Rails 5 - Invalid Authenticity - SSL

Today I introduced SSL to my latest app Homes in Asia and suddenly I wasn't able to log in. I was greeted by an ActionController::InvalidAuthenticityToken error.

Surprised, I did some digging. The cause is in how Rails 5 handles CSRF protection rather than in the token itself: new Rails 5 apps enable forgery_protection_origin_check, which compares the browser's Origin header with request.base_url. When Nginx terminates TLS and proxies to Rails over plain HTTP without saying so, Rails thinks the request arrived as http://homesin.asia while the browser sends Origin: https://homesin.asia, the two differ, and Rails raises InvalidAuthenticityToken. The fix is to have Nginx tell Rails the original scheme, port and host through the X-Forwarded-* headers.

In my Nginx config file for the site…

location @homesapp {
    ...
    proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header X-Forwarded-Port 443;
    proxy_set_header X-Forwarded-Host homesin.asia;
    ...
}

Replace homesin.asia above with your own host name. Only the proxy that terminates TLS should set these headers: if Rails is also reachable directly (for example on its Puma port from outside), a client could send its own X-Forwarded-* values, so bind the app server to localhost or a Unix socket. X-Forwarded-Proto $scheme is the more widely used alternative to X-Forwarded-Ssl on; Rails honours both.

Then check the configuration with sudo nginx -t, restart Nginx using sudo service nginx restart, and you should be good to go!
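To see why the headers matter, here is a small Ruby model of how Rack derives the request's scheme, host and port from the proxy headers, and of the Rails 5 origin check that raised the error. It is an added example, not Rack or Rails code: it abbreviates the header precedence of Rack::Request, and the request environments (including the assumed Puma port 3000) are constructed for illustration.

```ruby
# Added example: a trimmed-down model of Rack::Request's scheme/host/port
# derivation and of Rails 5's valid_request_origin? check. Not the real
# library code; header precedence is abbreviated from Rack 2.x.
DEFAULT_PORTS = { "http" => 80, "https" => 443 }.freeze

def scheme(env)
  return "https" if env["HTTPS"] == "on" || env["HTTP_X_FORWARDED_SSL"] == "on"
  proto = env["HTTP_X_FORWARDED_PROTO"]
  return proto.split(",").first.strip if proto
  env["rack.url_scheme"] || "http"
end

# X-Forwarded-Host (last value) wins over the Host header the proxy sent.
def host_with_port(env)
  forwarded = env["HTTP_X_FORWARDED_HOST"]
  return forwarded.split(",").last.strip if forwarded
  env["HTTP_HOST"] || "#{env['SERVER_NAME']}:#{env['SERVER_PORT']}"
end

def host(env)
  host_with_port(env).sub(/:\d+\z/, "")
end

# Without X-Forwarded-Port/Host/Proto the port falls back to SERVER_PORT,
# i.e. the port the app server itself listens on behind the proxy.
def port(env)
  m = host_with_port(env).match(/:(\d+)\z/)
  return m[1].to_i if m
  return env["HTTP_X_FORWARDED_PORT"].to_i if env["HTTP_X_FORWARDED_PORT"]
  return DEFAULT_PORTS[scheme(env)] if env["HTTP_X_FORWARDED_HOST"] || env["HTTP_X_FORWARDED_PROTO"]
  env["SERVER_PORT"].to_i
end

def base_url(env)
  s = scheme(env)
  p = port(env)
  p == DEFAULT_PORTS[s] ? "#{s}://#{host(env)}" : "#{s}://#{host(env)}:#{p}"
end

# Rails 5 with forgery_protection_origin_check = true: a request carrying an
# Origin header must match base_url exactly; a missing Origin is accepted.
def valid_request_origin?(env)
  origin = env["HTTP_ORIGIN"]
  origin.nil? || origin == base_url(env)
end

# Constructed environments: Nginx terminates TLS and proxies to Puma on
# 127.0.0.1:3000 (assumed), forwarding the Host header in every case.
BARE_PROXY_ENV = {
  "rack.url_scheme" => "http", "SERVER_NAME" => "127.0.0.1", "SERVER_PORT" => "3000",
  "HTTP_HOST" => "homesin.asia", "HTTP_ORIGIN" => "https://homesin.asia",
}.freeze

SSL_ONLY_ENV = BARE_PROXY_ENV.merge("HTTP_X_FORWARDED_SSL" => "on").freeze

FORWARDED_ENV = BARE_PROXY_ENV.merge(
  "HTTP_X_FORWARDED_SSL" => "on",
  "HTTP_X_FORWARDED_PORT" => "443",
  "HTTP_X_FORWARDED_HOST" => "homesin.asia",
).freeze

if __FILE__ == $0
  { "no forwarding headers" => BARE_PROXY_ENV,
    "X-Forwarded-Ssl only" => SSL_ONLY_ENV,
    "Ssl + Port + Host" => FORWARDED_ENV }.each do |label, env|
    puts "#{label}: base_url=#{base_url(env)} origin_ok=#{valid_request_origin?(env)}"
  end
end
```

With no forwarding headers the model reconstructs http://homesin.asia:3000, and with X-Forwarded-Ssl alone https://homesin.asia:3000; both differ from the browser's Origin and are rejected. Only when the port (or the forwarded host, which implies the scheme's default port) is also passed does base_url become https://homesin.asia and the login form go through.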

Extra Details

This all happened when I configured a LetsEncrypt wildcard SSL certificate on the domain. Any form submission might have resulted in the ActionController::InvalidAuthenticityToken error, but I only checked the login form (Devise).

  • Rails 5.1.5
  • Devise 4.4.3
  • Nginx 1.10.3

Lets Encrypt Wild Card SSL Tutorial

LetsEncrypt has finally introduced wildcard SSL. For me, the timing couldn’t have been better as I am in the process of developing Homes in Asia - A real estate website builder.

Generating a wildcard certificate is as easy as generating an ordinary one. The only extra step is that you need to publish a TXT record in your DNS zone; the record's name and value are printed by the client (certbot) during the run.

If you haven't already, download and run the certbot-auto application. (certbot-auto has since been deprecated by the EFF; on current systems install certbot from your OS packages or snap instead and substitute certbot for ./certbot-auto below.)

#~ wget https://dl.eff.org/certbot-auto
#~ chmod a+x ./certbot-auto
#~ sudo ./certbot-auto

The last step from above will download the application and its dependencies.

Then it is time to generate the certificate. My domain is homesin.asia. Wildcards are only issued through the ACME v2 endpoint, hence the --server flag. Note that *.homesin.asia does not cover the bare homesin.asia; add a second -d homesin.asia if you want both on one certificate. To generate the certificate, I ran

#~ sudo ./certbot-auto certonly \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --manual --preferred-challenges dns \
  -d *.homesin.asia

This starts a wizard. It will warn that the IP address of the machine will be logged publicly. Once you agree there will be a couple of yes/no questions.

Then it will prompt you to deploy a TXT record named _acme-challenge.homesin.asia with the value it prints (a wildcard and its base domain each get their own value under that same name). Depending on where your DNS is hosted, you set this in your registrar's or DNS provider's control panel. Make sure you wait until the record is actually visible before continuing: dig -t txt _acme-challenge.homesin.asia (or, better, dig @<your authoritative nameserver> -t txt _acme-challenge.homesin.asia) should show the value before you press Enter in the wizard.

If all went well you now have a certificate, typically under /etc/letsencrypt/live/homesin.asia/ (fullchain.pem and privkey.pem). Because the challenge was completed by hand, certbot renew cannot renew this certificate unattended; you will repeat the DNS step before it expires unless you switch to a DNS plugin or a --manual-auth-hook.

PS: Don't judge propagation by what a public resolver such as Google (8.8.8.8) returns: it may keep serving a cached answer for the record's TTL long after your provider has published it. Let's Encrypt's validator looks the record up itself from your zone's authoritative nameservers, so those are the ones to check.
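Below is an added Ruby helper (not certbot's code and not from the original post) that polls a chosen nameserver for the _acme-challenge TXT record until the value certbot printed appears, so you can be sure the record is live before pressing Enter in the wizard. The nameserver IP, domain and token in the usage line are placeholders; the helper assumes a plain TXT lookup over UDP via Ruby's standard Resolv library.

```ruby
require "resolv"

# Added example, not part of certbot: helpers to confirm a DNS-01 challenge
# record is live on a given nameserver before telling certbot to continue.

# certbot validates *.example.com and example.com at the same name,
# _acme-challenge.example.com (the leading "*." is not part of the record).
def challenge_name(domain)
  "_acme-challenge.#{domain.sub(/\A\*\./, '')}"
end

# Pure check over the TXT strings returned for the name. Several TXT
# records may coexist (one per -d that shares the name); the token must
# match exactly, so whitespace picked up by copy/paste is stripped.
def challenge_published?(expected, txt_strings)
  txt_strings.map(&:strip).include?(expected.strip)
end

# Ask one specific server. Point this at an authoritative nameserver for
# the zone (by IP address), not a public recursive resolver that may still
# be serving a cached answer.
def txt_records(name, nameserver_ip)
  Resolv::DNS.open(nameserver: [nameserver_ip]) do |dns|
    dns.getresources(name, Resolv::DNS::Resource::IN::TXT).flat_map(&:strings)
  end
end

# Poll until the record appears or we give up; returns true when it is live.
def wait_for_challenge(domain, expected, nameserver_ip, attempts: 30, delay: 10)
  name = challenge_name(domain)
  attempts.times do |i|
    seen = txt_records(name, nameserver_ip)
    return true if challenge_published?(expected, seen)
    warn "attempt #{i + 1}/#{attempts}: #{name} has #{seen.inspect}, waiting #{delay}s"
    sleep delay
  end
  false
end

# Usage (placeholders): ruby check_challenge.rb '*.homesin.asia' <token> 192.0.2.53
if __FILE__ == $0 && ARGV.size == 3
  domain, token, ns = ARGV
  ok = wait_for_challenge(domain, token, ns)
  puts ok ? "record is live, continue in certbot" : "record not seen, do not continue"
  exit(ok ? 0 : 1)
end
```

Run it in a second terminal while the certbot wizard is waiting; once it reports the record as live, press Enter in the wizard. If you requested both the wildcard and the bare domain, certbot asks for two values under the same name, and the check above accepts either as long as the one it is waiting for is present.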

Sri Lanka Social Media Ban

Multiple social media platforms have been blocked in Sri Lanka over the last week. This follows Buddhist mobs attacking Muslim homes, businesses and mosques. The terror had been coordinated using social media, which was the cause of the ban. Yesterday Viber was unblocked. The government is in talks with social media firms on possibilities to regulate extremist content.

Following the social media ban, many users turned to VPN services. A few days back I learnt that connections to even VPN services have been blocked.

I would like to take this opportunity to ask users new to VPN services to use reputed VPNs, for security reasons. I have been using ExpressVPN for a long time for business purposes. They are known not to keep logs of our activity, which is important.

2018 anti-Muslim Riots

LG 43UJ63 4K TV - Abans Sri Lanka

Lightning, the force once worshipped as a god, burnt my TV last week! The high-tension power pole right next to our boundary wall (about 60 feet from the TV) was struck by lightning. The trip acted, but it was too late for my 3-year-old Samsung TV.

I must say it was the most peaceful few days I'd had in a long time. But it was tough for mum, who loves her TV shows. I remember the time our old Sony Trinitron failed when I was a child and how lonely and depressed I got. I thought of getting a TV in the 40in range. Because mum had developed a fondness for YouTube, I thought of getting a Smart TV.

I went shopping for a TV today. I dropped in at the Singer showroom at Thalahena and the Abans showroom at Malabe. Singer had Samsung and Sony. Abans had LG.

Samsung Smart TVs run Tizen, Samsung's internally built operating system that powers its smart watches and even some smartphones. It would be good for me to get one as I could build and test apps for Tizen, I thought. The Sony IMO had better image quality, I mean when it comes to upscaling images, but its operating system is Opera. LG uses webOS, which is known to be fast.

After some thinking I decided to go for an LG 43UJ63 TV. It is about 38in wide (TV size is not the width but the diagonal). It's a 4K UHD TV and I got it for LKR 120,000/=. The FHD (1080p) version of it (running webOS 3.0) was 100,000/=. But I decided to spice things up (at least occasionally) and got a 4K TV.

  • webOS 3.5
  • 43in 4K IPS display
  • Magic Remote
  • WiFi support
  • 3 HDMI and 1 USB
  • Time Machine to record Live TV
  • And many more…

Its picture quality is amazing when viewing 4K content (e.g. through the YouTube app). Sound is quite good. Watching TV through Sri Lanka Telecom PEO TV is not bad, though it has some upscaling artefacts. I wish PEO TV would soon adopt at least Full HD.

I wish it came with Bluetooth audio support, but it doesn't. I will have to rely on an external utility to get that handled. That way mum can watch TV as loud as she likes without disturbing me.

Overall I am happy with the purchase. If you have a question ask me.

Thumula Gets Married

I just got home from Thumula Jayathilake's wedding. I'd like to take this opportunity to wish them a great future. The wedding was at the Grand Kandyan, my first visit there, and a beautiful and great hotel.

I met Thumula at the orientation ceremony. If I remember correctly, he asked me for a pen, and that is when we had a chat and I got to know that he was from around Katugastota. I looked for him that evening when we went to the Akbar Canteen, but he was not to be found.

A few days later I met him on the Katugastota to Peradeniya (Petroleum Corporation) bus. I also got to know Susantha Wijesekara and Anuradha Herath, who lived close by. I was warned many times, indirectly, by ragging seniors not to keep close friendships with them. Being the stubborn one, and anti-raggers not being the ones psychologically traumatized, I preferred their friendship. In the meantime I maintained a blog that got me into some serious hot water.

One day Susantha suggested I come to the common room to have a chat with some seniors and I became ALA.

Since then I would often meet Thumula, because we would come in the same bus, live in the common room, and go back in the same bus even if lectures finished early. When I would bring the car, I would give him a ride, and vice versa.

Today (well, technically yesterday) I met him after almost 6 years. It's been a long time. It was nice to meet some of my old friends.

And again… good luck guys!