
Use LetsEncrypt and CloudFlare to secure any Heroku app for free - maxehmookau
https://github.com/substrakt/letsencrypt-heroku
======
CiPHPerCoder
Please do keep in mind that CloudFlare is essentially a consensual man-in-the-middle and for certain threat models is not compatible with the "secure" modifier.

If your threat model differs, this is cool.

~~~
samwillis
Do also keep in mind that SSL on Heroku is terminated at their routing layer before your Dynos. Therefore it is as easy for Heroku (Salesforce) to man-in-the-middle your application as it is for CloudFlare, whether that be on instruction for the authorities or due to a bad actor on the staff.

Both of them you have to trust to do the right thing and that is an exercise
left to the individual thinking of using either service. So let's not pretend
that CloudFlare is a special case.

If you need to trust that none of your service providers can MITM your site
then you can't use any PaaS or CDN, you need to terminate the SSL yourself,
that includes for all static assets you use. No more jQuery from Google CDN,
no more analytics/exception tracking/fonts from your favoured provider and no
more advertising conversion tracking.

But then do also remember that it's possible for any web host to take over
their customers' site as long as they own the IP address. They just point the
IP to another server, configure it to respond to the hostname and they can
then even use any SSL certificate provider who validates the domain name with
a file at a specific URL to grab a certificate.

Everyone has to make their own judgment on who they can trust. CloudFlare is
no different.

~~~
dublinben
> No more jQuery from Google CDN, no more analytics/exception tracking/fonts from your favoured provider and no more advertising conversion tracking

Those all sound like reasonable best practices for building a website.

~~~
JohnTHaller
Except for the part where anyone you'd like to partner with isn't going to
trust your internal analytics to gauge your popularity. One of the points of
third party analytics is that you have a disinterested third party who can
provide the data to someone else.

------
dmathieu
Or, if you want to just provision a letsencrypt certificate on Heroku without
cloudflare:

[https://github.com/dmathieu/sabayon](https://github.com/dmathieu/sabayon)

~~~
xutopia
Is it possible to do this on the fly with subdomains? I have a specific
problem with my instance where I have multiple domains and multiple
subdomains. Right now I use a wildcard SSL because the subdomains are
generated on the fly whenever a new client signs up.

Is it possible to create a new certificate without restarting all the servers
each time a new client signs up?

~~~
dmathieu
No, that is not possible with the sabayon architecture. It needs to store
letsencrypt key/token for all domains, and stores them as config vars.

You'd have to store them in a database for example to avoid having to restart
the app. But that wouldn't be a good solution either, as letsencrypt will not
allow you to have more than 100 domains under the same certificate.

------
joeblau
I'm using Cloudflare + Heroku to host
[https://www.gitignore.io](https://www.gitignore.io) [0], but I'm not using a
LetsEncrypt certificate. I'm just using Cloudflare's Universal SSL[1]
certificate. So far everything with Cloudflare has been amazing; they even
prevented a 99 million+ request DDoS attack on my site a few years ago.

[0] - [https://github.com/joeblau/gitignore.io/wiki/System-Architec...](https://github.com/joeblau/gitignore.io/wiki/System-Architecture)

[1] - [https://blog.cloudflare.com/introducing-universal-ssl/](https://blog.cloudflare.com/introducing-universal-ssl/)

------
xutopia
Is it possible to use this with multiple subdomains? I have multiple domains
pointing to a Heroku instance and each domain has multiple subdomains.
Insofar as I understood LetsEncrypt does not support wildcard SSL but is it
possible to use this tool (or another) to secure all subdomains as well?

~~~
maxehmookau
Yep. Just pass in a comma-delimited list to the subdomains parameter
(subdomains=www,hello,another,test) and it'll add all of them to the
certificate.

~~~
moron4hire
Is there a limit? Last I heard you could do up to 100 that way. That'd
certainly be enough for my own needs ( _if_ I were using LetsEncrypt), but I
don't know about other people.

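An added example (not code from letsencrypt-heroku or sabayon) showing how the comma-delimited subdomains parameter and the 100-names-per-certificate limit discussed above fit together: parse and validate the parameter, build the name list for one certificate, and split into separate certificate requests when the limit would otherwise be exceeded. The function and constant names are my own assumptions.

```ruby
# Added example; not part of letsencrypt-heroku or sabayon.
MAX_NAMES_PER_CERT = 100  # Let's Encrypt per-certificate limit quoted in the thread
LABEL = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i  # one DNS label, RFC 1035 style

# Parse "www,hello,another,test" into validated, lower-cased, de-duplicated labels.
# Raises ArgumentError on anything that is not a plain DNS label (e.g. "bad_label").
def parse_subdomains(param)
  labels = param.to_s.split(",").map { |l| l.strip.downcase }.reject(&:empty?)
  bad = labels.reject { |l| l.match?(LABEL) }
  raise ArgumentError, "invalid subdomain label(s): #{bad.inspect}" unless bad.empty?
  labels.uniq
end

# Validate the base domain: at least two labels, each a valid DNS label.
def validate_domain(domain)
  domain = domain.to_s.downcase
  ok = domain.include?(".") && domain.split(".", -1).all? { |l| l.match?(LABEL) }
  raise ArgumentError, "invalid domain: #{domain.inspect}" unless ok
  domain
end

# Names for a single certificate: the apex first, then each subdomain.
# Refuses to build a request Let's Encrypt would reject for having too many names.
def certificate_names(domain, param)
  domain = validate_domain(domain)
  names = [domain] + parse_subdomains(param).map { |l| "#{l}.#{domain}" }
  if names.size > MAX_NAMES_PER_CERT
    raise ArgumentError, "#{names.size} names exceed the #{MAX_NAMES_PER_CERT}-name limit"
  end
  names
end

# When more than 100 names are needed, split them into several certificate
# requests instead of failing; the apex lands in the first batch only.
def certificate_batches(domain, param)
  domain = validate_domain(domain)
  names = [domain] + parse_subdomains(param).map { |l| "#{l}.#{domain}" }
  names.each_slice(MAX_NAMES_PER_CERT).to_a
end
```
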
------
baus
Just to clarify, is traffic unencrypted between CloudFlare and Heroku? Are
those connections over the public internet?

~~~
samwillis
CloudFlare is only providing DNS, no traffic goes through it in this instance.

It is trivial however to set up CloudFlare to have encrypted traffic to your
Heroku app for free when using their CDN/web app firewall service, as your app
is on [https://appname.herokuapp.com](https://appname.herokuapp.com) which
CloudFlare proxies.

------
maxehmookau
We wrote a blog post about it too [https://substrakt.com/heroku-ssl-me-weve-come-a-long-way/](https://substrakt.com/heroku-ssl-me-weve-come-a-long-way/)

------
cmalpeli
Would this solution allow one to secure multiple TLDs on one Heroku
endpoint/application?

~~~
maxehmookau
Not currently but it's on the roadmap.

------
nstj
Cloudflare may not be as awesome as everyone makes it out to be. Discuss.

~~~
maxehmookau
For this use case it really is. The number of DNS providers that have support
for SSL at the domain apex using ALIAS or ANAME records could be counted on
one hand. You don't have to use any of the CloudFlare specific features, but
their DNS management is really good.

~~~
stryk
Would you mind elaborating as to which few specific DNS providers those are?

~~~
maxehmookau
Sure! Heroku have a list here [https://devcenter.heroku.com/articles/custom-domains#configu...](https://devcenter.heroku.com/articles/custom-domains#configuring-dns-for-root-domains)

~~~
stryk
Thanks, cheers

