Heroku + Cloudflare completely free SSL

Question

Attempting to get completely free SSL on Heroku using Cloudflares new free Universal SSL

Read this article: http://mikecoutermarsh.com/adding-ssl-to-heroku-with-clou

Answer 1

To get this to work, you need to create a Page Rule on Cloudflare for your domain. Mine looks something like this:

URL Pattern: my-domain.co/*
Forwarding to: https://www.my-domain.co/$1

From there, you can use a CNAME on www to point to my-domain.herokuapp.com.

Cloudflare (and most other DNS providers) do not allow CNAME records for the root domain. Only for subdomains. www is a subdomain, so you can force all traffic to www and cname that to heroku.

Answer 2

To get the apex domain to work, you probably need to use DNS provider that supports ALIAS records, Cloudflare also does DNS and would likely work. More providers listed here: https://devcenter.heroku.com/articles/custom-domains#root-domain

Answer 3

This does work exactly as I had it set up. The problem was that it took a couple days for CloudFlare to issue their Unlimited SSL. Once it says 'SSL active' under your CloudFlare SSL settings, it will work.

Answer 4

There is a catch: it's unsecure between Heroku and Cloudflare.

• It can work with "Flexible SSL" — unencrypted HTTP between Heroku and CF. We don't want that.
• It also works with "Full SSL" — HTTPS between Heroku and CF but without CF validating the certificate. Heroku presents a *.herokuapp.com cert, CF is happy. Unfortunately, a man-in-the-middle between Heroku and CF can present a self-signed snakeoil.co.mordor cert an CF would be equally happy (and the user can't tell, they only see CF's cert)! It's documented in the Full SSL section of the CloudFlare blog post Introducing Strict SSL.
• But "Full SSL (strict)" does NOT work, because CF expects Heroku to present yourdomain.com cert, and gives an error page :-(
  [You can of course get such a cert youself and pay Heroku for serving it to CF but that's going back to square one... You do get benefits of CDN, but it's not "completely free SSL on Heroku".] This situation is discussed in the CloudFlare article Configure CloudFlare and Heroku over HTTPS.

So is this setup with Full SSL acceptable? One could argue that the links between CF and Heroku are probably "in the backbone, above the clouds" and relatively hard to control for an active attacker, so the communication is clearly safer than no TLS at all. BUT it's not end-to-end secure, and you're giving the user a false sense of security normally associated with HTTPS and the green lock icon, and some would say that's worse then being up front with no TLS at all... [See opinions on https://news.ycombinator.com/item?id=8382335]

As of Feb 2015, I saw no option in CF to configure Full Strict mode to expect a cert on some other domain. I have no idea why CF don't allow that, it'd clearly be technically doable.