How do I selectively enable SSL in Rails 4 for certain paths?

Question

How do I turn SSL HTTPS off for a given path? I saw Enable SSL for certain resource actions but that was to enable HTTPS for a single path. My config has

config.force_ssl = true

However when I show a page that has an iframe and embeds an external source

<iframe src='http://www.

Then it doesn't even appear (Chrome) because it is mixed content. So I want to disable SSL for that single route that has an iframe. (I really want to turn it on & off depending on the content.)

I tried adding this to my routes.rb

get 'frame', :constraints => { :protocol => 'http' }

but that gave an error http://127.0.0.1:3000/posts/136/frame

No route matches [GET] "/posts/136/frame"

even though the route shows up

frame_post GET  /posts/:id/frame(.:format)  posts#frame {:protocol=>"http"}

I also saw Force SSL for specific routes in Rails 3.1 and tried

gem 'rack-ssl-enforcer' # Gemfile
config.middleware.use Rack::SslEnforcer, :except => [ /\/frame$/ ], :strict => true # application.rb

but it still always redirects to https. I also tried

force_ssl :except => :frame # posts_controller.rb

But that didn't work either.

I'm using Rails 4.1.

Answer 1

Rack ssl enforcer is a great solution for this - your regular expression is wrong. In your form, the regex would only exclude a path that is entirely '/frame', and would not exclude a path that had anything before /frame

If you want to exclude any path that ends with /frame, The correct regular expression would be:

\.*\/frame$/

Resulting in a config:

config.middleware.use Rack::SslEnforcer, :except => [ \.*\/frame$/ ], :strict => true