
SSL Is Now Included on All Paid Dynos - edmorley
https://blog.heroku.com/ssl-is-now-included-on-all-paid-dynos
======
dtnewman
I've been using this in beta for some of my personal projects that run on
hobby dynos. This doesn't actually give you the certificates; it just allows
you to upload the certificates you get elsewhere to Heroku and then configures
the server for your Heroku app from there. I find it very helpful to be able
to do this for free... for some of my hobby projects, it's cost-prohibitive to
spend more than a few dollars a month on SSL.

If you want to get the certificates for free as well, there's a guide at the
link below that can help for setting this up with Let's Encrypt. The title is
"LET'S ENCRYPT WITH A RAILS APP ON HEROKU", but I followed mostly the same
steps for a Flask/Python app and it worked fine. The only step that was Rails
specific was for setting up a route to the verification content, which is
pretty easy to do in any framework that I can think of (to verify the
website's ownership, Let's Encrypt makes you set up an endpoint at
`<your-site>/.well-known/acme-challenge/<verification-string-they-give-you>` that
simply returns a long random string they give you in the CLI). See:
[http://collectiveidea.com/blog/archives/2016/01/12/lets-encrypt-with-a-rails-app-on-heroku/](http://collectiveidea.com/blog/archives/2016/01/12/lets-encrypt-with-a-rails-app-on-heroku/)
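
The challenge endpoint described above, as an added example that is not part of the original comment or of the linked guide: a standard-library WSGI app (no Flask or Rails) that answers only an exact, known token and returns the key authorization string for it. The token and response are read from two environment variables whose names are assumed here (ACME_CHALLENGE_TOKEN, ACME_CHALLENGE_RESPONSE); everything else under the path, including malformed tokens, gets a 404.

```python
"""Minimal HTTP-01 responder for /.well-known/acme-challenge/<token>."""
import os
import re
from wsgiref.simple_server import make_server

ACME_PREFIX = "/.well-known/acme-challenge/"
# ACME tokens are base64url; reject anything outside that alphabet (so no
# slashes or dots) before any lookup happens.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{1,128}$")


def load_challenges(environ=os.environ):
    """Map token -> key authorization from env vars (names are assumed)."""
    token = environ.get("ACME_CHALLENGE_TOKEN")
    response = environ.get("ACME_CHALLENGE_RESPONSE")
    return {token: response} if token and response else {}


def handle_request(path, challenges):
    """Return (status, body) for one request path."""
    if not path.startswith(ACME_PREFIX):
        return "404 Not Found", b""
    token = path[len(ACME_PREFIX):]
    if not TOKEN_RE.match(token) or token not in challenges:
        return "404 Not Found", b""
    return "200 OK", challenges[token].encode("ascii")


def app(environ, start_response):
    """WSGI entry point; nothing but the challenge path is served."""
    status, body = handle_request(environ.get("PATH_INFO", ""),
                                  load_challenges())
    start_response(status, [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    port = int(os.environ.get("PORT", "5000"))  # Heroku injects PORT
    make_server("", port, app).serve_forever()
```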

------
dahdum
I don't often visit Heroku but it's always a trip to see their pricing. It's
like the past 8 years of hardware cost reductions never happened, and you're
still stuck paying $25/month for 512MB ram.

~~~
joshmn
While I agree with your disdain, I have to remind you that there's a lot more
to Heroku than just hardware. I mean, after all, they're sitting atop AWS.

I can't go anywhere else and do _service create_ followed by _git push service
master_ and be ready to go within a minute.

~~~
mderazon
You could go with Dokku and host it on a $5 Digital Ocean instance.

Almost the same features plus you can install a Let's Encrypt plugin to handle
SSL for free. Main difference is that you can't scale up - doesn't have that
whole dynos thing.

[https://github.com/dokku/dokku](https://github.com/dokku/dokku)

~~~
jdietrich
The fully-loaded cost of a good engineer is $150-$300/hr. Unless you're
operating at _serious_ scale, the cost of Heroku is a rounding error.

------
edmorley
This makes a big difference to small projects using the $7 hobby dynos, where
the $20 of the SSL Endpoint add-on made Heroku less attractive than other
options.

I'm interested to know how performance compares to the add-on, which uses a
dedicated ELB per app (which is why it cost $20). On the one hand I would
imagine switching to this new feature removes the need to pre-warm the
endpoint ([https://devcenter.heroku.com/articles/ssl-endpoint#performance](https://devcenter.heroku.com/articles/ssl-endpoint#performance)),
but on the other could presumably introduce noisy neighbour issues.

"we will be rolling out exciting new features to it over the coming months"
...native Let's Encrypt support perhaps? :-)

------
jalada
Woohoo!

I'm sure eventually they'll add automatic LetsEncrypt certificates too. But in
the meantime if you're using Ruby on Rails on Heroku, this gem (that I made)
will probably help:
[https://github.com/pixielabs/letsencrypt-rails-heroku](https://github.com/pixielabs/letsencrypt-rails-heroku)

~~~
Sachse
This is what I've been using for the last month or so, it's been working
really well! Thanks for the gem!

------
jakewins
The irony of doing this on Heroku, when the push for encryption that surely
influenced this work reached escape velocity from the same Snowden leaks that
said "oh, and anything at all that you store with AWS is open season to the
NSA".

So it's Heroku reacting to that push by encrypting inbound data, and then
storing it in a cloud with zero privacy protection.

Which, I don't mean to be cynical - it's way better than not encrypting at
all, it's just a bit funny, in a sad, Orwellian way.

~~~
koolba
> So it's Heroku reacting to that push by encrypting inbound data, and then
> storing it in a cloud with zero privacy protection.

What data are they storing? I'm pretty sure they just pipe the inbound request
to whatever process is running your app. They (Heroku) aren't saving every
request or response body. It'd be an insane amount of traffic.

Now someone _could_ tap into that but none of this makes things less secure.
They're just changing the way inbound SSL is handled by offering free SNI
based SSL to everybody. That's a good thing, not a bad thing. The alternative
is having a dedicated endpoint per application serving the exact certificate
for that app (which is why the cost for it was non-free before).

------
darkxanthos
I seriously had no idea Heroku was still even actively being worked on. Nice
to see a much needed upgrade!

------
Artemis2
Why not automatically provision Let's Encrypt certificates for associated
domains?

~~~
tal_berzniz
We've set it up in our company with NGINX and Lua
([https://github.com/GUI/lua-resty-auto-ssl](https://github.com/GUI/lua-resty-auto-ssl))
and it works great.

------
neoCrimeLabs
I know some people use SSL and TLS interchangeably, but just in case, I'd
recommend using TLS not SSL. SSLv2 and SSLv3 have known security issues and
have been superseded by TLSv1 and above.

Also, here's a great server side TLS guide that explains best practices for
TLS:
[https://wiki.mozilla.org/Security/Server_Side_TLS](https://wiki.mozilla.org/Security/Server_Side_TLS)

~~~
brettgoulder
Sorry about the confusion. It is all TLS under the hood, SSLv3 is completely
disabled:
[https://devcenter.heroku.com/articles/ssl#supported-ssl-protocols](https://devcenter.heroku.com/articles/ssl#supported-ssl-protocols)
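
A client-side check for the protocol statement above, added here as an example and not taken from Heroku's documentation or the comment: it connects with SNI (the mechanism the free endpoint relies on), refuses SSLv3, TLS 1.0 and TLS 1.1 outright, and reports what the server negotiated. The hostname is a placeholder command-line argument.

```python
"""Probe what an endpoint negotiates with a client that refuses legacy SSL/TLS."""
import socket
import ssl
import sys


def strict_client_context():
    """Client context that verifies the chain and hostname and speaks TLS 1.2+ only."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_acceptable(protocol):
    """True only for TLS 1.2 or newer; SSLv3 and TLS 1.0/1.1 are rejected."""
    return protocol in ("TLSv1.2", "TLSv1.3")


def probe(host, port=443, timeout=5.0):
    """Return (protocol, cipher_name, san_dns_names) negotiated with host via SNI."""
    ctx = strict_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname sets the SNI extension so a shared endpoint can
        # pick the right certificate for this name.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
            return tls.version(), tls.cipher()[0], sans


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder
    try:
        proto, cipher, sans = probe(host)
        verdict = "ok" if is_acceptable(proto) else "LEGACY PROTOCOL"
        print(f"{host}: {proto} {cipher} SAN={sans} -> {verdict}")
    except ssl.SSLError as exc:
        print(f"{host}: handshake failed with a TLS 1.2+ client: {exc}")
```

A handshake failure here means the server offered nothing newer than TLS 1.1 (or the certificate did not validate for the SNI name), which is exactly what this thread says should no longer happen.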

------
Mizza
If you're a Python user, there is absolutely no reason to use Heroku over
Zappa[0]. Zappa is cheaper (usually free), it's faster, it has auto-renewing
Let's Encrypt certs out of the box, it doesn't have a warm-up time, it's more
scalable and you never have to worry about ops.

Heroku's day has come and gone, quite frankly. Obviously, I'm biased because
I'm the author, but you should evaluate it for yourself.

[0] [https://github.com/Miserlou/Zappa](https://github.com/Miserlou/Zappa)

~~~
mtmail
Missing disclaimer: you're one of the main authors of zappa and sell training
and support packages.

~~~
Mizza
This is true, disclaimer added (although it's so easy to use, I've never
actually sold any :) I worked for free for six months to make an open source
project that's better than Heroku, so I don't feel bad about promoting it).

But, it's still absolutely true. For Python users, you should use Zappa for
web apps and ECS for anything that requires long-running processes. I just
don't see how Heroku makes sense any more.