2

I'm trying to add SSL to a legacy rails project (rails 2.3.15, ruby 1.8.7). I'm a little out of my comfort zone in all honesty as a very junior java developer(!), learning as I go about ruby and rails and hosting and security (i.e. every aspect of this job.)

I've sorted the configuration for AWS and Apache, and now have to handle all the requests the app makes to presently non-secure content via http.

The gem https://github.com/josh/rack-ssl looks like it might be exactly what I want, but looking at that page I had no idea where to actually type the "use" and "require" command - it seems as if it's to do with Rack middleware which we aren't using in this project. I don't know if there would be issues installing Rack given the ageing dependencies of our project?

I came across that via https://www.pluralsight.com/guides/ruby-ruby-on-rails/using-https-with-ruby-on-rails but I can't follow the instructions there due to the age of this codebase (as in "we don't have a gemfile, or a file called config/application.rb" old) - I can install gems manually, but don't know where to begin with any other options.

Short of manually changing every loaded resource in the project, any advice on how to proceed would be enormously gratefully received!

rwold
  • If I were you, I would try to upgrade to rails 4.0 at least. Because things like your requirement will come all the time and you can't find enough people to answer questions like how to do this in rails 2.x. More info here http://stackoverflow.com/a/17641442/1395129 – gates Apr 11 '17 at 13:16
  • For immediate solution try this http://stackoverflow.com/a/3862679/1395129 – gates Apr 11 '17 at 13:18
  • Perhaps you should delegate the SSL management to the Apache server, instead of Rails. Try reading [this](https://www.digicert.com/ssl-certificate-installation-apache.htm). – Wikiti Apr 11 '17 at 13:19
  • Thanks for the replies. As for the upgrade: We're working on a new website based on Spring, seeing as we're really a team of java devs. The upgrade seems tricky with changes both to the project structure and ruby syntax, and we've heard of it taking up to a year - especially as we have basically no unit tests... – rwold Apr 11 '17 at 13:28
  • @Wikiti I've followed the steps there to serve the website on https, but the result is broken. The main page etc and some features work, but it seems to be trying to load 3rd party scripts that aren't secured. We also have multiple backend projects pushing info to the website that don't seem to be working, for reasons that I don't yet know are to do with them or the website... – rwold Apr 11 '17 at 13:34
  • @rwold There are some drawbacks here that I should have mentioned: https is not compatible with http; any website loaded via https won't be able to load http resources (stylesheets, javascripts, nor fonts). Therefore, you need to update 3rd party resources links to use https if the site is served via https. This won't be fixed even by using external gems; you need to update them manually to use a helper. Also, to keep the backend projects working, you may want to keep both schemes of the application; serve it via [http and https at the same time](http://serverfault.com/questions/303744). – Wikiti Apr 11 '17 at 13:46
  • Also, you may want to check [this article](https://www.keycdn.com/blog/http-to-https/). – Wikiti Apr 11 '17 at 13:50
  • 1
    @Wikiti I can't upvote comments, but thanks. With the 301 redirection apache seems capable of handling almost everything after all. There are some Java servlets in a related project my website can't seem to talk to at the moment but that probably isn't related to my antiquated ruby (rather likely to be some protocol issue) so I may make a separate post about those. – rwold Apr 12 '17 at 15:35
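
The mixed-content point raised in the comments above (a page served over https cannot load http stylesheets, scripts or images), as an added example that is not part of the original thread: a Ruby script that reports hard-coded `http://` subresources in view markup, both raw tags and the Rails asset helpers. The function names, the sample markup and the `example.test` hosts are constructed for illustration; it is written for a current Ruby run on a workstation against the view sources, not for the app's own Ruby 1.8.7.

```ruby
# Added example: report hard-coded http:// subresources in Rails view markup.
# Attribute that triggers a load for each tag (<a href> is navigation, so not listed).
LOAD_ATTR = { 'script' => 'src', 'img' => 'src', 'iframe' => 'src',
              'embed' => 'src', 'source' => 'src', 'link' => 'href' }.freeze
TAG_RE    = /<(#{LOAD_ATTR.keys.join('|')})\b([^>]*)>/i
# Rails asset helpers given an absolute http:// URL as their first argument.
HELPER_RE = /\b(javascript_include_tag|stylesheet_link_tag|image_tag)[\s(]+["'](http:\/\/[^"']+)["']/

def line_of(text, offset)
  text[0...offset].count("\n") + 1
end

def mixed_content(markup)
  findings = []
  markup.scan(TAG_RE) do |tag, attrs|
    pos = Regexp.last_match.begin(0)   # capture before later matches overwrite it
    tag = tag.downcase
    # <link rel="canonical"> and similar fetch nothing; only flag stylesheets/icons.
    next if tag == 'link' && attrs !~ /rel\s*=\s*["'][^"']*(stylesheet|icon)/i
    # The lookbehind keeps data-src="..." from being read as src="...".
    url = attrs[/(?<![\w-])#{LOAD_ATTR[tag]}\s*=\s*["'](http:\/\/[^"']+)["']/i, 1]
    findings << { line: line_of(markup, pos), via: tag, url: url } if url
  end
  markup.scan(HELPER_RE) do |helper, url|
    pos = Regexp.last_match.begin(0)
    findings << { line: line_of(markup, pos), via: helper, url: url }
  end
  findings.sort_by { |f| f[:line] }
end

# Constructed sample view (not from the project discussed above).
SAMPLE = <<'ERB'
<link rel="canonical" href="http://example.test/">
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<%= javascript_include_tag "http://widgets.example.test/w.js" %>
<script src="https://cdn.example.test/ok.js"></script>
<img alt="logo"
     src="http://img.example.test/logo.png">
<a href="http://example.test/about">About</a>
ERB

if __FILE__ == $PROGRAM_NAME
  mixed_content(SAMPLE).each do |f|
    puts format('line %d  %-24s %s', f[:line], f[:via], f[:url])
  end
end
```

URLs assembled at runtime (from a database, a config constant or JavaScript) are not visible to a source scan like this; the browser console's mixed-content messages cover those.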

0 Answers