interdiscipline/lockup

Doesn't seem to protect any static files in public

ndbroadbent opened this issue · 3 comments

I would like to also protect some static files that I'm serving from public/, such as documentation and a static blog site. It would be great if lockup could also intercept those requests.

I put together this Rack middleware as a proof of concept: https://gist.github.com/ndbroadbent/983d30d58e3bae89bb45baaf6108eeeb

Seems to be working fine. But not sure the best way to integrate this with the lockup project.
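An added example along the lines of the proof of concept described above (this is not the linked gist and not lockup's own code): a Rack middleware that gates chosen paths under public/ behind a codeword, presented once as a query parameter and afterwards carried in a cookie. The cookie name, parameter name, prefixes and HMAC label are assumptions made for this example. It has to sit before whatever serves public/ (ActionDispatch::Static in Rails) and only helps when the request actually reaches the Rack stack; files served straight from nginx or a CDN never pass through it. The path is percent-decoded and `..`-normalised before matching, because the static file server normalises too and a raw prefix check alone would let `/x/../docs/...` through.

```ruby
require "cgi"
require "openssl"

# Added example (not lockup's code, not the linked gist): gate requests for
# selected public/ paths behind a codeword. Names below are assumptions.
class StaticLockup
  COOKIE_NAME = "static_lockup_token"   # assumed cookie name
  PARAM_NAME  = "lockup_codeword"       # assumed query parameter name

  def initialize(app, codeword:, protected_prefixes: ["/docs", "/blog"])
    @app = app
    @codeword = codeword
    # The cookie carries an HMAC derived from the codeword rather than the
    # codeword itself, so the secret is not echoed back in responses.
    @token = OpenSSL::HMAC.hexdigest("SHA256", codeword, "static-lockup-granted")
    @protected_prefixes = protected_prefixes
  end

  def call(env)
    return @app.call(env) unless protected?(normalize(env["PATH_INFO"].to_s))

    params  = CGI.parse(env["QUERY_STRING"].to_s)
    cookies = parse_cookies(env["HTTP_COOKIE"])
    word = Array(params[PARAM_NAME]).first
    via_param  = !word.nil? && secure_compare(word, @codeword)
    via_cookie = cookies.key?(COOKIE_NAME) && secure_compare(cookies[COOKIE_NAME], @token)

    unless via_param || via_cookie
      return [403, { "content-type" => "text/plain" }, ["Locked: codeword required\n"]]
    end

    status, headers, body = @app.call(env)
    if via_param
      # Rack 3 lower-cases header names; under Rack 2 this would be "Set-Cookie".
      headers = headers.merge(
        "set-cookie" => "#{COOKIE_NAME}=#{@token}; Path=/; HttpOnly; SameSite=Lax"
      )
    end
    [status, headers, body]
  end

  # Builds a minimal Rack env so the middleware can be exercised without a server.
  def self.env_for(path, query: "", cookie: nil)
    env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => path, "QUERY_STRING" => query }
    env["HTTP_COOKIE"] = cookie if cookie
    env
  end

  private

  def protected?(path)
    @protected_prefixes.any? { |prefix| path.start_with?(prefix) }
  end

  # Percent-decode and collapse "." / ".." the way a static file server would,
  # so "/x/../docs/a" and "/%64ocs/a" are matched as "/docs/a".
  def normalize(path)
    decoded = path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
    parts = []
    decoded.split("/").each do |seg|
      next if seg.empty? || seg == "."
      seg == ".." ? parts.pop : parts << seg
    end
    "/" + parts.join("/")
  end

  def parse_cookies(header)
    header.to_s.split(/;\s*/).each_with_object({}) do |pair, acc|
      name, value = pair.split("=", 2)
      acc[name] = CGI.unescape(value.to_s) if name
    end
  end

  # Constant-time comparison for equal-length strings; the length is not secret here.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

In a Rails app this would be inserted with `config.middleware.insert_before ActionDispatch::Static, StaticLockup, codeword: ENV.fetch("LOCKUP_CODEWORD")` (assumed wiring). Passing the codeword in the query string means it lands in server logs and Referer headers, which is why the cookie, not the parameter, is used for every request after the first.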

Unfortunately, this won't work. Most production deployments serve assets from public without hitting Rails at all.

In practice, it's not a problem since static assets can usually only be reached from dynamic pages. That is, unless someone happens to know the URL(s) to hit, they won't be able to reach your assets.

If you really need your static assets secured, you'll probably want to use HTTP basic auth in nginx or apache.

Ah, good point. I needed this because I'm hosting on Heroku, so I'm serving all of my assets with Rails, and caching them behind CloudFlare. This setup works great, because only a single request hits my Rails server.

And for staging, I turned off CloudFlare, so all requests go to Rails. But with this middleware I wrote, now I have lockup pages for all of my static blog pages and documentation, so it's working pretty well for me. But you're right, this is probably not a very common situation.