What does force_ssl do in Rails?
In a previous question I found out that I should be setting up nginx SSL termination and not having Rails process encrypted data.
Then why does the following exist?
config.force_ssl = true
I see this commented out in the production config file. But if the expectation is that nginx will handle all the SSL stuff so that my Rails app doesn't deal with encrypted data, then what does
config.force_ssl = true
do?
Should I leave it commented out in production if I know I will always be using nginx?
It doesn't just force your browser to redirect HTTP to HTTPS. It also sets your cookies to be marked "secure", and it enables HSTS, each of which is a very good protection against SSL stripping.
Even though HTTPS protects your app at "https://example.com/yourapp" against MITM attacks, if someone gets between your client and your server they can rather easily get you to visit "http://example.com/yourapp". With neither of the above protections, your browser will happily send the session cookie to the person doing the MITM.
Setting config.force_ssl includes ActionDispatch::SSL. The ActionDispatch::SSL docs describe the functionality as follows (emphases added for clarity):
See the includes here and the docs for ActionDispatch::SSL here.
This middleware is added to the stack when config.force_ssl = true, and is passed the options set in config.ssl_options. It does three jobs to enforce secure HTTP requests:
TLS redirect: Permanently redirects http:// requests to https:// with the same URL host, path, etc. Enabled by default. Set config.ssl_options to modify the destination URL (e.g. redirect: { host: "secure.widgets.com", port: 8080 }), or set redirect: false to disable this feature.
Secure cookies: Sets the secure flag on cookies to tell browsers they mustn't be sent along with http:// requests. Enabled by default. Set config.ssl_options with secure_cookies: false to disable this feature.
HTTP Strict Transport Security (HSTS): Tells the browser to remember this site as TLS-only and automatically redirect non-TLS requests. Enabled by default. Configure config.ssl_options with hsts: false to disable. Set config.ssl_options with hsts: { … } to configure HSTS:
expires: How long, in seconds, these settings will stick. Defaults to 180.days (recommended). The minimum required to qualify for browser preload lists is 18.weeks.
subdomains: Set to true to tell the browser to apply these settings to all subdomains. This protects your cookies from interception by a vulnerable site on a subdomain. Defaults to true.
preload: Advertise that this site may be included in browsers' preloaded HSTS lists. HSTS protects your site on every visit except the first visit since it hasn't seen your HSTS header yet.
hsts: false is a shortcut for hsts: { expires: 0 }.
Requests can opt out of redirection with exclude:
config.ssl_options = { redirect: { exclude: -> request { request.path =~ /healthcheck/ } } }
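The three jobs the quoted docs describe, plus the exclude lambda just above, as an added Ruby illustration that is not Rails' own code: a small Rack-style middleware (no rack gem needed) that mimics what ActionDispatch::SSL does with a request. It assumes the usual Rack env keys, a constructed sample app that sets a session cookie, and that the TLS-terminating proxy forwards the original scheme in the X-Forwarded-Proto header, which is how a Rails app behind nginx learns that the client actually used HTTPS even though nginx hands it plain HTTP.

```ruby
# Added illustration, not Rails' own code: a tiny Rack-style middleware that
# mimics the three jobs ActionDispatch::SSL performs (TLS redirect, secure
# cookies, HSTS). Assumes the usual Rack env keys and that a TLS-terminating
# proxy such as nginx forwards the original scheme in X-Forwarded-Proto.
DemoRequest = Struct.new(:path) # just enough for the exclude lambda

class ForceSslDemo
  HSTS_EXPIRES = 180 * 24 * 60 * 60 # 180.days in seconds, the Rails default

  # redirect: options hash (host:, port:, exclude:) or false to disable
  # hsts:     options hash (expires:, subdomains:, preload:) or false to disable
  def initialize(app, redirect: {}, secure_cookies: true, hsts: {})
    @app = app
    @redirect = redirect
    @secure_cookies = secure_cookies
    @hsts = hsts
  end

  def call(env)
    request = DemoRequest.new(env["PATH_INFO"])
    if ssl?(env)
      status, headers, body = @app.call(env)
      headers = headers.dup
      headers["Strict-Transport-Security"] = hsts_header if @hsts
      flag_cookies_secure(headers) if @secure_cookies && !excluded?(request)
      [status, headers, body]
    else
      return redirect_to_https(env) if @redirect && !excluded?(request)
      @app.call(env) # excluded paths (e.g. a health check) are served over HTTP
    end
  end

  private

  # Trust the scheme the proxy forwarded, as Rails' request.ssl? does.
  def ssl?(env)
    env["rack.url_scheme"] == "https" || env["HTTP_X_FORWARDED_PROTO"] == "https"
  end

  def excluded?(request)
    exclude = @redirect.is_a?(Hash) && @redirect[:exclude]
    exclude ? !!exclude.call(request) : false
  end

  def redirect_to_https(env)
    opts = @redirect.is_a?(Hash) ? @redirect : {}
    location = "https://#{opts[:host] || env['HTTP_HOST']}"
    location += ":#{opts[:port]}" if opts[:port]
    location += env["PATH_INFO"].to_s
    location += "?#{env['QUERY_STRING']}" unless env["QUERY_STRING"].to_s.empty?
    # 301 for GET/HEAD, 307 otherwise, so non-GET bodies survive the redirect
    status = %w[GET HEAD].include?(env["REQUEST_METHOD"]) ? 301 : 307
    [status, { "Content-Type" => "text/html", "Location" => location }, []]
  end

  # Append "; secure" to every Set-Cookie value that lacks the flag.
  def flag_cookies_secure(headers)
    return unless headers["Set-Cookie"]
    headers["Set-Cookie"] = headers["Set-Cookie"].split("\n").map { |cookie|
      cookie =~ /;\s*secure/i ? cookie : "#{cookie}; secure"
    }.join("\n")
  end

  def hsts_header
    opts = @hsts.is_a?(Hash) ? @hsts : {}
    value = "max-age=#{opts.fetch(:expires, HSTS_EXPIRES)}"
    value += "; includeSubDomains" if opts.fetch(:subdomains, true)
    value += "; preload" if opts[:preload]
    value
  end
end

# Constructed sample app: sets a session cookie, as a Rails app would.
DEMO_APP = lambda do |_env|
  [200, { "Content-Type" => "text/plain",
          "Set-Cookie" => "_session_id=abc123; path=/; HttpOnly" }, ["ok"]]
end

# Run one constructed request through the middleware, using the exclude
# lambda from the docs so /healthcheck stays reachable over plain HTTP.
def demo_call(path:, forwarded_proto: nil, verb: "GET")
  middleware = ForceSslDemo.new(
    DEMO_APP,
    redirect: { exclude: -> request { request.path =~ /healthcheck/ } }
  )
  env = { "REQUEST_METHOD" => verb, "PATH_INFO" => path, "QUERY_STRING" => "",
          "HTTP_HOST" => "example.com", "rack.url_scheme" => "http" }
  env["HTTP_X_FORWARDED_PROTO"] = forwarded_proto if forwarded_proto
  middleware.call(env)
end

if __FILE__ == $PROGRAM_NAME
  [["/yourapp", nil], ["/yourapp", "https"], ["/healthcheck", nil]].each do |path, proto|
    status, headers, _body = demo_call(path: path, forwarded_proto: proto)
    puts "#{proto || 'http'} #{path} -> #{status} #{headers.reject { |k, _| k == 'Content-Type' }}"
  end
end
```

Two things the run makes visible that answer the question about nginx: a plain-HTTP request for /yourapp gets a 301 to the https:// URL, while the same request carrying X-Forwarded-Proto: https reaches the app and comes back with the Strict-Transport-Security header and a secure-flagged cookie. If the proxy does not forward that header, every request looks like HTTP to the middleware and the redirect never stops, so nginx TLS termination and force_ssl work together only when nginx sets X-Forwarded-Proto.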
This setting forces HTTPS by redirecting HTTP requests to their HTTPS counterparts. So a browser visiting http://domain.com/path will be redirected to https://domain.com/path.
Leaving the setting commented out would allow both protocols.
You still have to configure your web server to handle HTTPS requests.
It forces all communication with the server to be encrypted and use SSL, i.e. through HTTPS.
When you include it in a controller, that controller will only accept HTTPS requests.
Helpful links: