Free SSL with CloudFlare and Heroku

[winston]

Recently, I set up CloudFlare with Heroku to make good use of its Universal SSL and essentially made Dasherize https the poor man's way.

My aim was to get the following working:

• http://dasherize.com redirects to https://www.dasherize.com
• http://www.dasherize.com redirects to https://www.dasherize.com
• https://dasherize.com redirects to https://www.dasherize.com
• https://www.dasherize.com works!

Here are the steps to get that working:

1) Sign up for a CloudFlare account

Go to https://www.cloudflare.com/.

2) Add a website to CloudFlare

3) Configure CNAME

After you have scanned your website, you will probably see an A entry and a CNAME entry.

Modify (and/or delete) the A and CNAME entries so that they become:

• CNAME, dasherize.com to Heroku domain name
• CNAME, www to Heroku domain name

It might look strange to have two CNAME going to the same Heroku domain, but CloudFlare supports CNAME Flattening so we are good.

4) Wait for DNS to propagate

At this point, we can wait for DNS to propagate and when it's done:

• http://dasherize.com redirects to https://dasherize.com
• http://www.dasherize.com redirects to https://www.dasherize.com

And the DNS entries should look like so (with some information ommitted):

$ curl -I http://dasherize.com
HTTP/1.1 301 Moved Permanently
...
Location: https://dasherize.com/
Via: 1.1 vegur
Server: cloudflare-nginx

$ curl -I http://www.dasherize.com
HTTP/1.1 301 Moved Permanently
...
Location: https://www.dasherize.com/
Via: 1.1 vegur
Server: cloudflare-nginx

$ curl -I https://dasherize.com
HTTP/1.1 200 OK
Server: cloudflare-nginx
...
Via: 1.1 vegur

$ curl -I https://www.dasherize.com
HTTP/1.1 200 OK
Server: cloudflare-nginx
..
Via: 1.1 vegur

We are almost there, we are just left with redirecting http://dasherize.com to https://www.dasherize.com.

You might be thinking.. But why www? Everyone has different opinions.

5) Final Redirection

To redirect http://dasherize.com to https://www.dasherize.com, we need to include add a Page Rule that:

Forwards (301) https://dasherize.com/* to https://www.dasherize.com

And with that, the DNS entries will look like:

$ curl -I http://dasherize.com
HTTP/1.1 301 Moved Permanently
...
Location: https://dasherize.com/
Via: 1.1 vegur
Server: cloudflare-nginx

$ curl -I http://www.dasherize.com
HTTP/1.1 301 Moved Permanently
...
Location: https://www.dasherize.com/
Via: 1.1 vegur
Server: cloudflare-nginx

$ curl -I https://dasherize.com
HTTP/1.1 301 Moved Permanently
...
Server: cloudflare-nginx
Location: https://www.dasherize.com/

$ curl -I https://www.dasherize.com
HTTP/1.1 200 OK
...
Server: cloudflare-nginx
Via: 1.1 vegur

6) Full SSL

Finally, go to the Crypto page, and make sure that you have selected the Full option for your SSL. You can read more about the differences by clicking on Help below the select options.

---

With these 6 steps, you now have a SSL enabled site for $0, all thanks to CloudFlare's Full SSL option:

Since all Heroku apps comes free with https and that, quoting CloudFlare, "CloudFlare will not attempt to validate the certificate", hence it makes it easy for us to have the Dasherize site SSL-enabled.

Also, don't forget to set config.force_ssl = true in your Rails production.rb.

---

Thank you for reading.

@winston ✏️ Jolly Good Code

About Jolly Good Code

We specialise in Agile practices and Ruby, and we love contributing to open source.
Speak to us about your next big idea, or check out our projects.

[joshteng]

@winston tremendously helpful and cost saving tip!

[winston]

@joshteng ka-ching!

[fadhlirahim]

👍

[tmlee]

@winston Nice that does the job in a few steps!
I supposed for something more granular, https://github.com/tobmatth/rack-ssl-enforcer can be considered?

[winston]

@tmlee Yup. That gem seems to do the job.

[faizalzakaria]

interesting.

[lordhumunguz]

Thanks Winston!

the redirecting from http to https doesn't seem to be automatic. Did you have to turn it on somewhere? I get 200 OK's for both http and https.

[joshteng]

@4thethrillofit I do a 301 http -> https redirection at my DNS. fyi, using cloudflare. But I think if ure still using Rails, there's a config to force ssl I think.

[winston]

@4thethrillofit Is it a Rails app? As what @joshteng said:

Also, don't forget to set config.force_ssl = true in your Rails production.rb.

[lordhumunguz]

Yep! @joshteng apparently they want you to use Page Rules

[joshteng]

@4thethrillofit it was weird at first but i got to love it fast enough. haha

[choonkeat]

another day, another free SSL https://aws.amazon.com/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/

... at no extra cost. SSL/TLS certificates provisioned through AWS Certificate Manager are free!

ACM will allow you to start using SSL in a matter of minutes. After your request a certificate, you can deploy it to your Elastic Load Balancers and your Amazon CloudFront distributions with a couple of clicks. After that, ACM can take care of the periodic renewals without any action on your part.

[guptarohit]

Is dasherize.com hosting on heroku?
I am using shared hosting, how can I make it work.
In my case records looks like(I have removed 'A' records):

Type	Name	Value	TTL
CNAME	mydomain.xyz	is an alias of clcp.hostingprovider.com	Automatic
CNAME	www	is an alias of clcp.hostingprovider.com	Automatic

still not working, I also tried the value of A record(which I've removed now) in place of CNAME's value. Can you suggest possible solution?