根域上的 Heroku SSL

Question

I am trying to setup SSL for my heroku app. I am using the hostname based SSL add-on. The heroku documentation states the following:

Hostname based SSL will not work with root domains as it relies on CNAME 
aliasing of your custom domain names. CNAME aliasing of root domains is 
an RFC violation. 

As expected everything works well when I access the site using the www subdomain, ie https://www.foo.com . The browser complains when I access https://foo.com as the certificate presented is for heroku.com.

I concluded that I have to redirect the traffic for foo.com to www.foo.com to address this issue. I am considering following approaches:

1) DNS based redirection

The DNS provider Zerigo supports the redirect records. I came across a question on a similar subject on SO. I tried the solution, it works ONLY for HTTP redirection(Zerigo documentation confirms this).

My Zerigo configuration:

foo.com      A             x.x.x.x
foo.com      redirect      http://www.foo.com
www.foo.com  CNAME         zzz.amazonaws.com

2) Rack based redirection

Add a rack based middle-ware to perform the redirection. The canonical-host gem provides such support.

use CanonicalHost do
  case Rails.env.to_sym
    when :staging     then 'staging.foo.com'
    when :production  then 'www.foo.com'
  end
end

I am wondering if there is a better solution for this(barring switching to $100 per month IP based SSL)

Answer 1

Wow...this took me forever, and a bunch of info on the web was wrong. Even Heroku's docs didn't seem to indicate this was possible.

But Jesper J's answer provides a hint in the right direction: it works with DNSimple's ALIAS record which I guess is some new sort of DNS record they created. I had to switch my DNS service over to them just to get this record type (was previously with EasyDNS).

To clarify when I say "works" I mean:

• entire site on SSL using your root domain
• no browser warnings
• using Heroku's Endpoint SSL offering ($20/month)

It works for all of the following urls (redirects them to https://foo.com with no warnings)

• http://foo.com
• http://www.foo.com
• https://www.foo.com
• https://foo.com

To summarize the important bits.

1. move your DNS over to DNSimple (if anyone knows other providers offering an ALIAS record please post them in the comments, they were the only one I could find)
2. setup Heroku endpoint ssl as normal https://devcenter.heroku.com/articles/ssl-endpoint
3. Back in DNSimple add an ALIAS record pointing foo.com to your heroku ssl endpoint, something like waterfall-9359.herokussl.com
4. Also add a CNAME record pointing www.foo.com to your heroku ssl endpoint, waterfall-9359.herokussl.com
5. finally in your rails (or whatever) app make the following settings:

in production.rb set

config.force_ssl = true

in application_controller.rb add

before_filter :check_domain

def check_domain
  if Rails.env.production? and request.host.downcase != 'foo.com'
    redirect_to request.protocol + 'foo.com' + request.fullpath, :status => 301
  end
end

This finally seems to work! The key piece seems to be the ALIAS dns record. I'd be curious to learn more about how it works if anyone knows, and how reliable/mature it is. Seems to do the trick though.

Answer 2

DNSimple offers an ALIAS record type to address this need. You can create an alias from your root domain (aka zone apex) pointing to a CNAME. Read more about it here:

http://blog.dnsimple.com/introducing-the-alias-record/

Answer 3

One thing you will like to keep in mind is that google might index both versions of your site if both versions are accessible (Root vs WWW). You would need to setup conicals to handle that which might be a pain to upkeep.

In my DNS settings I set up a URL / Forward record (DNS Simple)

URL foo.com     3600        http://www.foo.com

The CNAME setup only needs to be setup for WWW

CNAME   www.foo.com 3600        providedsslendpoint.herokussl.com

I also had to setup and Alias for my root

ALIAS   foo.com 3600        providedsslendpoint.herokussl.com

Then I decided to simply replace foo.com with an env variable ENV['SITE_HOST'] (Where SITE_HOST= www.foo.com or whatever I might define). I can control this via my heroku configuration or my.env file (See https://github.com/bkeepers/dotenv ). That way, I can control what happens in different environments.

For example, my test app uses test.foo.com as the url it also has its own SSL endpoint so that works fine for me. This also scales to create staging or qa specific environments as well.

  before_filter :check_domain

  def check_domain
    if Rails.env.production? || Rails.env.testing? and request.host.downcase != ENV['SITE_HOST']
      redirect_to request.protocol + ENV['SITE_HOST'] + request.fullpath, :status => 301
    end
  end

From now on, end users will always access www with forced SSL. Old links will suffer a small hang but nothing noticeable.

Answer 4

On the Rails part, to make the redirection, it'd be more sane to make it occur on the router layer, like this (works on Rails 3+):

Rails.application.routes.draw do

  match '/*splat' => redirect { |_, request| request.url.sub('//www.', '//') }, :constraints => { :subdomain => 'www' }

  # ...

end

Answer 5

DNS redirects wouldn't care whether the inbound request is http or https so would maintain the original protocol - so would redirect http://foo.com to http://www.foo.com and the same for https.

You'll need to do it within the application via the gem you found or some other rack redirect gem or if www. is a problem use the IP based SSL addon.

Answer 6

For those heroku users using godaddy previously, I just finish porting the DNS over from godaddy to cloudflare. And the https is working fine now.

Godaddy DNS is incompatible with heroku. And this is due to:

Some DNS providers will only offer A records for root domains. Unfortunately, A records will not suffice for pointing your root domains to Heroku because they require a static IP. These records have serious availability implications when used in environments such as on-premise data-centers, cloud infrastructure services, and platforms like Heroku. Since Heroku uses dynamic IP addresses, it's necessary to use a CNAME-like record (often referred to as ALIAS or ANAME records) so that you can point your root domain to another domain.

Setting up is fairly simple.

First, add the nameservers of the cloudflare into godaddy dns manager. These are some examples:

roxy.ns.cloudflare.com sam.ns.cloudflare.com

Next, you only need two more steps.

1. Add a CNAME NAME.com and link it to NAME.com.herokudns.com
2. That's it. This is assuming that you already have a CNAME www.NAME.com linked to www.NAME.com.herokudns.com

If you are using Rails, be sure to set config.force_ssl = true at config/environment/production.rb

Answer 7

I found DNSimple to be complicated for my current web developer competence. I finally signed up with easyDNS and moved the domain I purchased at Godaddy over to easyDNS. Annual cost for a standard easyDNS subscription is currently $20. Good thing about easyDNS is that they actually answer their phone. A few minutes on the phone and I had my DNS target configured properly for Heroku. Tested my app and it worked for HTTP. When I upgraded my heroku app to a paid hobby dyno, which is currently $7/mo, it instantly applied SSL protection. Tested my app in the browser again, and it worked serving over HTTP and HTTPS. Next, I uncommented some code in my nodejs app that redirects http => https. One more test in a browser, seems good to go. Secure. Works with www and it works with the root domain. Bottom line: you may not have to pay for a Heroku Endpoint at $20/mo. Hope that helps.