Sign in through GitHub

Please read for an updated status on RailsCasts:

Learn more or hide this

Vito Botta's Profile

GitHub User: vitobotta

Site: http://vitobotta.com

Comments by Vito Botta

Avatar

Back to this article... has anyone used this technique with Puma?

Avatar

If someone is interested, I wrote a blog post on how to implement multi tenancy with Devise and default scope but without subdomains. This is useful when you don't want or can't use subdomains or for example when you only enable subdomains as a premium feature, meaning that your application needs to have multi tenancy both with and without subdomains.

http://vitobotta.com/rails-multi-tenancy-devise-default-scope/

Avatar

It depends on which web server you're using (Apache? Nginx?). You ask for "step by step" instructions, but did you watch the screencast at all? It does explain this stuff...

Anyway I think you should chain / bundle the certs in the following order in your case:

WWW.EXAMPLE.COM.crt
NetworkSolutions_CA.crt
UTNAddTrustServer_CA.crt
AddTrustExternalCARoot.crt

Like

bash
cat WWW.EXAMPLE.COM.crt NetworkSolutions_CA.crt UTNAddTrustServer_CA.crt AddTrustExternalCARoot.crt > cert-bundle.crt

Then just follow the directions in the screencast.

Avatar

Great episode, as usual. This one and the previous are particularly useful as so many people just don't pay enough attention to these issues.

I usually prefer forcing https with nginx directly, though, rather than in the application; it's simpler, somewhat "lighter" and I don't need to have to worry about this being properly configured and tested in the app. It's more like set it and forget it.

E.g. I usually have two "server" blocks, one for http and the other with https enabled, and the http block only contains:

nginx
`rewrite ^(.*) https://$server_name$1 permanent;`

Besides, I don't think it's a good idea either to only force SSL for some sections of an application: cookies travel with all http requests, regardless of whether https is in use or not. In theory if there is even a single thing on a site that requires authentication, the whole app should run under https, not only some sections for this very reason. I blogged about this not long ago.

A couple tips:

  1. there's a gem called powder that makes it easier/nicer to work with Pow.

  2. I can't remember whether it was this episode or the previous one that suggested to hardcode 'https' in links and refs to images when needed. Something like:

ruby
image_tag "https://...."

You can also just omit the protocol altogether - this will make sure that all the resources loaded / linked on the page "follow" the protocol used by the page itself, i.e.:

ruby
image_tag "//...."

This way all images etc will use http or https depending on the protocol used by the page itself.