How to configure HTTPS for Ruby on Rails (RoR)

Riya Sander Developer Tips, Tricks & Resources

RoR (Ruby on Rails) is a server-side web application framework. To make it more secure, use HTTPS instead of HTTP. 

Step One: Buy an SSL certificate:

First step is purchasing  an SSL certificate. There are various  types of SSL certificates, based on your requirements including: 

  • Extended Validation Certificates (EV SSL)
  • Organization Validated Certificates (OV SSL)
  • Domain Validated Certificates (DV SSL)
  • Wildcard SSL Certificate
  • Multi-Domain SSL Certificate (MDC)
  • Unified Communications Certificate (UCC)

The most popular ones are the DV SSL, EV SSL, and OV SSL. While the most expensive, the EV SSL is my favorite as it displays information like country of origin, the business name, padlock, and the HTTPS when linked to your web server. The green font is unique to EV SSL and a symbol of trust.

(image)

However, if you are concerned about unlimited subdomains, the wildcard SSL certificate is an ideal option for single protection for subdomains.

DV SSL doesn’t involve high-level validation and is easy to set up. It is also one of the most inexpensive, so if you don’t want to use a free SSL certificate, this one’s for you.

Regardless of which SSL certificate you purchase, the CA (Certificate Authority) will email you your SSL certificate and CA file bundle.  

Step Two: Enable web server to use HTTPS:

Now that you’ve purchased your SSL certificate, enable the web server to use HTTPS using the configuration  files from your CA.

For better understanding, let’s name the SSL certificate as ‘certificate’ and the private key as ‘private key.’ 

Depending on web server requirements, upload the CA bundle file and SSL certificate together.

The CA bundle is a chronological collection of SSL certificates needed. It can be from the most specific generated to the root file or the other way around.

The use of the root certificate is generally limited and usually omitted.

Now, let’s consider a scenario where the bundle contains the SSL certificate.  In that case, it is likely to appear at the top of the list.

(image)

You can choose to concatenate or link all these steps together or  using the ‘cat’ unix utility.

Once you’ve  fixed  the HTTP and shifted  it to HTTPS enabled , you can run RoR application on HTTPS.

After setting the value to ‘true,’ the configuration flag  ‘force_ssl’ can force the application to run under HTTPS. If you want to run the certificate flag on all environments, that involves a simple bit of code.

(image)

(image)

The current version 6.0 provides personalization. When extending the flag across the entire environment, all actions will run on HTTPS.

And here’s how it works: 

  • All Cookies are  flagged as secure
  • You will get the response with HTTP (HSTS) Strict Transport Security header. The HSTS redirects all the requests to HTTPS only
  • All the requests will be directed to HTTPS right away

It’s not advisable to use RoR below version 3.1, but for those who do, use rack-SSL. When compared to ‘force_ssl,’ it is more flexible. Using the ‘:exclude’ command, you can choose to use either HTTPS or HTTP on a case-by-case basis. It is  great option to run the same program on HTTP and HTTPS simultaneously to identify, locate, and fix the respective problems if any. 

However, based on security concerns, it is better to use HTTPS instead of HTTP. It increases the complexity of the controllers and limits the use of extraneous security measures like headers. Today, most providers are now distributing their resources evenly between HTTP and HTTPS.

Step Three: Monitor the performance of your RoR application

Troubleshooting issues within your RoR application can be difficult and time consuming without the proper tools.  Ensure the performance of your RoR application by using an Application Performance Management tool.  Stackify’s APM tool, Retrace, efficiently finds slow web requests, database queries, and application errors while giving you insight into your application logs.