Heroku + Cloudflare completely free SSL Heroku + Cloudflare completely free SSL express express

Heroku + Cloudflare completely free SSL


node.js ssl heroku express cloudflare

There is a catch: it's unsecure between Heroku and Cloudflare.

  • It can work with "Flexible SSL" — unencrypted HTTP between Heroku and CF. We don't want that.
  • It also works with "Full SSL" — HTTPS between Heroku and CF but without CF validating the certificate. Heroku presents a *.herokuapp.com cert, CF is happy. Unfortunately, a man-in-the-middle between Heroku and CF can present a self-signed snakeoil.co.mordor cert an CF would be equally happy (and the user can't tell, they only see CF's cert)! It's documented in the Full SSL section of the CloudFlare blog post Introducing Strict SSL.
  • But "Full SSL (strict)" does NOT work, because CF expects Heroku to present yourdomain.com cert, and gives an error page :-(
    [You can of course get such a cert youself and pay Heroku for serving it to CF but that's going back to square one... You do get benefits of CDN, but it's not "completely free SSL on Heroku".] This situation is discussed in the CloudFlare article Configure CloudFlare and Heroku over HTTPS.

So is this setup with Full SSL acceptable? One could argue that the links between CF and Heroku are probably "in the backbone, above the clouds" and relatively hard to control for an active attacker, so the communication is clearly safer than no TLS at all. BUT it's not end-to-end secure, and you're giving the user a false sense of security normally associated with HTTPS and the green lock icon, and some would say that's worse then being up front with no TLS at all...[See opinions on https://news.ycombinator.com/item?id=8382335]

As of Feb 2015, I saw no option in CF to configure Full Strict mode to expect a cert on some other domain. I have no idea why CF don't allow that, it'd clearly be technically doable.

node.js ssl heroku express cloudflare

This does work exactly as I had it set up. The problem was that it took a couple days for CloudFlare to issue their Unlimited SSL. Once it says 'SSL active' under your CloudFlare SSL settings, it will work.

node.js ssl heroku express cloudflare

To get the apex domain to work, you probably need to use DNS provider that supports ALIAS records, Cloudflare also does DNS and would likely work. More providers listed here: https://devcenter.heroku.com/articles/custom-domains#root-domain

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last