#357 Adding SSL pro

Jun 08, 2012 | 14 minutes | Security

It is important to protect a user's private information with HTTPS. Here you will learn how to get it working on your local machine, configure Rack SSL, install certificates for production, and more.

Click to Play Video ▶

Download:
source codeProject Files in Zip (99.9 KB)
mp4Full Size H.264 Video (38.9 MB)
m4vSmaller H.264 Video (17.7 MB)
webmFull Size VP8 Video (19.4 MB)
ogvFull Size Theora Video (38.8 MB)

Aditya Sanghi over 12 years ago

Wow Ryan! That was some fast turnaround! I only emailed you a couple of days back on this request.

Just adding a bit more.

I really wanted to keep my HTTP server block configuration DRY for nginx.

You can keep the HTTP and HTTPS server block in nginx configuration the same by simply adding a listen for port 80 and port 443 in the same block. Further you can add the ssl options in that same block as well. All you need to change is the X-Forwarded-Proto to be set to $scheme instead of http or https.

Doug Puchalski over 12 years ago

I tweaked my setup a bit to do this, but also to set up an easy mapping to port 3000 for when I'm switching between apps. Add the host 3000.local to your /etc/hosts and then for nginx:

-Doug
www.fullware.net

          
        
    upstream local_3000 {
      server 127.0.0.1:3000;
    }
    
    server {
      server_name  3000.local;
      listen       80;
      listen       443 default ssl;
      send_timeout 3600; # For debugging with breakpoints

      #ssl                  on;
      ssl_certificate      server.crt;
      ssl_certificate_key  server.key;

      ssl_session_timeout  5m;

      ssl_protocols  SSLv2 SSLv3 TLSv1;
      ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
      ssl_prefer_server_ciphers   on;

      access_log  /usr/local/var/log/nginx/3000_access.log;
      error_log   /usr/local/var/log/nginx/3000_error.log;

      location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
        proxy_pass http://local_3000;
      }
      
    }

collegeplus-it over 12 years ago

Why not use something like Powder to manage your Pow projects?

Thomas Cioppettini over 12 years ago

If you are going to use pow at all you should be using the powder gem, it will make your life 1000% easier.

Vito Botta over 12 years ago

Great episode, as usual. This one and the previous are particularly useful as so many people just don't pay enough attention to these issues.

I usually prefer forcing https with nginx directly, though, rather than in the application; it's simpler, somewhat "lighter" and I don't need to have to worry about this being properly configured and tested in the app. It's more like set it and forget it.

E.g. I usually have two "server" blocks, one for http and the other with https enabled, and the http block only contains:

          nginx
        
`rewrite ^(.*) https://$server_name$1 permanent;`

Besides, I don't think it's a good idea either to only force SSL for some sections of an application: cookies travel with all http requests, regardless of whether https is in use or not. In theory if there is even a single thing on a site that requires authentication, the whole app should run under https, not only some sections for this very reason. I blogged about this not long ago.

A couple tips:

there's a gem called powder that makes it easier/nicer to work with Pow.
I can't remember whether it was this episode or the previous one that suggested to hardcode 'https' in links and refs to images when needed. Something like:

          ruby
        
image_tag "https://...."

You can also just omit the protocol altogether - this will make sure that all the resources loaded / linked on the page "follow" the protocol used by the page itself, i.e.:

          ruby
        
image_tag "//...."

This way all images etc will use http or https depending on the protocol used by the page itself.

SaraVanaN over 12 years ago

Hi everyone

I buy ssl certificate from Network Solution. They gave four files

AddTrustExternalCARoot.crt
NetworkSolutions_CA.crt
UTNAddTrustServer_CA.crt
WWW.EXAMPLE.COM.crt

Can you guys please help me, how can i install or setup SSL to my rails app to run https://example.com by step-by-step. :)

Important: I am using heroku and i add the ssl endpoint add-on.

i am using ubuntu 11.04 OS.

Thanks

Vito Botta over 12 years ago

It depends on which web server you're using (Apache? Nginx?). You ask for "step by step" instructions, but did you watch the screencast at all? It does explain this stuff...

Anyway I think you should chain / bundle the certs in the following order in your case:

WWW.EXAMPLE.COM.crt
NetworkSolutions_CA.crt
UTNAddTrustServer_CA.crt
AddTrustExternalCARoot.crt

          bash
        
cat WWW.EXAMPLE.COM.crt NetworkSolutions_CA.crt UTNAddTrustServer_CA.crt AddTrustExternalCARoot.crt > cert-bundle.crt

Then just follow the directions in the screencast.

SaraVanaN over 12 years ago

:)
I am using Apache.
I watched this screencast. Its explained in Nginx server.

In heroku want to do like below

cat WWW.EXAMPLE.COM.crt UTNAddTrustServer_CA.crt NetworkSolutions_CA.crt AddTrustExternalCARoot.crt >> combined.pem

then

heroku certs:add combined.pem ca.key

Here i didnt have .key file( i.e private key ).
I dont know, Is I want to generate private key or Network Solution want to give private.key?

Thanks

Michael Buckbee over 10 years ago

If you don't want to deal with them I wrote a Heroku Add-on that handles them for you: https://addons.heroku.com/expeditedssl

Tom Harrison over 12 years ago

Awesome screencast, as always, and timely considering the recent LinkedIn and eHarmony hacks -- we should all use these instances as a reminder to get secure and locked down!

If you're using AWS (EC2) for hosting, there's a very interesting option using their elastic load balancer (ELB): install your certificate there and configure traffic on port 443 to be sent to an instance via port 80. This simplifies configuration in a lot of cases because you don't need to mess with Apache or Nginx or set up keys for each of your servers, and locally everything can run on simple HTTP.

There are a couple of cases where things can get tricky, but for our use-case, this method is working beautifully.

By the way, just because you have a load balancer doesn't mean you need to have more than one server, which is great for staging and other environments.

jfoo over 12 years ago

Tom, Do you have any reference that you can point to for the ELB SSL setup?

Thanks

Anatoly Mikhailov over 12 years ago

SSL offload is a common practice to reduce load on non-edge servers

Nik over 12 years ago

Just got myself two certificates on GoDaddy for $12.99 each; just wherever you get yours, first search on sites like RetailMeNot.com for coupons and stuff. Those godaddy certs were a whopping $70 a year before the coupons.

Andrew Wang over 12 years ago

Thanks Nik! The GoDaddy coupon code for the $12.99 1-year SSL certs from retailmenot.com still worked (2012-07-13). But during checkout, if you extend it from a 1-year cert to more years, the discount applies to each year! I got a 5-year cert for only $64.95! For once, I'm glad GoDaddy is so crappy.

(If you start with the 5-year cert, then it only applies the discount to the first year though).

pixelpaulaus over 10 years ago

godaddy certs seems so cheap and nasty tho. whenever i see a site with a cert from them i know they are cheap. i myself use comodo ones as to me they seem more of a trusted brand. they do a good deal of internet security products these days, and the good thing is you can get them for cheap their SSLs.
i use ssltrustthese days to get them as they are a reseller of comodo so you get them a LOT cheaper but you can still use the comodo phone support and online support if you need to.

pixelpaulaus over 10 years ago

Anatoly Mikhailov over 12 years ago

ssl_protocols SSLv2 SSLv3 TLSv1;

Ryan, are you sure about SSLv2? It's pretty unsecured protocol.
I spent a time on Nginx security and would like to share my config

          nginx (http block)
        
    ssl_protocols             SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers               RC4:HIGH:!aNULL:!MD5;
    add_header                Strict-Transport-Security "max-age=16070400; includeSubdomains";
    add_header                X-Frame-Options DENY;

To enable TLS 1.1/1.2 protocols you need to compile Nginx with openssl > 1.0.x.
Some useful headers can help with interaction through HTTPS only (from all feature requests) and prevent an option to load your site into iframe.

          bash
        
  $ wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
  $ tar xzvf openssl-1.0.1c.tar.gz && rm -f openssl-1.0.1c.tar.gz
  $ configure --with-openssl-opt=no-krb5 --with-openssl=/usr/src/openssl-1.0.1c

No-krb5 to disable Kerberos 5 authentication protocol which causes Nginx segfaults by Internet Explorer request (rarely bug)

Qualys SSL test can help in the search for vulnerabilities in web-server configuration.

Anatoly Mikhailov over 12 years ago

for non-heroku users: If you want to get an access all-site through HTTPS-only what is the reason to handle SSL detection through Rack and ActionDispatch? All that code can be simplified by using redirection through web-server 301 permanent redirect.

          nginx (http block)
        
server {
    listen       80;
    server_name  host.com *.host.com;
    rewrite ^(.*) https://$host$1 permanent;

    access_log /dev/null;
    error_log /dev/null;
}

A specific header Strict-Transport-Security tells the browser that all future requests (and cookies as well) should go through SSL only. Don't use SSL for partly access, because cookies can be hacked while you are non-SSL page.

Don't forget about scaling patterns such as SSL offload, so every application servers should not used an SSL, but edge load balancers only. So permanent redirection on web-server side only (not application) can help with scaling without any modifications of Rails codebase.

Kaz Walker over 12 years ago

Thanks for the great screencast, but I'm not sure why you write off StartSSL as "isn't for serious use". StartSSL uses all the same algorithms as the bigger providers and even uses better ones in certain cases (eg. connections will default to 256-bit instead of the usual 128-bit), plus they enforce better security practices than most providers (eg. you must use an SSL client certificate to login, there's no username/password).

To top it off, the free certificates are even insured for up to $10,000 in damages, with paid ones providing more insurance.

Thanks again for the very useful screencast, but you should do a bit more research before saying something "isn't for serious use", as your opinion carries much weight for many individuals. :-)

plowdawg over 12 years ago

Got mine from Cheap SSLs. I'm using Apache because the Ubuntu installations I've worked with have already had it ore-installed. My app is Rails 3.2 so all I did was put a config.force_ssl = true into my production.rb file.

jeffreyrose over 12 years ago

You override the https requirement for all the actions in a controller with:

private
def use_https?
false
end

How would you do it on an single action or a subset of all the actions in a controller?

Thanks

Daniel Docki over 12 years ago

How do assets to work with https and http?

baruchlubinsky about 12 years ago

Does this setup with pow and nginx interfere with mongoid?

I get a routing error with "uninitialized constant Model::Mongoid" when I use a Mongoid model.

The only thing I can think of is that the proxy some how gets in the way.

Has any one else experienced this?

Patrick Howard Wiseman about 12 years ago

Ryan,

Did you know about (or borrow from) this?

https://github.com/yardstick/ssl_requirement

omidmt almost 12 years ago

I tried install with mac port, but conf verification failed with this error,

nginx: [emerg] unknown directive "ssl" in /opt/local/etc/nginx/nginx.conf:102

Found out that should install nginx with ssl option, it is not there by default

sudo port install nginx +ssl

Benjamin Reed almost 12 years ago

Thank you so much. This really helped me out. So glad you made this podcast. :)

Chris Toynbee over 11 years ago

If you have a problem with assets not showing make sure you remove the "http://" from this line:

config.action_controller.asset_host = "http://" + config.domain

sachinga over 11 years ago

Hi Ryan,

I am using this pattern to do the appropriate redirects to http if my controller and action doesn't need to be secure.

However, I am hitting this error - Filter chain halted as :https_redirect rendered or redirected

I am using apache and seems like something fairly basic I am missing.

...
...
ServerName XXXX
ProxyRequests Off
ProxyPreserveHost On
ProxyPassReverse / http://www.XXX.com/

RewriteEngine On
RewriteRule ^(.*) - [E=CLIENT_IP:%{REMOTE_ADDR},L]
RequestHeader set X-Forwarded-For %{CLIENT_IP}e
RequestHeader set X-Forwarded-Proto "https"

if i disable the filter, https works just fine.

any pointers on what may be wrong?

thanks

sachinga over 11 years ago

nevermind, mistake on my end in following the pattern suggested. thanks

Reymond over 11 years ago

I am using windows on my development machine ,,,any one having experience on adding ssl while developing on windows ,,please help me ..thanks

Aen Tan over 11 years ago

My nginx.conf is OK and nginx seems to start but my https URL in Google Chrome gives me an this error:

SSL connection error
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.

When I do a lsof -i:443 I see this:

          
        
COMMAND     PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
apsd         71   root    9u  IPv4 0xcb28d77b1a14342f      0t0  TCP 10.0.1.32:54135->17.172.232.214:https (ESTABLISHED)
nginx     11899   root    6u  IPv4 0xcb28d77b188cb1a7      0t0  TCP *:https (LISTEN)
nginx     11900 nobody    6u  IPv4 0xcb28d77b188cb1a7      0t0  TCP *:https (LISTEN)
Google    68100    Aen   43u  IPv4 0xcb28d77b16b478df      0t0  TCP 10.0.1.32:54191->ni-in-f125.1e100.net:https (ESTABLISHED)
Google    71302    Aen  155u  IPv4 0xcb28d77b1b2201a7      0t0  TCP 10.0.1.32:55087->sin04s01-in-f30.1e100.net:https (ESTABLISHED)
Google    71302    Aen  173u  IPv4 0xcb28d77b1b236017      0t0  TCP 10.0.1.32:55065->ni-in-f147.1e100.net:https (ESTABLISHED)
Google    71302    Aen  185u  IPv4 0xcb28d77b175de42f      0t0  TCP 10.0.1.32:55123->github.com:https (ESTABLISHED)
Google    71302    Aen  194u  IPv4 0xcb28d77b1b23b74f      0t0  TCP 10.0.1.32:55127->ec2-204-236-241-186.compute-1.amazonaws.com:https (ESTABLISHED)
Google    71302    Aen  217u  IPv4 0xcb28d77b1b1d88df      0t0  TCP 10.0.1.32:54361->sin01s05-in-f2.1e100.net:https (ESTABLISHED)
Google    71302    Aen  260u  IPv4 0xcb28d77b1b245017      0t0  TCP 10.0.1.32:55078->a23-15-10-57.deploy.akamaitechnologies.com:https (ESTABLISHED)
Dropbox   95185    Aen   18u  IPv4 0xcb28d77b1b240017      0t0  TCP 10.0.1.32:55130->108.160.160.177:https (CLOSE_WAIT)

Do I have other crap listening on 443?

Vallard Benincosa over 11 years ago

I had a few issues with installing pow that I was finally able to resolve. My biggest issue was that apache was running so whenever it redirected, I would get the "It Works!" screen. Then the only way I could redirect was to go to http://myapp.dev:3000 (clearly not what I wanted!)
By stopping apache and preventing it from starting up I was able to get pow running. Took a while, so hopefully that will help someone else out.

bparanj about 10 years ago

I have documented How to Install Alpha SSL certificate using Moonshine for Rails 4.1