Changes in Heroku. How to continue having free Cloudflare SSL on free Heroku dynos?

Heroku email from today:

When an app is migrated to the new infrastructure, its default [ appname.herokuapp.com ], DNS records, and any [ haiku.herokudns.com ] custom domain records are modified to point to the IP addresses of the new routing infrastructure. For a period of 24-48 hours, the app is accessible via both the new and old routing infrastructure. When the migration completes, the app will no longer be accessible via the old routing infrastructure and all traffic must flow via the new infrastructure. Requests for an app sent to the old infrastructure will result in error code: H31 Misdirected Request.

To get correct and future-proof DNS targets for custom domains associated with your Heroku apps, you can run heroku domains and compare the DNS target in the output to the CNAME target that you’ve configured with your DNS provider. If the DNS targets don’t match, you need to update your DNS configuration to point to the DNS targets provided by Heroku.

I’ve done the above. This breaks the workaround to get free SSL from Cloudflare to work with Heroku (because of the move away from *.herokuapp.com, which enabled the workaround in the first place). So now one has to upload a Cloudflare certificate by using Heroku SSL (which one can only use on paid dynos).

Rest of the email:

If you have any SSL Endpoints associated to your app, you can verify the DNS by following this step from the SSL Endpoint setup documentation. Please note that the SSL Endpoint add-on is deprecated and will be removed starting July 31, 2021. All existing and new Heroku applications should use Heroku SSL, which includes [Automated Certificate Management (ACM)].

Anyone with a workaround to make free Cloudflare SSL work on free Heroku dynos?

May I ask, have you tried this one?

Thanks for commenting!

The workaround on your first link only works (may work; I haven’t tried → EDIT: have now tried and NO, Flexible SSL does not work with Heroku) if one moves from Full SSL (my setup now, which worked perfectly with a *.herokuapp.com config) to “Flexible SSL” — unencrypted HTTP between Heroku and Cloudflare. So, not end-to-end secure, and it gives visitors a false sense of security.

And on the second link: Automated Certificate Management can only be used in Heroku with paid dynos. So, not in a free Heroku setup.

So, I am still looking for a new workaround and wonder if Cloudflare may also implement some new changes to enable Full SSL with Heroku free dynos again.

EDIT: As per above, Flexible SSL also does not work, and soon Full SSL also won’t work given the changes by Heroku. And the documentation from Cloudflare, https://support.cloudflare.com/hc/en-us/articles/205893698-Configure-Cloudflare-and-Heroku-over-HTTPS, does not work at all.

While that is a laudable approach, you should still take into account that “Full” itself also gives somewhat of such a false sense as it does not verify the certificate and the same people who’d wiretap your unencrypted connection could still hijack your connections and present their own certificate. It’s essentially as “secure” as accepting a certificate warning in your browser.

Bottom line, the only secure mode is “Full strict” as you have proper encryption and verification in that case, just like with any browser.


@sandro I’m with you. Thanks for sharing that.

I wish there was a setup that would work with full strict.

Now even those on full ssl will go kaput. There will be a bunch of hobby apps going down in July.

So, I am still looking for a new workaround and wonder if Cloudflare may also implement some new changes to enable Full SSL with Heroku free dynos again.

What you’re asking is to have Cloudflare keep lowering the bar on security because providers are lowering it at their end. If security is important to a person, that should be on their list of requirements when shopping for a host. It’s like buying a new car without antilock brakes because you’ll just find someone else to retrofit it.


I may have miscommunicated.

Let me clarify:
I obviously would like all my hobby apps working on Full strict. Yay to that.

My point with this post is that these tons of hobby apps will go down in July because of changes on the Heroku side of things. Cloudflare hasn’t made any changes. Also, Heroku hasn’t exactly lowered their bar on security; they are simply forcing a change to paid dynos (these changes make even Full SSL no longer work; Full strict already did not work at all on Heroku free dynos).

Should there be a way to have a full strict SSL setup between Cloudflare and Heroku on free dynos I’d be ecstatic! So, yes I am still looking for a solution to this.

That’s really not something Cloudflare has any influence on. Cloudflare offers two insecure and broken solutions here, but the only secure mode is Full strict.

That requires a valid certificate (just like in any other case as well) on your server side. If your host is unable to provide that it might be best to switch host.

Bottom line, your site needs to be properly secure without Cloudflare first. If that is not the case it can never be secure.
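To make the difference between the three modes discussed in this thread concrete (Flexible: no TLS to the origin; Full: TLS but no certificate validation; Full strict: validation like a browser), here is an added example that models each mode with Python's ssl module. It is not code from the thread, from Cloudflare or from Heroku; the certificate dict and the fixed clock are constructed, and the SAN/validity matcher is a deliberately minimal stand-in for the checks a full chain validation would perform.

```python
import ssl

# Constructed cert in the dict shape SSLSocket.getpeercert() returns (assumption:
# a wildcard cert for example.com valid during 2021) plus a fixed "now" for offline runs.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
    "notBefore": "Jan  1 00:00:00 2021 GMT",
    "notAfter": "Jan  1 00:00:00 2022 GMT",
}
NOW = ssl.cert_time_to_seconds("Jun 15 00:00:00 2021 GMT")


def origin_context(mode):
    """Client TLS context with the verification level of each Cloudflare mode."""
    if mode == "flexible":
        return None  # plain HTTP to the origin: no certificate is involved at all
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check by default
    if mode == "full":
        ctx.check_hostname = False  # must be cleared before dropping to CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE  # encrypted, but any certificate is accepted
    elif mode != "full_strict":
        raise ValueError(f"unknown mode: {mode}")
    return ctx


def cert_matches_hostname(cert, hostname, now=NOW):
    """Checks Full strict performs and Full skips: validity window and a matching DNS SAN."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        return False
    labels = hostname.lower().rstrip(".").split(".")
    host = ".".join(labels)
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name.startswith("*."):  # a leading wildcard covers exactly one label
            if len(labels) >= 3 and ".".join(labels[1:]) == name[2:]:
                return True
        elif name == host:
            return True
    return False


def edge_accepts_origin(mode, cert, hostname, now=NOW):
    """Would the edge complete the connection to the origin in this mode?"""
    if mode == "flexible":
        return True  # nothing to verify; traffic to the origin is cleartext
    if mode == "full":
        return cert is not None  # self-signed or mis-named certificates pass
    return cert is not None and cert_matches_hostname(cert, hostname, now)
```

Running edge_accepts_origin("full", SAMPLE_CERT, "other.org") returns True while the "full_strict" call returns False, which is the gap sandro describes: only Full strict rejects a certificate issued for some other name.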