2

I'm trying to circumvent Heroku's policy on SSL which forces you to pay for an add-on at $20/month. Understanding the best route is to get the add-on, I'm wondering what I get with the add-on that you can't do with Sinatra? Wouldn't requesting a certificate from the server be like sending a request to the server and therefore be handled by Sinatra? What is so different that makes that impossible to implement?

wurde
thesecretmaster
  • Please check the link below; it may be helpful for you. http://stackoverflow.com/questions/3696558/how-to-make-sinatra-work-over-https-ssl – rajeev Apr 21 '16 at 05:59

1 Answer

2

So, Heroku over SSL is actually free if you access your application over the herokuapp.com domain. You only have to pay for the add-on if you want to serve your app over SSL from a custom domain. Because Heroku apps are proxied by nginx (with a default *.herokuapp.com cert), creating a DNS record in a custom domain without purchasing the add-on would result in a certificate mismatch and a fat warning appearing when people tried to access your site. The add-on allows you to add the custom cert so that the cert matches the CNAME record.

There is a free workaround though, as @seph said, Cloudflare is pretty good for a situation like this because of its universal SSL offering. If you set SSL to "Full" without strict SSL checking and enforce HSTS (check the Crypto tab in the dashboard) then you can do a secure proxy to your Heroku instance and ignore any cert mismatches while still having full, end-to-end encryption.

photoionized
  • Also, I guess, to respond to the particular "why can't I just send a cert using Sinatra" (which is really Puma/Unicorn/Webrick/some other Rack server)--it's because of the nginx proxy, all of the web traffic to your app gets routed through Heroku-controlled servers before hitting your app, it's the certs on these servers that actually matter. – photoionized Apr 21 '16 at 04:26
  • So then theoretically couldn't I put the cert on my custom domain provider? – thesecretmaster Apr 21 '16 at 10:30
  • @thesecretmaster -- by domain provider do you mean your DNS provider? DNS and a proxy are two substantially different things--Cloudflare just happens to nicely conflate the two with universal SSL. If you want to do this without something like Cloudflare, you could put the cert on your own proxy server and have it work, but at that point you'd have to have a server that you own and manage... so kind of defeats the purpose of using Heroku... – photoionized Apr 21 '16 at 12:23
  • So what is Cloudflare? A DNS provider and also an SSL provider? – thesecretmaster Apr 21 '16 at 12:39
  • @thesecretmaster: It's a CDN that has some additional features like providing SSL, to use it you use your domain registrar to transfer your nameservers to Cloudflare, so in that sense, yeah, it controls both DNS and SSL as well as many other things. Rather than trying to write a bunch about Cloudflare features here though and expanding the scope of the question, why don't you read about it for yourself? https://www.cloudflare.com/ – photoionized Apr 21 '16 at 13:14
  • @thesecretmaster: to clarify though, the features I described in my original answer are free in Cloudflare, you don't have to pay for them. – photoionized Apr 21 '16 at 13:15
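
The certificate mismatch described in the answer, as an added example that is not part of the original answer or comments: it runs the hostname check a TLS client performs against a wildcard `*.herokuapp.com` certificate and against a certificate issued for a custom domain. The certificates are throwaway self-signed stand-ins built inline, and `myapp.herokuapp.com`, `a.b.herokuapp.com` and `www.example.com` are placeholder hostnames; only name matching is checked, not chain trust.

```ruby
require "openssl"

# Build a throwaway self-signed certificate (constructed sample, not a real
# Heroku or customer certificate) whose subjectAltName lists `names`.
def build_cert(names)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{names.first}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  san = names.map { |n| "DNS:#{n}" }.join(",")
  cert.add_extension(ef.create_extension("subjectAltName", san, false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# The same name check a TLS client runs against the certificate it was served.
def name_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

PLATFORM_CERT = build_cert(["*.herokuapp.com"])   # what the shared proxy presents
CUSTOM_CERT   = build_cert(["www.example.com"])   # what a custom cert would present

CHECKS = {
  "platform cert, myapp.herokuapp.com" => name_matches?(PLATFORM_CERT, "myapp.herokuapp.com"),
  "platform cert, www.example.com"     => name_matches?(PLATFORM_CERT, "www.example.com"),
  "platform cert, a.b.herokuapp.com"   => name_matches?(PLATFORM_CERT, "a.b.herokuapp.com"),
  "custom cert, www.example.com"       => name_matches?(CUSTOM_CERT, "www.example.com"),
}
CHECKS.each { |label, ok| puts "#{label}: #{ok ? 'match' : 'MISMATCH'}" }
```

The wildcard covers exactly one label, so the custom domain and the two-level subdomain both fail the check no matter what the application behind the proxy does.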