Avoid Forcing SSL in Production Environment #308
Comments
|
Is setting the |
|
It could be however if a deployment is made via docker it might cause other issues for local enviroments that might not want to go into the configs. Avoids future issues imo |
I see it as a sensible default. You should tweak the environment config file before the deployment to production anyway. The already suggested use of |
|
Why not just expost all the config options as environment flags, still set
everything correctly as the fallback but not require the end user to edit
multiple configs rather than just a .env file/docker env variables/system
environment while deploying (like 90% of other open source software does)
…On Wed, Feb 7, 2024, 11:28 Ivar (aɪvɑr) ***@***.***> wrote:
Currently, the option to force SSL is hardcoded in the production
environment.
I see it as a sensible default. You should tweak the environment config
file before the deployment to production anyway.
The already suggested use of assume_ssl
<https://api.rubyonrails.org/v7.1.0/classes/ActionDispatch/AssumeSSL.html>
config seems what folks could use in this scenario.
—
Reply to this email directly, view it on GitHub
<#308 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AMK42CTNXYB7RYWFS7HCFELYSNJOHAVCNFSM6AAAAABC2INTLKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMZRG42DGMRTGU>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
|
Thoughts on this solution everyone? config.assume_ssl = ENV["DISABLE_SSL"].blank?
config.force_ssl = ENV["DISABLE_SSL"].blank? |
|
Why not
.env
FORCE_SSL=true
Idk rubby but in nodejs
functSettingSslForce(process.env.FORCE_SSL || true)
So if a value exists in the environment it'll be used, otherwise fails
secure
…On Wed, Feb 7, 2024, 23:21 Zach Gollwitzer ***@***.***> wrote:
Thoughts on this solution everyone?
config.assume_ssl = ENV["DISABLE_SSL"].blank?config.force_ssl = ENV["DISABLE_SSL"].blank?
—
Reply to this email directly, view it on GitHub
<#308 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AMK42CURA6TFC5VPULJOSRTYSP5AFAVCNFSM6AAAAABC2INTLKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMZTGAZTIMRWGY>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
|
I think if going that way they should be independent env vars. If they were designed to be simultaneously set to the same value then the config option would have been combined in Rails. Otherwise I think this should work ok. Other suggestion would be to force a value if it isn't set in the env to whatever rails defaults are and also default it to the best state (SSL on) with it being clear that you are DISABLING it.
When DISABLE_SSL is "true", config.force_ssl becomes false, SSL is disabled. We are not FORCING something that is DEFAULT on, we are DISABLING something that is enabled by default. Edit: |
|
I was not aware it's independent. Than yeah by all means the
solution is basically what I'd expect It's nearly midnight here. Can't blame you for beeing tired ^.^ |
|
|
|
I think the negated check makes it confusing.
You're setting the config option
|
Yeah you're right. I've thought about this some more and @zachgoll's proposed solution will work perfectly for this. It defaults to secure SSL (as per rails defaults) but can be explicitly disabled. |
|
I like using a FORCE_SSL environment variable better but the e.g. |
This is actually what Campfire does in # Always be SSL'ing (unless told not to)
config.assume_ssl = ENV["DISABLE_SSL"].blank?
config.force_ssl = ENV["DISABLE_SSL"].blank? |
|
Added code changes for the same along with docker-compose for running the application. #416 Here is what I have added |
This comment was marked as spam.
This comment was marked as spam.
|
It's worth mentioning that any well-behaved reverse proxy should be setting the |
|
Going to fold this issue into #295 as it would be a good change to make alongside a Dockerfile addition. We will go ahead with this solution as discussed above: |
|
I came to those via an unrelated issue, but I just wanted to share that this is the best way in Rails (that I'm aware of) to convert ENV strings to booleans: Which allows overriding with |
|
@bensheldon thanks for sharing, I like this solution a lot. |
Description:
Currently, the option to force SSL is hardcoded in the production environment. This can lead to complications for deployments behind reverse proxies, especially when utilizing services like Cloudflare Zero Trust or Nginx, which handle certificate management.
Suggested Improvement:
Consider making the SSL enforcement a configurable option through an environment variable. This enhancement would enhance flexibility and simplify deployments for users relying on reverse proxies and external services for SSL termination.
maybe/config/environments/production.rb
Line 46 in 622fc07
Benefits:
Deployment Flexibility: Users deploying behind reverse proxies with SSL termination services can seamlessly integrate without conflicting SSL configurations.
Simplified Configuration: By allowing SSL enforcement to be set via an environment variable, deployment configurations become more straightforward, reducing potential errors.
Adaptability: Users can easily adapt the SSL enforcement setting based on their specific deployment requirements, making the application more versatile.
Additional Context:
Provide documentation updates reflecting the new environment variable and its impact on SSL enforcement. This ensures users are informed and can make informed decisions during the deployment process.
The text was updated successfully, but these errors were encountered: