I am trying to set up SSL for my heroku app. I am using the hostname based SSL add-on. The heroku documentation states the following:
Hostname based SSL will not work with root domains as it relies on CNAME
aliasing of your custom domain names. CNAME aliasing of root domains is
an RFC violation.
As expected everything works well when I access the site using the www subdomain, i.e. https://www.foo.com. The browser complains when I access https://foo.com as the certificate presented is for heroku.com.
I concluded that I have to redirect the traffic for foo.com to www.foo.com to address this issue. I am considering the following approaches:
1) DNS based redirection
The DNS provider Zerigo supports redirect records. I came across a question on a similar subject on SO. I tried the solution; it works ONLY for HTTP redirection (Zerigo documentation confirms this).
My Zerigo configuration:
foo.com A x.x.x.x
foo.com redirect http://www.foo.com
www.foo.com CNAME zzz.amazonaws.com
2) Rack based redirection
Add a rack based middleware to perform the redirection. The canonical-host gem provides such support.

    use CanonicalHost do
      case Rails.env.to_sym
        when :staging then 'staging.foo.com'
        when :production then 'www.foo.com'
      end
    end

I am wondering if there is a better solution for this (barring switching to $100 per month IP based SSL).
Comments (7)
Wow...this took me forever, and a bunch of info on the web was wrong. Even Heroku's docs didn't seem to indicate this was possible.
But Jesper J's answer provides a hint in the right direction: it works with DNSimple's ALIAS record which I guess is some new sort of DNS record they created. I had to switch my DNS service over to them just to get this record type (was previously with EasyDNS).
To clarify when I say "works" I mean:
It works for all of the following urls (redirects them to https://foo.com with no warnings)
To summarize the important bits.
ALIAS record pointing foo.com to your heroku ssl endpoint, something like waterfall-9359.herokussl.com
CNAME record pointing www.foo.com to your heroku ssl endpoint, waterfall-9359.herokussl.com
in production.rb set
in application_controller.rb add
This finally seems to work! The key piece seems to be the ALIAS dns record. I'd be curious to learn more about how it works if anyone knows, and how reliable/mature it is. Seems to do the trick though.
DNSimple offers an ALIAS record type to address this need. You can create an alias from your root domain (a.k.a zone apex) pointing to a CNAME. Read more about it here:
http://blog.dnsimple.com/introducing-the-alias-record/
DNS redirects wouldn't care whether the inbound request is http or https so would maintain the original protocol - so would redirect http://foo.com to http://www.foo.com and the same for https.
You'll need to do it within the application via the gem you found or some other rack redirect gem or if www. is a problem use the IP based SSL addon.
One thing you will want to keep in mind is that Google might index both versions of your site if both versions are accessible (Root vs WWW). You would need to set up canonicals to handle that, which might be a pain to upkeep.
In my DNS settings I set up a URL / Forward record (DNS Simple)
The CNAME setup only needs to be set up for WWW
I also had to set up an Alias for my root
Then I decided to simply replace foo.com with an env variable ENV['SITE_HOST'] (where SITE_HOST=www.foo.com or whatever I might define). I can control this via my heroku configuration or my .env file (see https://github.com/bkeepers/dotenv). That way, I can control what happens in different environments.
For example, my test app uses test.foo.com as the url; it also has its own SSL endpoint, so that works fine for me. This also scales to create staging or qa specific environments as well.
From now on, end users will always access www with forced SSL. Old links will suffer a small hang but nothing noticeable.
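An added example, not code from any poster in this thread: a gem-free Rack middleware that does the canonical-host and forced-HTTPS redirect the answers above describe, taking the target host from configuration rather than from the request's Host header. It assumes SITE_HOST names the canonical host and that the platform router terminates TLS and sets X-Forwarded-Proto; the class name and the sample requests are constructed for illustration.

```ruby
# Added example: minimal Rack-compatible middleware (no gems required).
# Assumptions: SITE_HOST holds the canonical host; the router in front of the
# app terminates TLS and passes the original scheme in X-Forwarded-Proto.
class CanonicalHttpsRedirect
  def initialize(app, canonical_host: ENV.fetch('SITE_HOST', 'www.foo.com'))
    @app = app
    @canonical_host = canonical_host.downcase
  end

  def call(env)
    # Normalise the requested host: lower-case it and drop any :port suffix.
    host = env['HTTP_HOST'].to_s.downcase.sub(/:\d+\z/, '')
    proto = env['HTTP_X_FORWARDED_PROTO'] || env['rack.url_scheme']
    scheme = proto.to_s.split(',').first.to_s.strip
    return @app.call(env) if host == @canonical_host && scheme == 'https'

    # The redirect target is built from configuration, never from the Host
    # header, so a forged Host value cannot steer visitors to another site.
    location = "https://#{@canonical_host}#{env['PATH_INFO']}"
    query = env['QUERY_STRING'].to_s
    location += "?#{query}" unless query.empty?
    [301, { 'location' => location, 'content-type' => 'text/plain' }, ["Moved\n"]]
  end
end

# Constructed sample request, expressed as a Rack env hash.
def demo_env(host, proto, path = '/', query = '')
  { 'HTTP_HOST' => host, 'HTTP_X_FORWARDED_PROTO' => proto,
    'rack.url_scheme' => 'http', 'PATH_INFO' => path, 'QUERY_STRING' => query }
end

DEMO_APP = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }
DEMO_STACK = CanonicalHttpsRedirect.new(DEMO_APP, canonical_host: 'www.foo.com')

if __FILE__ == $PROGRAM_NAME
  [['foo.com', 'http'], ['www.foo.com', 'http'],
   ['other.example', 'https'], ['www.foo.com', 'https']].each do |host, proto|
    status, headers, = DEMO_STACK.call(demo_env(host, proto, '/login', 'next=%2F'))
    puts "#{proto}://#{host}/login -> #{status} #{headers['location']}"
  end
end
```

A request to https://foo.com reaches this code only after the TLS handshake has completed, so the redirect does not remove the certificate warning on the root domain; the root still has to present a matching certificate, which is what the ALIAS record setup achieves.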
On the Rails part, to make the redirection, it'd be more sane to make it occur on the router layer, like this (works on Rails 3+):
For those heroku users using godaddy previously, I just finished porting the DNS over from godaddy to cloudflare. And the https is working fine now.
Godaddy DNS is incompatible with heroku. And this is due to:
Setting up is fairly simple.
First, add the nameservers of the cloudflare into godaddy dns manager. These are some examples:
Next, you only need two more steps.
NAME.com and link it to NAME.com.herokudns.com
www.NAME.com linked to www.NAME.com.herokudns.com
If you are using Rails, be sure to set config.force_ssl = true at config/environment/production.rb
I found DNSimple to be complicated for my current web developer competence. I finally signed up with easyDNS and moved the domain I purchased at Godaddy over to easyDNS. Annual cost for a standard easyDNS subscription is currently $20. Good thing about easyDNS is that they actually answer their phone. A few minutes on the phone and I had my DNS target configured properly for Heroku. Tested my app and it worked for HTTP. When I upgraded my heroku app to a paid hobby dyno, which is currently $7/mo, it instantly applied SSL protection. Tested my app in the browser again, and it worked serving over HTTP and HTTPS. Next, I uncommented some code in my nodejs app that redirects http => https. One more test in a browser, seems good to go. Secure. Works with www and it works with the root domain. Bottom line: you may not have to pay for a Heroku Endpoint at $20/mo. Hope that helps.