2

I'm researching the best approach for implementing SSL to secure my Rails app. The recommendation of the day seems to be to use SSL all the time. There seem to be two current ways of doing it:

  1. Use a gem such as Rack::SSL or Rack::SslEnforcer, discussed in detail here: http://collectiveidea.com/blog/archives/2010/11/29/ssl-with-rails/

  2. Redirect at the webserver level, recommended here: Rails + SSL: Per controller or application-wide?

I'm convinced that redirecting at the Apache level (assuming one is running Apache) must be the way to go, both to simplify implementation and performance.

What I don't understand and haven't seen addressed is why there is so much effort and attention devoted to doing it at the application layer using gems? There is even a comment from DHH (last comment in first link above) stating "Rails 3.1 will now have force_ssl baked in at both the app and controller level." So what am I missing?

Why would one choose to use one of the gems to use SSL all the time?

heyrolled

2 Answers

1

force_ssl is a config property added to Rails 3. It makes the app use the Rack::SSL middleware. reference: http://edgeguides.rubyonrails.org/configuring.html

So config.force_ssl is a convenience that lets you avoid messing with the Rack stack; it's done for you.

In Rails 2.X apps you would not have force_ssl and would have to inject Rack::SSL or Rack::SslEnforcer yourself.

ffoeg
  • Although if I understand correctly, one could opt to redirect all traffic for a site to SSL using the webserver instead. – heyrolled Apr 28 '11 at 21:46
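A sketch of what an SSL-enforcing Rack middleware of the kind mentioned in the answer above does on each request: redirect plain HTTP, add an HSTS header, and mark cookies `secure`. This is an added example, not part of the original posts and not the Rack::SSL source; the class name `ForceSSLSketch`, the HSTS value, and the sample app and host are assumptions made for illustration.

```ruby
# Rack-style middleware sketch; needs no gems, only the Rack calling convention.
class ForceSSLSketch
  HSTS = "max-age=31536000; includeSubDomains" # constructed policy value

  def initialize(app)
    @app = app
  end

  def call(env)
    return redirect_to_https(env) unless https?(env)

    status, headers, body = @app.call(env)
    headers = headers.dup
    headers["Strict-Transport-Security"] ||= HSTS
    flag_cookies_secure!(headers)
    [status, headers, body]
  end

  private

  # TLS is often terminated by a proxy that reports the original scheme in
  # X-Forwarded-Proto; trust it only when the proxy overwrites client values.
  def https?(env)
    forwarded = env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip
    env["HTTPS"] == "on" || env["rack.url_scheme"] == "https" || forwarded == "https"
  end

  def redirect_to_https(env)
    host = env["HTTP_HOST"].to_s.sub(/:\d+\z/, "") # drop the plain-HTTP port
    location = "https://#{host}#{env['PATH_INFO']}"
    qs = env["QUERY_STRING"].to_s
    location += "?#{qs}" unless qs.empty?
    [301, { "Content-Type" => "text/plain", "Location" => location }, ["Moved"]]
  end

  # Without the secure flag a session cookie can still leave over plain HTTP.
  def flag_cookies_secure!(headers)
    cookies = headers["Set-Cookie"] or return
    headers["Set-Cookie"] = cookies.split("\n").map { |c|
      c =~ /;\s*secure\s*(;|\z)/i ? c : "#{c}; secure"
    }.join("\n")
  end
end

# Constructed sample app that sets a session cookie without the secure flag.
SAMPLE_APP = ->(_env) { [200, { "Set-Cookie" => "_session=abc123; path=/; HttpOnly" }, ["ok"]] }
STACK = ForceSSLSketch.new(SAMPLE_APP)
```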
1

One, it's an easy standard for the Rails community to settle on. Now, whenever you want to require https for a Rails app, you can flip this single switch, and it'll work regardless of what server or other architecture you might be using.

Two, if you're on a hosting service like Heroku, you won't have access to server configuration settings anyway.

PreciousBodilyFluids