SSL Certificates In Ruby Server


(Hank G) #1

I’m beginning my API development by interacting with the existing API branch and working my way through all the OpenID stuff and hopefully, ultimately, getting an existing service (such as like) to work. By “existing” I’m talking about code off of the API branch in Frank Rousseau’s fork which I’m contributing to until we get that longer lived feature branch etc. in the main repo (if we decide to do that). As it stands right now if I disable the HTTPS requirement and make a call into the authentication system I’m getting a “Can’t verify CSRF token authenticity” error in the OpenID authorization control. This sounds to me like an artifact of not having an HTTPS connection. I therefore enabled HTTPS only but FireFox is complaining about a failed connection because of the error SSL_ERROR_RX_RECORD_TOO_LONG. I’m trying to determine how to install the SSL certificates in the app that fires up when you call script/server but I haven’t been able to figure it out. Can someone point me to where I’m missing that step in the documentation I’m missing it or shed some light on where in the configuration I tell it which certificates to use?

Thanks!


(Hank G) #2

I didn’t end up needing to get this running over HTTPS to get the API dev moving forward. I’m still curious about how to do this though.


(Benjamin Neff) #3

Why don’t you just do it with a reverse-proxy (nginx/apache) as for a prod setup. That’s probably much easier, at least that’s what I do on my dev setup if I need SSL for some reason.


(Hank G) #4

When I get back around to setting this up I could if I need to. It just seemed like for an API-only server it’s one extra hop and configuration that is unnecessary. This project is my first Ruby experience. I’m used to Java and Node.js backends where you can do the HTTPS-by-proxy type thing you mentioned or direct configuration in the server. I’m surprised this isn’t as straight forward in Rails.


(Benjamin Neff) #5

This has nothing to do with rails, it depends on the app-server you use (with java it’s also different how to configure it if you use jetty or tomcat, I don’t know about node, but I guess there it’s the same). Diaspora uses unicorn by default, I use puma on my own prod pod, but I don’t know how to configure SSL on both, because I use nginx for SSL on both.


(CSammy) #6

I’m very much against doing SSL in Ruby. It’s more code to maintain, and a huge security hole if we do it wrong or do not maintain it properly. With Nginx there is a free and lightweight alternative that does the job perfectly well and protects the Ruby installation by opening only defined ports etc.

“Seperation of Concerns” is the principle I’m referring to here.


(Hank G) #7

@supertux88 @csammy I wasn’t advocating coding up anything but leveraging the existing SSL infrastructure of the server. I didn’t realize we had control over how we were hosting Diaspora’s ruby server…interesting…