I've setup 'ssl endpoint' on heroku and that works great. I have a cname for www.miketown3.com pointing to osaka-4635.herokussl.com. https is working great.
However, when I GET http://www.miketown3.com, I get redirected to https://www.miketown3.com and I want to remain on http. When testing my app locally this does not happen. Also, when watching the traffic in chrome, I see no http level redirection of any kind. There's just a request to http://www.miketown3.com with no response. Then immediately the next request is to https://www.miketown3.com, but this time there is a valid response.
My question, where is this redirection happening and how can I stop it? Thanks a bunch!
Since your www subdomain is pointed to osaka-4635.herokussl.com, the server at this address performs the redirection. To stop it, you have to remove the ssl endpoint addon, and change your DNS records per https://devcenter.heroku.com/articles/custom-domains (e.g. point your root and www subdomain to yourapp.herokuapp.com)
I'm not 100% sure what you question is but if you only want HTTPS for certain parts(urls) of your website and assuming you are using rails you can add the gem 'rack-ssl-enforcer', this will allow you to specify what parts of your website redirect to https i.e. login
This was a chrome cache thing.
Related
I recently bought a domain name at OVH for an app I hosted on Heroku. I then paid for the dynos in order to set an automatic SSL certificate.
Everything seems to me working fine:
Domain Status Last Updated
─────────── ─────────── ────────────
mpjrigot.eu Cert issued 2 minutes
mpjrigot.fr Cert issued 2 minutes
But my URL is still in HTTP. What am I missing?
EDIT
I'm using React.js for this app
I also have a Ruby on Rails back but for nom i'm keeping that on the heroku.app, works fine
2nd EDIT
Using react-https-redirect, force-https or react-ssl-redirect...
Basically, chrome tells me that "this is not a safe space", and that this is a fake https that might want to steal the user's passwords and stuff
So I got an SSL that is set on my HerokuApp,
I got a domain on OVH that points to the IP of the app
But the http isn't secure somehow
I really think I missed something obvious as I'm new to this...
You can add HTTPS to your app with the following methods.
Method1 (Recommended)
Since, you're using rails for the backend, you can configure your rails app to always use HTTPS.
in your production.rb add
config.force_ssl = true
More Info: https://help.heroku.com/J2R1S4T8/can-heroku-force-an-application-to-use-ssl-tls
ActionDispatch SSL: https://api.rubyonrails.org/v6.1.4/classes/ActionDispatch/SSL.html
Method2 (Easy Setup)
You can also signup for cloudflare's free plan and easily setup https redirects with cloudflare's 'Always Use HTTPS' or 'Automatic HTTPS Rewrites' feature.
The 'Always Use HTTPS' feature will redirect all http requests on your site to https address.
The 'Automatic HTTP Rewrites' feature will change the HTTP links on your site to HTTPS links.
More Info here:
Always use HTTPS: https://blog.cloudflare.com/how-to-make-your-site-https-only
Automatic HTTPS: https://www.cloudflare.com/website-optimization/automatic-https-rewrite/
Cloudflare's SSL: https://www.cloudflare.com/ssl/
cloudflare dashboard
What am I missing?
Heroku provides a certificate, so you should be able to access your application using https://. However it does not redirect HTTP requests to HTTPS for you:
Redirects need to be performed at the application level as the Heroku router does not provide this functionality. You should code the redirect logic into your application.
Exactly how you do that depends on the language and libraries or framework that you are using. Several common examples are listed in the link I provided above.
If you edit your question to tell us what technology you have used to build your application I'll be happy to add those details to this answer. In case you are using Scala, please see How to disable HTTP requests on Heroku and/or auto-redirect to HTTPS?
solution
I eventually read about Heroku needing a specific host that takes in the address they tell you to point to when setting a domain name...
So I switched to Gandi for my domain name and set the ALIAS to point to said adress
Works like a charm
I have a site being hosted on heroku so I can go to myapp.herokuapp.com/ and my SPA loads. I got a domain and used cloudflare with a CName record to alais mydomain.com to myapp.herokuapp.com. Great the sites load. Within my SPA i load some images. If my app loads directly from heroku *myapp.herokuapp.com/images/filex.png" it works fine but if I call (or type in the address bar) myDomain.com/images/files.png" I just get my site back like i types mydomain.com
Is this an issue with cloudflare? Do i need additional routing rules?
or is this an issue with my express server that is serving the app and images? does the redirected
request look different and do I need to add code to handle the redirect?
I'm not sure why the redirect is happening without more information. My best guess is that you need to follow these instructions from Heroku. Without this, Heroku servers will have no idea what to do with a request that has a host header of mydomain.com, and will perform in some unexpected way. Heroku needs some way on its side to know that all mydomain.com requests should be handled identically to myapp.herokuapp.com requests.
If this configuration is already in place, your underlying code needs to handle myapp.herokuapp.com and mydomain.com, but I believe by default express will not care about hostname.
Seems to have been an issue with heroku. It’s working fine on aws.
We have recently installed an SSL certificate to our fairly old version of Drupal. The front end of it works well, however, we are now unable to log in to the admin area. We put this problem on our servers who claims the website now goes into a continuous redirect look, causing the site to crash. here is what they said.
"I have taken a further look at this and we can see some pages have specific rules in place that are forcing them to use HTTP this is then causing an issue with the redirect to HTTPS, this is essentially creating a loop as the Site goes to the HTTP which gets redirected to HTTPS, which the page then redirects back to HTTP and so on. You will need to review the content of the site and to remove the redirect(s) to HTTP for any pages that have this, alternatively, we can remove the redirect to HTTPS (However this defeats the purpose of having the SSL Certificate then). Please let me know if you would like me to remove the HTTPS redirect."
The same problem can be found here at stack overflow. However, the answer is very vague considering it's a change to the .htaccess file.
Any thoughts?
put this line at the en of settings.php
$conf['https'] = TRUE;
I am using cloudflare's "flexible ssl" as an intermediary between client and my site.
After setting this up, I went to the browser and tried accessing my site via https:
https://example.com/login
and everything works. I fill in my login info and log in successfully and am not on http://example.com . I manually enter https://example.com/* where * is many other pages and it all works fine.
Now I want to redirect all requests to use the seemingly working https. So i go to my cloudflare account on their website and create a page rule : http://example.com/* to always use https.
Now I go to example.com/login and successfully redirected to https://example.com/login, I fill in my log in information and submit the login form , the page refreshes and I am back to https://example.com/login with an empty login form.
Anyone know what the problem is or how to help troubleshoot?
I am using laravel as a framework for the site and apache as the webserver.
create a page rule : http://example.com/* to always use https
Noted. Be aware that CloudFlare does this by accepting every HTTP request on http://example.com/* and returning a 301 redirect to the equivalent HTTPS request. The browser completes the redirect by sending a GET request to the HTTPS URL.
I fill in my log in information and submit the login form
Check the login form source carefully and check what URL the login form is submitted to. My guess is that the form is submitted to http://example.com/login or something similar. CloudFlare will accept the POST request to http://example.com/login and return a 301 redirect to https://example.com/login -- which your browser will complete as a GET request and hence not sending the login data.
So your best solution is to make sure that your login form POSTs to the correct HTTPS URL not to the HTTP URL.
That's my best guess anyway.
how to help troubleshoot?
Ensure that you are using different log files to distinguish between HTTP and HTTPS requests on your server.
Some other suggestions:
Get a Let's Encrypt SSL certificate and put that on your site so that the communication between CloudFlare and your site is all SSL. https://letsencrypt.org/
Ensure that HSTS is turned on for all of your HTTPS requests so that the browser will know not to send any requests to any HTTP URLs.
Create a development server where you can test all of this working with HTTPS between the browser and the web server without CloudFlare. Once you've got it all working in HTTPS mode without CloudFlare then you can try it with CloudFlare and you should get essentially the same results. Your problem is with the HTTP -> HTTPS switch, not specifically with CloudFlare.
Anyone know if you can:
rename a herokussl.com app? If so how? same as with regular apps: heroku apps:rename new name?
to complete SSL rollout on Heroku we need to update DNS. This means changing www.example.com, which currently points to our example-production.herokuapps.com URL, to point to example-production.herokussl.com (assuming I can change the cryptic app name, see 'A' above). But, in doing so that will remove any plain old http access to our site and force https...correct? Is this by design? Common practice? What happens when users simply enter http://example.com in their browser, exactly? Assume a redirect but is it a 301 permanent redirect? Or...?
Apologies for apparent ignorance, I only re-activate my SSL synapses once every few years...
You have to make sure you set
config.force_ssl = true
in your production.rb config file, so that it forces the https url