RubyGems - rack-ssl-enforcer - Versions diffs - 0.2.6 → 0.2.7 - Mend

rack-ssl-enforcer 0.2.6 → 0.2.7

Files changed (8) hide show

checksums.yaml +7 -0
data/LICENSE +20 -20
data/README.md +297 -272
data/lib/rack-ssl-enforcer.rb +1 -1
data/lib/rack/ssl-enforcer.rb +204 -199
data/lib/rack/ssl-enforcer/constraint.rb +42 -42
data/lib/rack/ssl-enforcer/version.rb +5 -5
metadata +7 -22

checksums.yaml ADDED

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 19f0acb60b5cc81e0f314272653283ae86b78274
+  data.tar.gz: 837d1adfe73260634e2eb8d10d157aa03b32aefd
+SHA512:
+  metadata.gz: ec0fe6c85a980f63ff9ab0cd3659e7d86a2ea819ef15d31d9763f419bf5d9f09edc5e39dd1dd03203f5c873adcf87fbe0763b100cdc32dbedbd8f0197621f2da
+  data.tar.gz: 8685bd5a1534e785a1bed177042238362c19f668ee09b85318b5f5829b8bd14db473b71d8d50040e8e2ea24c534ea31900a2fda20e17259543a4ad28302fad2d

data/LICENSE CHANGED

@@ -1,20 +1,20 @@
-Copyright (c) 2009-2012 Tobias Matthies
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+Copyright (c) 2009-2012 Tobias Matthies
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md CHANGED

@@ -1,272 +1,297 @@
-# Rack::SslEnforcer [![Build Status](https://travis-ci.org/tobmatth/rack-ssl-enforcer.png?branch=master)](https://travis-ci.org/tobmatth/rack-ssl-enforcer)
-Rack::SslEnforcer is a simple Rack middleware to enforce SSL connections. As of Version 0.2.0, Rack::SslEnforcer marks
-Cookies as secure by default (HSTS must be set manually).
-Tested against Ruby 1.8.7, 1.9.2, 1.9.3, ruby-head, REE and the latest versions of Rubinius & JRuby.
-## Installation
-The simplest way to install Rack::SslEnforcer is to use [Bundler](http://gembundler.com).
-Add Rack::SslEnforcer to your `Gemfile`:
-```ruby
- gem 'rack-ssl-enforcer'
-```
-### Installing on Sinatra / Padrino application
-In order for Rack::SslEnforcer to properly work it has to be at the top
-of the Rack Middleware.
-Using `enable :session` will place Rack::Session::Cookie before Rack::Ssl::Enforcer
-and will prevent Rack::Ssl::Enforcer from marking cookies as secure.
-To fix this issue do not use `enable :sessions` instead add the
-Rack::Session::Cookie middleware after Rack::Ssl::Enforcer.
-Eg:
-```ruby
-use Rack::SslEnforcer
-set :session_secret, 'asdfa2342923422f1adc05c837fa234230e3594b93824b00e930ab0fb94b'
-#Enable sinatra sessions
-use Rack::Session::Cookie, :key => '_rack_session',
-                           :path => '/',
-                           :expire_after => 2592000, # In seconds
-                           :secret => settings.session_secret
-```
-## Basic Usage
-If you don't use Bundler, be sure to require Rack::SslEnforcer manually before actually using the middleware:
-```ruby
- require 'rack/ssl-enforcer'
- use Rack::SslEnforcer
-```
-To use Rack::SslEnforcer in your Rails application, add the following line to your application config file (`config/application.rb` for Rails 3, `config/environment.rb` for Rails 2):
-```ruby
-config.middleware.use Rack::SslEnforcer
-```
-If all you want is SSL for your whole application, you are done! Otherwise, you can specify some options described below.
-## Options
-### Host constraints
-You can enforce SSL connections only for certain hosts with `:only_hosts`, or prevent certain hosts from being forced to SSL with `:except_hosts`. Constraints can be a `String`, a `Regex` or an array of `String` or `Regex` (possibly mixed), as shown in the following examples:
-```ruby
-config.middleware.use Rack::SslEnforcer, :only_hosts => 'api.example.com'
-# Please note that, for instance, both http://help.example.com/demo and https://help.example.com/demo would be accessible here
-config.middleware.use Rack::SslEnforcer, :except_hosts => /[help|blog]\.example\.com$/
-config.middleware.use Rack::SslEnforcer, :only_hosts => [/[secure|admin]\.example\.org$/, 'api.example.com']
-```
-### Path constraints
-You can enforce SSL connections only for certain paths with `:only`, prevent certain paths from being forced to SSL with `:except`, or - if you don't care how certain paths are accessed - ignore them with `:ignore`. Constraints can be a `String`, a `Regex` or an array of `String` or `Regex` (possibly mixed), as shown in the following examples:
-```ruby
-config.middleware.use Rack::SslEnforcer, :only => '/login'
-# Please note that, for instance, both http://example.com/demo and https://example.com/demo would be accessible here
-config.middleware.use Rack::SslEnforcer, :only => %r{^/admin/}
-config.middleware.use Rack::SslEnforcer, :except => ['/demo', %r{^/public/}]
-config.middleware.use Rack::SslEnforcer, :ignore => '/assets'
-# You can also combine multiple constraints
-config.middleware.use Rack::SslEnforcer, :only => '/cart', :ignore => %r{/assets}, :strict => true
-```
-### Method constraints
-You can enforce SSL connections only for certain HTTP methods with `:only_methods`, or prevent certain HTTP methods from being forced to SSL with `:except_methods`. Constraints can be a `String` or an array of `String`, as shown in the following examples:
-```ruby
-# constraint as a String
-config.middleware.use Rack::SslEnforcer, :only_methods => 'POST'
-# Please note that, for instance, GET requests would be accessible via SSL and non-SSL connection here
-config.middleware.use Rack::SslEnforcer, :except_methods => ['GET', 'HEAD']
-```
-Note: The `:hosts` constraint takes precedence over the `:path` constraint. Please see the tests for examples.
-### Environment constraints
-You can enforce SSL connections only for certain environments with `:only_environments` or prevent certain environments from being forced to SSL with `:except_environments`.
-Environment constraints may be a `String`, a `Regex` or an array of `String` or `Regex` (possibly mixed), as shown in the following examples:
-```ruby
-config.middleware.use Rack::SslEnforcer, :except_environments => 'development'
-config.middleware.use Rack::SslEnforcer, :except_environments => /^[0-9a-f]+_local$/i
-config.middleware.use Rack::SslEnforcer, :only_environments => ['production', /^QA/]
-```
-Note: The `:environments` constraint requires one the following environment variables to be set: `RACK_ENV`, `RAILS_ENV`, `ENV`.
-### User agent constraints
-You can enforce SSL connections only for certain user agents with `:only_agents` or prevent certain user agents from being forced to SSL with `:except_agents`.
-User agent constraints may be a `String`, a `Regex` or an array of `String` or `Regex` (possibly mixed), as shown in the following examples:
-```ruby
-config.middleware.use Rack::SslEnforcer, :except_agents => 'Googlebot'
-config.middleware.use Rack::SslEnforcer, :except_agents => /[Googlebot|bingbot]/
-config.middleware.use Rack::SslEnforcer, :only_agents => ['test-secu-bot', /custom-crawler[0-9a-f]/]
-```
-### Force-redirection to non-SSL connection if constraint is not matched
-Use the `:strict` option to force non-SSL connection for all requests not matching the constraints you set. Examples:
-```ruby
-config.middleware.use Rack::SslEnforcer, :only => ["/login", /\.xml$/], :strict => true
-# https://example.com/demo would be redirected to http://example.com/demo
-config.middleware.use Rack::SslEnforcer, :except_hosts => 'demo.example.com', :strict => true
-# https://demo.example.com would be redirected to http://demo.example.com
-```
-### Automatic method constraints
-In the case where you have matching URLs with different HTTP methods – for instance Rails RESTful routes: `GET /users`, `POST /users`, `GET /user/:id` and `PUT /user/:id` – you may need to force POST and PUT requests to SSL connection but redirect to non-SSL connection on GET.
-```ruby
-config.middleware.use Rack::SslEnforcer, :only => [%r{^/users/}], :mixed => true
-```
-The above will allow you to POST/PUT from the secure/non-secure URLs keeping the original schema.
-### HTTP Strict Transport Security (HSTS)
-To set HSTS expiry and subdomain inclusion (defaults respectively to `one year` and `true`).
-```ruby
-config.middleware.use Rack::SslEnforcer, :hsts => { :expires => 500, :subdomains => false }
-config.middleware.use Rack::SslEnforcer, :hsts => true # equivalent to { :expires => 31536000, :subdomains => true }
-```
-Please note that the strict option disables HSTS.
-### Redirect to specific URL (e.g. if you're using a proxy)
-You might need the `:redirect_to` option if the requested URL can't be determined.
-```ruby
-config.middleware.use Rack::SslEnforcer, :redirect_to => 'https://example.org'
-```
-### Redirect with specific HTTP status code
-By default it redirects with HTTP status code 301(Moved Permanently). Sometimes you might need to redirect with different HTTP status code:
-```ruby
-config.middleware.use Rack::SslEnforcer, :redirect_code => 302
-```
-### Custom HTTP port
-If you're using a different port than the default (80) for HTTP, you can specify it with the `:http_port` option:
-```ruby
-config.middleware.use Rack::SslEnforcer, :http_port => 8080
-```
-### Custom HTTPS port
-If you're using a different port than the default (443) for HTTPS, you can specify it with the `:https_port` option:
-```ruby
-config.middleware.use Rack::SslEnforcer, :https_port => 444
-```
-### Secure cookies disabling
-Finally you might want to share a cookie based session between HTTP and HTTPS.
-This is not possible by default with Rack::SslEnforcer for [security reasons](http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_theft_and_session_hijacking).
-Nevertheless, you can set the `:force_secure_cookies` option to `false` in order to be able to share a cookie based session between HTTP and HTTPS:
-```ruby
-config.middleware.use Rack::SslEnforcer, :only => "/login", :force_secure_cookies => false
-```
-But be aware that if you do so, you have to make sure that the content of you cookie is encoded.
-This can be done using a coder with [Rack::Session::Cookie](https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb#L28-42).
-### Running code before redirect
-You may want to run some code before rack-ssl-enforcer forces a redirect.  This code could do something like log that a redirect was done, or if this is used in a Rails app, keeping the flash when redirecting:
-```ruby
-config.middleware.use Rack::SslEnforcer, :only => '/login', :before_redirect => Proc.new {
-  #keep flash on redirect
-  @request.session[:flash].keep if !@request.session.nil? && @request.session.key?('flash') && !@request.session['flash'].empty?
-}
-```
-## Deployment
-If you run your application behind a proxy (e.g. Nginx) you may need to do some configuration on that side. If you don't you may experience an infinite redirect loop.
-The reason this happens is that Rack::SslEnforcer can't detect if you are running SSL or not. The solution is to have your front-end server send extra headers for Rack::SslEnforcer to identify the request protocol.
-### Nginx
-In the `location` block for your app's SSL configuration, include the following proxy header configuration:
-`proxy_set_header   X-Forwarded-Proto https;`
-### Passenger
-Or, if you're using mod_rails/passenger (which will ignore the proxy_xxx directives):
-`passenger_set_cgi_param HTTP_X_FORWARDED_PROTO https;`
-If you're sharing a single `server` block for http AND https access you can add:
-`passenger_set_cgi_param HTTP_X_FORWARDED_PROTO $scheme;`
-This makes sure that Rack::SslEnforcer knows it's being accessed over SSL. Just restart Nginx for these changes to take effect.
-## TODO
-* Cleanup tests
-#### Contributors
-[https://github.com/tobmatth/rack-ssl-enforcer/graphs/contributors](https://github.com/tobmatth/rack-ssl-enforcer/graphs/contributors)
-## Credits
-Flagging cookies as secure functionality and HSTS support is greatly inspired by [Joshua Peek's Rack::SSL](https://github.com/josh/rack-ssl).
-## Note on Patches / Pull Requests
-* Fork the project.
-* Code your feature addition or bug fix.
-* **Add tests for it.** This is important so we don't break it in a future version unintentionally.
-* Commit, do not mess with Rakefile or version number. If you want to have your own version, that's fine but bump version in a commit by itself so we can ignore it when merging.
-* Send a pull request. Bonus points for topic branches.
-## Copyright
-Copyright (c) 2010-2013 Tobias Matthies. See [LICENSE](https://github.com/tobmatth/rack-ssl-enforcer/blob/master/LICENSE) for details.
+# Rack::SslEnforcer [![Build Status](https://travis-ci.org/tobmatth/rack-ssl-enforcer.png?branch=master)](https://travis-ci.org/tobmatth/rack-ssl-enforcer)
+Rack::SslEnforcer is a simple Rack middleware to enforce SSL connections. As of Version 0.2.0, Rack::SslEnforcer marks
+Cookies as secure by default (HSTS must be set manually).
+Tested against Ruby 1.8.7, 1.9.2, 1.9.3, 2.0.0, 2.1.0, ruby-head, REE and the latest versions of Rubinius & JRuby.
+## Installation
+The simplest way to install Rack::SslEnforcer is to use [Bundler](http://gembundler.com).
+Add Rack::SslEnforcer to your `Gemfile`:
+```ruby
+ gem 'rack-ssl-enforcer'
+```
+### Installing on Sinatra / Padrino application
+In order for Rack::SslEnforcer to properly work it has to be at the top
+of the Rack Middleware.
+Using `enable :session` will place Rack::Session::Cookie before Rack::Ssl::Enforcer
+and will prevent Rack::Ssl::Enforcer from marking cookies as secure.
+To fix this issue do not use `enable :sessions` instead add the
+Rack::Session::Cookie middleware after Rack::Ssl::Enforcer.
+Eg:
+```ruby
+use Rack::SslEnforcer
+set :session_secret, 'asdfa2342923422f1adc05c837fa234230e3594b93824b00e930ab0fb94b'
+#Enable sinatra sessions
+use Rack::Session::Cookie, :key => '_rack_session',
+                           :path => '/',
+                           :expire_after => 2592000, # In seconds
+                           :secret => settings.session_secret
+```
+## Basic Usage
+If you don't use Bundler, be sure to require Rack::SslEnforcer manually before actually using the middleware:
+```ruby
+ require 'rack/ssl-enforcer'
+ use Rack::SslEnforcer
+```
+To use Rack::SslEnforcer in your Rails application, add the following line to your application config file (`config/application.rb` for Rails 3 and above, `config/environment.rb` for Rails 2):
+```ruby
+config.middleware.use Rack::SslEnforcer
+```
+If all you want is SSL for your whole application, you are done! Otherwise, you can specify some options described below.
+## Options
+### Host constraints
+You can enforce SSL connections only for certain hosts with `:only_hosts`, or prevent certain hosts from being forced to SSL with `:except_hosts`. Constraints can be a `String`, a `Regex` or an array of `String` or `Regex` (possibly mixed), as shown in the following examples:
+```ruby
+config.middleware.use Rack::SslEnforcer, :only_hosts => 'api.example.com'
+# Please note that, for instance, both http://help.example.com/demo and https://help.example.com/demo would be accessible here
+config.middleware.use Rack::SslEnforcer, :except_hosts => /[help|blog]\.example\.com$/
+config.middleware.use Rack::SslEnforcer, :only_hosts => [/[secure|admin]\.example\.org$/, 'api.example.com']
+```
+### Path constraints
+You can enforce SSL connections only for certain paths with `:only`, prevent certain paths from being forced to SSL with `:except`, or - if you don't care how certain paths are accessed - ignore them with `:ignore`. Constraints can be a `String`, a `Regex` or an array of `String` or `Regex` (possibly mixed), as shown in the following examples:
+```ruby
+config.middleware.use Rack::SslEnforcer, :only => '/login'
+# Please note that, for instance, both http://example.com/demo and https://example.com/demo would be accessible here
+config.middleware.use Rack::SslEnforcer, :only => %r{^/admin/}
+config.middleware.use Rack::SslEnforcer, :except => ['/demo', %r{^/public/}]
+config.middleware.use Rack::SslEnforcer, :ignore => '/assets'
+# You can also combine multiple constraints
+config.middleware.use Rack::SslEnforcer, :only => '/cart', :ignore => %r{/assets}, :strict => true
+```
+### Method constraints
+You can enforce SSL connections only for certain HTTP methods with `:only_methods`, or prevent certain HTTP methods from being forced to SSL with `:except_methods`. Constraints can be a `String` or an array of `String`, as shown in the following examples:
+```ruby
+# constraint as a String
+config.middleware.use Rack::SslEnforcer, :only_methods => 'POST'
+# Please note that, for instance, GET requests would be accessible via SSL and non-SSL connection here
+config.middleware.use Rack::SslEnforcer, :except_methods => ['GET', 'HEAD']
+```
+Note: The `:hosts` constraint takes precedence over the `:path` constraint. Please see the tests for examples.
+### Environment constraints
+You can enforce SSL connections only for certain environments with `:only_environments` or prevent certain environments from being forced to SSL with `:except_environments`.
+Environment constraints may be a `String`, a `Regex` or an array of `String` or `Regex` (possibly mixed), as shown in the following examples:
+```ruby
+config.middleware.use Rack::SslEnforcer, :except_environments => 'development'
+config.middleware.use Rack::SslEnforcer, :except_environments => /^[0-9a-f]+_local$/i
+config.middleware.use Rack::SslEnforcer, :only_environments => ['production', /^QA/]
+```
+Note: The `:environments` constraint requires one the following environment variables to be set: `RACK_ENV`, `RAILS_ENV`, `ENV`.
+### User agent constraints
+You can enforce SSL connections only for certain user agents with `:only_agents` or prevent certain user agents from being forced to SSL with `:except_agents`.
+User agent constraints may be a `String`, a `Regex` or an array of `String` or `Regex` (possibly mixed), as shown in the following examples:
+```ruby
+config.middleware.use Rack::SslEnforcer, :except_agents => 'Googlebot'
+config.middleware.use Rack::SslEnforcer, :except_agents => /[Googlebot|bingbot]/
+config.middleware.use Rack::SslEnforcer, :only_agents => ['test-secu-bot', /custom-crawler[0-9a-f]/]
+```
+### Force-redirection to non-SSL connection if constraint is not matched
+Use the `:strict` option to force non-SSL connection for all requests not matching the constraints you set. Examples:
+```ruby
+config.middleware.use Rack::SslEnforcer, :only => ["/login", /\.xml$/], :strict => true
+# https://example.com/demo would be redirected to http://example.com/demo
+config.middleware.use Rack::SslEnforcer, :except_hosts => 'demo.example.com', :strict => true
+# https://demo.example.com would be redirected to http://demo.example.com
+```
+### Automatic method constraints
+In the case where you have matching URLs with different HTTP methods – for instance Rails RESTful routes: `GET /users`, `POST /users`, `GET /user/:id` and `PUT /user/:id` – you may need to force POST and PUT requests to SSL connection but redirect to non-SSL connection on GET.
+```ruby
+config.middleware.use Rack::SslEnforcer, :only => [%r{^/users/}], :mixed => true
+```
+The above will allow you to POST/PUT from the secure/non-secure URLs keeping the original schema.
+### HTTP Strict Transport Security (HSTS)
+To set HSTS expiry and subdomain inclusion (defaults respectively to `one year` and `true`).
+```ruby
+config.middleware.use Rack::SslEnforcer, :hsts => { :expires => 500, :subdomains => false }
+config.middleware.use Rack::SslEnforcer, :hsts => true # equivalent to { :expires => 31536000, :subdomains => true }
+```
+Please note that the strict option disables HSTS.
+### Redirect to specific URL (e.g. if you're using a proxy)
+You might need the `:redirect_to` option if the requested URL can't be determined.
+```ruby
+config.middleware.use Rack::SslEnforcer, :redirect_to => 'https://example.org'
+```
+### Redirect with specific HTTP status code
+By default it redirects with HTTP status code 301(Moved Permanently). Sometimes you might need to redirect with different HTTP status code:
+```ruby
+config.middleware.use Rack::SslEnforcer, :redirect_code => 302
+```
+### Custom HTTP port
+If you're using a different port than the default (80) for HTTP, you can specify it with the `:http_port` option:
+```ruby
+config.middleware.use Rack::SslEnforcer, :http_port => 8080
+```
+### Custom HTTPS port
+If you're using a different port than the default (443) for HTTPS, you can specify it with the `:https_port` option:
+```ruby
+config.middleware.use Rack::SslEnforcer, :https_port => 444
+```
+### Secure cookies disabling
+Finally you might want to share a cookie based session between HTTP and HTTPS.
+This is not possible by default with Rack::SslEnforcer for [security reasons](http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_theft_and_session_hijacking).
+Nevertheless, you can set the `:force_secure_cookies` option to `false` in order to be able to share a cookie based session between HTTP and HTTPS:
+```ruby
+config.middleware.use Rack::SslEnforcer, :only => "/login", :force_secure_cookies => false
+```
+But be aware that if you do so, you have to make sure that the content of you cookie is encoded.
+This can be done using a coder with [Rack::Session::Cookie](https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb#L28-42).
+### Running code before redirect
+You may want to run some code before rack-ssl-enforcer forces a redirect.  This code could do something like log that a redirect was done, or if this is used in a Rails app, keeping the flash when redirecting:
+```ruby
+config.middleware.use Rack::SslEnforcer, :only => '/login', :before_redirect => Proc.new { |request|
+  #keep flash on redirect
+  request.session[:flash].keep if !request.session.nil? && request.session.key?('flash') && !request.session['flash'].empty?
+}
+```
+### Custom or empty response body
+The default response body is:
+```html
+<html><body>You are being <a href="https://www.example.org/">redirected</a>.</body></html>
+```
+To supply a custom message, provide a string as `:redirect_html`:
+```ruby
+config.middleware.use Rack::SslEnforcer, :redirect_html => 'Redirecting!'
+```
+To supply a series of responses for Rack to chunk, provide a [permissable Rack body object](http://rack.rubyforge.org/doc/SPEC.html):
+```ruby
+config.middleware.use Rack::SslEnforcer, :redirect_html => ['<html>','<body>','Hello!','</body>','</html>']
+```
+To supply an empty response body, provide :redirect_html as false:
+```ruby
+config.middleware.use Rack::SslEnforcer, :redirect_html => false
+```
+## Deployment
+If you run your application behind a proxy (e.g. Nginx) you may need to do some configuration on that side. If you don't you may experience an infinite redirect loop.
+The reason this happens is that Rack::SslEnforcer can't detect if you are running SSL or not. The solution is to have your front-end server send extra headers for Rack::SslEnforcer to identify the request protocol.
+### Nginx
+In the `location` block for your app's SSL configuration, include the following proxy header configuration:
+`proxy_set_header   X-Forwarded-Proto https;`
+### Passenger
+Or, if you're using mod_rails/passenger (which will ignore the proxy_xxx directives):
+`passenger_set_cgi_param HTTP_X_FORWARDED_PROTO https;`
+If you're sharing a single `server` block for http AND https access you can add:
+`passenger_set_cgi_param HTTP_X_FORWARDED_PROTO $scheme;`
+This makes sure that Rack::SslEnforcer knows it's being accessed over SSL. Just restart Nginx for these changes to take effect.
+## TODO
+* Cleanup tests
+#### Contributors
+[https://github.com/tobmatth/rack-ssl-enforcer/graphs/contributors](https://github.com/tobmatth/rack-ssl-enforcer/graphs/contributors)
+## Credits
+Flagging cookies as secure functionality and HSTS support is greatly inspired by [Joshua Peek's Rack::SSL](https://github.com/josh/rack-ssl).
+## Note on Patches / Pull Requests
+* Fork the project.
+* Code your feature addition or bug fix.
+* **Add tests for it.** This is important so we don't break it in a future version unintentionally.
+* Commit, do not mess with Rakefile or version number. If you want to have your own version, that's fine but bump version in a commit by itself so we can ignore it when merging.
+* Send a pull request. Bonus points for topic branches.
+## Copyright
+Copyright (c) 2010-2013 Tobias Matthies. See [LICENSE](https://github.com/tobmatth/rack-ssl-enforcer/blob/master/LICENSE) for details.

data/lib/rack-ssl-enforcer.rb CHANGED

	@@ -1 +1 @@
1	- require 'rack/ssl-enforcer'
1	+ require 'rack/ssl-enforcer'

data/lib/rack/ssl-enforcer.rb CHANGED

@@ -1,199 +1,204 @@
-require 'rack/ssl-enforcer/constraint'
-module Rack
-  class SslEnforcer
-    CONSTRAINTS_BY_TYPE = {
-      :hosts        => [:only_hosts, :except_hosts],
-      :agents       => [:only_agents, :except_agents],
-      :path         => [:only, :except],
-      :methods      => [:only_methods, :except_methods],
-      :environments => [:only_environments, :except_environments]
-    }
-    # Warning: If you set the option force_secure_cookies to false, make sure that your cookies
-    # are encoded and that you understand the consequences (see documentation)
-    def initialize(app, options={})
-      default_options = {
-        :redirect_to          => nil,
-        :redirect_code        => nil,
-        :strict               => false,
-        :mixed                => false,
-        :hsts                 => nil,
-        :http_port            => nil,
-        :https_port           => nil,
-        :force_secure_cookies => true,
-        :before_redirect      => nil
-      }
-      CONSTRAINTS_BY_TYPE.values.each do |constraints|
-        constraints.each { |constraint| default_options[constraint] = nil }
-      end
-      @app, @options = app, default_options.merge(options)
-    end
-    def call(env)
-      @request = Rack::Request.new(env)
-      return @app.call(env) if ignore?
-      @scheme = if enforce_ssl?
-        'https'
-      elsif enforce_non_ssl?
-        'http'
-      end
-      if redirect_required?
-        call_before_redirect
-        modify_location_and_redirect
-      elsif ssl_request?
-        status, headers, body = @app.call(env)
-        flag_cookies_as_secure!(headers) if @options[:force_secure_cookies]
-        set_hsts_headers!(headers) if @options[:hsts] && !@options[:strict]
-        [status, headers, body]
-      else
-        @app.call(env)
-      end
-    end
-  private
-    def redirect_required?
-      scheme_mismatch? || host_mismatch?
-    end
-    def ignore?
-      if @options[:ignore]
-        rules = [@options[:ignore]].flatten.compact
-        rules.any? do |rule|
-          SslEnforcerConstraint.new(:ignore, rule, @request).matches?
-        end
-      else
-        false
-      end
-    end
-    def scheme_mismatch?
-      @scheme && @scheme != current_scheme
-    end
-    def host_mismatch?
-      destination_host && destination_host != @request.host
-    end
-    def call_before_redirect
-       @options[:before_redirect].call unless @options[:before_redirect].nil?
-    end
-    def modify_location_and_redirect
-      location = "#{current_scheme}://#{@request.host}#{@request.fullpath}"
-      location = replace_scheme(location, @scheme)
-      location = replace_host(location, @options[:redirect_to])
-      redirect_to(location)
-    end
-    def redirect_to(location)
-      body = "<html><body>You are being <a href=\"#{location}\">redirected</a>.</body></html>"
-      [@options[:redirect_code] || 301, { 'Content-Type' => 'text/html', 'Location' => location }, [body]]
-    end
-    def ssl_request?
-      current_scheme == 'https'
-    end
-    def destination_host
-      if @options[:redirect_to]
-        host_parts = URI.split(@options[:redirect_to])
-        host_parts[2] || host_parts[5]
-      end
-    end
-    # Fixed in rack >= 1.3
-    def current_scheme
-      if @request.env['HTTPS'] == 'on' || @request.env['HTTP_X_SSL_REQUEST'] == 'on'
-        'https'
-      elsif @request.env['HTTP_X_FORWARDED_PROTO']
-        @request.env['HTTP_X_FORWARDED_PROTO'].split(',')[0]
-      else
-        @request.scheme
-      end
-    end
-    def enforce_ssl_for?(keys)
-      provided_keys = keys.select { |key| @options[key] }
-      if provided_keys.empty?
-        true
-      else
-        provided_keys.all? do |key|
-          rules = [@options[key]].flatten.compact
-          rules.send([:except_hosts, :except_agents, :except_environments, :except].include?(key) ? :all? : :any?) do |rule|
-            SslEnforcerConstraint.new(key, rule, @request).matches?
-          end
-        end
-      end
-    end
-    def enforce_non_ssl?
-      @options[:strict] || @options[:mixed] && !(@request.request_method == 'PUT' || @request.request_method == 'POST')
-    end
-    def enforce_ssl?
-      CONSTRAINTS_BY_TYPE.inject(true) do |memo, (type, keys)|
-        memo && enforce_ssl_for?(keys)
-      end
-    end
-    def replace_scheme(uri, scheme)
-      return uri if not scheme_mismatch?
-      port = adjust_port_to(scheme)
-      uri_parts = URI.split(uri)
-      uri_parts[3] = port unless port.nil?
-      uri_parts[0] = scheme
-      URI::HTTP.new(*uri_parts).to_s
-    end
-    def replace_host(uri, host)
-      return uri unless host_mismatch?
-      host_parts = URI.split(host)
-      new_host = host_parts[2] || host_parts[5]
-      uri_parts = URI.split(uri)
-      uri_parts[2] = new_host
-      URI::HTTPS.new(*uri_parts).to_s
-    end
-    def adjust_port_to(scheme)
-      if scheme == 'https'
-        @options[:https_port] if @options[:https_port] && @options[:https_port] != URI::HTTPS.default_port
-      elsif scheme == 'http'
-        @options[:http_port] if @options[:http_port] && @options[:http_port] != URI::HTTP.default_port
-      end
-    end
-    # see http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_theft_and_session_hijacking
-    def flag_cookies_as_secure!(headers)
-      if cookies = headers['Set-Cookie']
-        # Support Rails 2.3 / Rack 1.1 arrays as headers
-        unless cookies.is_a?(Array)
-          cookies = cookies.split("\n")
-        end
-        headers['Set-Cookie'] = cookies.map do |cookie|
-          cookie !~ /(^|;\s)secure($|;)/ ? "#{cookie}; secure" : cookie
-        end.join("\n")
-      end
-    end
-    # see http://en.wikipedia.org/wiki/Strict_Transport_Security
-    def set_hsts_headers!(headers)
-      opts = { :expires => 31536000, :subdomains => true }
-      opts.merge!(@options[:hsts]) if @options[:hsts].is_a? Hash
-      value  = "max-age=#{opts[:expires]}"
-      value += "; includeSubDomains" if opts[:subdomains]
-      headers.merge!({ 'Strict-Transport-Security' => value })
-    end
-  end
-end
+require 'rack/ssl-enforcer/constraint'
+module Rack
+  class SslEnforcer
+    CONSTRAINTS_BY_TYPE = {
+      :hosts        => [:only_hosts, :except_hosts],
+      :agents       => [:only_agents, :except_agents],
+      :path         => [:only, :except],
+      :methods      => [:only_methods, :except_methods],
+      :environments => [:only_environments, :except_environments]
+    }
+    # Warning: If you set the option force_secure_cookies to false, make sure that your cookies
+    # are encoded and that you understand the consequences (see documentation)
+    def initialize(app, options={})
+      default_options = {
+        :redirect_to          => nil,
+        :redirect_code        => nil,
+        :strict               => false,
+        :mixed                => false,
+        :hsts                 => nil,
+        :http_port            => nil,
+        :https_port           => nil,
+        :force_secure_cookies => true,
+        :redirect_html        => nil,
+        :before_redirect      => nil
+      }
+      CONSTRAINTS_BY_TYPE.values.each do |constraints|
+        constraints.each { |constraint| default_options[constraint] = nil }
+      end
+      @app, @options = app, default_options.merge(options)
+    end
+    def call(env)
+      @request = Rack::Request.new(env)
+      return @app.call(env) if ignore?
+      @scheme = if enforce_ssl?
+        'https'
+      elsif enforce_non_ssl?
+        'http'
+      end
+      if redirect_required?
+        call_before_redirect
+        modify_location_and_redirect
+      elsif ssl_request?
+        status, headers, body = @app.call(env)
+        flag_cookies_as_secure!(headers) if @options[:force_secure_cookies]
+        set_hsts_headers!(headers) if @options[:hsts] && !@options[:strict]
+        [status, headers, body]
+      else
+        @app.call(env)
+      end
+    end
+  private
+    def redirect_required?
+      scheme_mismatch? || host_mismatch?
+    end
+    def ignore?
+      if @options[:ignore]
+        rules = [@options[:ignore]].flatten.compact
+        rules.any? do |rule|
+          SslEnforcerConstraint.new(:ignore, rule, @request).matches?
+        end
+      else
+        false
+      end
+    end
+    def scheme_mismatch?
+      @scheme && @scheme != current_scheme
+    end
+    def host_mismatch?
+      destination_host && destination_host != @request.host
+    end
+    def call_before_redirect
+       @options[:before_redirect].call(@request) unless @options[:before_redirect].nil?
+    end
+    def modify_location_and_redirect
+      location = "#{current_scheme}://#{@request.host}#{@request.fullpath}"
+      location = replace_scheme(location, @scheme)
+      location = replace_host(location, @options[:redirect_to])
+      redirect_to(location)
+    end
+    def redirect_to(location)
+      body = []
+      body << "<html><body>You are being <a href=\"#{location}\">redirected</a>.</body></html>" if @options[:redirect_html].nil?
+      body << @options[:redirect_html] if @options[:redirect_html].is_a?(String)
+      body = @options[:redirect_html] if @options[:redirect_html].respond_to?('each')
+      [@options[:redirect_code] || 301, { 'Content-Type' => 'text/html', 'Location' => location }, body]
+    end
+    def ssl_request?
+      current_scheme == 'https'
+    end
+    def destination_host
+      if @options[:redirect_to]
+        host_parts = URI.split(URI.encode(@options[:redirect_to]))
+        host_parts[2] || host_parts[5]
+      end
+    end
+    # Fixed in rack >= 1.3
+    def current_scheme
+      if @request.env['HTTPS'] == 'on' || @request.env['HTTP_X_SSL_REQUEST'] == 'on'
+        'https'
+      elsif @request.env['HTTP_X_FORWARDED_PROTO']
+        @request.env['HTTP_X_FORWARDED_PROTO'].split(',')[0]
+      else
+        @request.scheme
+      end
+    end
+    def enforce_ssl_for?(keys)
+      provided_keys = keys.select { |key| @options[key] }
+      if provided_keys.empty?
+        true
+      else
+        provided_keys.all? do |key|
+          rules = [@options[key]].flatten.compact
+          rules.send([:except_hosts, :except_agents, :except_environments, :except].include?(key) ? :all? : :any?) do |rule|
+            SslEnforcerConstraint.new(key, rule, @request).matches?
+          end
+        end
+      end
+    end
+    def enforce_non_ssl?
+      @options[:strict] || @options[:mixed] && !(@request.request_method == 'PUT' || @request.request_method == 'POST')
+    end
+    def enforce_ssl?
+      CONSTRAINTS_BY_TYPE.inject(true) do |memo, (type, keys)|
+        memo && enforce_ssl_for?(keys)
+      end
+    end
+    def replace_scheme(uri, scheme)
+      return uri if not scheme_mismatch?
+      port = adjust_port_to(scheme)
+      uri_parts = URI.split(URI.encode(uri))
+      uri_parts[3] = port unless port.nil?
+      uri_parts[0] = scheme
+      URI::HTTP.new(*uri_parts).to_s
+    end
+    def replace_host(uri, host)
+      return uri unless host_mismatch?
+      host_parts = URI.split(URI.encode(host))
+      new_host = host_parts[2] || host_parts[5]
+      uri_parts = URI.split(URI.encode(uri))
+      uri_parts[2] = new_host
+      URI::HTTPS.new(*uri_parts).to_s
+    end
+    def adjust_port_to(scheme)
+      if scheme == 'https'
+        @options[:https_port] if @options[:https_port] && @options[:https_port] != URI::HTTPS.default_port
+      elsif scheme == 'http'
+        @options[:http_port] if @options[:http_port] && @options[:http_port] != URI::HTTP.default_port
+      end
+    end
+    # see http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_theft_and_session_hijacking
+    def flag_cookies_as_secure!(headers)
+      if cookies = headers['Set-Cookie']
+        # Support Rails 2.3 / Rack 1.1 arrays as headers
+        unless cookies.is_a?(Array)
+          cookies = cookies.split("\n")
+        end
+        headers['Set-Cookie'] = cookies.map do |cookie|
+          cookie !~ /(^|;\s)secure($|;)/ ? "#{cookie}; secure" : cookie
+        end.join("\n")
+      end
+    end
+    # see http://en.wikipedia.org/wiki/Strict_Transport_Security
+    def set_hsts_headers!(headers)
+      opts = { :expires => 31536000, :subdomains => true }
+      opts.merge!(@options[:hsts]) if @options[:hsts].is_a? Hash
+      value  = "max-age=#{opts[:expires]}"
+      value += "; includeSubDomains" if opts[:subdomains]
+      headers.merge!({ 'Strict-Transport-Security' => value })
+    end
+  end
+end

data/lib/rack/ssl-enforcer/constraint.rb CHANGED

@@ -1,42 +1,42 @@
-class SslEnforcerConstraint
-  def initialize(name, rule, request)
-    @name    = name
-    @rule    = rule
-    @request = request
-  end
-  def matches?
-    if @rule.is_a?(String) && [:only, :except].include?(@name)
-      result = tested_string[0, @rule.size].send(operator, @rule)
-    else
-      result = tested_string.send(operator, @rule)
-    end
-    negate_result? ? !result : result
-  end
-private
-  def negate_result?
-    @name.to_s =~ /except/
-  end
-  def operator
-    @rule.is_a?(Regexp) ? "=~" : "=="
-  end
-  def tested_string
-    case @name.to_s
-    when /hosts/
-      @request.host
-    when /methods/
-      @request.request_method
-    when /environments/
-      ENV["RACK_ENV"] || ENV["RAILS_ENV"] || ENV["ENV"]
-    when /agents/
-      @request.user_agent
-    else
-      @request.path
-    end
-  end
-end
+class SslEnforcerConstraint
+  def initialize(name, rule, request)
+    @name    = name
+    @rule    = rule
+    @request = request
+  end
+  def matches?
+    if @rule.is_a?(String) && [:only, :except].include?(@name)
+      result = tested_string[0, @rule.size].send(operator, @rule)
+    else
+      result = tested_string.send(operator, @rule)
+    end
+    negate_result? ? !result : result
+  end
+private
+  def negate_result?
+    @name.to_s =~ /except/
+  end
+  def operator
+    @rule.is_a?(Regexp) ? "=~" : "=="
+  end
+  def tested_string
+    case @name.to_s
+    when /hosts/
+      @request.host
+    when /methods/
+      @request.request_method
+    when /environments/
+      ENV["RACK_ENV"] || ENV["RAILS_ENV"] || ENV["ENV"]
+    when /agents/
+      @request.user_agent
+    else
+      @request.path
+    end
+  end
+end

data/lib/rack/ssl-enforcer/version.rb CHANGED

@@ -1,5 +1,5 @@
-module Rack
-  class SslEnforcer
-    VERSION = "0.2.6"
-  end
-end
+module Rack
+  class SslEnforcer
+    VERSION = "0.2.7"
+  end
+end

metadata CHANGED

@@ -1,8 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-ssl-enforcer
 version: !ruby/object:Gem::Version
-  version: 0.2.6
-  prerelease:
+  version: 0.2.7
 platform: ruby
 authors:
 - Tobias Matthies
@@ -10,12 +9,11 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-09-18 00:00:00.000000000 Z
+date: 2014-05-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -23,7 +21,6 @@ dependencies:
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -31,7 +28,6 @@ dependencies:
 - !ruby/object:Gem::Dependency
   name: test-unit
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -39,7 +35,6 @@ dependencies:
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -47,7 +42,6 @@ dependencies:
 - !ruby/object:Gem::Dependency
   name: shoulda
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -55,7 +49,6 @@ dependencies:
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -63,7 +56,6 @@ dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -71,7 +63,6 @@ dependencies:
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -79,7 +70,6 @@ dependencies:
 - !ruby/object:Gem::Dependency
   name: rack-test
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -87,7 +77,6 @@ dependencies:
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -108,29 +97,25 @@ files:
 - README.md
 homepage: http://github.com/tobmatth/rack-ssl-enforcer
 licenses: []
+metadata: {}
 post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
-      segments:
-      - 0
-      hash: 1004214355
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: 1.3.6
 requirements: []
 rubyforge_project: rack-ssl-enforcer
-rubygems_version: 1.8.25
+rubygems_version: 2.0.4
 signing_key:
-specification_version: 3
+specification_version: 4
 summary: A simple Rack middleware to enforce SSL
 test_files: []