rack-ssl-enforcer 0.2.8 → 0.2.9

@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA1:
3
+ metadata.gz: fee98e208302ce4570d8308c0a7c2c2bfe15ca0c
4
+ data.tar.gz: 3fc3e066e40919a1d4a011931db1ad3cc0c85bc5
5
+ SHA512:
6
+ metadata.gz: 6ab296839b4c4969dc0dd98570185d6553884e106b45c795658fde104f4494ccdcb40b1cfcf6636b855cbe1932bb2cf35269bdb9ab4c08df84a8e44554d42943
7
+ data.tar.gz: 599f268fe46a56b99d6e26d57d0b341b7547a89e3d772dd7f838dc9d49a6a3271b516a4639166d4114af3d635e4b43db5b3a844e52a6fb84d486c77e31aa56f6
data/README.md CHANGED
@@ -263,6 +263,25 @@ In the `location` block for your app's SSL configuration, include the following
263
263
 
264
264
  `proxy_set_header X-Forwarded-Proto https;`
265
265
 
266
+ ### Nginx behind Load Balancer
267
+
268
+ The following instruction has been tested behind AWS ELB, but can be adapted to work behind any load balancer.
269
+ Specifically, the options below account for termination of SSL at the load balancer (HTTP only communication between load balancer and server), and HTTP only health checks.
270
+
271
+ In the `location` block for your app's SSL configuration, reference the following proxy header configurations:
272
+
273
+ `proxy_set_header X-Forwarded-Proto $scheme;` & `proxy_redirect off;` & `proxy_set_header Host $http_host;` & `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
274
+
275
+ In `config/application.rb` for Rails 3 and above, `config/environment.rb` for Rails 2, work off the following line:
276
+
277
+ ```ruby
278
+ config.middleware.use Rack::SslEnforcer, ignore: lambda { |request| request.env["HTTP_X_FORWARDED_PROTO"].blank? }, strict: true
279
+ ```
280
+
281
+ This ignores ELB healthchecks and development environment as ELB healthchecks aren't forwarded requests, so it wouldn't have the forwarded proto header.
282
+
283
+ Same goes for when running without a proxy (like developemnt locally), making `:except_environments => 'development'` unecessary.
284
+
266
285
  ### Passenger
267
286
 
268
287
  Or, if you're using mod_rails/passenger (which will ignore the proxy_xxx directives):
@@ -47,7 +47,7 @@ module Rack
47
47
 
48
48
  if redirect_required?
49
49
  call_before_redirect
50
- modify_location_and_redirect
50
+ modify_location_and_redirect
51
51
  elsif ssl_request?
52
52
  status, headers, body = @app.call(env)
53
53
  flag_cookies_as_secure!(headers) if @options[:force_secure_cookies]
@@ -92,6 +92,8 @@ module Rack
92
92
  location = replace_scheme(location, @scheme)
93
93
  location = replace_host(location, @options[:redirect_to])
94
94
  redirect_to(location)
95
+ rescue URI::InvalidURIError
96
+ [400, { 'Content-Type' => 'text/plain'}, []]
95
97
  end
96
98
 
97
99
  def redirect_to(location)
@@ -119,7 +121,7 @@ module Rack
119
121
  if @request.env['HTTPS'] == 'on' || @request.env['HTTP_X_SSL_REQUEST'] == 'on'
120
122
  'https'
121
123
  elsif @request.env['HTTP_X_FORWARDED_PROTO']
122
- @request.env['HTTP_X_FORWARDED_PROTO'].split(',')[0]
124
+ @request.env['HTTP_X_FORWARDED_PROTO'].split(',')[0] || @request.scheme
123
125
  else
124
126
  @request.scheme
125
127
  end
@@ -193,10 +195,11 @@ module Rack
193
195
 
194
196
  # see http://en.wikipedia.org/wiki/Strict_Transport_Security
195
197
  def set_hsts_headers!(headers)
196
- opts = { :expires => 31536000, :subdomains => true }
198
+ opts = { :expires => 31536000, :subdomains => true, :preload => false }
197
199
  opts.merge!(@options[:hsts]) if @options[:hsts].is_a? Hash
198
200
  value = "max-age=#{opts[:expires]}"
199
201
  value += "; includeSubDomains" if opts[:subdomains]
202
+ value += "; preload" if opts[:preload]
200
203
  headers.merge!({ 'Strict-Transport-Security' => value })
201
204
  end
202
205
 
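Review bot: The `|| @request.scheme` fallback on new line 124 only covers an empty `X-Forwarded-Proto` header (`''.split(',')` is `[]`); a value with surrounding whitespace or upper case, such as `https, http` joined by a second proxy or `HTTPS`, still yields a string that is not equal to `'https'`, so the request is treated as plain HTTP and redirected, and if the proxy re-sends the same header that is a redirect loop rather than a one-off. I would normalise before comparing: `proto = @request.env['HTTP_X_FORWARDED_PROTO'].split(',').first.to_s.strip.downcase` followed by `proto.empty? ? @request.scheme : proto`. Whether the downstream scheme comparison is case-sensitive is not visible in this hunk, so confirm that before relying on the downcase. This branch also deserves a comment that the header is trusted unconditionally — a client that can reach the app without passing through the proxy can send `X-Forwarded-Proto: https` and skip enforcement, so the app must only be reachable via the proxy. The enclosing method begins outside the hunk.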
@@ -1,5 +1,5 @@
1
1
  module Rack
2
2
  class SslEnforcer
3
- VERSION = "0.2.8"
3
+ VERSION = "0.2.9"
4
4
  end
5
5
  end
metadata CHANGED
@@ -1,8 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack-ssl-enforcer
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.2.8
5
- prerelease:
4
+ version: 0.2.9
6
5
  platform: ruby
7
6
  authors:
8
7
  - Tobias Matthies
@@ -10,86 +9,76 @@ authors:
10
9
  autorequire:
11
10
  bindir: bin
12
11
  cert_chain: []
13
- date: 2014-07-18 00:00:00.000000000 Z
12
+ date: 2015-07-22 00:00:00.000000000 Z
14
13
  dependencies:
15
14
  - !ruby/object:Gem::Dependency
16
15
  name: bundler
17
16
  requirement: !ruby/object:Gem::Requirement
18
- none: false
19
17
  requirements:
20
- - - ~>
18
+ - - "~>"
21
19
  - !ruby/object:Gem::Version
22
20
  version: '1.0'
23
21
  type: :development
24
22
  prerelease: false
25
23
  version_requirements: !ruby/object:Gem::Requirement
26
- none: false
27
24
  requirements:
28
- - - ~>
25
+ - - "~>"
29
26
  - !ruby/object:Gem::Version
30
27
  version: '1.0'
31
28
  - !ruby/object:Gem::Dependency
32
29
  name: test-unit
33
30
  requirement: !ruby/object:Gem::Requirement
34
- none: false
35
31
  requirements:
36
- - - ~>
32
+ - - "~>"
37
33
  - !ruby/object:Gem::Version
38
34
  version: '2.3'
39
35
  type: :development
40
36
  prerelease: false
41
37
  version_requirements: !ruby/object:Gem::Requirement
42
- none: false
43
38
  requirements:
44
- - - ~>
39
+ - - "~>"
45
40
  - !ruby/object:Gem::Version
46
41
  version: '2.3'
47
42
  - !ruby/object:Gem::Dependency
48
43
  name: shoulda
49
44
  requirement: !ruby/object:Gem::Requirement
50
- none: false
51
45
  requirements:
52
- - - ~>
46
+ - - "~>"
53
47
  - !ruby/object:Gem::Version
54
48
  version: 2.11.3
55
49
  type: :development
56
50
  prerelease: false
57
51
  version_requirements: !ruby/object:Gem::Requirement
58
- none: false
59
52
  requirements:
60
- - - ~>
53
+ - - "~>"
61
54
  - !ruby/object:Gem::Version
62
55
  version: 2.11.3
63
56
  - !ruby/object:Gem::Dependency
64
57
  name: rack
65
58
  requirement: !ruby/object:Gem::Requirement
66
- none: false
67
59
  requirements:
68
- - - ~>
60
+ - - "~>"
69
61
  - !ruby/object:Gem::Version
70
62
  version: 1.2.0
71
63
  type: :development
72
64
  prerelease: false
73
65
  version_requirements: !ruby/object:Gem::Requirement
74
- none: false
75
66
  requirements:
76
- - - ~>
67
+ - - "~>"
77
68
  - !ruby/object:Gem::Version
78
69
  version: 1.2.0
79
70
  - !ruby/object:Gem::Dependency
80
71
  name: rack-test
81
72
  requirement: !ruby/object:Gem::Requirement
82
- none: false
83
73
  requirements:
84
- - - ~>
74
+ - - "~>"
85
75
  - !ruby/object:Gem::Version
86
76
  version: 0.5.4
87
77
  type: :development
88
78
  prerelease: false
89
79
  version_requirements: !ruby/object:Gem::Requirement
90
- none: false
91
80
  requirements:
92
- - - ~>
81
+ - - "~>"
93
82
  - !ruby/object:Gem::Version
94
83
  version: 0.5.4
95
84
  description: Rack::SslEnforcer is a simple Rack middleware to enforce ssl connections
@@ -100,37 +89,33 @@ executables: []
100
89
  extensions: []
101
90
  extra_rdoc_files: []
102
91
  files:
103
- - lib/rack/ssl-enforcer/constraint.rb
104
- - lib/rack/ssl-enforcer/version.rb
105
- - lib/rack/ssl-enforcer.rb
106
- - lib/rack-ssl-enforcer.rb
107
92
  - LICENSE
108
93
  - README.md
94
+ - lib/rack-ssl-enforcer.rb
95
+ - lib/rack/ssl-enforcer.rb
96
+ - lib/rack/ssl-enforcer/constraint.rb
97
+ - lib/rack/ssl-enforcer/version.rb
109
98
  homepage: http://github.com/tobmatth/rack-ssl-enforcer
110
99
  licenses: []
100
+ metadata: {}
111
101
  post_install_message:
112
102
  rdoc_options: []
113
103
  require_paths:
114
104
  - lib
115
105
  required_ruby_version: !ruby/object:Gem::Requirement
116
- none: false
117
106
  requirements:
118
- - - ! '>='
107
+ - - ">="
119
108
  - !ruby/object:Gem::Version
120
109
  version: '0'
121
- segments:
122
- - 0
123
- hash: -530063583
124
110
  required_rubygems_version: !ruby/object:Gem::Requirement
125
- none: false
126
111
  requirements:
127
- - - ! '>='
112
+ - - ">="
128
113
  - !ruby/object:Gem::Version
129
114
  version: 1.3.6
130
115
  requirements: []
131
116
  rubyforge_project: rack-ssl-enforcer
132
- rubygems_version: 1.8.25
117
+ rubygems_version: 2.4.8
133
118
  signing_key:
134
- specification_version: 3
119
+ specification_version: 4
135
120
  summary: A simple Rack middleware to enforce SSL
136
121
  test_files: []