Attempting to get completely free SSL on Heroku using Cloudflares new free Universal SSL
Read this article: http://mikecoutermarsh.com/adding-ssl-to-heroku-with-cloudflare/
Which seems to suggest its possible now that Cloudflare offers SSL for free.
The steps I took:
Forcing https with this express middleware:
app.use(function(req, res, next) {
if (req.headers['x-forwarded-proto'] != 'https') {
res.redirect('https://' + req.headers.host + req.path);
}
else {
return next();
}
});
The heroku domain http://example-app.herokuapp.com works correctly and redirects to https://example-app.herokuapp.com, green lock and all.
Both http://example-app.com and https://example-app.com do not work. The browser tab icon just keeps spinning and never resolves. Any ideas on how to get this working? Is this even possible?
This is looking like it IS actually possible. From CloudFlare support:
Hi Bill,
Fundamentally, as long as the "origin" supports an SSL connection you can use Full SSL with CloudFlare.
Simon
CloudFlare released this blog post today: https://blog.cloudflare.com/universal-ssl-be-just-a-bit-more-patient/
My site has started resolving, but getting a "Your connection is not private" message like in the "Errors you may see" part of the blog post. Also in my CloudFlare settings there is a "SSL issuing" alert, so I imagine once it is issued this may just work. I'll keep y'all posted.
There is a catch: it's unsecure between Heroku and Cloudflare.
*.herokuapp.com
cert, CF is happy. Unfortunately, a man-in-the-middle between Heroku and CF can present a self-signed snakeoil.co.mordor
cert an CF would be equally happy (and the user can't tell, they only see CF's cert)! It's documented in the Full SSL section of the CloudFlare blog post Introducing Strict SSL.yourdomain.com
cert, and gives an error page :-(So is this setup with Full SSL acceptable? One could argue that the links between CF and Heroku are probably "in the backbone, above the clouds" and relatively hard to control for an active attacker, so the communication is clearly safer than no TLS at all. BUT it's not end-to-end secure, and you're giving the user a false sense of security normally associated with HTTPS and the green lock icon, and some would say that's worse then being up front with no TLS at all... [See opinions on https://news.ycombinator.com/item?id=8382335]
As of Feb 2015, I saw no option in CF to configure Full Strict mode to expect a cert on some other domain. I have no idea why CF don't allow that, it'd clearly be technically doable.