I've created a self-signed certificate, added it to Heroku, and provisioned an SSL endpoint on Heroku, and when I run heroku certs:info it seems to be there.
I'm creating my server on Express like so:
var server = require('http').createServer(app);
And then redirecting to https like so:
app.use(function(req, res, next) {
  // Heroku's router sets X-Forwarded-Proto to the scheme the client used
  var reqType = req.headers["x-forwarded-proto"];
  reqType == 'https' ? next() : res.redirect("https://" + req.headers.host + req.url);
});
The server runs fine, however I came across this code snippet on S.O. to create an https server:
var fs = require('fs');
var keys_dir = './sslcert/';
var server_options = {
  key  : fs.readFileSync(keys_dir + 'server.key'),  // private key (PEM)
  cert : fs.readFileSync(keys_dir + 'server.crt')   // certificate (PEM)
  // a .csr is a signing request, not a CA certificate, so it does not belong in `ca`
};
var server = require('https').createServer(server_options, app);
I don't point to the certs/keys like this example, and my site is running on https (although the lock is red since it's self-signed).
So my question is, how does my server know about my keys/certs without me explicitly pointing to them like the code snippet with server_options? Is this taken care of by Heroku behind the scenes?
How does the SSL Endpoint I set up on Heroku interact with the http server I created with var server = require('http').createServer(app)?
EDIT
I just saw this answer on another question:
"SSL termination occurs at Heroku's load balancers; they send your app plain (non-SSL) traffic, so your app should create a non-HTTPS server."
What does "they send your app plain (non-SSL) traffic" mean exactly? Does this mean that I don't have to redirect to https in my app?
Heroku doesn't provide SSL for the free plan, but you can use Cloudflare, which gives free SSL. You can use Cloudflare as a bridge for SSL.
SSL termination is done on Heroku servers/load-balancers before the traffic gets to your application. The "thing" you added your cert to was not your dyno, but rather a Heroku-controlled server.
So when SSL (https) traffic comes in, it is "stopped" (terminated) at that server. That server opens a new http connection to your dyno, and whatever it gets back it sends over https to the client.
So on your dyno you don't need to "mess" with certs etc., and you will be seeing only incoming http traffic: whether directly from http clients, or from Heroku servers that talk https to clients and http to you.
Redirecting to https is a different matter: if a client "comes" to your app with http, and you prefer they use https, by all means redirect. They will issue a new request, this time https, and go through Heroku's SSL termination and then to your app. But now you know that the path between the client and Heroku is secure (due to the client using https), and the path between the Heroku SSL termination and your dyno is presumably secure (if you trust Heroku...)
HTH