combine strict and non strict behaviour

[ghost]

I would like to force the user to use ssl on the sign_in page, to allow to use ssl and non ssl for /api/* and non ssl only for the rest of the urls.
Currently I have these two lines in my configuation:

config.middleware.use Rack::SslEnforcer, :only => [%r{^/users/sign_in/}], :ignore => %r{/assets}, :strict => true, :except_environments => 'development'

config.middleware.use Rack::SslEnforcer, :only => [%r{^/api/}], :ignore => %r{/assets}, :except_environments => 'development'

However, I cannot connect to non-ssl of the api/* urls anymore.

Do I do something wrong here or is this an internal issue?

Thank you very much for your feedback!

[ghost]

No ideas?

[tobmatth]

Sorry for the delayed response, i was quite busy. With this rulesets, i'd expect the following to happen:

1. Request to https://example.org/api/ressource.json
2. Request is forced to http://example.org/api/ressource.json (as you use :strict in the first ruleset)
3. Then, the second ruleset forces it back to https://example.org/api/ressource.json
4. See 1.

This should work for your setup

config.middleware.use Rack::SslEnforcer, :only => [%r{^/users/sign_in/}], :ignore => [%r{/assets}, %r{/api}], :strict => true, :except_environments => 'development'

[ghost]

great, thank you so much!