Heroku + Cloudflare completely free SSL

Bill Johnston picture Bill Johnston · Oct 1, 2014 · Viewed 11.1k times · Source

Attempting to get completely free SSL on Heroku using Cloudflares new free Universal SSL

Read this article: http://mikecoutermarsh.com/adding-ssl-to-heroku-with-cloudflare/

Which seems to suggest its possible now that Cloudflare offers SSL for free.

The steps I took:

  • Set up my DNS with Cloudflare (free account)
  • Forwarded my domain to my herokuapp (CNAME example-app.com -> example-app.herokuapp.com)
  • Set the Cloudflare SSL option to 'Full SSL'
  • Added my domain to my heroku app
  • Forcing https with this express middleware:

    app.use(function(req, res, next) {
        if (req.headers['x-forwarded-proto'] != 'https') {
            res.redirect('https://' + req.headers.host + req.path);
        }
        else {
            return next();
        }
    });
    

The heroku domain http://example-app.herokuapp.com works correctly and redirects to https://example-app.herokuapp.com, green lock and all.

Both http://example-app.com and https://example-app.com do not work. The browser tab icon just keeps spinning and never resolves. Any ideas on how to get this working? Is this even possible?

*UPDATE

This is looking like it IS actually possible. From CloudFlare support:

Hi Bill,

Fundamentally, as long as the "origin" supports an SSL connection you can use Full SSL with CloudFlare.

Simon

CloudFlare released this blog post today: https://blog.cloudflare.com/universal-ssl-be-just-a-bit-more-patient/

My site has started resolving, but getting a "Your connection is not private" message like in the "Errors you may see" part of the blog post. Also in my CloudFlare settings there is a "SSL issuing" alert, so I imagine once it is issued this may just work. I'll keep y'all posted.

Answer

Beni Cherniavsky-Paskin picture Beni Cherniavsky-Paskin · Feb 11, 2015

There is a catch: it's unsecure between Heroku and Cloudflare.

  • It can work with "Flexible SSL" — unencrypted HTTP between Heroku and CF. We don't want that.
  • It also works with "Full SSL" — HTTPS between Heroku and CF but without CF validating the certificate. Heroku presents a *.herokuapp.com cert, CF is happy. Unfortunately, a man-in-the-middle between Heroku and CF can present a self-signed snakeoil.co.mordor cert an CF would be equally happy (and the user can't tell, they only see CF's cert)! It's documented in the Full SSL section of the CloudFlare blog post Introducing Strict SSL.
  • But "Full SSL (strict)" does NOT work, because CF expects Heroku to present yourdomain.com cert, and gives an error page :-(
    [You can of course get such a cert youself and pay Heroku for serving it to CF but that's going back to square one... You do get benefits of CDN, but it's not "completely free SSL on Heroku".] This situation is discussed in the CloudFlare article Configure CloudFlare and Heroku over HTTPS.

So is this setup with Full SSL acceptable? One could argue that the links between CF and Heroku are probably "in the backbone, above the clouds" and relatively hard to control for an active attacker, so the communication is clearly safer than no TLS at all. BUT it's not end-to-end secure, and you're giving the user a false sense of security normally associated with HTTPS and the green lock icon, and some would say that's worse then being up front with no TLS at all... [See opinions on https://news.ycombinator.com/item?id=8382335]

As of Feb 2015, I saw no option in CF to configure Full Strict mode to expect a cert on some other domain. I have no idea why CF don't allow that, it'd clearly be technically doable.