How to Make Sinatra Work Over HTTPS/SSL

How to make Sinatra work over HTTPS/SSL?

I guess you need to set up your web server, not Sinatra, to work with SSL. In Sinatra you can use the request.secure? method to check for SSL usage.

SSL + Nginx: the first article, the second one.

Why isn't my Sinatra app working with SSL?

Generally you don't want any Ruby web servers actually handling SSL. You make them serve plain HTTP (that is accessible only via localhost). Then you install a reverse proxy that handles all of the SSL communication.

For example

  1. Install nginx (reverse proxy) and configure it to listen on port 443.
  2. Set your Ruby app server to listen on port 127.0.0.1:80 (accept local connections only).
  3. All requests hit nginx, which strips the SSL and sends the plain HTTP request to your Ruby web server.

A very simple nginx config to get you started:

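    # Certificate, key and HSTS header: place these in the http {} context
    # or inside the server block below.
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/your.key;
    # "ssl on;" is obsolete and was removed in nginx 1.25.1;
    # "listen 443 ssl;" below is what enables TLS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

    server {
        listen 443 ssl;
        server_name you.example.com;

        location / {
            proxy_pass http://localhost:8080; # your ruby appserver
        }
    }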
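
The reverse-proxy setup above means the Ruby app only ever sees plain HTTP, so it has to learn the original scheme from a header the proxy sets. The following is an added example, not code from any of the answers: a Rack-style middleware that accepts that header only from the local proxy and redirects everything else to HTTPS. It assumes nginx is configured with "proxy_set_header X-Forwarded-Proto $scheme;" (not in the config above); the class name RequireHttps and the sample environments are hypothetical.

```ruby
require 'ipaddr'

# Added example, not code from the answers above. Stdlib only; a Rack-style
# middleware is just an object with call(env), so no gem is needed to run it.
# Assumption: nginx is configured with "proxy_set_header X-Forwarded-Proto $scheme;".
class RequireHttps
  # Only the local reverse proxy may vouch for the original scheme.
  TRUSTED_PROXIES = [IPAddr.new('127.0.0.0/8'), IPAddr.new('::1')].freeze

  def initialize(app)
    @app = app
  end

  def self.trusted_proxy?(addr)
    ip = IPAddr.new(addr.to_s)
    TRUSTED_PROXIES.any? { |net| net.include?(ip) }
  rescue IPAddr::Error
    false # missing or malformed peer address
  end

  # True when the client-facing hop used TLS.
  def self.secure?(env)
    return true if env['rack.url_scheme'] == 'https' # app server terminated TLS itself
    return false unless trusted_proxy?(env['REMOTE_ADDR'])

    # A proxy chain may send "https, http"; the first entry is the client hop.
    env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip.downcase == 'https'
  end

  def call(env)
    return @app.call(env) if self.class.secure?(env)

    host  = env['HTTP_HOST'] || env['SERVER_NAME']
    query = env['QUERY_STRING'].to_s.empty? ? '' : "?#{env['QUERY_STRING']}"
    [301, { 'location' => "https://#{host}#{env['PATH_INFO']}#{query}" }, []]
  end
end

# Constructed Rack environments (not captured traffic).
HELLO_APP  = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['Hello world!']] }
VIA_NGINX  = { 'REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_PROTO' => 'https',
               'rack.url_scheme' => 'http', 'HTTP_HOST' => 'you.example.com',
               'PATH_INFO' => '/login', 'QUERY_STRING' => 'next=%2F' }.freeze
PLAIN_HTTP = VIA_NGINX.merge('HTTP_X_FORWARDED_PROTO' => 'http').freeze
# Direct connection to the app port with a forged header: must not count as secure.
FORGED     = VIA_NGINX.merge('REMOTE_ADDR' => '203.0.113.7').freeze
```

In a Sinatra app the middleware would be enabled with "use RequireHttps"; binding the app server to 127.0.0.1 as described above is still what keeps outside peers from reaching it at all.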

How to enable SSL for a standalone Sinatra app?

To do this with MRI ruby, use the following monkeypatch:

sinatra_ssl.rb:

    require 'webrick/https'

    # Monkeypatch: replace Sinatra's run! so that WEBrick serves TLS directly.
    module Sinatra
      class Application
        def self.run!
          # ssl_certificate and ssl_key are the settings defined in app.rb.
          certificate_content = File.read(ssl_certificate)
          key_content = File.read(ssl_key)

          server_options = {
            :Host => bind,
            :Port => port,
            :SSLEnable => true,
            :SSLCertificate => OpenSSL::X509::Certificate.new(certificate_content),
            :SSLPrivateKey => OpenSSL::PKey::RSA.new(key_content) # expects an RSA key
          }

          Rack::Handler::WEBrick.run self, server_options do |server|
            # Stop the server cleanly on Ctrl-C or SIGTERM.
            [:INT, :TERM].each { |sig| trap(sig) { server.stop } }
            server.threaded = settings.threaded if server.respond_to? :threaded=
            set :running, true
          end
        end
      end
    end

Then, in your standalone application:

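app.rb:

    require 'sinatra'
    # The current directory is not on Ruby's load path, so load the patch relative to this file.
    require_relative 'sinatra_ssl'

    set :port, 8443
    set :ssl_certificate, "server.crt"
    set :ssl_key, "server.key"

    get "/" do
      "Hello world!"
    end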

How to set up an SSL certificate on Sinatra

So, Heroku over SSL is actually free if you access your application over the herokuapp.com domain. You only have to pay for the add-on if you want to serve your app over SSL from a custom domain. Because Heroku apps are proxied by nginx (with a default *.herokuapp.com cert), creating a DNS record in a custom domain without purchasing the plugin would result in a certificate mismatch and a fat warning appearing when people tried to access your site. The add-on allows you to add the custom cert so that the cert matches the CNAME record.

There is a free workaround though: as @seph said, Cloudflare is pretty good for a situation like this because of its universal SSL offering. If you set SSL to "Full" without strict SSL checking and enforce HSTS (check the Crypto tab in the dashboard), then you can do a secure proxy to your Heroku instance and ignore any cert mismatches while still having full, end-to-end encryption.
