27

Attempting to get completely free SSL on Heroku using Cloudflare's new free Universal SSL

Read this article: http://mikecoutermarsh.com/adding-ssl-to-heroku-with-cloudflare/

which seems to suggest it's possible now that Cloudflare offers SSL for free.

The steps I took:

  • Set up my DNS with Cloudflare (free account)
  • Forwarded my domain to my herokuapp (CNAME example-app.com -> example-app.herokuapp.com)
  • Set the Cloudflare SSL option to 'Full SSL'
  • Added my domain to my heroku app
  • Forced HTTPS with this Express middleware:

    var express = require('express');
    var app = express();

    // Heroku's router terminates TLS, so the dyno only sees plain HTTP;
    // the scheme the client used arrives in the X-Forwarded-Proto header.
    app.use(function(req, res, next) {
        if (req.headers['x-forwarded-proto'] != 'https') {
            // req.originalUrl keeps the query string; req.path would drop it
            return res.redirect('https://' + req.headers.host + req.originalUrl);
        }
        return next();
    });


The heroku domain http://example-app.herokuapp.com works correctly and redirects to https://example-app.herokuapp.com, green lock and all.

Both http://example-app.com and https://example-app.com do not work. The browser tab icon just keeps spinning and never resolves. Any ideas on how to get this working? Is this even possible?

UPDATE

This is looking like it IS actually possible. From CloudFlare support:

Hi Bill,

Fundamentally, as long as the "origin" supports an SSL connection you can use Full SSL with CloudFlare.

Simon

CloudFlare released this blog post today: https://blog.cloudflare.com/universal-ssl-be-just-a-bit-more-patient/

My site has started resolving, but getting a "Your connection is not private" message like in the "Errors you may see" part of the blog post. Also in my CloudFlare settings there is a "SSL issuing" alert, so I imagine once it is issued this may just work. I'll keep y'all posted.

Bill Johnston
  • No, you have to pay $20/mo if you want SSL enabled for custom domains hosted on Heroku. – idbehold Sep 30 '14 at 23:21
  • @idbehold have you read this article? It suggests you do not. http://mikecoutermarsh.com/adding-ssl-to-heroku-with-cloudflare/ – Bill Johnston Oct 01 '14 at 02:07
  • Just an aside - this is much easier to do with free SSL from http://www.startssl.com/ – Imperative Oct 13 '14 at 19:30
  • By the way, for anyone looking for free SSL hosting, you can host your *custom* domain for free with OpenShift (as long as you get yourself a free certificate). – Robin Winslow Jan 24 '15 at 13:52
  • @RobinWinslow OpenShift is IaaS and so you can just install an SSL cert... right? And in terms of specs how does it compare to Heroku's free one? Also I read you can have only 3 free instances at OpenShift. – Muhammad Umer Apr 14 '15 at 15:01
  • Openshift Online v3 free "Starter" plan no longer includes custom domains. Heroku meanwhile has https://devcenter.heroku.com/articles/automated-certificate-management starting from $7/mo Hobby paid plan. – Beni Cherniavsky-Paskin May 05 '19 at 13:22

4 Answers

25

There is a catch: it's unsecure between Heroku and Cloudflare.

  • It can work with "Flexible SSL" — unencrypted HTTP between Heroku and CF. We don't want that.
  • It also works with "Full SSL" — HTTPS between Heroku and CF but without CF validating the certificate. Heroku presents a *.herokuapp.com cert, CF is happy. Unfortunately, a man-in-the-middle between Heroku and CF can present a self-signed snakeoil.co.mordor cert and CF would be equally happy (and the user can't tell, they only see CF's cert)! It's documented in the Full SSL section of the CloudFlare blog post Introducing Strict SSL.
  • But "Full SSL (strict)" does NOT work, because CF expects Heroku to present a yourdomain.com cert, and gives an error page :-(
    [You can of course get such a cert yourself and pay Heroku for serving it to CF, but that's going back to square one... You do get the benefits of a CDN, but it's not "completely free SSL on Heroku".] This situation is discussed in the CloudFlare article Configure CloudFlare and Heroku over HTTPS.

So is this setup with Full SSL acceptable? One could argue that the links between CF and Heroku are probably "in the backbone, above the clouds" and relatively hard to control for an active attacker, so the communication is clearly safer than no TLS at all. BUT it's not end-to-end secure, and you're giving the user a false sense of security normally associated with HTTPS and the green lock icon, and some would say that's worse than being up front with no TLS at all... [See opinions on https://news.ycombinator.com/item?id=8382335]

As of Feb 2015, I saw no option in CF to configure Full Strict mode to expect a cert on some other domain. I have no idea why CF don't allow that, it'd clearly be technically doable.

JMM
Beni Cherniavsky-Paskin
  • I was going to ask for confirmation that *Full SSL (Strict)* doesn't work if you configure things like the article linked from the OP suggests -- with a CNAME `example.com => example.herokuapp.com`, but then I found this CloudFlare article [Configure CloudFlare and Heroku over HTTPS](https://support.cloudflare.com/hc/en-us/articles/205893698) that says as much :( In the article you linked to about what certificate they expect, when they say "certificate must [...] respond for the request domain name (hostname)" I guess they mean the hostname in the user's request. – JMM Jul 26 '16 at 15:30
  • `The Full(strict) SSL option checks for SSL certificate validity at the origin web server... or valid certificate purchased from a Certificate Authority is required to avoid 526 errors.` The certificate provided by heroku at `domain.herokuapp.com` is valid. So you should be able to set Full(strict) without any problems? https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean- – Muhammad Umer Oct 04 '20 at 15:08
  • Anybody can present _some_ valid cert. The question is valid _for which domain_, and my understanding was that Full Strict requires a cert for the same domain you want users to see. I haven't used CF for several years, no idea if still true. – Beni Cherniavsky-Paskin Oct 04 '20 at 18:18
14

This does work exactly as I had it set up. The problem was that it took a couple days for CloudFlare to issue their Unlimited SSL. Once it says 'SSL active' under your CloudFlare SSL settings, it will work.

Bill Johnston
  • same here, set up heroku and cloudflare 2 days ago, ssl started working today – Jascha Ehrenreich Oct 07 '14 at 17:19
  • I've read that it's secure between user and Cloudflare but not between Cloudflare and your server... is it true? Also that SSL by Cloudflare doesn't work on Android 2.xx and IE. (I guess it could be solved if you detect and redirect to https://app.herokuapp.com/) – Muhammad Umer Apr 14 '15 at 14:57
  • Sadly (NEW): "When an app is migrated to the new infrastructure, its default appname.herokuapp.com, DNS records, and any haiku.herokudns.com custom domain records are modified to point to the IP addresses of the new routing infrastructure. For a period of 24-48 hours, the app is accessible via both the new and old routing infrastructure. When the migration completes, the app will no longer be accessible via the old routing infrastructure and all traffic must flow via the new infrastructure. Requests for an app sent to the old infrastructure will result in error code: H31 Misdirected Request." – Pat May 28 '21 at 15:18
2

To get the apex domain to work, you probably need to use a DNS provider that supports ALIAS records; Cloudflare also does DNS and would likely work. More providers are listed here: https://devcenter.heroku.com/articles/custom-domains#root-domain

friism
  • CloudFlare uses [CNAME Flattening](http://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root/), which is used in [the article](http://mikecoutermarsh.com/adding-ssl-to-heroku-with-cloudflare/) that suggests it's possible. – Bill Johnston Oct 01 '14 at 20:01
  • Their CNAME Flattening worked for me, both to foo.herokuapp.com and bar-baz.rhcloud.com, and (*very* anecdotally) did not interfere with emails to webmaster@myapex.net (which IIUC is the main risk with ALIAS-like DNS). – Beni Cherniavsky-Paskin Feb 11 '15 at 14:50
0

To get this to work, you need to create a Page Rule on Cloudflare for your domain. Mine looks something like this:

URL Pattern: my-domain.co/*
Forwarding to: https://www.my-domain.co/$1

From there, you can use a CNAME on www to point to my-domain.herokuapp.com.

Cloudflare (and most other DNS providers) does not allow CNAME records for the root domain, only for subdomains. www is a subdomain, so you can force all traffic to www and CNAME that to Heroku.

TJC
  • CloudFlare uses [CNAME Flattening](http://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root/), which is used in the article that suggests it's possible. Also, this doesn't seem to be working for me. – Bill Johnston Oct 01 '14 at 22:53
  • This works both ways. In my Cloudflare page rules I have two rules: [http]://exaple.org to [https]://exaple.org/ and www.exaple.org to [https]://exaple.org. This way Cloudflare automatically reconnects me to [https://]exaple.org. Unfortunately Cloudflare does not support wildcard subdomains for free, pro or business accounts, and the enterprise accounts that allow wildcards are rumored to cost 500$ a month. – Jascha Ehrenreich Oct 07 '14 at 17:23