Encryption between Cloudflare & Heroku

There are several questions about Heroku, Cloudflare and DNS, but none matches mine. I've configured Heroku with Automated Certificate Management (ACM), and Cloudflare is of course configured to serve SSL itself. With this I want to ensure that requests are also encrypted between Cloudflare and Heroku.
SSL works perfectly for the client. The problem is that Heroku can't verify the DNS settings from Cloudflare (which Heroku documents: ACM doesn't work with Cloudflare this way). Of course I could disable it, but then the traffic isn't encrypted anymore between Heroku and Cloudflare, which would be the worst case.
Does anyone know how I can solve this and ensure the entire communication between my Heroku apps, Cloudflare and the client is encrypted?
That would be great; I look forward to your answers/questions.

Okay, after some more research I think I've got the solution. In my case with Cloudflare, Heroku doesn't work with ACM in paid plans above Hobby dynos (as Heroku itself says). Even the option to generate "Origin Certificates" on Cloudflare and put them into your dyno config isn't working (tried with an ECDSA one).
It's possible to pay Heroku for the "SSL Endpoint Add-on" ($20/mo) to be able to modify the SSL endpoint and change the way Heroku works, which isn't an option for me.
Update: In the meantime Heroku has updated the SSL behavior and you're able to upload an origin certificate (from Cloudflare, for instance).

Related

Changes in Heroku. How to continue having free Cloudflare SSL on free Heroku dynos?

Heroku email from today:
When an app is migrated to the new infrastructure, its default appname.herokuapp.com, DNS records, and any haiku.herokudns.com custom domain records are modified to point to the IP addresses of the new routing infrastructure. For a period of 24-48 hours, the app is accessible via both the new and old routing infrastructure. When the migration completes, the app will no longer be accessible via the old routing infrastructure and all traffic must flow via the new infrastructure. Requests for an app sent to the old infrastructure will result in error code: H31 Misdirected Request.
To get correct and future-proof DNS targets for custom domains associated with your Heroku apps, you can run heroku domains and compare the DNS target in the output to the CNAME target that you’ve configured with your DNS provider. If the DNS targets don’t match, you need to update your DNS configuration to point to the DNS targets provided by Heroku.
I’ve done the above. This then breaks the workaround to get free SSL from Cloudflare to work with Heroku (because of the move away from *.herokuapp.com, which allowed the workaround). So now one has to upload a Cloudflare certificate by using Heroku SSL (which one can only use on paid dynos).
Rest of the email:
If you have any SSL Endpoints associated to your app, you can verify the DNS by following this step from the SSL Endpoint setup documentation. Please note that the SSL Endpoint add-on is deprecated and will be removed starting July 31, 2021. All existing and new Heroku applications should use Heroku SSL, which includes Automated Certificate Management (ACM).
Does anyone have a workaround to enable the use of Cloudflare SSL in a free Heroku dyno setup?
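A small check for the step the email describes (run heroku domains, then compare each DNS target with the CNAME your DNS provider actually publishes), added here as an example; it is not Heroku's or Cloudflare's code. The heroku domains output and the CNAME answers are constructed sample data with placeholder hostnames, and the table layout the parser expects is an assumption about the CLI's output. The optional online check connects to the Heroku DNS target with SNI set to the custom domain and lets Python's default trust store verify the chain and hostname, which is what a browser would do.

```python
"""Check that a custom domain is wired to Heroku the way ACM expects.

Added example, not Heroku's or Cloudflare's code. It:
  1. parses `heroku domains` output and compares each DNS target with the
     CNAME currently published for that domain (offline, on sample data);
  2. optionally (online) opens a TLS connection to the DNS target with SNI
     set to the custom domain and has the standard library verify the
     certificate chain and hostname.
All hostnames below are constructed placeholders.
"""
import re
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample of `heroku domains` output; the column layout is an
# assumption about the CLI's table format.
HEROKU_DOMAINS_OUTPUT = """\
=== example-app Heroku Domain
example-app.herokuapp.com

=== example-app Custom Domains
Domain Name      DNS Record Type  DNS Target
───────────────  ───────────────  ───────────────────────────────────
www.example.com  CNAME            whispering-willow-1234.herokudns.com
example.com      ALIAS or ANAME   hidden-tundra-5678.herokudns.com
"""

# Constructed answers as a resolver might return them (trailing dot kept).
# The apex record is a stale target left over from the old *.herokuapp.com
# workaround, which is exactly the mismatch the email tells you to fix.
PUBLISHED_CNAMES = {
    "www.example.com": "whispering-willow-1234.herokudns.com.",
    "example.com": "example-app.herokuapp.com.",
}

ROW = re.compile(r"^(\S+)\s+(CNAME|ALIAS or ANAME)\s+(\S+\.herokudns\.com)\s*$")


def parse_heroku_domains(output):
    """Return {custom_domain: dns_target} from `heroku domains` output."""
    targets = {}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            targets[m.group(1).lower()] = m.group(3).lower()
    return targets


def find_mismatches(heroku_targets, published):
    """List (domain, expected, actual) for every domain whose published
    record does not point at the target Heroku expects."""
    bad = []
    for domain, expected in heroku_targets.items():
        actual = (published.get(domain) or "").rstrip(".").lower()
        if actual != expected:
            bad.append((domain, expected, actual or "<no record>"))
    return bad


def check_origin_tls(custom_domain, dns_target, timeout=5.0):
    """Online check: connect to the Heroku target with SNI = custom_domain
    and let the default context verify chain and hostname. Returns the
    certificate's notAfter as an aware datetime; raises ssl.SSLError or
    OSError on failure. Not exercised offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((dns_target, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=custom_domain) as tls:
            cert = tls.getpeercert()
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return datetime.fromtimestamp(expires, tz=timezone.utc)


if __name__ == "__main__":
    targets = parse_heroku_domains(HEROKU_DOMAINS_OUTPUT)
    for domain, expected, actual in find_mismatches(targets, PUBLISHED_CNAMES):
        print(f"{domain}: record points at {actual}, Heroku expects {expected}")
```

With a Cloudflare-proxied record the public answer is Cloudflare's own addresses rather than the herokudns.com CNAME, so this comparison reports a mismatch for that domain; that is the verification failure the first question runs into, and the online check against the Heroku target is what tells you whether the origin itself presents a certificate valid for the custom domain.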

heroku free tier and SSL certificate workarounds?

DNS beginner here, so bear with me. I have a small Heroku Node app and I can't afford the $7/month Hobby plan that you need to auto-generate an SSL certificate. I have a custom domain from AWS Route 53 that points to the app, but only the www. address works, not the https:// address, I gather because I don't have the SSL certificate.
I saw that there were some CloudFront hacks (2) but mixed reviews about whether they work, and they sound a bit too complicated for me, a beginner.
Are there any workarounds? Like, could I have my https:// AWS address just redirect to the www. one? Could I wrap the SSL'd Heroku app in an iframe? Or are there other Heroku/Jamstack-type alternatives that offer less expensive SSL certificates?
You could potentially use Cloudflare's free SSL with Heroku; here is a blog post that goes through the process.

How can I make my HTTP website become HTTPS?

I have a website called http://jobdirecto.com/ that I want to turn into HTTPS.
The site is hosted in Heroku and the domain I got from Namecheap.
I got the paid version of Heroku since that lets me configure SSL (and I think that's what I have to configure to make it HTTPS). They ask me for a "public certificate" that I don't have, though.
I also bought an SSL certificate from SSLs.com and they gave me a private key but no public certificate.
I am lost as to what I have to do now to make my website secure.
There's no need to purchase anything. Use Heroku's Automated Certificate Management, which is powered by Let's Encrypt:
1. Run heroku domains and make a note of the .herokudns.com domain it lists.
2. Set up a CNAME record for your custom domain pointing to the .herokudns.com domain from the previous step.
3. Run heroku certs:auto:enable to start the certificate provisioning process.
4. Run heroku certs:auto to see your certificate's status.
Please note that
It usually takes between 45 and 60 minutes to generate a TLS certificate for your app’s custom domains
This will let your site run over HTTPS, but it won't automatically redirect requests from HTTP to HTTPS. To do that we'll need to know more about your application.
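One way to add the HTTP-to-HTTPS redirect the answer leaves open, added here as an example and not taken from the answer or from Heroku: a framework-free WSGI middleware for a Python app. Behind the Heroku router (or Cloudflare) the dyno's socket always sees plain HTTP, so the only signal of the client's original scheme is the X-Forwarded-Proto header the router sets; that header is only trustworthy because the dyno is reachable solely through the router. hello_app, the hostnames, the allowed-host list and the request environs are constructed.

```python
"""HTTP-to-HTTPS redirect for a WSGI app behind a TLS-terminating proxy.

Added example, not Heroku's code. Redirects when X-Forwarded-Proto says
the client used plain HTTP, and adds Strict-Transport-Security to HTTPS
responses. The Location header is built from an allowlist of hostnames so
an untrusted Host header is never echoed into a redirect.
"""

HSTS = "max-age=31536000; includeSubDomains"


def force_https(app, allowed_hosts, hsts=HSTS):
    """Wrap `app`; `allowed_hosts` is the tuple of hostnames this app serves,
    first entry being the canonical one used when Host is not recognised."""
    def middleware(environ, start_response):
        proto = environ.get("HTTP_X_FORWARDED_PROTO") or environ.get("wsgi.url_scheme", "http")
        # Several hops may append to the header; the first entry is the
        # client-facing one.
        proto = proto.split(",")[0].strip().lower()
        if proto != "https":
            host = (environ.get("HTTP_HOST") or "").split(":")[0].lower()
            if host not in allowed_hosts:
                host = allowed_hosts[0]
            location = "https://" + host + environ.get("PATH_INFO", "/")
            qs = environ.get("QUERY_STRING")
            if qs:
                location += "?" + qs
            # 301 for safe methods; 308 keeps method and body for the rest.
            safe = environ.get("REQUEST_METHOD", "GET") in ("GET", "HEAD")
            status = "301 Moved Permanently" if safe else "308 Permanent Redirect"
            start_response(status, [("Location", location), ("Content-Length", "0")])
            return [b""]

        def hsts_start_response(status, headers, exc_info=None):
            headers = list(headers) + [("Strict-Transport-Security", hsts)]
            return start_response(status, headers, exc_info)
        return app(environ, hsts_start_response)
    return middleware


def hello_app(environ, start_response):
    """Constructed placeholder application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello over TLS\n"]


def run_request(app, environ):
    """Drive a WSGI app with a constructed environ -> (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


def make_environ(proto, method="GET", path="/login", qs="next=%2Fadmin",
                 host="www.example.com"):
    """Constructed environ resembling what the router hands the dyno."""
    return {
        "REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": qs,
        "HTTP_HOST": host, "SERVER_NAME": host, "wsgi.url_scheme": "http",
        "HTTP_X_FORWARDED_PROTO": proto,
    }


ALLOWED_HOSTS = ("www.example.com", "example.com")   # constructed
app = force_https(hello_app, ALLOWED_HOSTS)

if __name__ == "__main__":
    print(run_request(app, make_environ("http")))
    print(run_request(app, make_environ("https")))
```

Mount it by wrapping the real application object the same way hello_app is wrapped; the HSTS header is only sent on responses that already travelled over HTTPS, so a site that still serves some hosts over plain HTTP is not locked out.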

Any way to add a free SSL certificate on a free heroku dyno?

I've got a Heroku free plan, running on a custom domain with the PointDNS add-on so it can provide nameservers for the DNS provider, if that matters.
I've got the website up and running on my custom domain, on https, but the SSL certificate points to *.herokuapp.com.
I suppose I need another SSL certificate for my custom domain, but after looking around for a long while I still couldn't find anything that doesn't require a paid Heroku plan.
Is it even possible to add an SSL certificate, on a free Heroku plan, on a custom domain? If so, please help me out.
I'm really in over my head here and my knowledge about anything SSL or DNS is very limited.
From the PointDNS add-on doc (https://devcenter.heroku.com/articles/pointdns), I don't see how you can do this easily.
But if you have purchased the domain (and not DDNS), this should be pretty easy with Cloudflare.
Setting up a Custom Domain name and FREE SSL certificate for Heroku Apps
Add a DNS record to point to your site and redirect to Heroku.
Enable the Crypto certificate; after this the certificate will be automatically distributed by Cloudflare.

Disable the default Piggyback SSL on Heroku?

I have two domain names pointing to one Heroku app. One domain name is always used over https. I have a wildcard certificate for that domain. That, combined with the fact that I can only have one SSL certificate installed on a Heroku app, leaves me to force the other domain name to http. I have installed the SslEnforcer gem to take care of this for me. However, since Heroku now gives me default Piggyback SSL on my app, when I try to access my non-secure domain over https, it first hits the Piggyback SSL certificate, which yields a security error, since I'm not on the *.herokuapp.com domain. It never gets to the SslEnforcer redirect.
So it seems that I desperately need to disable or remove the default Piggyback SSL. Is there a way to do so? Or is there another solution anyone can think of?