[英]Rails + SSL: Per controller or application-wide?
I could use some wisdom from any developers who have worked with Rails and SSL. 我可以使用任何使用过Rails和SSL的开发人员的智慧。 I have a fairly simple app and I'm in the process of implementing payment processing. 我有一个相当简单的应用程序,我正在实施付款处理。 Obviously payment processing calls for SSL, so I'm setting that up now. 显然,付款处理需要SSL,所以我现在正在设置它。
My intention when I started working on this today was to find the simplest / cleanest way to enforce SSL on specific controller actions - namely anything having to do with payment. 我今天开始研究这个问题时的目的是找到在特定控制器操作上强制执行SSL的最简单/最干净的方法 - 即与付款有关的任何事情。 I figured there was no reason to run the rest of my site on SSL. 我认为没有理由在SSL上运行我的其余网站。
I found the ssl_requirement gem which seems to take care of setting SSL per-controller-action without much difficulty, so that's good. 我找到了ssl_requirement gem ,它似乎很轻松地设置了SSL per-controller-action,所以这很好。 I also found this question which seems to indicate that handling SSL with a gem is now out-of-style. 我还发现这个问题似乎表明用gem处理SSL现在已经不合时宜了。
I also found several answers / comments etc. suggesting that a site should just use Rack middleware like Rack-SSL to force the entire site to SSL mode. 我还发现了几个答案/评论等,表明网站应该使用像Rack-SSL这样的Rack中间件来强制整个网站进入SSL模式。
So now I'm kind of confused, and not sure what I should do. 所以现在我有点困惑,不知道该怎么做。 Could anyone with experience working with Rails 3 and SSL help me understand: 任何有使用Rails 3和SSL经验的人都可以帮助我理解:
ssl-requirement
gem or whether I should just use the new routing and link helper options... 如果per-controller是要走的路,那么使用ssl-requirement
demand gem是否有意义,或者我是否应该使用新的路由和链接帮助器选项...... I'd very much appreciate your insight, this has become a paralyzing decision for me. 我非常感谢你的见解,这对我来说已成为一个瘫痪的决定。 Thanks! 谢谢!
I've found myself "paralyzed" by this decision in the past, and here's what I think about each time. 我发现自己在过去的这个决定中“瘫痪了”,这就是我每次都想到的。
First, keep in mind that some browsers will throw pop-up warnings if you keep switching out of and into SSL, or if you serve some content (the page) with SSL and other content (images, css) without. 首先,请记住,如果您不断切换到SSL,或者如果您使用SSL和其他内容(图像,css)提供某些内容(页面),某些浏览器将抛出弹出警告。 Obviously that's not a good experience for users. 显然这对用户来说不是一个好的体验。
The only possible downside to requiring SSL everywhere is performance. 在任何地方要求SSL的唯一可能的缺点是性能。 But unless you're expecting 1000+ users/day who will be doing lots of things that *don't * require SSL, this is negligible. 但除非你期望每天有1000多名用户做很多*不需要SSL的事情,否则这个数字可以忽略不计。
SSL is handled at the Apache/Nginx/whatever level. SSL在Apache / Nginx /任何级别处理。 So if you decide to put your entire app behind SSL, it makes most sense to deal with it at the Webserver level (redirect http:/yoursite.com to https://yoursite.com . 因此,如果您决定将整个应用程序置于SSL之后,那么在Web服务器级别处理它是最有意义的(将http:/yoursite.com重定向到https://yoursite.com 。
And if, for performance reasons, you decide not to put everything behind SSL, then it still could make sense to handle SSL redirects at the Webserver level. 如果出于性能原因,您决定不将所有内容置于SSL之后,那么在Web服务器级别处理SSL重定向仍然有意义。 Allowing your user through your Webserver, then sending him through half Rails stack, just to boot him back out to start over again is very wasteful. 允许您的用户通过您的Web服务器,然后通过半个Rails堆栈发送他,只是为了让他重新启动以重新开始是非常浪费的。
Of course there's something to be said for simplicity and domains of knowledge, which would suggest handling redirects in your Rails app or middleware, since it "knows" what's safe and unsafe. 当然,为了简单和知识领域,有一些东西可以说,这将建议在Rails应用程序或中间件中处理重定向,因为它“知道”什么是安全和不安全的。
But those are things you'll have to weigh yourself. 但那些是你必须权衡自己的东西。 It depends on whether raw performance or simplicity of development/maintenance is more important. 这取决于原始性能或开发/维护的简单性是否更重要。
I usually end up with a virtual host for http://mysite.com which redirects everything (or sometimes only certain uris) to https://mysite.com/ $1. 我通常最终得到一个http://mysite.com的虚拟主机,它将所有内容(有时只有某些uris)重定向到https://mysite.com/ $ 1。 Hope that's helpful. 希望这很有帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.