Secured way to deploy Rails App

In: Ruby on Rails|Web Security

27 Mar 2010

In recent times Rails has grown into a very large community of developers, with new ones joining the programming sweetness by the hour. With the release of Passenger a.k.a. mod_rails, the pain of deploying a Rails application is almost a no-brainer, whether you choose to use Apache or Nginx as your server. Most programmers do their Rails development and testing using the built-in Rails server and Mongrel; it's very convenient and easy to develop and test your Rails apps using this approach (I know I do).

Unfortunately this has caused a lot of developers, who mainly come from other web dev platforms like .NET and PHP, to overlook how to properly deploy their Rails apps. If you're developing in PHP or .NET, the usual approach is to drop the entire application into your web directory and move on from there. IT IS A BAD APPROACH TO DO THIS WITH YOUR RAILS APP.

Your entire Rails application can be downloaded by anybody and your source code stolen, or worse, your code can be read by hackers to find any flaws. Another reason is that anyone can take a look inside your config folder, take a peek at your database.yml file and get the login details to your production DB server (you must be crazy enough to ignore that one :) ).

Now I know some of you might be wondering what my reason is for saying this. Every Rails application is deployed using a vhost configuration file which requires you to point to the full location of the public folder inside your Rails app, e.g. a typical installation on Linux will look like this: /var/www/YOUR-RAILS-APP/public. Now let's assume your application is pointing to a subdomain, so we have something like "railsapp.yourdomainname.com" (wonderful). You are eager to test your app on a production server, so you hit your browser and voila, there you are.

Now with a little luck in guessing, anyone can guess the correct name of your Rails app folder, and then you are doomed: the attacker can simply type something like "yourdomain.com/YOUR-RAILS-APP" into his browser, and this time your application does not load; instead the folder structure is displayed, and he can go into any folder of his choice and look up whatever he wants. The vhost only protects the subdomain; the main domain's web root still serves the whole app tree as plain files.

To properly deploy your Rails application, NEVER EVER DEPLOY YOUR APPLICATION INTO THE WEB ROOT. Create a folder outside the web root and point the full path to its public folder in your vhost file, e.g. "/var/rails_apps/YOUR_RAILS_APP/public".
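As an added example (not from the original post), here is the insecure layout beside the corrected Apache + Passenger vhost; the hostnames and paths are placeholders, and `Options -Indexes` is an extra safeguard on top of moving the app:

```apache
# Added example, not from the original post. Placeholders: hostnames, paths.

# BAD layout: the Rails app lives under the main site's DocumentRoot.
#
#   /var/www/                              <- DocumentRoot of yourdomain.com
#   /var/www/YOUR-RAILS-APP/               <- whole app tree is now served
#   /var/www/YOUR-RAILS-APP/config/database.yml
#
# The subdomain vhost looks fine on its own, but the main vhost hands out
# yourdomain.com/YOUR-RAILS-APP/config/database.yml as a static file, and
# with directory listings on it shows the entire tree.
#
# <VirtualHost *:80>
#     ServerName railsapp.yourdomainname.com
#     DocumentRoot /var/www/YOUR-RAILS-APP/public
# </VirtualHost>

# GOOD layout: the app root sits outside every served directory, and only
# its public/ folder is exposed through the vhost.
<VirtualHost *:80>
    ServerName railsapp.yourdomainname.com
    DocumentRoot /var/rails_apps/YOUR_RAILS_APP/public
    RailsEnv production
    <Directory /var/rails_apps/YOUR_RAILS_APP/public>
        AllowOverride all
        # No automatic directory listings, even inside public/
        Options -MultiViews -Indexes
        # Apache 2.4 syntax; on 2.2 use "Order allow,deny" / "Allow from all"
        Require all granted
    </Directory>
</VirtualHost>

# The main site keeps its own DocumentRoot, which no longer contains the
# app tree, so yourdomain.com/YOUR-RAILS-APP is simply a 404.
<VirtualHost *:80>
    ServerName yourdomain.com
    DocumentRoot /var/www
    <Directory /var/www>
        Options -Indexes
        Require all granted
    </Directory>
</VirtualHost>
```

A quick check after deploying: request yourdomain.com/YOUR-RAILS-APP/config/database.yml and railsapp.yourdomainname.com/../config/database.yml from a browser; both should return a 404, not the file or a listing.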

Your code is protected now.

About Me

Alfred is a seasoned programmer with over 8 years of experience, CEO of nCodedev Labs, a Ruby evangelist and activist. He loves programming most of the time and spends his free time with his family or trying out something new. He believes in doing more than is expected of you and working hard at anything you find yourself working on. As he always says, you don't have to take the bull by its horns all the time; you can take it by the tail too and move on to the horns when you're stronger.