RubyGems - rack-ssl-enforcer - Versions diffs - 0.2.6 → 0.2.7 - Mend

rack-ssl-enforcer 0.2.6 → 0.2.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +7 -0
data/LICENSE +20 -20
data/README.md +297 -272
data/lib/rack-ssl-enforcer.rb +1 -1
data/lib/rack/ssl-enforcer.rb +204 -199
data/lib/rack/ssl-enforcer/constraint.rb +42 -42
data/lib/rack/ssl-enforcer/version.rb +5 -5
metadata +7 -22

checksums.yaml ADDED

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 19f0acb60b5cc81e0f314272653283ae86b78274
+  data.tar.gz: 837d1adfe73260634e2eb8d10d157aa03b32aefd
+SHA512:
+  metadata.gz: ec0fe6c85a980f63ff9ab0cd3659e7d86a2ea819ef15d31d9763f419bf5d9f09edc5e39dd1dd03203f5c873adcf87fbe0763b100cdc32dbedbd8f0197621f2da
+  data.tar.gz: 8685bd5a1534e785a1bed177042238362c19f668ee09b85318b5f5829b8bd14db473b71d8d50040e8e2ea24c534ea31900a2fda20e17259543a4ad28302fad2d

data/LICENSE CHANGED

@@ -1,20 +1,20 @@
-Copyright (c) 2009-2012 Tobias Matthies
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+Copyright (c) 2009-2012 Tobias Matthies
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md CHANGED

@@ -1,272 +1,297 @@
-# Rack::SslEnforcer [![Build Status](https://travis-ci.org/tobmatth/rack-ssl-enforcer.png?branch=master)](https://travis-ci.org/tobmatth/rack-ssl-enforcer)
-Rack::SslEnforcer is a simple Rack middleware to enforce SSL connections. As of Version 0.2.0, Rack::SslEnforcer marks
-Cookies as secure by default (HSTS must be set manually).
-Tested against Ruby 1.8.7, 1.9.2, 1.9.3, ruby-head, REE and the latest versions of Rubinius & JRuby.
-## Installation
-The simplest way to install Rack::SslEnforcer is to use [Bundler](http://gembundler.com).
-Add Rack::SslEnforcer to your `Gemfile`:
-```ruby
- gem 'rack-ssl-enforcer'
-```
-### Installing on Sinatra / Padrino application
-In order for Rack::SslEnforcer to properly work it has to be at the top
-of the Rack Middleware.
-Using `enable :session` will place Rack::Session::Cookie before Rack::Ssl::Enforcer
-and will prevent Rack::Ssl::Enforcer from marking cookies as secure.
-To fix this issue do not use `enable :sessions` instead add the
-Rack::Session::Cookie middleware after Rack::Ssl::Enforcer.
-Eg:
-```ruby
-use Rack::SslEnforcer
-set :session_secret, 'asdfa2342923422f1adc05c837fa234230e3594b93824b00e930ab0fb94b'
-#Enable sinatra sessions
-use Rack::Session::Cookie, :key => '_rack_session',
-                           :path => '/',
-                           :expire_after => 2592000, # In seconds
-                           :secret => settings.session_secret
-```
-## Basic Usage
-If you don't use Bundler, be sure to require Rack::SslEnforcer manually before actually using the middleware:
-```ruby
- require 'rack/ssl-enforcer'
- use Rack::SslEnforcer
-```
-To use Rack::SslEnforcer in your Rails application, add the following line to your application config file (`config/application.rb` for Rails 3, `config/environment.rb` for Rails 2):
-```ruby
-config.middleware.use Rack::SslEnforcer
-```
-If all you want is SSL for your whole application, you are done! Otherwise, you can specify some options described below.
-## Options
-### Host constraints
-You can enforce SSL connections only for certain hosts with `:only_hosts`, or prevent certain hosts from being forced to SSL with `:except_hosts`. Constraints can be a `String`, a `Regex` or an array of `String` or `Regex` (possibly mixed), as shown in the following examples:
-```ruby
-config.middleware.use Rack::SslEnforcer, :only_hosts => 'api.example.com'
-# Please note that, for instance, both http://help.example.com/demo and https://help.example.com/demo would be accessible here
-config.middleware.use Rack::SslEnforcer, :except_hosts => /[help|blog]\.example\.com$/
-config.middleware.use Rack::SslEnforcer, :only_hosts => [/[secure|admin]\.example\.org$/, 'api.example.com']
-```
-### Path constraints
-You can enforce SSL connections only for certain paths with `:only`, prevent certain paths from being forced to SSL with `:except`, or - if you don't care how certain paths are accessed - ignore them with `:ignore`. Constraints can be a `String`, a `Regex` or an array of `String` or `Regex` (possibly mixed), as shown in the following examples:
-```ruby
-config.middleware.use Rack::SslEnforcer, :only => '/login'
-# Please note that, for instance, both http://example.com/demo and https://example.com/demo would be accessible here
-config.middleware.use Rack::SslEnforcer, :only => %r{^/admin/}
-config.middleware.use Rack::SslEnforcer, :except => ['/demo', %r{^/public/}]
-config.middleware.use Rack::SslEnforcer, :ignore => '/assets'
-# You can also combine multiple constraints
-config.middleware.use Rack::SslEnforcer, :only => '/cart', :ignore => %r{/assets}, :strict => true
-```
-### Method constraints
-You can enforce SSL connections only for certain HTTP methods with `:only_methods`, or prevent certain HTTP methods from being forced to SSL with `:except_methods`. Constraints can be a `String` or an array of `String`, as shown in the following examples:
-```ruby
-# constraint as a String
-config.middleware.use Rack::SslEnforcer, :only_methods => 'POST'
-# Please note that, for instance, GET requests would be accessible via SSL and non-SSL connection here
-config.middleware.use Rack::SslEnforcer, :except_methods => ['GET', 'HEAD']
-```
-Note: The `:hosts` constraint takes precedence over the `:path` constraint. Please see the tests for examples.
-### Environment constraints
-You can enforce SSL connections only for certain environments with `:only_environments` or prevent certain environments from being forced to SSL with `:except_environments`.
-Environment constraints may be a `String`, a `Regex` or an array of `String` or `Regex` (possibly mixed), as shown in the following examples:
-```ruby
-config.middleware.use Rack::SslEnforcer, :except_environments => 'development'
-config.middleware.use Rack::SslEnforcer, :except_environments => /^[0-9a-f]+_local$/i
-config.middleware.use Rack::SslEnforcer, :only_environments => ['production', /^QA/]
-```
-Note: The `:environments` constraint requires one the following environment variables to be set: `RACK_ENV`, `RAILS_ENV`, `ENV`.
-### User agent constraints
-You can enforce SSL connections only for certain user agents with `:only_agents` or prevent certain user agents from being forced to SSL with `:except_agents`.
-User agent constraints may be a `String`, a `Regex` or an array of `String` or `Regex` (possibly mixed), as shown in the following examples:
-```ruby
-config.middleware.use Rack::SslEnforcer, :except_agents => 'Googlebot'
-config.middleware.use Rack::SslEnforcer, :except_agents => /[Googlebot|bingbot]/
-config.middleware.use Rack::SslEnforcer, :only_agents => ['test-secu-bot', /custom-crawler[0-9a-f]/]
-```
-### Force-redirection to non-SSL connection if constraint is not matched
-Use the `:strict` option to force non-SSL connection for all requests not matching the constraints you set. Examples:
-```ruby
-config.middleware.use Rack::SslEnforcer, :only => ["/login", /\.xml$/], :strict => true
-# https://example.com/demo would be redirected to http://example.com/demo
-config.middleware.use Rack::SslEnforcer, :except_hosts => 'demo.example.com', :strict => true
-# https://demo.example.com would be redirected to http://demo.example.com
-```
-### Automatic method constraints
-In the case where you have matching URLs with different HTTP methods – for instance Rails RESTful routes: `GET /users`, `POST /users`, `GET /user/:id` and `PUT /user/:id` – you may need to force POST and PUT requests to SSL connection but redirect to non-SSL connection on GET.
-```ruby
-config.middleware.use Rack::SslEnforcer, :only => [%r{^/users/}], :mixed => true
-```
-The above will allow you to POST/PUT from the secure/non-secure URLs keeping the original schema.
-### HTTP Strict Transport Security (HSTS)
-To set HSTS expiry and subdomain inclusion (defaults respectively to `one year` and `true`).
-```ruby
-config.middleware.use Rack::SslEnforcer, :hsts => { :expires => 500, :subdomains => false }
-config.middleware.use Rack::SslEnforcer, :hsts => true # equivalent to { :expires => 31536000, :subdomains => true }
-```
-Please note that the strict option disables HSTS.
-### Redirect to specific URL (e.g. if you're using a proxy)
-You might need the `:redirect_to` option if the requested URL can't be determined.
-```ruby
-config.middleware.use Rack::SslEnforcer, :redirect_to => 'https://example.org'
-```
-### Redirect with specific HTTP status code
-By default it redirects with HTTP status code 301(Moved Permanently). Sometimes you might need to redirect with different HTTP status code:
-```ruby
-config.middleware.use Rack::SslEnforcer, :redirect_code => 302
-```
-### Custom HTTP port
-If you're using a different port than the default (80) for HTTP, you can specify it with the `:http_port` option:
-```ruby
-config.middleware.use Rack::SslEnforcer, :http_port => 8080
-```
-### Custom HTTPS port
-If you're using a different port than the default (443) for HTTPS, you can specify it with the `:https_port` option:
-```ruby
-config.middleware.use Rack::SslEnforcer, :https_port => 444
-```
-### Secure cookies disabling
-Finally you might want to share a cookie based session between HTTP and HTTPS.
-This is not possible by default with Rack::SslEnforcer for [security reasons](http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_theft_and_session_hijacking).
-Nevertheless, you can set the `:force_secure_cookies` option to `false` in order to be able to share a cookie based session between HTTP and HTTPS:
-```ruby
-config.middleware.use Rack::SslEnforcer, :only => "/login", :force_secure_cookies => false
-```
-But be aware that if you do so, you have to make sure that the content of you cookie is encoded.
-This can be done using a coder with [Rack::Session::Cookie](https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb#L28-42).
-### Running code before redirect
-You may want to run some code before rack-ssl-enforcer forces a redirect.  This code could do something like log that a redirect was done, or if this is used in a Rails app, keeping the flash when redirecting:
-```ruby
-config.middleware.use Rack::SslEnforcer, :only => '/login', :before_redirect => Proc.new {
-  #keep flash on redirect
-  @request.session[:flash].keep if !@request.session.nil? && @request.session.key?('flash') && !@request.session['flash'].empty?
-}
-```
-## Deployment
-If you run your application behind a proxy (e.g. Nginx) you may need to do some configuration on that side. If you don't you may experience an infinite redirect loop.
-The reason this happens is that Rack::SslEnforcer can't detect if you are running SSL or not. The solution is to have your front-end server send extra headers for Rack::SslEnforcer to identify the request protocol.
-### Nginx
-In the `location` block for your app's SSL configuration, include the following proxy header configuration:
-`proxy_set_header   X-Forwarded-Proto https;`
-### Passenger
-Or, if you're using mod_rails/passenger (which will ignore the proxy_xxx directives):
-`passenger_set_cgi_param HTTP_X_FORWARDED_PROTO https;`
-If you're sharing a single `server` block for http AND https access you can add:
-`passenger_set_cgi_param HTTP_X_FORWARDED_PROTO $scheme;`
-This makes sure that Rack::SslEnforcer knows it's being accessed over SSL. Just restart Nginx for these changes to take effect.
-## TODO
-* Cleanup tests
-#### Contributors
-[https://github.com/tobmatth/rack-ssl-enforcer/graphs/contributors](https://github.com/tobmatth/rack-ssl-enforcer/graphs/contributors)
-## Credits
-Flagging cookies as secure functionality and HSTS support is greatly inspired by [Joshua Peek's Rack::SSL](https://github.com/josh/rack-ssl).
-## Note on Patches / Pull Requests
-* Fork the project.
-* Code your feature addition or bug fix.
-* **Add tests for it.** This is important so we don't break it in a future version unintentionally.
-* Commit, do not mess with Rakefile or version number. If you want to have your own version, that's fine but bump version in a commit by itself so we can ignore it when merging.
-* Send a pull request. Bonus points for topic branches.
-## Copyright
-Copyright (c) 2010-2013 Tobias Matthies. See [LICENSE](https://github.com/tobmatth/rack-ssl-enforcer/blob/master/LICENSE) for details.
+# Rack::SslEnforcer [![Build Status](https://travis-ci.org/tobmatth/rack-ssl-enforcer.png?branch=master)](https://travis-ci.org/tobmatth/rack-ssl-enforcer)
+Rack::SslEnforcer is a simple Rack middleware to enforce SSL connections. As of Version 0.2.0, Rack::SslEnforcer marks
+Cookies as secure by default (HSTS must be set manually).
+Tested against Ruby 1.8.7, 1.9.2, 1.9.3, 2.0.0, 2.1.0, ruby-head, REE and the latest versions of Rubinius & JRuby.
+## Installation
+The simplest way to install Rack::SslEnforcer is to use [Bundler](http://gembundler.com).
+Add Rack::SslEnforcer to your `Gemfile`:
+```ruby
+ gem 'rack-ssl-enforcer'
+```
+### Installing on Sinatra / Padrino application
+In order for Rack::SslEnforcer to properly work it has to be at the top
+of the Rack Middleware.
+Using `enable :session` will place Rack::Session::Cookie before Rack::Ssl::Enforcer
+and will prevent Rack::Ssl::Enforcer from marking cookies as secure.
+To fix this issue do not use `enable :sessions` instead add the
+Rack::Session::Cookie middleware after Rack::Ssl::Enforcer.
+Eg:
+```ruby
+use Rack::SslEnforcer
+set :session_secret, 'asdfa2342923422f1adc05c837fa234230e3594b93824b00e930ab0fb94b'
+#Enable sinatra sessions
+use Rack::Session::Cookie, :key => '_rack_session',
+                           :path => '/',
+                           :expire_after => 2592000, # In seconds
+                           :secret => settings.session_secret
+```
+## Basic Usage
+If you don't use Bundler, be sure to require Rack::SslEnforcer manually before actually using the middleware:
+```ruby
+ require 'rack/ssl-enforcer'
+ use Rack::SslEnforcer
+```
+To use Rack::SslEnforcer in your Rails application, add the following line to your application config file (`config/application.rb` for Rails 3 and above, `config/environment.rb` for Rails 2):
+```ruby
+config.middleware.use Rack::SslEnforcer
+```
+If all you want is SSL for your whole application, you are done! Otherwise, you can specify some options described below.
+## Options
+### Host constraints
+You can enforce SSL connections only for certain hosts with `:only_hosts`, or prevent certain hosts from being forced to SSL with `:except_hosts`. Constraints can be a `String`, a `Regex` or an array of `String` or `Regex` (possibly mixed), as shown in the following examples:
+```ruby
+config.middleware.use Rack::SslEnforcer, :only_hosts => 'api.example.com'
+# Please note that, for instance, both http://help.example.com/demo and https://help.example.com/demo would be accessible here
+config.middleware.use Rack::SslEnforcer, :except_hosts => /[help|blog]\.example\.com$/
+config.middleware.use Rack::SslEnforcer, :only_hosts => [/[secure|admin]\.example\.org$/, 'api.example.com']
+```
+### Path constraints
+You can enforce SSL connections only for certain paths with `:only`, prevent certain paths from being forced to SSL with `:except`, or - if you don't care how certain paths are accessed - ignore them with `:ignore`. Constraints can be a `String`, a `Regex` or an array of `String` or `Regex` (possibly mixed), as shown in the following examples:
+```ruby
+config.middleware.use Rack::SslEnforcer, :only => '/login'
+# Please note that, for instance, both http://example.com/demo and https://example.com/demo would be accessible here
+config.middleware.use Rack::SslEnforcer, :only => %r{^/admin/}
+config.middleware.use Rack::SslEnforcer, :except => ['/demo', %r{^/public/}]
+config.middleware.use Rack::SslEnforcer, :ignore => '/assets'
+# You can also combine multiple constraints
+config.middleware.use Rack::SslEnforcer, :only => '/cart', :ignore => %r{/assets}, :strict => true
+```
+### Method constraints
+You can enforce SSL connections only for certain HTTP methods with `:only_methods`, or prevent certain HTTP methods from being forced to SSL with `:except_methods`. Constraints can be a `String` or an array of `String`, as shown in the following examples:
+```ruby
+# constraint as a String
+config.middleware.use Rack::SslEnforcer, :only_methods => 'POST'
+# Please note that, for instance, GET requests would be accessible via SSL and non-SSL connection here
+config.middleware.use Rack::SslEnforcer, :except_methods => ['GET', 'HEAD']
+```
+Note: The `:hosts` constraint takes precedence over the `:path` constraint. Please see the tests for examples.
+### Environment constraints
+You can enforce SSL connections only for certain environments with `:only_environments` or prevent certain environments from being forced to SSL with `:except_environments`.
+Environment constraints may be a `String`, a `Regex` or an array of `String` or `Regex` (possibly mixed), as shown in the following examples:
+```ruby
+config.middleware.use Rack::SslEnforcer, :except_environments => 'development'
+config.middleware.use Rack::SslEnforcer, :except_environments => /^[0-9a-f]+_local$/i
+config.middleware.use Rack::SslEnforcer, :only_environments => ['production', /^QA/]
+```
+Note: The `:environments` constraint requires one the following environment variables to be set: `RACK_ENV`, `RAILS_ENV`, `ENV`.
+### User agent constraints
+You can enforce SSL connections only for certain user agents with `:only_agents` or prevent certain user agents from being forced to SSL with `:except_agents`.
+User agent constraints may be a `String`, a `Regex` or an array of `String` or `Regex` (possibly mixed), as shown in the following examples:
+```ruby
+config.middleware.use Rack::SslEnforcer, :except_agents => 'Googlebot'
+config.middleware.use Rack::SslEnforcer, :except_agents => /[Googlebot|bingbot]/
+config.middleware.use Rack::SslEnforcer, :only_agents => ['test-secu-bot', /custom-crawler[0-9a-f]/]
+```
+### Force-redirection to non-SSL connection if constraint is not matched
+Use the `:strict` option to force non-SSL connection for all requests not matching the constraints you set. Examples:
+```ruby
+config.middleware.use Rack::SslEnforcer, :only => ["/login", /\.xml$/], :strict => true
+# https://example.com/demo would be redirected to http://example.com/demo
+config.middleware.use Rack::SslEnforcer, :except_hosts => 'demo.example.com', :strict => true
+# https://demo.example.com would be redirected to http://demo.example.com
+```
+### Automatic method constraints
+In the case where you have matching URLs with different HTTP methods – for instance Rails RESTful routes: `GET /users`, `POST /users`, `GET /user/:id` and `PUT /user/:id` – you may need to force POST and PUT requests to SSL connection but redirect to non-SSL connection on GET.
+```ruby
+config.middleware.use Rack::SslEnforcer, :only => [%r{^/users/}], :mixed => true
+```
+The above will allow you to POST/PUT from the secure/non-secure URLs keeping the original schema.
+### HTTP Strict Transport Security (HSTS)
+To set HSTS expiry and subdomain inclusion (defaults respectively to `one year` and `true`).
+```ruby
+config.middleware.use Rack::SslEnforcer, :hsts => { :expires => 500, :subdomains => false }
+config.middleware.use Rack::SslEnforcer, :hsts => true # equivalent to { :expires => 31536000, :subdomains => true }
+```
+Please note that the strict option disables HSTS.
+### Redirect to specific URL (e.g. if you're using a proxy)
+You might need the `:redirect_to` option if the requested URL can't be determined.
+```ruby
+config.middleware.use Rack::SslEnforcer, :redirect_to => 'https://example.org'
+```
+### Redirect with specific HTTP status code
+By default it redirects with HTTP status code 301(Moved Permanently). Sometimes you might need to redirect with different HTTP status code:
+```ruby
+config.middleware.use Rack::SslEnforcer, :redirect_code => 302
+```
+### Custom HTTP port
+If you're using a different port than the default (80) for HTTP, you can specify it with the `:http_port` option:
+```ruby
+config.middleware.use Rack::SslEnforcer, :http_port => 8080
+```
+### Custom HTTPS port
+If you're using a different port than the default (443) for HTTPS, you can specify it with the `:https_port` option:
+```ruby
+config.middleware.use Rack::SslEnforcer, :https_port => 444
+```
+### Secure cookies disabling
+Finally you might want to share a cookie based session between HTTP and HTTPS.
+This is not possible by default with Rack::SslEnforcer for [security reasons](http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_theft_and_session_hijacking).
+Nevertheless, you can set the `:force_secure_cookies` option to `false` in order to be able to share a cookie based session between HTTP and HTTPS:
+```ruby
+config.middleware.use Rack::SslEnforcer, :only => "/login", :force_secure_cookies => false
+```
+But be aware that if you do so, you have to make sure that the content of you cookie is encoded.
+This can be done using a coder with [Rack::Session::Cookie](https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb#L28-42).
+### Running code before redirect
+You may want to run some code before rack-ssl-enforcer forces a redirect.  This code could do something like log that a redirect was done, or if this is used in a Rails app, keeping the flash when redirecting:
+```ruby
+config.middleware.use Rack::SslEnforcer, :only => '/login', :before_redirect => Proc.new { |request|
+  #keep flash on redirect
+  request.session[:flash].keep if !request.session.nil? && request.session.key?('flash') && !request.session['flash'].empty?
+}
+```
+### Custom or empty response body
+The default response body is:
+```html
+<html><body>You are being <a href="https://www.example.org/">redirected</a>.</body></html>
+```
+To supply a custom message, provide a string as `:redirect_html`:
+```ruby
+config.middleware.use Rack::SslEnforcer, :redirect_html => 'Redirecting!'
+```
+To supply a series of responses for Rack to chunk, provide a [permissable Rack body object](http://rack.rubyforge.org/doc/SPEC.html):
+```ruby
+config.middleware.use Rack::SslEnforcer, :redirect_html => ['<html>','<body>','Hello!','</body>','</html>']
+```
+To supply an empty response body, provide :redirect_html as false:
+```ruby
+config.middleware.use Rack::SslEnforcer, :redirect_html => false
+```
+## Deployment
+If you run your application behind a proxy (e.g. Nginx) you may need to do some configuration on that side. If you don't you may experience an infinite redirect loop.
+The reason this happens is that Rack::SslEnforcer can't detect if you are running SSL or not. The solution is to have your front-end server send extra headers for Rack::SslEnforcer to identify the request protocol.
+### Nginx
+In the `location` block for your app's SSL configuration, include the following proxy header configuration:
+`proxy_set_header   X-Forwarded-Proto https;`
+### Passenger
+Or, if you're using mod_rails/passenger (which will ignore the proxy_xxx directives):
+`passenger_set_cgi_param HTTP_X_FORWARDED_PROTO https;`
+If you're sharing a single `server` block for http AND https access you can add:
+`passenger_set_cgi_param HTTP_X_FORWARDED_PROTO $scheme;`
+This makes sure that Rack::SslEnforcer knows it's being accessed over SSL. Just restart Nginx for these changes to take effect.
+## TODO
+* Cleanup tests
+#### Contributors
+[https://github.com/tobmatth/rack-ssl-enforcer/graphs/contributors](https://github.com/tobmatth/rack-ssl-enforcer/graphs/contributors)
+## Credits
+Flagging cookies as secure functionality and HSTS support is greatly inspired by [Joshua Peek's Rack::SSL](https://github.com/josh/rack-ssl).
+## Note on Patches / Pull Requests
+* Fork the project.
+* Code your feature addition or bug fix.
+* **Add tests for it.** This is important so we don't break it in a future version unintentionally.
+* Commit, do not mess with Rakefile or version number. If you want to have your own version, that's fine but bump version in a commit by itself so we can ignore it when merging.
+* Send a pull request. Bonus points for topic branches.
+## Copyright
+Copyright (c) 2010-2013 Tobias Matthies. See [LICENSE](https://github.com/tobmatth/rack-ssl-enforcer/blob/master/LICENSE) for details.

data/lib/rack-ssl-enforcer.rb CHANGED

	@@ -1 +1 @@
1	- require 'rack/ssl-enforcer'
1	+ require 'rack/ssl-enforcer'

data/lib/rack/ssl-enforcer.rb CHANGED

@@ -1,199 +1,204 @@
-require 'rack/ssl-enforcer/constraint'
-module Rack
-  class SslEnforcer
-    CONSTRAINTS_BY_TYPE = {
-      :hosts        => [:only_hosts, :except_hosts],
-      :agents       => [:only_agents, :except_agents],
-      :path         => [:only, :except],
-      :methods      => [:only_methods, :except_methods],
-      :environments => [:only_environments, :except_environments]
-    }
-    # Warning: If you set the option force_secure_cookies to false, make sure that your cookies
-    # are encoded and that you understand the consequences (see documentation)
-    def initialize(app, options={})
-      default_options = {
-        :redirect_to          => nil,
-        :redirect_code        => nil,
-        :strict               => false,
-        :mixed                => false,
-        :hsts                 => nil,
-        :http_port            => nil,
-        :https_port           => nil,
-        :force_secure_cookies => true,
-        :before_redirect      => nil
-      }
-      CONSTRAINTS_BY_TYPE.values.each do |constraints|
-        constraints.each { |constraint| default_options[constraint] = nil }
-      end
-      @app, @options = app, default_options.merge(options)
-    end
-    def call(env)
-      @request = Rack::Request.new(env)
-      return @app.call(env) if ignore?
-      @scheme = if enforce_ssl?
-        'https'
-      elsif enforce_non_ssl?
-        'http'
-      end
-      if redirect_required?
-        call_before_redirect
-        modify_location_and_redirect
-      elsif ssl_request?
-        status, headers, body = @app.call(env)
-        flag_cookies_as_secure!(headers) if @options[:force_secure_cookies]
-        set_hsts_headers!(headers) if @options[:hsts] && !@options[:strict]
-        [status, headers, body]
-      else
-        @app.call(env)
-      end
-    end
-  private
-    def redirect_required?
-      scheme_mismatch? || host_mismatch?
-    end
-    def ignore?
-      if @options[:ignore]
-        rules = [@options[:ignore]].flatten.compact
-        rules.any? do |rule|
-          SslEnforcerConstraint.new(:ignore, rule, @request).matches?
-        end
-      else
-        false
-      end
-    end
-    def scheme_mismatch?
-      @scheme && @scheme != current_scheme
-    end
-    def host_mismatch?
-      destination_host && destination_host != @request.host
-    end
-    def call_before_redirect
-       @options[:before_redirect].call unless @options[:before_redirect].nil?
-    end
-    def modify_location_and_redirect
-      location = "#{current_scheme}://#{@request.host}#{@request.fullpath}"
-      location = replace_scheme(location, @scheme)
-      location = replace_host(location, @options[:redirect_to])
-      redirect_to(location)
-    end
-    def redirect_to(location)
-      body = "<html><body>You are being <a href=\"#{location}\">redirected</a>.</body></html>"
-      [@options[:redirect_code] || 301, { 'Content-Type' => 'text/html', 'Location' => location }, [body]]
-    end
-    def ssl_request?
-      current_scheme == 'https'
-    end
-    def destination_host
-      if @options[:redirect_to]
-        host_parts = URI.split(@options[:redirect_to])
-        host_parts[2] || host_parts[5]
-      end
-    end
-    # Fixed in rack >= 1.3
-    def current_scheme
-      if @request.env['HTTPS'] == 'on' || @request.env['HTTP_X_SSL_REQUEST'] == 'on'
-        'https'
-      elsif @request.env['HTTP_X_FORWARDED_PROTO']
-        @request.env['HTTP_X_FORWARDED_PROTO'].split(',')[0]
-      else
-        @request.scheme
-      end
-    end
-    def enforce_ssl_for?(keys)
-      provided_keys = keys.select { |key| @options[key] }
-      if provided_keys.empty?
-        true
-      else
-        provided_keys.all? do |key|
-          rules = [@options[key]].flatten.compact
-          rules.send([:except_hosts, :except_agents, :except_environments, :except].include?(key) ? :all? : :any?) do |rule|
-            SslEnforcerConstraint.new(key, rule, @request).matches?
-          end
-        end
-      end
-    end
-    def enforce_non_ssl?
-      @options[:strict] || @options[:mixed] && !(@request.request_method == 'PUT' || @request.request_method == 'POST')
-    end
-    def enforce_ssl?
-      CONSTRAINTS_BY_TYPE.inject(true) do |memo, (type, keys)|
-        memo && enforce_ssl_for?(keys)
-      end
-    end
-    def replace_scheme(uri, scheme)
-      return uri if not scheme_mismatch?
-      port = adjust_port_to(scheme)
-      uri_parts = URI.split(uri)
-      uri_parts[3] = port unless port.nil?
-      uri_parts[0] = scheme
-      URI::HTTP.new(*uri_parts).to_s
-    end
-    def replace_host(uri, host)
-      return uri unless host_mismatch?
-      host_parts = URI.split(host)
-      new_host = host_parts[2] || host_parts[5]
-      uri_parts = URI.split(uri)
-      uri_parts[2] = new_host
-      URI::HTTPS.new(*uri_parts).to_s
-    end
-    def adjust_port_to(scheme)
-      if scheme == 'https'
-        @options[:https_port] if @options[:https_port] && @options[:https_port] != URI::HTTPS.default_port
-      elsif scheme == 'http'
-        @options[:http_port] if @options[:http_port] && @options[:http_port] != URI::HTTP.default_port
-      end
-    end
-    # see http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_theft_and_session_hijacking
-    def flag_cookies_as_secure!(headers)
-      if cookies = headers['Set-Cookie']
-        # Support Rails 2.3 / Rack 1.1 arrays as headers
-        unless cookies.is_a?(Array)
-          cookies = cookies.split("\n")
-        end
-        headers['Set-Cookie'] = cookies.map do |cookie|
-          cookie !~ /(^|;\s)secure($|;)/ ? "#{cookie}; secure" : cookie
-        end.join("\n")
-      end
-    end
-    # see http://en.wikipedia.org/wiki/Strict_Transport_Security
-    def set_hsts_headers!(headers)
-      opts = { :expires => 31536000, :subdomains => true }
-      opts.merge!(@options[:hsts]) if @options[:hsts].is_a? Hash
-      value  = "max-age=#{opts[:expires]}"
-      value += "; includeSubDomains" if opts[:subdomains]
-      headers.merge!({ 'Strict-Transport-Security' => value })
-    end
-  end
-end
+require 'rack/ssl-enforcer/constraint'
+module Rack
+  class SslEnforcer
+    CONSTRAINTS_BY_TYPE = {
+      :hosts        => [:only_hosts, :except_hosts],
+      :agents       => [:only_agents, :except_agents],
+      :path         => [:only, :except],
+      :methods      => [:only_methods, :except_methods],
+      :environments => [:only_environments, :except_environments]
+    }
+    # Warning: If you set the option force_secure_cookies to false, make sure that your cookies
+    # are encoded and that you understand the consequences (see documentation)
+    def initialize(app, options={})
+      default_options = {
+        :redirect_to          => nil,
+        :redirect_code        => nil,
+        :strict               => false,
+        :mixed                => false,
+        :hsts                 => nil,
+        :http_port            => nil,
+        :https_port           => nil,
+        :force_secure_cookies => true,
+        :redirect_html        => nil,
+        :before_redirect      => nil
+      }
+      CONSTRAINTS_BY_TYPE.values.each do |constraints|
+        constraints.each { |constraint| default_options[constraint] = nil }
+      end
+      @app, @options = app, default_options.merge(options)
+    end
+    def call(env)
+      @request = Rack::Request.new(env)
+      return @app.call(env) if ignore?
+      @scheme = if enforce_ssl?
+        'https'
+      elsif enforce_non_ssl?
+        'http'
+      end
+      if redirect_required?
+        call_before_redirect
+        modify_location_and_redirect
+      elsif ssl_request?
+        status, headers, body = @app.call(env)
+        flag_cookies_as_secure!(headers) if @options[:force_secure_cookies]
+        set_hsts_headers!(headers) if @options[:hsts] && !@options[:strict]
+        [status, headers, body]
+      else
+        @app.call(env)
+      end
+    end
+  private
+    def redirect_required?
+      scheme_mismatch? || host_mismatch?
+    end
+    def ignore?
+      if @options[:ignore]
+        rules = [@options[:ignore]].flatten.compact
+        rules.any? do |rule|
+          SslEnforcerConstraint.new(:ignore, rule, @request).matches?
+        end
+      else
+        false
+      end
+    end
+    def scheme_mismatch?
+      @scheme && @scheme != current_scheme
+    end
+    def host_mismatch?
+      destination_host && destination_host != @request.host
+    end
+    def call_before_redirect
+       @options[:before_redirect].call(@request) unless @options[:before_redirect].nil?
+    end
+    def modify_location_and_redirect
+      location = "#{current_scheme}://#{@request.host}#{@request.fullpath}"
+      location = replace_scheme(location, @scheme)
+      location = replace_host(location, @options[:redirect_to])
+      redirect_to(location)
+    end
+    def redirect_to(location)
+      body = []
+      body << "<html><body>You are being <a href=\"#{location}\">redirected</a>.</body></html>" if @options[:redirect_html].nil?
+      body << @options[:redirect_html] if @options[:redirect_html].is_a?(String)
+      body = @options[:redirect_html] if @options[:redirect_html].respond_to?('each')
+      [@options[:redirect_code] || 301, { 'Content-Type' => 'text/html', 'Location' => location }, body]
+    end
+    def ssl_request?
+      current_scheme == 'https'
+    end
+    def destination_host
+      if @options[:redirect_to]
+        host_parts = URI.split(URI.encode(@options[:redirect_to]))
+        host_parts[2] || host_parts[5]
+      end
+    end
+    # Fixed in rack >= 1.3
+    def current_scheme
+      if @request.env['HTTPS'] == 'on' || @request.env['HTTP_X_SSL_REQUEST'] == 'on'
+        'https'
+      elsif @request.env['HTTP_X_FORWARDED_PROTO']
+        @request.env['HTTP_X_FORWARDED_PROTO'].split(',')[0]
+      else
+        @request.scheme
+      end
+    end
+    def enforce_ssl_for?(keys)
+      provided_keys = keys.select { |key| @options[key] }
+      if provided_keys.empty?
+        true
+      else
+        provided_keys.all? do |key|
+          rules = [@options[key]].flatten.compact
+          rules.send([:except_hosts, :except_agents, :except_environments, :except].include?(key) ? :all? : :any?) do |rule|
+            SslEnforcerConstraint.new(key, rule, @request).matches?
+          end
+        end
+      end
+    end
+    def enforce_non_ssl?
+      @options[:strict] || @options[:mixed] && !(@request.request_method == 'PUT' || @request.request_method == 'POST')
+    end
+    def enforce_ssl?
+      CONSTRAINTS_BY_TYPE.inject(true) do |memo, (type, keys)|
+        memo && enforce_ssl_for?(keys)
+      end
+    end
+    def replace_scheme(uri, scheme)
+      return uri if not scheme_mismatch?
+      port = adjust_port_to(scheme)
+      uri_parts = URI.split(URI.encode(uri))
+      uri_parts[3] = port unless port.nil?
+      uri_parts[0] = scheme
+      URI::HTTP.new(*uri_parts).to_s
+    end
+    def replace_host(uri, host)
+      return uri unless host_mismatch?
+      host_parts = URI.split(URI.encode(host))
+      new_host = host_parts[2] || host_parts[5]
+      uri_parts = URI.split(URI.encode(uri))
+      uri_parts[2] = new_host
+      URI::HTTPS.new(*uri_parts).to_s
+    end
+    def adjust_port_to(scheme)
+      if scheme == 'https'
+        @options[:https_port] if @options[:https_port] && @options[:https_port] != URI::HTTPS.default_port
+      elsif scheme == 'http'
+        @options[:http_port] if @options[:http_port] && @options[:http_port] != URI::HTTP.default_port
+      end
+    end
+    # see http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_theft_and_session_hijacking
+    def flag_cookies_as_secure!(headers)
+      if cookies = headers['Set-Cookie']
+        # Support Rails 2.3 / Rack 1.1 arrays as headers
+        unless cookies.is_a?(Array)
+          cookies = cookies.split("\n")
+        end
+        headers['Set-Cookie'] = cookies.map do |cookie|
+          cookie !~ /(^|;\s)secure($|;)/ ? "#{cookie}; secure" : cookie
+        end.join("\n")
+      end
+    end
+    # see http://en.wikipedia.org/wiki/Strict_Transport_Security
+    def set_hsts_headers!(headers)
+      opts = { :expires => 31536000, :subdomains => true }
+      opts.merge!(@options[:hsts]) if @options[:hsts].is_a? Hash
+      value  = "max-age=#{opts[:expires]}"
+      value += "; includeSubDomains" if opts[:subdomains]
+      headers.merge!({ 'Strict-Transport-Security' => value })
+    end
+  end
+end

data/lib/rack/ssl-enforcer/constraint.rb CHANGED

@@ -1,42 +1,42 @@
-class SslEnforcerConstraint
-  def initialize(name, rule, request)
-    @name    = name
-    @rule    = rule
-    @request = request
-  end
-  def matches?
-    if @rule.is_a?(String) && [:only, :except].include?(@name)
-      result = tested_string[0, @rule.size].send(operator, @rule)
-    else
-      result = tested_string.send(operator, @rule)
-    end
-    negate_result? ? !result : result
-  end
-private
-  def negate_result?
-    @name.to_s =~ /except/
-  end
-  def operator
-    @rule.is_a?(Regexp) ? "=~" : "=="
-  end
-  def tested_string
-    case @name.to_s
-    when /hosts/
-      @request.host
-    when /methods/
-      @request.request_method
-    when /environments/
-      ENV["RACK_ENV"] || ENV["RAILS_ENV"] || ENV["ENV"]
-    when /agents/
-      @request.user_agent
-    else
-      @request.path
-    end
-  end
-end
+class SslEnforcerConstraint
+  def initialize(name, rule, request)
+    @name    = name
+    @rule    = rule
+    @request = request
+  end
+  def matches?
+    if @rule.is_a?(String) && [:only, :except].include?(@name)
+      result = tested_string[0, @rule.size].send(operator, @rule)
+    else
+      result = tested_string.send(operator, @rule)
+    end
+    negate_result? ? !result : result
+  end
+private
+  def negate_result?
+    @name.to_s =~ /except/
+  end
+  def operator
+    @rule.is_a?(Regexp) ? "=~" : "=="
+  end
+  def tested_string
+    case @name.to_s
+    when /hosts/
+      @request.host
+    when /methods/
+      @request.request_method
+    when /environments/
+      ENV["RACK_ENV"] || ENV["RAILS_ENV"] || ENV["ENV"]
+    when /agents/
+      @request.user_agent
+    else
+      @request.path
+    end
+  end
+end

data/lib/rack/ssl-enforcer/version.rb CHANGED

@@ -1,5 +1,5 @@
-module Rack
-  class SslEnforcer
-    VERSION = "0.2.6"
-  end
-end
+module Rack
+  class SslEnforcer
+    VERSION = "0.2.7"
+  end
+end

metadata CHANGED

@@ -1,8 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-ssl-enforcer
 version: !ruby/object:Gem::Version
-  version: 0.2.6
-  prerelease:
+  version: 0.2.7
 platform: ruby
 authors:
 - Tobias Matthies
@@ -10,12 +9,11 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-09-18 00:00:00.000000000 Z
+date: 2014-05-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -23,7 +21,6 @@ dependencies:
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -31,7 +28,6 @@ dependencies:
 - !ruby/object:Gem::Dependency
   name: test-unit
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -39,7 +35,6 @@ dependencies:
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -47,7 +42,6 @@ dependencies:
 - !ruby/object:Gem::Dependency
   name: shoulda
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -55,7 +49,6 @@ dependencies:
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -63,7 +56,6 @@ dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -71,7 +63,6 @@ dependencies:
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -79,7 +70,6 @@ dependencies:
 - !ruby/object:Gem::Dependency
   name: rack-test
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -87,7 +77,6 @@ dependencies:
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -108,29 +97,25 @@ files:
 - README.md
 homepage: http://github.com/tobmatth/rack-ssl-enforcer
 licenses: []
+metadata: {}
 post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
-      segments:
-      - 0
-      hash: 1004214355
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: 1.3.6
 requirements: []
 rubyforge_project: rack-ssl-enforcer
-rubygems_version: 1.8.25
+rubygems_version: 2.0.4
 signing_key:
-specification_version: 3
+specification_version: 4
 summary: A simple Rack middleware to enforce SSL
 test_files: []