I'm currently trying to find a way to force http for some routes (faster, no need for security) and force https for more sensitive pages. I saw the answer to this: Rails 3 SSL Deprecation, but it doesn't seem to work.

I added a scope around my root url:

scope :constraints => { :protocol => 'http' } do
  root :to => 'site#index'
end

But it just threw the error No route matches [GET] "/" when I tried to go to localhost:3000.

Is there a clean way to force http in some places and force https in others? (I could use force_ssl in my controller, but is there a force_http?) The scope around the routes looks clean, but it isn't working for me. Am I doing it wrong?

How about a method like this?

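CONTROLLERS_THAT_REQUIRE_SSL = ['check_out']

# Meant to run as a before_filter: sends HTTPS requests back to HTTP
# unless the current controller is on the SSL list.
def ensure_proper_protocol
  unless Rails.env.development? || Rails.env.test?
    if request.ssl? && !CONTROLLERS_THAT_REQUIRE_SSL.include?(params[:controller])
      # fullpath keeps the query string, which request.path would drop
      redirect_to "http://" + request.host + request.fullpath
    end
  end
end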
bigpotato

2 Answers


Not sure if this blog will be of any use to you: Always-On HTTPS With Rails Behind an ELB. This may also be of use to you, considering you are trying to force some parts of your application to use https: SSL Requirement. It details, under the section about SSL requirement, that it adds a declarative way of specifying that certain actions should only be allowed to run under SSL. Should you want to specify the entire controller in SSL, then call ssl_exceptions.

Alternatively, you could try to write a before_filter by doing something like:

class ApplicationController < ActionController::Base
  before_filter do
    # Both conditions must hold: redirecting a request that is already
    # plain HTTP to HTTP would loop forever.
    if request.ssl? && Rails.env.production?
      redirect_to :protocol => 'http://', :status => :moved_permanently
    end
  end
end

Hope this helps

Deej

After looking for an answer it doesn't look like it exists, so I created a force_http gem... it's my first gem, and I didn't really test it out, but take a look if any of you are facing the same issues:

Install it with gem install force_http or you can find it here: https://github.com/EdmundMai/force_http. You just put force_http in the controller as you would with force_ssl. It's essentially just the opposite. I looked at the source code and just configured it to redirect to http:// instead of https:// when request.ssl?

bigpotato
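
One way to enforce the per-path protocol choice discussed in this thread, as an added example (not code from the question, the answers, or the force_http gem): a Rack-style middleware in plain Ruby that also covers the load-balancer case from the linked ELB post. The `/check_out` path prefix, `CANONICAL_HOST` and the `trust_forwarded_proto` option are assumptions made for illustration.

```ruby
# Added example: Rack-style middleware in plain Ruby (no gems needed).
class ProtocolPolicy
  SECURE_PREFIXES = ['/check_out'].freeze  # assumption: paths that need HTTPS
  CANONICAL_HOST  = 'shop.example.test'    # assumption: constructed host name

  def initialize(app, trust_forwarded_proto: false)
    @app = app
    @trust_forwarded_proto = trust_forwarded_proto # enable only behind your own proxy
  end

  # Scheme the client used. Behind a TLS-terminating load balancer
  # rack.url_scheme is always "http", so X-Forwarded-Proto is consulted.
  def client_scheme(env)
    fwd = env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip.downcase
    return fwd if @trust_forwarded_proto && !fwd.empty?
    env['rack.url_scheme']
  end

  def wanted_scheme(path)
    secure = SECURE_PREFIXES.any? { |p| path == p || path.start_with?("#{p}/") }
    secure ? 'https' : 'http'
  end

  # Returns [:pass], [:reject] or [:redirect, url].
  def decide(env)
    path = env['PATH_INFO']
    wanted = wanted_scheme(path)
    return [:pass] if client_scheme(env) == wanted
    unless %w[GET HEAD].include?(env['REQUEST_METHOD'])
      # A body already sent in clear text cannot be un-sent: refuse it on
      # HTTPS-only paths. An HTTPS POST to an HTTP path is harmless.
      return wanted == 'https' ? [:reject] : [:pass]
    end
    qs = env['QUERY_STRING'].to_s
    query = qs.empty? ? '' : "?#{qs}"
    # The Host header is client-controlled, so the redirect uses a fixed host.
    [:redirect, "#{wanted}://#{CANONICAL_HOST}#{path}#{query}"]
  end

  def call(env)
    action, url = decide(env)
    case action
    when :redirect then [301, { 'Location' => url }, []]
    when :reject   then [403, { 'Content-Type' => 'text/plain' }, ['HTTPS required']]
    else @app.call(env)
    end
  end
end
```

In a Rails app this would be inserted with `config.middleware.use ProtocolPolicy`. Session cookies used on the HTTPS pages still need the `secure` flag, because the HTTP pages send every non-secure cookie in clear text.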