Heroku SSL在根域上 [英] Heroku SSL on root domain

问题描述

我正在尝试为我的heroku应用程序安装SSL。我正在使用基于主机名的SSL加载项。 heroku 文档声明以下内容：

 基于主机名的SSL不能在根域中使用，因为它依赖于CNAME 
自定义域名的别名。根域的CNAME别名是
和RFC违规。 
  

正如所料，当我使用 www 子域访问网站时， ，即 https://www.foo.com 。当我访问 https://foo.com 时，浏览器发出抱怨，因为提供的证书是heroku.com。

我得出结论，我必须将 foo.com 的流量重定向到 www.foo.com 解决这个问题。我正在考虑以下方法：

1）基于DNS的重定向

DNS提供商Zerigo 支持 重定向记录。我遇到了问题上的类似主题。我尝试了这个解决方案，它只能用于HTTP重定向（Zerigo文档证实了这一点）。

我的Zerigo配置：

  foo.com A xxxx 
 foo.com重定向http://www.foo.com 
 www.foo.com CNAME zzz.amazonaws.com 
  

2）基于机架的重定向

添加一个基于机架的中间件来执行重定向。 规范主机 gem提供此类支持。

 使用CanonicalHost do 
 case Rails.env.to_sym 
 when：staging then'staging.foo。 com'
 when：production then'www.foo.com'
 end 
 end 
  

我想知道是否有更好的解决方案（禁止切换到每月100美元的基于IP的SSL）

解决方案

哇，这让我永远不知所措，网络上的一大堆信息是错误的。即使Heroku的文档似乎也没有表明这是可能的。

但Jesper J的回答提供了一个正确方向的提示：它可以与DNSimple的ALIAS记录一起使用，我猜他们创建了一些新的DNS记录。我必须将我的DNS服务切换到他们只是为了得到这种记录类型（以前与EasyDNS）。

澄清当我说工程我的意思是：

• 使用您的根域名在SSL上的整个网站 b
• 使用Heroku的端点SSL产品（$ 20 /月）
  
  
  

  适用于所有的以下网址（将它们重定向到 https://foo.com ，无任何警告）

  
  
  
  
  
  • http://foo.com
  
  
  • http://www.foo.com
  
  
  • https://www.foo.com
  
  
  • https://foo.com
  
  
  
  
  

  总结重要的部分。

  
  
  1. 将您的DNS移动到到DNSimple（如果有人知道提供ALIAS记录的其他提供商请将它们发布在评论中，它们是我能找到的唯一一个）
  
  
  2. 正常设置Heroku终结点ssl https://devcenter.heroku.com/articles/ssl-endpoint
  
  
  3. 返回到DNSimple，将 ALIAS 记录指向 foo.com 添加到您的heroku ssl端点，例如 waterfall-9359.herokussl.com
  
  
  4. 还要添加指向 www.foo.com to your heroku ssl endpoint， waterfall-9359.herokussl.com
  
  
  5. 终于在你的rails（或其他）应用中以下设置：
     

  位于 production.rb 集合

    config.force_ssl = true 
    

  

application_controller.rb add

    before_filter：check_domain 
   
   def check_domain 
  如果Rails.env.production？和request.host.downcase！='foo.com'
   redirect_to request.protocol +'foo.com'+ request.fullpath，：status => 301 
  结束
  结束
    

  这似乎起作用了！关键部分似乎是 ALIAS dns记录。如果有人知道，我会很好奇地了解它是如何工作的，以及它有多可靠/成熟。似乎要做的伎俩。

  
  

  I am trying to setup SSL for my heroku app. I am using the hostname based SSL add-on. The heroku documentation states the following:

  Hostname based SSL will not work with root domains as it relies on CNAME 
  aliasing of your custom domain names. CNAME aliasing of root domains is 
  an RFC violation. 
  

  As expected everything works well when I access the site using the www subdomain, i.e. https://www.foo.com. The browser complains when I access https://foo.com as the certificate presented is for heroku.com.

  I concluded that I have to redirect the traffic for foo.com to www.foo.com to address this issue. I am considering following approaches:

  1) DNS based redirection

  The DNS provider Zerigo supports the redirect records. I came across a question on a similar subject on SO. I tried the solution, it works ONLY for HTTP redirection(Zerigo documentation confirms this).

  My Zerigo configuration:

  foo.com      A             x.x.x.x
  foo.com      redirect      http://www.foo.com
  www.foo.com  CNAME         zzz.amazonaws.com
  

  2) Rack based redirection

  Add a rack based middle-ware to perform the redirection. The canonical-host gem provides such support.

  use CanonicalHost do
    case Rails.env.to_sym
      when :staging     then 'staging.foo.com'
      when :production  then 'www.foo.com'
    end
  end
  

  I am wondering if there is a better solution for this(barring switching to $100 per month IP based SSL)

  解决方案

  Wow...this took me forever, and a bunch of info on the web was wrong. Even Heroku's docs didn't seem to indicate this was possible.

  But Jesper J's answer provides a hint in the right direction: it works with DNSimple's ALIAS record which I guess is some new sort of DNS record they created. I had to switch my DNS service over to them just to get this record type (was previously with EasyDNS).

  To clarify when I say "works" I mean:

  • entire site on SSL using your root domain
  • no browser warnings
  • using Heroku's Endpoint SSL offering ($20/month)

  It works for all of the following urls (redirects them to https://foo.com with no warnings)

  • http://foo.com
  • http://www.foo.com
  • https://www.foo.com
  • https://foo.com

  To summarize the important bits.

  1. move your DNS over to DNSimple (if anyone knows other providers offering an ALIAS record please post them in the comments, they were the only one I could find)
  2. setup Heroku endpoint ssl as normal https://devcenter.heroku.com/articles/ssl-endpoint
  3. Back in DNSimple add an ALIAS record pointing foo.com to your heroku ssl endpoint, something like waterfall-9359.herokussl.com
  4. Also add a CNAME record pointing www.foo.com to your heroku ssl endpoint, waterfall-9359.herokussl.com
  5. finally in your rails (or whatever) app make the following settings:

  in production.rb set

  config.force_ssl = true
  

  in application_controller.rb add

  before_filter :check_domain
  
  def check_domain
    if Rails.env.production? and request.host.downcase != 'foo.com'
      redirect_to request.protocol + 'foo.com' + request.fullpath, :status => 301
    end
  end
  

  This finally seems to work! The key piece seems to be the ALIAS dns record. I'd be curious to learn more about how it works if anyone knows, and how reliable/mature it is. Seems to do the trick though.

  这篇关于Heroku SSL在根域上的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！