I'd recommend reading through this for a bunch of SSL related information and an example config: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
I just purchased my SSL cert from the same place I registered the domain which you can usually do. You'll need to just upload that to the server and configure it to load the cert and key from that process. Usually they give you some instructions on how to do that as well.
Here's one where he buys the cert from Namecheap and configures it: https://aralbalkan.com/scribbles/setting-up-ssl-with-nginx-using-a-namecheap-essentialssl-wildcard-certificate-on-digitalocean/
Thanks for the quick response! I'm trying to decide if I should force all traffic over https (which I want to do) and how I should go about it (using Rails config.force_ssl = true or redirect it from within Nginx). I notice you allow both (at least http when I'm not logged in), is that by design? Any advice is much appreciated.
I'm using Nginx to redirect to https so it shouldn't allow you to use it over HTTP (aside from the first request which redirects you). I think it's wise to also do force_ssl with Rails as well so you have a backup to enforce that.
I don't think I have force_ssl set (but I should), although I can't seem to reproduce accessing GoRails via only HTTP except with curl. Are you able to view GoRails without ssl in your browser?
If I open up a New Private Window in Firefox and type 'gorails.com' into the URL bar I end up at http://gorails.com/ (I can't see the http:// part of the URL, I have to select all and copy/paste it into a text editor). I then clicked on the Forums link and copy/pasted the URL into a text editor and saw that the URL was http://gorails.com/forum. So, it looks like I'm accessing your site over http.
I just received my SSL cert from Namecheap and I'm going to give it a shot installing it on my droplet -- wish me luck!
One quick question - do you have a staging environment (different server/domain/subdomain/etc.) to test code deployments before pushing it into production?
You're definitely right. Chrome is redirecting to SSL but not Firefox. Weird. I'm going to force_ssl from now on. Thanks for the heads up! :)
I usually have a separate app and database for staging. GoRails currently doesn't have a staging app but it needs one soon. Separate servers are good, and you can copy production data into the staging database to test against real(ish) data. Just make sure that things like API keys don't match production ones so your test users in staging don't get emails, etc when testing. ;)
Thanks for the heads up! I successfully installed my SSL cert on my Production environment. I'm now going to attempt to install a self-signing cert on my Staging environment, so that I don't need to buy another cert -- tried using my Production cert but the domain name didn't match so it threw an error.
Thanks again for all of your help!
Yeah that's a good idea to do self signed for staging since you can trust it. Nobody else will really be using it so that should work totally fine (and cheaper!)
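The Nginx-side redirect discussed in this thread, as an added example that is not part of any post above and is not the GoRails configuration. The domain, certificate paths and upstream address are placeholders, and it assumes Nginx proxies to a Rails app server on localhost.

```nginx
# Added example: example.com, the certificate paths and the upstream
# address are placeholders, not values from this thread.

# Port 80 serves no content; every plain-HTTP request is redirected.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

# Port 443 is the only listener that reaches the application.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/nginx/ssl/example.com.chained.crt;  # placeholder
    ssl_certificate_key /etc/nginx/ssl/example.com.key;          # placeholder

    # HSTS: once a browser has seen this header over HTTPS it stops
    # sending plain-HTTP requests to the host for max-age seconds.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:3000;  # assumed Rails app server
        proxy_set_header Host $host;
        # Rails' config.force_ssl = true decides whether a request was
        # secure from this header; without it the app sees plain HTTP
        # from the proxy and redirects in a loop.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this in place, curl -I http://example.com/ should return a 301 whose Location starts with https://, which is a check that does not depend on any browser's cached state.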