Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
336 views
in Technique[技术] by (71.8m points)

ruby on rails - Heroku SSL on root domain

I am trying to setup SSL for my heroku app. I am using the hostname based SSL add-on. The heroku documentation states the following:

Hostname based SSL will not work with root domains as it relies on CNAME 
aliasing of your custom domain names. CNAME aliasing of root domains is 
an RFC violation. 

As expected everything works well when I access the site using the www subdomain, i.e. https://www.foo.com. The browser complains when I access https://foo.com as the certificate presented is for heroku.com.

I concluded that I have to redirect the traffic for foo.com to www.foo.com to address this issue. I am considering following approaches:

1) DNS based redirection

The DNS provider Zerigo supports the redirect records. I came across a question on a similar subject on SO. I tried the solution, it works ONLY for HTTP redirection(Zerigo documentation confirms this).

My Zerigo configuration:

foo.com      A             x.x.x.x
foo.com      redirect      http://www.foo.com
www.foo.com  CNAME         zzz.amazonaws.com

2) Rack based redirection

Add a rack based middle-ware to perform the redirection. The canonical-host gem provides such support.

use CanonicalHost do
  case Rails.env.to_sym
    when :staging     then 'staging.foo.com'
    when :production  then 'www.foo.com'
  end
end

I am wondering if there is a better solution for this(barring switching to $100 per month IP based SSL)

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Wow...this took me forever, and a bunch of info on the web was wrong. Even Heroku's docs didn't seem to indicate this was possible.

But Jesper J's answer provides a hint in the right direction: it works with DNSimple's ALIAS record which I guess is some new sort of DNS record they created. I had to switch my DNS service over to them just to get this record type (was previously with EasyDNS).

To clarify when I say "works" I mean:

  • entire site on SSL using your root domain
  • no browser warnings
  • using Heroku's Endpoint SSL offering ($20/month)

It works for all of the following urls (redirects them to https://foo.com with no warnings)

To summarize the important bits.

  1. move your DNS over to DNSimple (if anyone knows other providers offering an ALIAS record please post them in the comments, they were the only one I could find)
  2. setup Heroku endpoint ssl as normal https://devcenter.heroku.com/articles/ssl-endpoint
  3. Back in DNSimple add an ALIAS record pointing foo.com to your heroku ssl endpoint, something like waterfall-9359.herokussl.com
  4. Also add a CNAME record pointing www.foo.com to your heroku ssl endpoint, waterfall-9359.herokussl.com
  5. finally in your rails (or whatever) app make the following settings:

in production.rb set

config.force_ssl = true

in application_controller.rb add

before_filter :check_domain

def check_domain
  if Rails.env.production? and request.host.downcase != 'foo.com'
    redirect_to request.protocol + 'foo.com' + request.fullpath, :status => 301
  end
end

This finally seems to work! The key piece seems to be the ALIAS dns record. I'd be curious to learn more about how it works if anyone knows, and how reliable/mature it is. Seems to do the trick though.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...