How to redirect to HTTPS with .htaccess on Heroku Cedar stack

emersonthis picture emersonthis · Oct 21, 2014 · Viewed 10k times · Source

I'm new to cloud hosting...

I'm working on a PHP web app that's hosted on Heroku as a "Cedar" app. Heroku offers "piggy back" SSL to all their subdomains, so I can load https://myapp.herokuapp.com just fine. But I can also load http://myapp.herokuapp.com. I want to force SSL by redirecting http requests to https.

Normally, this would be easy. I would just use mod_rewrite as follows:

RewriteCond %{HTTPS} != on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

BUT THIS DOESNT WORK ON HEROKU!

It appears that SSL terminates upstream, before the traffic ever hits my app. So the %{HTTPS} condition is never met, and the result is a redirect loop. I've also tried the following, which also didn't work:

RewriteCond %{SERVER_PORT} != 443 #<--also redirect loop
RewriteCond %{REQUEST_SCHEME} !https #<--also redirect loop

So my question is how can I detect/redirect-to HTTPS when it's terminated upstream?

Answer

emersonthis picture emersonthis · Oct 21, 2014

After spending all day on this, I figured it out!!

The issue is eloquently summarized here.

Bottom line: Heroku sets its own custom header to indicate the ORIGINAL scheme of the traffic (before SSL terminated at the load balancer).

So THIS works in an .htaccess file on Heroku

##Force SSL 

#Normal way (in case you need to deploy to NON-heroku)
RewriteCond %{HTTPS} !=on

#Heroku way
RewriteCond %{HTTP:X-Forwarded-Proto} !https 

#If neither above conditions are met, redirect to https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

The secret sauce is the line with HTTP:X-Forwarded-Proto.

Hope this helps someone else having the same issues! At the time of writing this there is ZERO documentation on this.