Disabling SSL for a Heroku App


Problem description



I recently changed the domain for a Rails app I have running on Heroku. I redirected the original to the new one, and for the last couple of months have been running SSL on both. I tried to remove SSL from the original domain since all it does is redirect.

I did everything I thought I should:

  • Turned off SSL in the app with config.force_ssl = false in production.rb
  • Changed DNS ALIAS and CNAME to point to "myapp.herokuapp.com"
  • Removed the SSL endpoint and certs

If I go to myapp.herokuapp.com, everything is fine, but if I go to myapp.com or www.myapp.com, it automatically tries to take me to the secure version of the site, https://myapp.com, and I get the standard security error warning from my browser.

Am I missing something? Is it a caching issue? Does it just take time for the DNS change to kick in? I've tried on a few machines/browsers, and the issue is consistent across all of them.

Worst case, I can definitely add the SSL Endpoint back on, but it seems like overkill.

Solution

config.force_ssl = true enables the Strict Transport Security header (HSTS) with a max-age of one year. See this issue. Such a header forces browsers that support it to contact the server over HTTPS for one year. This is to prevent attacks in which a man in the middle downgrades the HTTPS connection to HTTP.

Moving out of HTTPS for production sites that were served with HSTS is not very easy. You should keep your site served over HTTPS and return the HSTS header with max-age=0 to reset the one-year setting. The problem is to decide for how long you need to keep HTTPS. To be absolutely sure that all clients are switched, you should do it for one year. You may decide to do it for a shorter period, but at the risk of breaking the site for clients that are visiting infrequently.
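The following is an added example, not code from the question or the answer above: a small pure-Ruby model of how a browser stores and applies an HSTS policy (RFC 6797), used to walk through exactly the situation in the question. It builds the Strict-Transport-Security header in the same shape Rails' ActionDispatch::SSL emits, parses it back, and keeps a browser-side store that honours the header only on HTTPS responses and deletes the policy on max-age=0. The host name, the dates and the hsts_header / parse_hsts / BrowserHstsCache names are all constructed for the example and are not part of Rails or the original post.

```ruby
# Added example: a minimal model of HSTS (RFC 6797) behaviour, showing why a
# site that once sent the header cannot simply stop serving HTTPS.
# Pure Ruby, no Rails dependency. All names and values below are constructed.
require "uri"

ONE_YEAR = 365 * 24 * 60 * 60   # the default max-age behind config.force_ssl = true

# Build a Strict-Transport-Security value (max-age, optional includeSubDomains).
# expires: 0 is the value you send, over HTTPS, to make browsers forget the policy.
def hsts_header(expires:, subdomains: false)
  value = "max-age=#{expires.to_i}"
  value += "; includeSubDomains" if subdomains
  value
end

# Parse a header value into { max_age:, subdomains: }; nil if no max-age directive.
def parse_hsts(value)
  directives = value.split(";").map(&:strip)
  match = directives.map { |d| d.match(/\Amax-age=(\d+)\z/i) }.compact.first
  return nil unless match
  { max_age: match[1].to_i,
    subdomains: directives.any? { |d| d.casecmp("includeSubDomains").zero? } }
end

# A browser's HSTS store, with the RFC 6797 rules that matter here:
#  * the header is honoured only on a response received over HTTPS;
#    on a plain-HTTP response it is ignored;
#  * max-age=0 deletes the stored policy for that host;
#  * while a non-expired policy exists, http:// URLs for the host (and, with
#    includeSubDomains, its subdomains) are rewritten to https:// before any
#    request is sent, so the server never sees the plain-HTTP attempt.
class BrowserHstsCache
  def initialize(clock: -> { Time.now })
    @clock = clock          # injected so expiry can be tested deterministically
    @store = {}             # host => { expires_at: Time, subdomains: bool }
  end

  def observe_response(host:, secure:, headers:)
    value = headers["Strict-Transport-Security"]
    return :ignored unless secure && value
    policy = parse_hsts(value)
    return :ignored unless policy
    if policy[:max_age].zero?
      @store.delete(host)
      :cleared
    else
      @store[host] = { expires_at: @clock.call + policy[:max_age],
                       subdomains: policy[:subdomains] }
      :stored
    end
  end

  def must_upgrade?(host)
    entry = @store[host] || parent_policy(host)
    return false unless entry
    if entry[:expires_at] <= @clock.call
      @store.delete(host)   # expired policies are dropped
      return false
    end
    true
  end

  # Rewrite a navigation URL the way the browser would before connecting.
  def resolve(url)
    must_upgrade?(URI(url).host) ? url.sub(/\Ahttp:/, "https:") : url
  end

  private

  # A policy on a parent domain applies only if it carried includeSubDomains.
  def parent_policy(host)
    labels = host.split(".")
    (1...labels.size).each do |i|
      entry = @store[labels[i..-1].join(".")]
      return entry if entry && entry[:subdomains]
    end
    nil
  end
end

# The sequence from the question, for the constructed host myapp.com.
def walkthrough
  now = Time.utc(2014, 1, 1)
  browser = BrowserHstsCache.new(clock: -> { now })
  host = "myapp.com"
  seen = []
  # 1. Months ago: force_ssl = true, served over HTTPS with a one-year policy.
  browser.observe_response(host: host, secure: true,
    headers: { "Strict-Transport-Security" => hsts_header(expires: ONE_YEAR) })
  seen << browser.resolve("http://myapp.com/")
  # 2. Now: endpoint removed. Even a max-age=0 header on a plain-HTTP response
  #    is ignored, and the browser keeps rewriting to https, which now fails.
  browser.observe_response(host: host, secure: false,
    headers: { "Strict-Transport-Security" => hsts_header(expires: 0) })
  seen << browser.resolve("http://myapp.com/")
  # 3. The fix in the answer: keep HTTPS up and return max-age=0 over HTTPS.
  browser.observe_response(host: host, secure: true,
    headers: { "Strict-Transport-Security" => hsts_header(expires: 0) })
  seen << browser.resolve("http://myapp.com/")
  seen   # ["https://myapp.com/", "https://myapp.com/", "http://myapp.com/"]
end
```

Step 2 is the symptom from the question: once the one-year policy is cached, the browser rewrites the URL before it ever contacts the server, so removing the SSL endpoint breaks the old domain rather than freeing it. In a Rails app the header value with expires 0 would come from the SSL middleware options (assumed here to be config.ssl_options = { hsts: { expires: 0 } } on a version that supports that key), and it has to be served over HTTPS for as long as you expect returning clients, as the answer says.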

