Rails + SSL: Per controller or application-wide?

Problem description

I could use some wisdom from any developers who have worked with Rails and SSL. I have a fairly simple app and I'm in the process of implementing payment processing. Obviously payment processing calls for SSL, so I'm setting that up now.

My intention when I started working on this today was to find the simplest / cleanest way to enforce SSL on specific controller actions - namely anything having to do with payment. I figured there was no reason to run the rest of my site on SSL.

I found the ssl_requirement gem which seems to take care of setting SSL per-controller-action without much difficulty, so that's good. I also found this question which seems to indicate that handling SSL with a gem is now out-of-style.

I also found several answers / comments etc. suggesting that a site should just use Rack middleware like Rack-SSL to force the entire site to SSL mode.

So now I'm kind of confused, and not sure what I should do. Could anyone with experience working with Rails 3 and SSL help me understand:

  1. Whether I should force the whole site to SSL, or only per certain actions.
  2. What gotchas to look out for using SSL in Rails (I've never done it before).
  3. If per-controller is the way to go, whether it makes sense to use the ssl-requirement gem or whether I should just use the new routing and link helper options...

I'd very much appreciate your insight, this has become a paralyzing decision for me. Thanks!

Recommended answer

I've found myself "paralyzed" by this decision in the past, and here's what I think about each time.

First, keep in mind that some browsers will throw pop-up warnings if you keep switching out of and into SSL, or if you serve some content (the page) with SSL and other content (images, css) without. Obviously that's not a good experience for users.

  1. The only possible downside to requiring SSL everywhere is performance. But unless you're expecting 1000+ users/day who will be doing lots of things that *don't* require SSL, this is negligible.

SSL is handled at the Apache/Nginx/whatever level. So if you decide to put your entire app behind SSL, it makes most sense to deal with it at the Webserver level (redirect http://yoursite.com to https://yoursite.com).

And if, for performance reasons, you decide not to put everything behind SSL, then it still could make sense to handle SSL redirects at the Webserver level. Allowing your user through your Webserver, then sending him through half the Rails stack, just to boot him back out to start over again is very wasteful.

Of course there's something to be said for simplicity and domains of knowledge, which would suggest handling redirects in your Rails app or middleware, since it "knows" what's safe and unsafe.

But those are things you'll have to weigh yourself. It depends on whether raw performance or simplicity of development/maintenance is more important.

I usually end up with a virtual host for http://mysite.com which redirects everything (or sometimes only certain uris) to https://mysite.com/$1. Hope that's helpful.
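As an added illustration of the Rack-middleware approach the question and answer mention (example code written for this page, not from the asker, the answerer, or the Rack-SSL gem): a minimal middleware that redirects plain-HTTP requests to the same path on https, sets an HSTS header on responses actually served over TLS, and honours X-Forwarded-Proto only when the operator states that a trusted proxy sets it. The host names, paths and the `build_env`/`probe` helpers are constructed for the demonstration.

```ruby
# Rack-compatible middleware (constructed for this page, not the Rack-SSL gem).
class ForceSsl
  HSTS = 'max-age=31536000'.freeze # one year; browsers then refuse plain http

  def initialize(app, trust_proxy: false)
    @app = app
    @trust_proxy = trust_proxy
  end

  def call(env)
    return redirect_to_https(env) unless secure?(env)

    status, headers, body = @app.call(env)
    # HSTS only on responses actually served over TLS.
    headers['Strict-Transport-Security'] ||= HSTS
    [status, headers, body]
  end

  private

  # X-Forwarded-Proto is client-controllable unless a trusted proxy overwrites it,
  # so it is honoured only when the operator opts in.
  def secure?(env)
    return true if env['rack.url_scheme'] == 'https'
    @trust_proxy && env['HTTP_X_FORWARDED_PROTO'] == 'https'
  end

  def redirect_to_https(env)
    path = env['PATH_INFO'].to_s
    query = env['QUERY_STRING'].to_s
    path += "?#{query}" unless query.empty?
    [301, { 'Location' => "https://#{env['HTTP_HOST']}#{path}",
            'Content-Type' => 'text/plain' }, []]
  end
end

# Constructed request env, the shape a Rack server hands to middleware.
def build_env(scheme:, host:, path:, query: '', forwarded: nil)
  env = { 'rack.url_scheme' => scheme, 'HTTP_HOST' => host, 'REQUEST_METHOD' => 'GET',
          'PATH_INFO' => path, 'QUERY_STRING' => query }
  env['HTTP_X_FORWARDED_PROTO'] = forwarded if forwarded
  env
end

# Returns [status, Location, HSTS header] so behaviour can be checked without a server.
def probe(env, trust_proxy: false)
  app = ->(_e) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
  status, headers, _body = ForceSsl.new(app, trust_proxy: trust_proxy).call(env)
  [status, headers['Location'], headers['Strict-Transport-Security']]
end
```

In a Rails app this would sit in the middleware stack via `config.middleware.insert_before`, or, as the answer prefers, the same redirect is done once in the web server's http virtual host and the middleware only adds HSTS.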
