
Secure Application Deployment with Ruby on Rails


In this third part of a five-part series on deploying an ecommerce application with Ruby on Rails, you will learn how to configure access to the application so that it is properly secured, and more. This article is excerpted from chapter 12 of the book Practical Rails Projects, written by Eldon Alameda (Apress; ISBN: 1590597818).

Author Info:
By: Apress Publishing
August 09, 2010
TABLE OF CONTENTS:
  1. Secure Application Deployment with Ruby on Rails
  2. SSL Configuration
  3. FastCGI Module Configuration
  4. Creating the Production Database


(Page 1 of 4 )

Access Configuration

Letting your web server blindly serve all files will most likely cause security problems in a production environment. Your web server might serve files containing sensitive information, such as backup files created by vi and emacs or the working-copy files used by Subversion. To deny access to these files, the configuration file (Listing 12-1) defines two rules using url.access-deny: one for backups, as defined in the LightTPD template, and one for Subversion files.

Later in this chapter, we will use Capistrano to deploy the application to production. By default, Capistrano uses the Subversion checkout command when deploying the application to the production machine. Using the Subversion checkout command, instead of the export command, means that the deployment directory will contain .svn directories, which could be served by your web server if someone is smart enough to request them. Here is an example of the information that can be found in .svn/entries:

<?xml version="1.0" encoding="utf-8"?>
<wc-entries
   xmlns="svn:">
<entry
   committed-rev="106"
   name=""
   committed-date="2006-04-11T21:07:20.659809Z"
   url="svn://127.0.0.1:3690/emporium/public"
   last-author="george"
   kind="dir"
   uuid="1612fdca-df0d-0410-9dbd-93b5c6b9c7f0"
   prop-time="2006-04-19T20:19:36.000000Z"
   revision="109"/>

As the url and last-author attributes in the example show, an attacker can find out the address of your Subversion server and the name of the user who last updated the file.

You can prevent access to all files and folders named .svn using the following rule in the lighttpd configuration file (as described in http://hivelogic.com/articles/2006/04/30/preventing_svn_exposure):

$HTTP["url"] =~ "/\.svn/" {
  url.access-deny = ( "" )
}
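To see what these two rules actually let through, here is an added Ruby model of them (example code, not from the book or from lighttpd) that evaluates constructed request paths the way the configuration would; it assumes the template's backup rule is url.access-deny = ( "~", ".inc" ) and that the server matches on the decoded, dot-segment-simplified path.

```ruby
# Added example, not from the book: a Ruby model of the two lighttpd rules
# described above (the template's url.access-deny suffix list and the
# $HTTP["url"] =~ "/\.svn/" conditional), for checking sample paths offline.

# Suffixes denied by the template rule: editor backups ("~") and ".inc" files.
BACKUP_SUFFIXES = ['~', '.inc'].freeze
# The regex from the conditional on the page.
SVN_PATTERN = %r{/\.svn/}

# Percent-decode the path and resolve "." / ".." segments before matching.
# Assumption: the server matches on the decoded, simplified path; a check on
# the raw URI would miss a request for "/%2Esvn/entries".
def normalize(raw_uri)
  path = raw_uri.split('?', 2).first.to_s          # drop the query string
  path = path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
  segments = []
  path.split('/', -1).each do |seg|                 # -1 keeps a trailing ""
    case seg
    when '.'  then next
    when '..' then segments.pop if segments.size > 1
    else segments << seg
    end
  end
  segments.join('/')
end

# url.access-deny is a suffix match; an empty string ("") matches every URL,
# which is why the .svn rule uses ( "" ) inside its conditional.
def denied_by_suffix?(path, suffixes)
  suffixes.any? { |s| s.empty? || path.end_with?(s) }
end

# Returns :svn or :backup for a denied request, nil if it would be served.
def denied?(raw_uri)
  path = normalize(raw_uri)
  return :svn    if path.match?(SVN_PATTERN)
  return :backup if denied_by_suffix?(path, BACKUP_SUFFIXES)
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests; "/.svn" alone shows that the regex requires
  # the trailing slash, so the bare directory name is not caught by that rule.
  ['/.svn/entries', '/images/.svn/entries', '/%2Esvn/entries',
   '/app/../.svn/entries?x=1', '/config/database.yml~', '/header.inc',
   '/products/1', '/.svn'].each do |uri|
    puts format('%-28s %s', uri, denied?(uri) || 'served')
  end
end
```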
