Diffstat (limited to 'config')
-rw-r--r-- | config/environments/production.rb | 5 | ||||
-rw-r--r-- | config/general.yml-example | 19 | ||||
-rw-r--r-- | config/memcached.yml-test | 2 | ||||
-rw-r--r-- | config/test.yml | 9 | ||||
-rw-r--r-- | config/varnish-alaveteli.vcl | 40 |
5 files changed, 50 insertions, 25 deletions
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 20274cd2b..0c1929366 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -26,4 +26,9 @@ Alaveteli::Application.configure do
 :sender_address => AlaveteliConfiguration::exception_notifications_from,
 :exception_recipients => AlaveteliConfiguration::exception_notifications_to
 end
+
+ require 'rack/ssl'
+ if AlaveteliConfiguration::force_ssl
+ config.middleware.insert_before ActionDispatch::Cookies, ::Rack::SSL
+ end
 end
diff --git a/config/general.yml-example b/config/general.yml-example
index bfe289541..5005fda77 100644
--- a/config/general.yml-example
+++ b/config/general.yml-example
@@ -12,6 +12,11 @@ SITE_NAME: 'Alaveteli'
 # Domain used in URLs generated by scripts (e.g. for going in some emails)
 DOMAIN: '127.0.0.1:3000'
+# If true forces everyone (in the production environment) to use encrypted connections
+# (via https) by redirecting unencrypted connections. This is *highly* recommended
+# so that logins can't be intercepted by naughty people.
+FORCE_SSL: true
+
 # ISO country code of country currrently deployed in
 # (http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2)
 ISO_COUNTRY_CODE: GB
@@ -53,7 +58,6 @@ FRONTPAGE_PUBLICBODY_EXAMPLES: 'tgq'
 # script). Earlier in the list means the templates have a higher
 # priority.
 THEME_URLS:
- - 'git://github.com/mysociety/adminbootstraptheme.git'
 - 'git://github.com/mysociety/alavetelitheme.git'
 # When rails-post-deploy installs the themes it will try this branch first
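Review bot: Rack::SSL decides whether a request is already encrypted from the Rack request scheme, which (as far as I know) also honours a forwarded-protocol header, so with Varnish or another proxy in front the `if AlaveteliConfiguration::force_ssl` branch is only as strong as the proxy's handling of `X-Forwarded-Proto`. A comment above the `insert_before` line would help operators, for example `# Rack::SSL redirects http to https and marks cookies secure; the TLS terminator must set X-Forwarded-Proto itself and drop any client-supplied value`. Separately, `require 'rack/ssl'` runs even when the option is off; moving it inside the `if` keeps the dependency optional. The `configure` block opens outside this hunk.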
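Review bot: The new `FORCE_SSL` comment describes only the redirect, but the middleware this setting enables in production.rb is inserted with default options, and Rack::SSL's defaults (to my knowledge) also mark cookies `secure` and send a Strict-Transport-Security header. An operator who enables this without a valid certificate, or who later turns it off, can leave returning browsers unable to reach the site until the HSTS lifetime expires. I would extend the comment with a line such as `# Requires a working HTTPS endpoint with a valid certificate; browsers will remember to use https (HSTS) after the first visit.`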
@@ -100,19 +104,6 @@ TRACK_SENDER_NAME: 'Alaveteli Webmaster'
 # this up!
 RAW_EMAILS_LOCATION: 'files/raw_emails'
-# The base URL for admin pages, must always end with a '/'
-# e.g. https://www.example.com/secure/alaveteli-admin/
-# If not specified, it will default to the path to the admin controller,
-# which is usually what you want. It is useful in situations where admin
-# requests are proxied via a secure server, for example.
-ADMIN_BASE_URL: ''
-
-# Where /stylesheets sits under for admin pages. See asset_host in
-# config/environment.rb. Can be full domain or relative path (not an
-# absolute path beginning with /). Again, unlikely to want to change
-# this.
-ADMIN_PUBLIC_URL: ''
-
 # Secret key for signing cookie_store sessions
 COOKIE_STORE_SESSION_SECRET: 'your secret key here, make it long and random'
diff --git a/config/memcached.yml-test b/config/memcached.yml-test
deleted file mode 100644
index 18d959876..000000000
--- a/config/memcached.yml-test
+++ /dev/null
@@ -1,2 +0,0 @@
-test:
- disabled: true
\ No newline at end of file
diff --git a/config/test.yml b/config/test.yml
index ecd7c2898..fbec24346 100644
--- a/config/test.yml
+++ b/config/test.yml
@@ -71,15 +71,6 @@ CONTACT_NAME: 'Alaveteli Webmaster'
 # this up!
 RAW_EMAILS_LOCATION: 'files/raw_emails'
-# The base URL for admin pages. You probably don't want to change this.
-ADMIN_BASE_URL: ''
-
-# Where /stylesheets sits under for admin pages. See asset_host in
-# config/environment.rb. Can be full domain or relative path (not an
-# absolute path beginning with /). Again, unlikely to want to change
-# this.
-ADMIN_PUBLIC_URL: ''
-
 # Secret key for signing cookie_store sessions
 COOKIE_STORE_SESSION_SECRET: 'your secret key here, make it long and random'
diff --git a/config/varnish-alaveteli.vcl b/config/varnish-alaveteli.vcl
index 77350a8c8..5dd0ac83c 100644
--- a/config/varnish-alaveteli.vcl
+++ b/config/varnish-alaveteli.vcl
@@ -115,3 +115,43 @@ sub vcl_fetch {
 }
 }
+# We need to separately cache requests originating via http and via https
+# since we are serving very slightly different content in each case
+
+# Varnish 2.x version of vcl_hash
+#sub vcl_hash {
+# set req.hash += req.url;
+# if (req.http.host) {
+# set req.hash += req.http.host;
+# } else {
+# set req.hash += server.ip;
+# }
+#
+# # Include the X-Forward-Proto header, since we want to treat HTTPS
+# # requests differently, and make sure this header is always passed
+# # properly to the backend server.
+# if (req.http.X-Forwarded-Proto) {
+# set req.hash += req.http.X-Forwarded-Proto;
+# }
+#
+# return (hash);
+#}
+
+# Varnish 3 version of vcl_hash
+sub vcl_hash {
+ hash_data(req.url);
+ if (req.http.host) {
+ hash_data(req.http.host);
+ } else {
+ hash_data(server.ip);
+ }
+
+ # Include the X-Forward-Proto header, since we want to treat HTTPS
+ # requests differently, and make sure this header is always passed
+ # properly to the backend server.
+ if (req.http.X-Forwarded-Proto) {
+ hash_data(req.http.X-Forwarded-Proto);
+ }
+
+ return (hash);
+} |
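Review bot: `hash_data(req.http.X-Forwarded-Proto)` puts the raw header value into the cache key, so unless something upstream normalises the header, each distinct value a client sends produces its own cache entry for the same URL, and the http/https separation the comment wants is no longer a two-way split. Hashing a fixed token avoids that: `if (req.http.X-Forwarded-Proto == "https") { hash_data("https"); }`, ideally with the header set by the TLS terminator rather than passed through from the client. The comment also says `X-Forward-Proto` while the code reads `X-Forwarded-Proto`, and the commented-out Varnish 2.x copy could be dropped once 2.x is no longer supported.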