
SSL Redirecting not working

Hello.

I am using the ssl_required plugin to redirect between http and https; however, when redirecting to https, I get an error in Firefox: "Firefox has detected that the server is redirecting the request for this address in a way that will never complete." In IE the redirection never completes either. I can access the site using both http and https.

Any thoughts why this is happening?

2007-07-01 01:52 AM

Basically, if you have an SSL certificate installed on www.example.com then your site can be accessed WITHOUT the SSL certificate via http://www.example.com and WITH the SSL certificate active via https://www.example.com
Once you have your SSL certificate installed and up and running, you may want to ensure that visitors to your ordering pages are always taken through the secure SSL/https system - even if they have entered the insecure http:// URL.

You can do this by using mod_rewrite commands in a .htaccess file. For example, if you have your shopping cart as http://www.example.com/catalog , open up /public_html/catalog/.htaccess via cPanel's File Manager or via FTP (if the file does not exist, create a new text file called .htaccess) and add the lines:

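RewriteEngine on
# Only rewrite requests that arrived on the plain-HTTP port
RewriteCond %{SERVER_PORT} ^80$
# In a per-directory .htaccess the pattern is matched relative to /catalog/
RewriteRule ^(.*)$ https://www.example.com/catalog/$1 [R,L]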

2007-07-01 01:58 AM

Regards,
Rahul

If you are using Mongrel, you cannot use rewrite rules in .htaccess. The support staff can do it for you; they can set the rewrite rules in the vhost entry in httpd.conf.

I asked support to set a rewrite for www.mydomain.com to mydomain.com, because my cert is for mydomain.com. That way, I can flip back and forth between https and http without worrying about it choking on www.mydomain.com.

2007-07-01 08:58 PM

I'm having a similar problem... it looks like this one was resolved by using rewrite rules in .htaccess? Does that mean you are no longer using ssl_required?

I am using ssl_required and am getting the same endless redirects. Ideally I'd like to make the ssl_required solution work so that I don't have to keep bothering staff about adding rewrite rules (I'm also using mongrel). Anyway, tracking things down in my case, it seems like the reason that ssl_required is redirecting endlessly is that the test request.ssl? seems to always be returning false on my site, even if I access the page with https:// to start with.

The implementation of ssl? is:

   def ssl?
     @env['HTTPS'] == 'on' || @env['HTTP_X_FORWARDED_PROTO'] == 'https'
   end

Can anyone think of why that would fail to return true when I access one of my pages with https://? This problem seemed to start when I changed from a self-signed certificate to an authority-signed certificate. But now that I look at the date of this original post, I think that's about the same time I started seeing problems. So possibly it's not related to my certificate change and instead is due to a config change on hosting rails? I'm on spurgeon.

Thanks for any help. My site's been pretty broken for the last few days because of this.

Jesse

2007-07-05 11:40 AM

I use mongrel.
I use SSL Required.
I have a go-daddy turbo cert for mydomain.com (not for www.mydomain.com).
I asked support to set up a rewrite: www.mydomain.com to mydomain.com
It all works nicely.

I do not use request.host, here is what I did in the lib:

   private

   def ensure_proper_protocol
     env = RAILS_ENV
     case env
     when 'test', 'development'
       return true
     when 'production'
       return true if ssl_allowed?
       if ssl_required? && !request.ssl?
         redirect_to "https://" + "[put your domain here]" + request.request_uri
         return false
       elsif request.ssl? && !ssl_required?
         redirect_to "http://" + "[put your domain here]" + request.request_uri
         return false
       end
     end
   end

2007-07-05 11:54 AM

Thanks for your help. I have a similar setup, in fact I've just copied your code directly, but I'm still seeing problems. I just set up a test that demonstrates what is happening. I've created two test_ssl urls:
https://hogbaysoftware.com/store/test_ssl1
https://hogbaysoftware.com/store/test_ssl2

When viewed they should display the current request.env. For the first one (test_ssl1) I'm using ssl_required to enforce https:// access. But when you try to access it you'll get redirect recursion and the request will eventually fail. For the second I'm not using ssl_require, so that the request will succeed and you'll be able to see the request.env.

I think the reason that I'm getting redirect recursion when using ssl_require is because in my app request.ssl? seems to always return false. That means that (with your above code) I get redirect recursion even if I'm accessing a page via https://

The implementation of request.ssl? looks like this:

   def ssl?
     @env['HTTPS'] == 'on' || @env['HTTP_X_FORWARDED_PROTO'] == 'https'
   end

And if you access the second url above (https://hogbaysoftware.com/store/test_ssl2) you'll see that neither HTTPS nor HTTP_X_FORWARDED_PROTO seems to be set even though the url is https://... so that explains why ssl? is always returning false, and explains the recursion.

But I don't understand why those environment variables are not being set... does anyone have ideas that I should try?

Thanks,
Jesse

2007-07-05 12:26 PM

I'm pretty sure that is what happened to me, and support had to muck with apache mod_headers. I would file a support ticket. (Remind them you are running on mongrel, that .htaccess mods are not relevant.)

2007-07-05 12:50 PM

Hi there - Yes, please post a support request so we can set up the redirect entries under your Vhost to see if the problem goes away.

2007-07-05 12:58 PM

Thanks! This seems to have been a configuration problem that only support could fix. It's fixed now. Thanks!!!

2007-07-06 08:07 AM

This is an old thread, but for the sake of future searchers, the solution is to add the following line inside your VirtualHost block for the SSL site:

RequestHeader set X_FORWARDED_PROTO 'https'

This adds a header that the Rails code can use to determine that the original request used HTTPS, and prevents the infinite redirect loop.

This is mentioned in the Mongrel docs for Apache, under SSL Requirements.
http://mongrel.rubyforge.org/docs/apache.html

2008-02-15 10:46 AM
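
The redirect loop discussed in this thread can be reproduced offline. The following is an added example, not code from any poster or from the ssl_required plugin: it reuses the ssl? test quoted above and assumes Apache terminates TLS and proxies plain HTTP to Mongrel, so the scheme reaches Rails only through the header. The helper names (backend_env, decide, follow) and the env hashes are constructed for illustration.

```ruby
# Added example: models the Apache -> Mongrel hop from this thread.
# Helper names and env contents are constructed, not taken from the plugin.

# Same test as the ssl? method quoted in the thread.
def ssl?(env)
  env['HTTPS'] == 'on' || env['HTTP_X_FORWARDED_PROTO'] == 'https'
end

# What Mongrel receives. Assumption: Apache terminates TLS and proxies plain
# HTTP, so HTTPS is never 'on' and only the vhost header carries the scheme.
def backend_env(scheme, vhost_sets_header)
  env = { 'REQUEST_URI' => '/store/test_ssl1' }
  env['HTTP_X_FORWARDED_PROTO'] = 'https' if scheme == 'https' && vhost_sets_header
  env
end

# Decision made by ensure_proper_protocol: the scheme to redirect to,
# or nil when the page can be rendered as requested.
def decide(env, ssl_required)
  return 'https' if ssl_required && !ssl?(env)
  return 'http'  if ssl?(env) && !ssl_required
  nil
end

# Follow redirects the way a browser would, giving up after max_hops.
def follow(start_scheme, ssl_required:, vhost_sets_header:, max_hops: 10)
  scheme = start_scheme
  max_hops.times do |hop|
    target = decide(backend_env(scheme, vhost_sets_header), ssl_required)
    return { result: :ok, scheme: scheme, hops: hop } if target.nil?
    scheme = target
  end
  { result: :redirect_loop, scheme: scheme, hops: max_hops }
end

if __FILE__ == $PROGRAM_NAME
  # Without the RequestHeader line every https request still looks like http.
  p follow('http', ssl_required: true, vhost_sets_header: false)
  # With it, one redirect to https and the page renders.
  p follow('http', ssl_required: true, vhost_sets_header: true)
end
```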

