Merge remote-tracking branch 'mysociety/develop' into rails-3-develop

Conflicts:
	Gemfile
	Gemfile.lock
	app/controllers/admin_request_controller.rb
	app/controllers/admin_track_controller.rb
	app/controllers/request_controller.rb
	app/controllers/services_controller.rb
	app/helpers/link_to_helper.rb
	app/mailers/request_mailer.rb
	app/models/application_mailer.rb
	app/models/info_request.rb
	app/views/admin_censor_rule/edit.html.erb
	app/views/admin_censor_rule/new.html.erb
	app/views/admin_public_body/_form.html.erb
	app/views/admin_public_body/_locale_selector.html.erb
	app/views/admin_public_body/_one_list.html.erb
	app/views/admin_public_body/edit.html.erb
	app/views/admin_public_body/list.html.erb
	app/views/admin_public_body/new.html.erb
	app/views/admin_request/_incoming_message_actions.html.erb
	app/views/admin_request/edit.html.erb
	app/views/admin_request/edit_comment.html.erb
	app/views/admin_request/edit_outgoing.html.erb
	app/views/admin_request/list.html.erb
	app/views/admin_request/list_old_unclassified.html.erb
	app/views/admin_request/show.html.erb
	app/views/admin_track/_some_tracks.html.erb
	app/views/admin_track/list.html.erb
	app/views/admin_user/edit.html.erb
	app/views/admin_user/list.html.erb
	app/views/admin_user/show.html.erb
	app/views/general/_footer.html.erb
	app/views/general/exception_caught.html.erb
	app/views/help/contact.html.erb
	app/views/layouts/default.html.erb
	app/views/public_body/_alphabet.html.erb
	app/views/request/_request_listing_single.html.erb
	app/views/request/_sidebar.html.erb
	app/views/request/new.html.erb
	app/views/request/show.html.erb
	app/views/request_mailer/external_response.rhtml
	app/views/request_mailer/fake_response.rhtml
	config/environment.rb
	config/environments/production.rb
	config/routes.rb
	spec/controllers/admin_censor_rule_controller_spec.rb
	spec/controllers/request_controller_spec.rb
	spec/controllers/track_controller_spec.rb
	spec/helpers/link_to_helper_spec.rb
	spec/mailers/request_mailer_spec.rb
	spec/models/info_request_spec.rb
	spec/spec_helper.rb
	spec/views/public_body/show.html.erb_spec.rb
	spec/views/request/show.html.erb_spec.rb
	vendor/plugins/rails_xss/lib/rails_xss/erubis.rb

1 files changed, 28 insertions, 0 deletions

diff --git a/doc/INSTALL.md b/doc/INSTALL.md
index fc571b990..b9e2c6cb1 100644
--- a/doc/INSTALL.md
+++ b/doc/INSTALL.md
@@ -370,6 +370,34 @@ Under all but light loads, it is strongly recommended to run the
 server behind an http accelerator like Varnish.  A sample varnish VCL
 is supplied in `../conf/varnish-alaveteli.vcl`.
 
+It's strongly recommended that you run the site over SSL. (Set FORCE_SSL to true in
+config/general.yml). For this you will need an SSL certificate for your domain and you will
+need to configure an SSL terminator to sit in front of Varnish. If you're already using Apache
+as a web server you could simply use Apache as the SSL terminator. A minimal configuration
+would look something like this:
+
+<VirtualHost *:443>
+    ServerName www.yourdomain
+
+    ProxyRequests       Off
+    ProxyPreserveHost On
+    ProxyPass           /       http://localhost:80/
+    ProxyPassReverse    /       http://localhost:80/
+    RequestHeader set X-Forwarded-Proto 'https'
+
+    SSLEngine on
+    SSLProtocol all -SSLv2
+    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
+
+    SSLCertificateFile /etc/apache2/ssl/ssl.crt
+    SSLCertificateKeyFile /etc/apache2/ssl/ssl.key
+    SSLCertificateChainFile /etc/apache2/ssl/sub.class2.server.ca.pem
+    SSLCACertificateFile /etc/apache2/ssl/ca.pem
+    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
+</VirtualHost>
+
+Notice the line "RequestHeader" that sets the X_FORWARDED_PROTO header. This is important. This ultimately tells Rails that it's serving a page over https and so it knows to include that in any absolute urls it serves.
+
 Some
 [production server best practice notes](https://github.com/mysociety/alaveteli/wiki/Production-Server-Best-Practices)
 are evolving on the wiki.