-rw-r--r-- | Gemfile | 2 | ||||
-rw-r--r-- | Gemfile.lock | 5 | ||||
-rw-r--r-- | config/environments/development.rb | 2 | ||||
-rw-r--r-- | config/general.yml-example | 5 | ||||
-rw-r--r-- | lib/configuration.rb | 1 |
5 files changed, 14 insertions, 1 deletions
@@ -43,6 +43,8 @@ gem 'syslog_protocol'
 gem 'newrelic_rpm'
 # erubis is required by rails_xss. Both erubis and rails_xss can be removed after upgrading to Rails 3.
 gem 'erubis'
+# rack-ssl won't be needed on upgrade to Rails 3.1 as something like it is baked in
+gem 'rack-ssl'
 group :test do
 gem 'fakeweb'
diff --git a/Gemfile.lock b/Gemfile.lock
index c346a318c..548029163 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -90,7 +90,9 @@ GEM
 newrelic_rpm (3.5.4.34)
 pg (0.13.2)
 polyglot (0.3.3)
- rack (1.1.5)
+ rack (1.1.6)
+ rack-ssl (1.3.3)
+ rack
 rake (0.9.2.2)
 rbx-require-relative (0.0.9)
 rdoc (2.4.3)
@@ -173,6 +175,7 @@ DEPENDENCIES
 newrelic_rpm
 pg
 rack (~> 1.1.0)
+rack-ssl
 rails!
 rake (= 0.9.2.2)
 rdoc (~> 2.4.3)
diff --git a/config/environments/development.rb b/config/environments/development.rb
index c43cdb049..04680f17c 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -27,3 +27,5 @@ config.action_mailer.smtp_settings = { :address => "localhost", :port => 1025 }
 # unintentionally kept references to objects, especially strings.
 # require 'memory_profiler'
 # MemoryProfiler.start :string_debug => true, :delay => 10
+
+config.middleware.insert_after ActionController::Failsafe, "Rack::SSL" if ::Configuration::force_ssl
diff --git a/config/general.yml-example b/config/general.yml-example
index bfe289541..4b9c22f79 100644
--- a/config/general.yml-example
+++ b/config/general.yml-example
@@ -12,6 +12,11 @@ SITE_NAME: 'Alaveteli'
 # Domain used in URLs generated by scripts (e.g. for going in some emails)
 DOMAIN: '127.0.0.1:3000'
+# If true forces everyone (in the production environment) to use encrypted connections
+# (via https) by redirecting unencrypted connections. This is *highly* recommended
+# so that logins can't be intercepted by naughty people.
+FORCE_SSL: true
+
 # ISO country code of country currrently deployed in
 # (http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2)
 ISO_COUNTRY_CODE: GB
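Review bot: The added `gem 'rack-ssl'` line carries no version constraint, while the `rack (~> 1.1.0)` entry visible in Gemfile.lock's DEPENDENCIES shows the project does pin its rack-level dependencies. Gemfile.lock resolves the new gem to rack-ssl 1.3.3, so a pessimistic constraint `gem 'rack-ssl', '~> 1.3.3'` keeps the declared dependency in step with the lock and stops a future `bundle update` from silently pulling a larger change into the middleware that decides whether a request gets redirected to HTTPS. The `group :test do` block the hunk ends on continues outside it.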
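Review bot: The Rack::SSL insertion is added only to config/environments/development.rb, yet the new FORCE_SSL comment in config/general.yml-example says it forces encrypted connections "in the production environment"; none of the five files in the diffstat is config/environments/production.rb, so as committed the redirect appears to apply to development and not to production, which is the environment the comment is describing. Either the `config.middleware.insert_after ActionController::Failsafe, "Rack::SSL" if ::Configuration::force_ssl` line belongs in production.rb (or in a file loaded for every environment), or the example comment should state where the setting actually takes effect. Two deployment caveats would be worth adding to that yml-example comment: rack-ssl judges whether a request is already secure from the request scheme and forwarded-proto style headers, so a reverse proxy terminating TLS in front of the app must forward `X-Forwarded-Proto: https` or every request redirects in a loop, and, if I recall rack-ssl 1.3 correctly, it also sends a Strict-Transport-Security header by default, which browsers cache and which makes enabling it on a host that is not fully HTTPS-ready awkward to undo. The `::Configuration::force_ssl` accessor is not defined in the visible lib/configuration.rb hunk, which only adds the `:FORCE_SSL => true` default; presumably the module derives accessors from that hash, which is worth confirming.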
diff --git a/lib/configuration.rb b/lib/configuration.rb
index 11fe1c56e..28a4023a8 100644
--- a/lib/configuration.rb
+++ b/lib/configuration.rb
@@ -20,6 +20,7 @@ module Configuration
 :EXCEPTION_NOTIFICATIONS_FROM => '',
 :EXCEPTION_NOTIFICATIONS_TO => '',
 :FORCE_REGISTRATION_ON_NEW_REQUEST => false,
+:FORCE_SSL => true,
 :FORWARD_NONBOUNCE_RESPONSES_TO => 'user-support@localhost',
 :FRONTPAGE_PUBLICBODY_EXAMPLES => '',
 :GA_CODE => '', |