I am using Namecheap for domain registration and for DNS, and using Heroku for hosting. I have purchased an SSL certificate through Namecheap and set it up with Heroku, and have it nearly working perfectly.
Currently, I have a DNS CNAME record with host "www" pointing to "[whatever].herokussl.com.", and a "#" host record set to URL Redirect (301) to "http://www.[domain].com".
My app itself forces all HTTP traffic to redirect to HTTPS, so "http://www.[domain].com" goes to "https://www.[domain].com".
I am getting the following results:
http://www.[domain].com - properly navigates to site as HTTPS
https://www.[domain].com - properly navigates to site as HTTPS
http://[domain].com - properly navigates to site as HTTPS
https://[domain].com - **does not** navigate to site, and instead the browser cannot find the page
I believe this has to do with how the URL Redirect behaves behind the scenes. I had originally done this as CNAME record pointing directly to "[whatever].herokussl.com.", but apparently doing that on the zone apex blocks MX records...
What do I need to do to get the desired behavior? I simply want all naked or "www" domains to point to my "www" domain.
UPDATE: More information regarding my DNS settings
HOST NAME IP ADDRESS/URL RECORD TYPE
--------- -------------- -----------
# http://www.[domain].com URL Redirect (301)
www [whatever].herokussl.com. CNAME (Alias)
My SSL certificate was not a wildcard, just an EssentialSSL certificate from Comodo. I'm fine if only www.[domain].com works (with a redirect from the naked domain), although when I was using a CNAME for both the apex and "www", it was working as a naked domain with SSL just fine.
If you use DnsSimple, you can use their ALIAS record feature.
The DnsSimple ALIAS record is not a standard DNS record type, and is not the same thing as a CNAME record. Rather, DnsSimple supports it in a special way, by performing the DNS resolution for you and returning to your browser the results. This is different from all other DNS records, where the DNS server performs no processing but simply returns the record to your browser on-demand.
There may be other DNS vendors with their own similar features.
However, with only vanilla DNS, HTTP-only 3xx's from your nameserver, and Heroku, there is no way to get SSL to the zone apex (the domain name with no www.).
Related
I have a 1&1 IONOS domain for my heroku app. the www subdomain works fine, with a CNAME setup for it. but I'm trying to redirect the root url to the www subdomain. this also works fine for http, but if the url is typed in as https://example.com, I get a ERR_SSL_PROTOCOL_ERROR (on chrome, other browsers have different errors). this is on any device, regardless of clearing cache and history etc.
my heroku logs show it's never reached, so it must be an issue within 1&1.
theres an ssl cert set on the domain with 1and1, as well as heroku's ACM.
any ideas?
To make the four URL variations (http://example.com, http://www.example.com, https://example.com, and https://www.example.com) point to a different SSL hosted site (heroku, cloudfront, etc), you need three things in IONOS:
Under DNS settings, add a CNAME entry for the www subdomain that points to your SSL hosted site (example.herokuapp.com)
Set up an HTTP Redirect under Domain Forwarding to https://www.example.com (don't check the box that states "Also set up for www subdomain")
Make sure you have an SSL wildcard certificate for *.example.com installed and attached to your domain in IONOS
It looks like all you are missing is number 3. After that, the redirect that you have setup should work as expected.
Note: example.com should be replaced by your actual domain in all of the above.
I am working on setting up SSL with Heroku and Namecheap.
On Heroku I currently have the domains:
Domain Name - DNS Target
www.app.domain.io - www.app.domain.io.herokudns.com
www.domain.io - www.domain.io.herokudns.com
On NameCheap I have:
Type - Host - Value
CNAME Record - app - www.app.domain.io.herokudns.com
CNAME Record - www- www.domain.io.herokudns.com
URL Redirect Record - # - https://www.domain.io
CNAME Record - www - https://www.domain.io
What works:
www.domain.io works fine and does not redirect to include https
domain.io just fails to reach a site
https://www.domain.io works great!
https://domain.io fails to reach a site.
http://www.app.domain.io/ fails to reach a site.
https://www.app.domain.io/ fails to reach a site.
http://app.domain.io/ reached the heroku nothing there yet page.
Ideally, all pages should always redirect to include https and www. Any idea what I'm doing wrong?
I fixed the problem. I added redirect records so that if the url was entered with or without www and with or without https it would be redirected to include https and www. This required 4 redirects for the domain.
In addition, the app.domain.io url had not content because I hadn't set something up there yet. I was planning on using the app.domain.io for a new heroku app later on.
Remember to wait long enough and try clearing your cache to see if the issue is resolved.
Edit
In my domain settings under Redirect Domain
Source Url Destination Url
domain.xyz https://www.domain.xyz/
www.domain.xyz https://www.domain.xyz/
The above ensures https is always used.
In my domain advanced DNS settings under Host Records
Type Host Value TTL
CNAME Record www <link from heroku> 30 min
URL Redirect Record # https://www.domain.xyz/ unmasked
URL Redirect Record www https://www.domain.xyz/ unmasked
This is what you need to do on namecheap to work with a heroku app. There is more to do on the heroku side of things.
In Heroku under app settings there is a Domains and certificates section.
You can add your domain there. This will create a DNS Target which is what you put in the <link from heroku> block from above. Heroku will also let you use LetsEncrypt and they will automatically refresh your SSL certificate.
Remember to wait awhile between changes. DNS changes can take up to 24 hours to apply.
For anyone using Heroku, Django, and namecheap that still has a similar problem (i.e. you have a working https website, but http is not automatically routed to https), you also have to set SECURE_SSL_REDIRECT = True in your settings.py file. Making this addition fixed the issue in my case.
This change, in addition to the URL configurations posted in #Programmingjoe's answer, should fix the issue.
I have two domains with GoDaddy: foo.com and bar.com
I want to redirect foo.com to bar.com/foo
I tried setting up Domain Forwarding from within the GoDaddy Dashboard and it did work, but not for HTTPS (which is the URL indexed within Google).
I checked with GoDaddy Support and received this response:
That will not work because your domain does not have an SSL Certificate active and there is no way to activate an SSL Certificate on it with a forward.
Maybe I'm overthinking this, but here's an alternative approach I had in mind:
Set the A record of foo.com to the same IP address that bar.com is using
Within the website code of bar.com, check the $_SERVER['SERVER_NAME'] and redirect appropriately
By using plain DNS this is not possible, the reason for this is that DNS is a protocol different than HTTP.
Some providers offer "forwarding" options but behind the scenes, they point your domain to an HTTP server the one later does the redirect.
For example, using CloudFlare this could be very easy to achieve, you need to setup up only one domain, let's say foo.com and then just create a page rule to redirect traffic to bar.com/foo, the rule could be something like:
*foo.com*
More info about the page rules can be found here: https://support.cloudflare.com/hc/en-us/articles/200168306-Is-there-a-tutorial-for-Page-Rules-
I've got a website with an SSL certificate for the root domain only - example.com.au
The site runs on heroku with the dns at dnsimple.com
I want all requests to www.example.com.au to go to the canonical url, ie to example.com.au and obviously this redirection needs to be set up at the dns level so that the user doesn't get stopped with an "insecure" message.
What should i put in my DNS?
I want all requests to www.example.com.au to go to the canonical url, ie to example.com.au and obviously this redirection needs to be set up at the dns level so that the user doesn't get stopped with an "insecure" message.
In short: This is not possible, because aliases at DNS level will not change the hostname.
In detail:
If the user types in www.example.com the client (i.e. the browser) will lookup the IP for this host and it will follow any DNS aliases (like a CNAME pointing to example.com) during this process. But, following DNS aliases will not cause redirects inside the browser. Instead the name in the URL will stay the same and so will be the name used to verify the certificate.
This means there is no way to do what you want at the DNS level. If you want to redirect from https://www.example.com to https://example.com you must have a certificate matching www.example.com.
I have a Debian server which is running a number of client sites. Most of these are not running SSL so accessing by HTTP is fine.
I have one customer with an SSL certificate and accessing their site via HTTPS is fine too.
The problem comes if you try to access one of the other sites with HTTPS you get directed to the other site that has the SSL certificate.
For instance, lets say we have the following sites on the server:
alpha.net
bravo.net
charlie.net (SSL)
delta.net
So as you can see, charlie is the only one with SSL, and irrespective of if you go to http charlie.net or https charlie.net, it works fine.
http to all the other sites is fine, but if you were to go to https alpha.net, it will initially come up with an Invalid Certificate error and let you continue but whilst it has alpha.net in the address bar, its actually showing the charlie.net site in the browser.
I have researched SNI and how if any other sites have SSL I'll need to put them all on specific IP addresses (something else I need to try to work out how to do as I have no idea) but I am not sure why this is happening or how I resolve it.
Has anyone else encountered this before and how did you get around it?
Many thanks,
Rob
This does not have anything to do with SNI, as you currently only have one HTTPS server. What happens, as you've stated in your comment, is that the alpha.net domain resolves to your server's IP. Your Apache server is set up to listen for requests on port 443 on this IP, and to serve the contents of charlie.net to these requests. (And the certificate error means that the browser noticed the discrepancy between the certificate's alleged domain name and the domain name used for the request.)
Redirecting from HTTPS to HTTP is probably more trouble that it's worth, since you would need valid certificates for each domain, lest you present your users with another security warning. This would entail creating virtual hosts for alpha.net:443 and so on, on an SNI capable server (i.e., later versions of Apache 2.2+ with openssl), and adding a redirection like so:
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}
Probably the easiest course for your problem is to use a different IP for charlie.net. With this setup, there would be no way for alpha.net (and so on) to display the contents of another site.
If you have multiple IPs on your server, use a unique one for the SSL site, all non-SSL sites share another IP.
Since SSL doesn't care what is the domain you are visiting, it only cares if the current domain is approved from the list of domains(Common Name) it gets from the Ip address.