diff options
author | Henare Degan <henare.degan@gmail.com> | 2013-03-14 14:33:17 +1100 |
---|---|---|
committer | Henare Degan <henare.degan@gmail.com> | 2013-03-14 14:33:17 +1100 |
commit | 48c6f8077429dd86da27a52be20c97cc583f31a9 (patch) | |
tree | 78d74660677a3a63659260c982dabfade692749d /doc/INSTALL.md | |
parent | 2f6af09899e2822121d060db55fdd78b15f099db (diff) | |
parent | d8a5de249bfeb41317d64e7efbaab71da1ede00d (diff) |
Merge remote-tracking branch 'mysociety/develop' into rails-3-develop
Conflicts:
Gemfile
Gemfile.lock
app/controllers/admin_request_controller.rb
app/controllers/admin_track_controller.rb
app/controllers/request_controller.rb
app/controllers/services_controller.rb
app/helpers/link_to_helper.rb
app/mailers/request_mailer.rb
app/models/application_mailer.rb
app/models/info_request.rb
app/views/admin_censor_rule/edit.html.erb
app/views/admin_censor_rule/new.html.erb
app/views/admin_public_body/_form.html.erb
app/views/admin_public_body/_locale_selector.html.erb
app/views/admin_public_body/_one_list.html.erb
app/views/admin_public_body/edit.html.erb
app/views/admin_public_body/list.html.erb
app/views/admin_public_body/new.html.erb
app/views/admin_request/_incoming_message_actions.html.erb
app/views/admin_request/edit.html.erb
app/views/admin_request/edit_comment.html.erb
app/views/admin_request/edit_outgoing.html.erb
app/views/admin_request/list.html.erb
app/views/admin_request/list_old_unclassified.html.erb
app/views/admin_request/show.html.erb
app/views/admin_track/_some_tracks.html.erb
app/views/admin_track/list.html.erb
app/views/admin_user/edit.html.erb
app/views/admin_user/list.html.erb
app/views/admin_user/show.html.erb
app/views/general/_footer.html.erb
app/views/general/exception_caught.html.erb
app/views/help/contact.html.erb
app/views/layouts/default.html.erb
app/views/public_body/_alphabet.html.erb
app/views/request/_request_listing_single.html.erb
app/views/request/_sidebar.html.erb
app/views/request/new.html.erb
app/views/request/show.html.erb
app/views/request_mailer/external_response.rhtml
app/views/request_mailer/fake_response.rhtml
config/environment.rb
config/environments/production.rb
config/routes.rb
spec/controllers/admin_censor_rule_controller_spec.rb
spec/controllers/request_controller_spec.rb
spec/controllers/track_controller_spec.rb
spec/helpers/link_to_helper_spec.rb
spec/mailers/request_mailer_spec.rb
spec/models/info_request_spec.rb
spec/spec_helper.rb
spec/views/public_body/show.html.erb_spec.rb
spec/views/request/show.html.erb_spec.rb
vendor/plugins/rails_xss/lib/rails_xss/erubis.rb
Diffstat (limited to 'doc/INSTALL.md')
-rw-r--r-- | doc/INSTALL.md | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/doc/INSTALL.md b/doc/INSTALL.md index fc571b990..b9e2c6cb1 100644 --- a/doc/INSTALL.md +++ b/doc/INSTALL.md @@ -370,6 +370,34 @@ Under all but light loads, it is strongly recommended to run the server behind an http accelerator like Varnish. A sample varnish VCL is supplied in `../conf/varnish-alaveteli.vcl`. +It's strongly recommended that you run the site over SSL. (Set FORCE_SSL to true in +config/general.yml). For this you will need an SSL certificate for your domain and you will +need to configure an SSL terminator to sit in front of Varnish. If you're already using Apache +as a web server you could simply use Apache as the SSL terminator. A minimal configuration +would look something like this: + +<VirtualHost *:443> + ServerName www.yourdomain + + ProxyRequests Off + ProxyPreserveHost On + ProxyPass / http://localhost:80/ + ProxyPassReverse / http://localhost:80/ + RequestHeader set X-Forwarded-Proto 'https' + + SSLEngine on + SSLProtocol all -SSLv2 + SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM + + SSLCertificateFile /etc/apache2/ssl/ssl.crt + SSLCertificateKeyFile /etc/apache2/ssl/ssl.key + SSLCertificateChainFile /etc/apache2/ssl/sub.class2.server.ca.pem + SSLCACertificateFile /etc/apache2/ssl/ca.pem + SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown +</VirtualHost> + +Notice the line "RequestHeader" that sets the X_FORWARDED_PROTO header. This is important. This ultimately tells Rails that it's serving a page over https and so it knows to include that in any absolute urls it serves. + Some [production server best practice notes](https://github.com/mysociety/alaveteli/wiki/Production-Server-Best-Practices) are evolving on the wiki. |