
need a crash course in HTTPS / SSL for Rails

I've got our Ruby on Rails app up and running on Heroku using HTTP. Now it's time to use HTTPS during the login process and for all transactions after the user is logged in. But I'm not sure where to start.

configuration

We're using:

Ruby (1.9.2)
Rails (3.0.5)
Devise (1.5.3)

Our domain (registered by GoDaddy) is oursite.com (not its real name), which resolves to oursite.herokuapp.com. I want secure transactions to be performed in a subdomain https://secure.oursite.com. I've purchased an SSL certificate from GoDaddy, created the key files, signed up for the Zerigo DNS service and set oursite.com nameservers to point at Zerigo's servers. And on Heroku, I've done:

heroku domains:add secure.oursite.com
heroku ssl:add final.crt site.key
heroku addons:add ssl:hostname

the questions

  • If a user arrives at our site under http://oursite.com, how (and when) do I switch to https://secure.oursite.com?
  • How do I enforce using https for any secure transaction (e.g. submitting a password)?
  • How does one test this stuff using localhost:3000?

Concrete answers, general answers, and pointers to tutorials and examples are equally welcome. Thanks!

fearless_fool asked Dec 28 '22 07:12


2 Answers

First:

redirecting from http://example.com to https://example.mysite.com

... is a very specific question that supersedes this very general question. I'll summarize the best bits of info I found in the last 24 hours, as it may be helpful to someone else.

  • The Heroku article on SSL is a must-read if you're deploying on Heroku.
  • Heroku also has an article describing how to purchase an SSL certificate from a general vendor as well as an article describing how to purchase an SSL certificate from GoDaddy.
  • I was stuck for a while trying to configure the CNAME records for my Zerigo DNS service. The punch line is that if you create your Zerigo account using the Heroku dashboard, then you must configure your CNAME records using the Heroku dashboard as well. Gory details listed here.
  • If you're planning on upgrading to Rails 3.1, this is a good time to do so, since it has a built-in force_ssl method that is a clean replacement for various add-in gems (notably ssl_requirement).
  • Having said as much, the implementation of ssl_requirement in https://github.com/rails/ssl_requirement/blob/master/lib/ssl_requirement.rb is worth looking at, just to see how it uses redirect_to and the request object.
  • Simone Carletti has a comprehensive blog entry Configuring Rails 3 to use HTTPS and SSL, covering both Rails 3.0 and Rails 3.1.

Hope this is helpful...

fearless_fool answered Dec 29 '22 21:12
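The redirect logic that ssl_requirement and Rails 3.1's force_ssl implement, as an added illustration that is not part of the answer above and not code from either project. It is plain Ruby with a constructed stand-in for the request object, so it runs without Rails. The secure host secure.oursite.com comes from the question; the Devise paths /users/sign_in and /users are assumed defaults. The X-Forwarded-Proto check is a simplified version of what Rack's request.ssl? does: behind Heroku's router the app itself only ever sees plain HTTP, so without that header every request would look insecure and redirect forever.

```ruby
# Constructed stand-in for the parts of a Rails/Rack request that an SSL
# enforcement filter inspects (not a real Rails class).
FakeRequest = Struct.new(:http_method, :host, :fullpath, :headers) do
  # Simplified version of Rack's request.ssl?: a TLS-terminating proxy such as
  # Heroku's router talks plain HTTP to the app and reports the client's scheme
  # in X-Forwarded-Proto (first value wins if several proxies appended theirs).
  def ssl?
    headers.fetch("X-Forwarded-Proto", "http").split(",").first.strip == "https"
  end

  # Path without the query string, for prefix matching.
  def path
    fullpath.split("?", 2).first
  end
end

SECURE_HOST = "secure.oursite.com"          # from the question
SECURE_PATHS = ["/users/sign_in", "/users"]  # assumed Devise routes

# Returns nil when the request may proceed, otherwise [status, location]
# describing the redirect a before_filter would issue with redirect_to.
def ssl_redirect_for(request, secure_host: SECURE_HOST, secure_paths: SECURE_PATHS)
  protected_path = secure_paths.any? do |p|
    request.path == p || request.path.start_with?("#{p}/")
  end
  return nil unless protected_path
  return nil if request.ssl? && request.host == secure_host

  # Location is built from our own fixed host plus the request path, so the
  # redirect can never be steered to another host by the caller.
  location = "https://#{secure_host}#{request.fullpath}"

  # A GET is safely replayed by the browser after a 301. A POST carrying a
  # password has already crossed the wire in clear text; redirecting only
  # protects the retry, so the login form itself must be served over HTTPS.
  # 307 keeps the method and body for that retry.
  status = request.http_method == "GET" ? 301 : 307
  [status, location]
end

if __FILE__ == $0
  req = FakeRequest.new("GET", "oursite.com", "/users/sign_in", {})
  p ssl_redirect_for(req)   # => [301, "https://secure.oursite.com/users/sign_in"]
end
```

In a real app the same decision runs inside a before_filter, the status and location are handed to redirect_to, and the list of protected paths becomes the controllers or actions you mark as requiring SSL; everything else (the "how" of the question) is this comparison of request.ssl? and request.host against the secure host.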


I would have a look at ssl_requirement. This allows you to secure various parts of your application thus forcing you to only serve certain pages over HTTPS.

https://github.com/rails/ssl_requirement

With local development, you'll need to set up some sort of Apache / Nginx setup with a locally signed cert bolted on. A quick Google uncovered this:

http://www.subelsky.com/2007/11/testing-rails-ssl-requirements-on-your.html

Neil Middleton answered Dec 29 '22 21:12
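For the "locally signed cert" step in the answer above, here is an added example (not from the answer or the linked post) that produces a self-signed certificate for localhost with Ruby's standard OpenSSL bindings and checks that it verifies against itself and matches the hostname, which is the same check a browser or Rails' request.ssl? path would rely on. The hostname, validity period and key size are assumptions; nothing in the original page specifies them.

```ruby
require "openssl"

# Generate a self-signed certificate and key for local HTTPS testing.
# Assumed defaults: hostname "localhost", 365 days, RSA 2048.
def self_signed_localhost_cert(hostname = "localhost", days = 365)
  key  = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse("/CN=#{hostname}")

  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                      # X.509 v3, needed for extensions
  cert.serial     = OpenSSL::BN.rand(64)   # random serial, as CAs do
  cert.subject    = name
  cert.issuer     = name                   # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60          # small skew allowance
  cert.not_after  = Time.now + days * 86_400

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  # CA:TRUE lets the cert act as its own trust anchor when imported locally.
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "digitalSignature,keyEncipherment,keyCertSign", true))
  # Modern clients match the hostname against subjectAltName, not CN.
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{hostname}", false))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash", false))

  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# True when the cert chains to itself in a store that trusts it and its
# name matches the hostname the browser will type.
def cert_valid_for?(cert, hostname)
  store = OpenSSL::X509::Store.new
  store.add_cert(cert)
  store.verify(cert) && OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# PEM strings ready to be written to the files Apache/Nginx expect.
def pem_pair(key, cert)
  [key.to_pem, cert.to_pem]
end

if __FILE__ == $0
  key, cert = self_signed_localhost_cert
  key_pem, cert_pem = pem_pair(key, cert)
  File.write("localhost.key", key_pem)
  File.write("localhost.crt", cert_pem)
  puts "valid for localhost: #{cert_valid_for?(cert, 'localhost')}"
end
```

The generated files are what the Apache/Nginx front end in the answer would point its certificate and key directives at; the key file is the secret and should stay out of version control. Because the cert is only trusted once you import it into the local browser or OS store, it gives you a realistic request.ssl? and X-Forwarded-Proto path to test against without ever exposing the production key.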