What is the best way to go about upgrading a rails app to support Facebook SSL?

Question

With the upcoming SSL migration at Facebook on 1 October, all apps will have to support connections over HTTPS and for that you'll need an SSL certificate.

• Is there a run-down anywhere of how a person should patch an app?
• Will you have to use Apache and Passenger, xginx or other server?
• Are there any free trusted certificates?

Answer 1

Is there a run-down anywhere of how a person should patch an app?

Not really. Why? Because it all depends on what version of rails you are running.

For Rails 2.x, I've read/heard of techniques including:

1. ModRewrite - use the webserver's ability to detect and rewrite HTTP to HTTPS. This technique is more general and could apply to a whole host of technologies, not just rails (python, java or even .net).
2. Use ssl_requirement gem - this allows you to declaratively add instructions in your controllers to redirect to https if the protocol is http (https://github.com/retr0h/ssl_requirement). Although simple, your ruby app will have to handle the request, and I'm not sure how quick ssl_requirement is.
3. Use rack middleware (rack-ssl, rack-ssl-enforcer gem) - this patches the request handling of rails, so that the redirect is handled well before it hits any controller. This is configureable too (you can match based on path etc) and is probably better than option 2.

For Rails 3.1, it's backed into the framework. You just need to do this:

# config/application.rb
module MyApp
  class Application < Rails::Application
    config.force_ssl = true
  end
end

Will you have to use Apache and Passenger?

Not necessarily. There are other options like NGinx and Passenger. But in general, yes you will probably need a proper web server sitting in front, handling the SSL portion of the request.

Typically, a web server is required to sit in front of your app. It needs to be configured to handle SSL traffic, and direct the requests to your app (http and https). Here you can use Apache or NGinx.

Passenger sits as a "plugin" in Apache/NGinx to handle requests through to your application. At this point, SSL isn't usually a concern (ie. the request is now unencrypted.). What your app has to then do, is handle the request. Here's where you detect if the protocol is http or https and instruct the browser to redirect if necessary.

Are there any free trusted certificates?

No. Trusted certs are usually signed by a Certificate Authority. These guys typically have to check that your domain and the company or individual that holds the domain are genuine and real. To do that, you pay money. There are plenty of providers out there that can issue you an SSL cert for around $100 USD. Some more, some less.

Certs are typically locked to a domain. And you pay more for wildcard domain matches (e.g. *.myapp.com). If you're after a cert for development, you can generate a self signed certificate.

I've written an article showing you how to get HTTPS going on your local dev instance. Many of the steps are also common for production. The article shows you how to set it up for POW and NGinx, but setting up for Apache and Passenger isn't too dissimilar. The Apache config is different. But Passenger install and setup should be just the same as a http environment. Just need to make sure the secure virtual host in your Apache config points to your application.