way to force ssl before, maybe a forgotten before filter or something?
Well to be honest I am working with someone else's code base, so there is a possibility there is something hidden away that I am not aware of. Oddly though SSL is not required when Rack::SslEnforcer is not required, so it does make me wonder how anything could be hidden away. I also thought that it should not make any difference whether the URL matches a Rails route or not, but clearly it is somehow. I will explore further and report back.
Meh, my fault. Static assets are served by ActionDispatch::Static, which kicks in before Rack::SslEnforcer unless you explicitly insert it at a specific position (see rake middleware), so that's why your static assets work. In addition, you are using a String path constraint, which will match explicitly /crossdomain, but won't match crossdomain.xml. So just use a Regex and you should be good to go...
I'm closing here, feel free to reopen if you run into further problems.
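A toy reproduction of the two effects described in the comment above: middleware order decides whether static files ever reach the enforcer, and a String ignore rule does not cover `/crossdomain.xml`. This is an added example, not code from rack-ssl-enforcer, Rails or anyone in this thread; `ToyStatic`, `ToySslEnforcer`, `build_stack`, `http_status`, the host `example.test` and the file `/report.html` are hypothetical, and the exact-match behaviour for String rules is assumed from the comment.

```ruby
# Added illustration: toy middleware, not rack-ssl-enforcer or Rails code.
# Assumption taken from the thread: a String :ignore rule must equal the path,
# while a Regexp rule is matched against it.
class ToyStatic # stands in for ActionDispatch::Static
  def initialize(app, files)
    @app = app
    @files = files
  end

  def call(env)
    body = @files[env['PATH_INFO']]
    body ? [200, {}, [body]] : @app.call(env)
  end
end

class ToySslEnforcer # stands in for Rack::SslEnforcer
  def initialize(app, ignore: [])
    @app = app
    @ignore = ignore
  end

  def ignored?(path)
    @ignore.any? { |rule| rule.is_a?(Regexp) ? rule.match?(path) : rule == path }
  end

  def call(env)
    return @app.call(env) if env['rack.url_scheme'] == 'https' || ignored?(env['PATH_INFO'])
    [301, { 'Location' => "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}" }, []]
  end
end

RAILS_APP = ->(env) { [200, {}, ["routed #{env['PATH_INFO']}"]] }
FILES = { '/report.html' => 'static file' }.freeze # constructed sample

# First class in `order` is outermost, i.e. it sees the request first.
def build_stack(order, ignore)
  order.reverse.inject(RAILS_APP) do |app, klass|
    klass == ToyStatic ? klass.new(app, FILES) : klass.new(app, ignore: ignore)
  end
end

# Status returned for a plain-HTTP request to `path`.
def http_status(stack, path)
  env = { 'rack.url_scheme' => 'http', 'HTTP_HOST' => 'example.test', 'PATH_INFO' => path }
  stack.call(env).first
end

STATIC_FIRST = build_stack([ToyStatic, ToySslEnforcer], ['/crossdomain'])
ENFORCER_FIRST = build_stack([ToySslEnforcer, ToyStatic], [%r{^/crossdomain}])
```

With the static handler outermost, `/report.html` is answered over plain HTTP even though no ignore rule names it, so any file under the static root is outside the enforcer's reach until the enforcer is moved ahead of it.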
Thanks for your help @tobmatth, the issue was related to the Rack load order, so I am now using this instead:
I realised the string crossdomain would not work, but I was getting desperate and trying all sorts of stuff! BTW. I found the :ignore statement didn't behave as expected, hence why I went with the above. Thanks again, all sorted.
Hi
I have set up Rack::SslEnforcer as follows:
use Rack::SslEnforcer, :ignore => [/^\/assets/, '/crossdomain', '/test']
As expected, any assets are served with both SSL and not SSL. /test which serves the static HTML file /public/test.html, also supports both SSL & non-SSL requests.
However, the reference to crossdomain is in fact a Rails route which points to a standard view that is rendered. Oddly, no matter what I do, it appears crossdomain requires SSL, whereas for any static assets the :ignore option is working.
Example of failure:
Example of expected behaviour:
I have tried loading the middleware in application.rb, in the config environment file, and even in config.ru, and it makes no difference. No matter what I do, all Rails routable addresses always require SSL, whereas static files respect the :ignore option. I have also tried removing Rack::SslEnforcer altogether, and /crossdomain.xml works on both HTTP and HTTPS. Am I missing something obvious here?
Thanks for your help.