I'm using Ruby on Rails and AngularJs in my app. I deployed to https://myapp.heroku.com and everything works fine.
Now I bought a custom domain at GoDaddy.com and I set it up with Heroku to redirect to my app. Works fine. The problem is, instead of using HTTPS is using HTTP.
What are the steps to change this? I looked a few tutorials but they seem old and not updated.
According to Heroku the SSL certificate is automatically managed. Do I need to buy a certificate at GoDaddy.com?
Yes, you'll need to get SSL certs from godaddy or some other providers.
Then
go to your app settings in heroku
Look under "Domains and certificates" section
Configure SSL button.
Now just follow the steps and you'll be done.
When it comes to SSL these days, do not run out and purchase one. It can be a waste of your money if you have the skills to set up auto-renewal with Let's Encrypt.
I would recommend checking out SSL Endpoint and Automated Certificate Management from Heroku on setting up and automating the SSL process. There's a lot of information in there and will help keep your costs down.
If this is a bit complicated or you would prefer another plan of attack, you can also use the Let's Encrypt Plugin for Ruby on Rails
Also, don't forget to turn config.force_ssl = true on in your config/environments/production.rb file. This way, Rails will redirect all HTTP traffic to HTTPS. If you would prefer the browser to do the redirects instead of the server, you can have Rails, since you're on Heroku and not a customer Nginx server, respond with a Strict-Transport-Security header; added link so you know how to configure this guy appropriately in regards to your application.
Yes, most web hosting companies require you to purchase an ssl certificate. In the case of GoDaddy.com, check out their ssl certificate page.
Related
I am working on implementing universal links in an iOS app. As per the requirement to implement this I have to serve an apple-app-site-association file from our server end to ensure this is our website.
My concern is that we will serve this file from our real server of course but is there any quicker way to mock this process locally or remotely so that I can bypass the testing phase at the time of implementation? As you know interrupting the other team for some small changes or trial and error seems boring.
It is recommended to have a staging server before you move/deploy you changes in the production. In cases of small projects this could be you local machine. In order for universal links to work you need two things:
The server that hosts the apple-app-site-association needs to have a valid ssl certificate. It will refuse to get the file from a http:// connection or from a https:// with an invalid (e.g. self signed) certificate, unless it is trusted by the device. To make a self signed certificate trusted check here.
The server that hosts the apple-app-site-association needs to publicly accessible because the file is delivered thru CDN, if not when you need to modify the entitlement file to add ?mode=developer, like this: applinks:ourDevServerURL?mode=developer
Currently, I am creating a localhost server using any language(in my opinion golang) then forwarding the localhost to the internet so that ios can access it from anywhere.
I recently downgraded one of my Heroku apps to a free dyno - as a result, the SSL was revoked (cos I was using the SSL provided with a paid dyno). Now, when I visit my site URL, it gives me this error: ERR_SSL_PROTOCOL_ERROR
I've edited my production.rb file to set: config.force_ssl = false and published that code, but it still redirects my site to https when I try to connect on http.
Now, to complicate things:
This only applies to my custom domain - the .herokuapp.com domain works fine
It works fine on incognito mode on both the custom domain and the herokuapp.com domain
I've tried clearing the cookies and cache (for the last 7 days) and it still didn't work :/
Any ideas what I can do?
Edit:
In case it helps, I am using Chrome on Windows 10
Given that you are using Chrome, according to this answer, you need to follow these steps to stop Chrome from redirecting http:// to https://.
Anon is right about STS, but there is a way to specifically delete your domain from the set. Go to chrome://net-internals/#hsts. Enter 3rdrevolution.com under Delete domain security policies and press the Delete button.
Now go to chrome://settings/clearBrowserData, tick the box Cached images and files and press click the button Clear data.
I have a website, http://www.scubastic.com, which I use as a playground app for Ruby on Rails development and SEO hacking. I have run into an issue that I can not seem to fix on my own and it revolves around SSL, SEO, and Heroku.
TL;DR: I had an SSL site and I disabled it but Google still remembers the SSL site. How do I get Google to switch to the Non-SSL site when the SSL site still responds but with a Certificate error??
Basically, when I first created Scubastic.com, I setup Heroku SSL as an excercise in learning it. I setup Google Web Master Tools and began playing around with the various aspects of SEO as well. After I was satisfied, I disabled Heroku SSL and stopped the monthly bill.
Now I have a very interesting problem. Google can't seem to forget the HTTPS version of my site and index is quite stale. Worse, the link people get in Google greets them with an SSL Certificate issue (the *.herokuapp.com Cert doesn't match www.scubastic.com issue) which does nothing to help my page rank. If I manually click through the SSL errors, I do arrive at the website. I find this quite odd because I removed Heroku SSL entirely and the application still responds to SSL requests....to me this is a bug in Heroku and I wish I had greater control over the situation. Alas, I turned to trying to handle this at the application layer because SSL requests still hit the Rails stack (even though these requests should not respond at all!)
So my first attempt at fixing the Google index was to setup a 301 Moved Permanently redirect if any request came into the app as SSL.
class ApplicationController < ActionController::Base
before_filter :redirect_ssl
private
#only need this until Google doesn't link to HTTPS anymore
def redirect_ssl
if request.ssl?
redirect_to "http://#{request.host_with_port}#{request.fullpath}",
:status => :moved_permanently
end
end
end
If you go to Google and search for my site name, you can see the issue I'm having:
https://www.google.com/?q=scubastic
I basically just want Google to stop linking to my SSL site and refresh with the latest content.
Thank in advance for your help.
I was able to resolve the issue with my original post and a lot of patience. It took 5 days for google to update its index but now the link google serves to my site is the non-ssl version.
The redirect is not going to help currently because browsers will barf when they get an invalid certificate when trying to establish a SSL connection to Heroku and that's before any HTTP is done. I don't think it's a bug with Heroku: You removed SSL (and by implication the certificate) and that leaves no way for Heroku to respond correctly to SSL connection requests to your domain.
Here's what you can do:
Re-add SSL on Heroku
Add the redirection you have
Wait for Google to cotton on to the change
Remove SSL
There is also the option of actively asking Google to remove the page, because it's old/not available anymore: Check the webmaster tools help for how to "Remove old or deleted information from Google".
I have this app on heroku the main part of it is called app.example.com for which I have custom domains on heroku, and added endpoint ssl to it. it's all working. By the way, the original www.example.com is very old, and it is hosted somewhere else not on Heroku.
On heroku, I just
heroku domains:add app.example.com
Now, we have an order form for user to order stuff before they get to use the app. and the client wants to have its url as order.example.com instead of app.example.com/order. I looked up routing constraint in Rails from RailsCasts to handle this subdomain redirect, so all's good. then I add it to heroku's custom domains
heroku domains:add order.example.com
then I change the CNAME on the original host of www.example.com to have it point order.example.com to myapps.herokuapps.com (or something). And now accessing order.example.com does bring me to the order form! Just that the https part is showing the usual non-verified cert warning.
So I went ahead and got myself another godaddy certificate, but now when I try to add the certificate to heroku (I have done this once before for app.example.com's https)
heroku certs:add ~/ssl/combined.crt ~/ssl/nopass.key
Adding SSL endpoint to order-dev... failed
! only one SSL endpoint allowed per app (try certs:update instead)
So it seems like I can't actually have more than one SSL certificate per app, does that mean I can actually use what I have for certificate for app.example.com for order.example.com also? If so, what do I have to configure? Or am I doing this all wrong, if so, what should I have done instead?
Thank you for helping out here!
You should buy wildcard certificate for *.example.com as opposed to multiple certs.
I am using Ruby on Rails 3 and I would like to know some information in order to buy SSL certificates.
I have a RoR application at this URL
pjtnam.com
and another RoR application at this URL
users.pjtname.com
If I make an HTTPS request from the application pjtname.com to the application users.pjtname.com like this (in this example I use the Typhoeus gem)
Typhoeus::Request.get(https://users.pjtname.com/sign_in)
and I must receive the response over HTTPS protocoll, how many SSL certificates I must buy?
UPDATE
How many SSL certificates I must buy if
my pjtname.com and users.pjtname.com applications are located on different server?
my applications are pjtname1.com and pjtname2.com and they are located on different server?
If done properly, just one; a wildcard certificate for '*.pjtname.com' and 'pjtname.com' (it's possible to include more than one name in a single certificate).
While you could instead get a certificate for 'pjtname.com' and 'users.pjtname.com', such a certificate would no longer be sufficient when you later decide you need a 'mail.pjtname.com' or a 'chat.pjtname.com' or whatever. The wildcard would cover these future cases.
re: update
It doesn't matter if services are located on different servers; just put the certificate on both servers.
It's possible to have both 'foo.com' and 'bar.com' in a single certificate, just like you can have both 'pjtname.com' and 'users.pjtname.com'. However, it might more difficult to acquire the foo/bar certificate than the pjtname.com/users.pjtname.com.
Also, these answers are true regardless of platform.