Setting Google domains to use https - https

I purchased a domain (say, example.com) from Google and my Django application (say, mysite.herokuapp.com) runs on Heroku. The CNAME is set on Google to forward the http requests to the Django applicaiton on Heroku. Forwarding requests from http://mysite.example.com to mysite.herokuapp.com works just fine.
Recently, I need to introduce progressive-web-application to my application and it requires the https protocol, instead of http, that is, the URL now has to be https://mysite.example.com and it doesn't work for Google domains. I tried https://mysite.herokuapp.com and it works fine, which means Heroku already supports https. However, I tried (and also googled) for a long time without finding a solution.
So how do I set the Google domain to use https protocol?

The DNS answer from Google cannot contain the port or protocol (http vs. https), it just contains the hostname.
You need to add a redirect from http to https in the Heroku django app, see e.g. here for more instructions.

It's not Google you need to change, it's your Django configuration.
Set SECURE_SSL_REDIRECT to True, and enable the SecurityMiddleware in your app, and any requests should automatically be redirected from HTTP to HTTPS.

When switching to HTTPS you need to add certs to heroku and that process updates the host from "mysite.heroku.com" to something like "tokyo-2121.herokussl.com". You will need to update your DNS to serve HTTPS pages from the new SSL compliant heroku instance for both HTTP and HTTPS.
Here is a tutorial that outlines the process with Godaddy, it should be very similar or all DNS providers.
http://www.joshwright.com/tips/setup-a-godaddy-ssl-certificate-on-heroku

Just got a solution from one of Heroku's engineers:
1) Upgrade the Heroku app to a paid one (e.g., Hobby)
2) On the DNS provider's settings, set the DNS target to <app_name>.<domain>.herokudns.com (e.g., "mysite.example.com.herokudns.com")
3) Run $ heroku certs:auto:refresh -a <app_name> (e.g., $ heroku certs:auto:refresh -a mysite)

I'm not sure if this is the same problem that you ran into, but when forwarding from https://example.com to my wix subdomain https://learn.example.com, I got a "No resource with given identifier found" error in the browser. Forwarding from http://example.com to https://learn.example.com was working just fine.
I had to open Google Domains' advanced forwarding options for my forwarding rule and enable SSL forwarding, like so:

Related

How to host a website on Heroku without using heroku's own http router?

I need to host a website on Heroku, but I need to have direct access to the HTTP traffic without Heroku's own http router meddling in.
That's not possible.
Heroku doesn't provide a full server infrastruture.
It's rather a limited platform to host HTTP services.

Is there a way to redirect CNAME www.mywebsite.com to https://www.mywebsite.com with ovh and heroku

I am hosting my nodejs app in heroku and my domain name is in OVH.
I managed to create a subdomain www and a CNAME record that points to my heroku app. It is working fine and SSL is also working fine from heroku.
I added a redirection from all subdomains to https://www.mywebsite.com and everything is working fine.
My problem is when i type www.mywebsite.com, there is no redirection and no SSL.
How can i redirect www.mywebsite.com to https://www.mywebsite.com ?
Thanks !
Unfortunately, No.
DNS maps domain names onto IP addresses, that is, it tells the client that example.com points to 12.34.56.78. HTTP vs. HTTPS is a matter of picking a port, and using the right protocol, and this is negotiated directly between client and server; DNS lookup has already happened before that.
If you want to redirect all plain-http traffic to https, you have to do it on the web server, not the DNS server.
In your situation, you could do this in node.js.
There tons of examples online for node's built-in http server or for frameworks like express. I'd recommend this solution.
But there are also solutions like Cloudflare.
They offer you a DNS Service and a proxy, which can handle such HTTP to HTTPS redirection and they even let you use their own SSL Certificate, so you don't need to buy (or let's encrypt) a SSL Certificate on your own, for example.

How to allow external custom domains to run a Laravel app on my server?

My app is a Laravel app, running on Nginx, provisioned by Forge, and SSL certificates are provided by CloudFlare.
It is hosted at a URL like https://www.myapp.com
My app’s customers are businesses, and already own their domains:
https://www.customer1.com
https://www.customer2.com
https://www.customer3.com
etc.
I want my customers to run MyApp from the sub-domains of their choice:
https://some-name.customer1.com
https://some-other-name.customer2.com
https://any-name-they-want.customer3.com
etc.
My customers should not install anything — MyApp still runs on myapp.com, not on their servers
My customers should only (if possible) modify their DNS, probably add a CNAME like "some-name” that points to “myapp.com”
I followed this amazing article: Dynamic custom domain routing in Laravel.
but I can't get it to work in an https (with SSL) environment -- the browser returns:
This site can’t provide a secure connection
some-name.customer1.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
The client and server don't support a common SSL protocol version or cipher suite.
How should Nginx and/or SSL certificates be configured?
This is still a question which is not very simple.
However, Caddy does generate SSLs automatically (if replacing Nginx with Caddy is an option for you).
You can check the documentation for more.

Reverse proxy same naked domain to different hosts

I'm managing the DNS of my domain with Cloudflare.
The marketing pages for are hosted with Netlify.
The main application is hosted with Heroku.
Is it possible with cloudflare + a naked domain (my-example.com) to have some paths being served by Netlify and other paths by Heroku?
Or am I forced to put one of the hosting services on a subdomain?
Disclaimer: I work for Netlify.
You can definitely do this without running your own server or paying anything extra.
Since Netlify already has a CDN, it's suboptimal to put cloudflare's CDN (activated with the 'orange cloud' in their settings) in front of Netlify's. Besides being inefficient, doing so breaks Netlify's atomic deploys and rollbacks and also slows down page service from our observations. It may work, but is not recommended. However, CloudFlare's DNS is quite performant and can be used without their CDN (turn off the 'orange cloud'). Their DNS works well with content hosted on Netlify's CDN.
Here's how to set things up to accomplish this via Netlify.
Deploy your static assets to a Netlify site at your main custom domain, let's say it's my-example.com. For testing purposes you can use the built-in sitename at Netlify (something-something-1234.netlify.com) instead of my-example.com. The below example redirects are "host agnostic" so will work with the Netlify hostname, Netlify deploy previews, AND the production hostname.
Find all the paths for your dynamic content - for this example, let's say it's /main/* and /app/* that are dynamic and your backend is hosted on Heroku.
Create proxy redirect rules to point to those paths. They could be hosted via CloudFlare's CDN to protect your API if you wanted to - Netlify proxying to CloudFlare-fronted sites on Heroku works fine. You could also choose just to proxy straight to Heroku which would be less complicated. Netlify has some DDoS protection built-in and is still "in front of" your Heroku app. Up to you.
Deploy those proxy rules and test.
Netlify's proxying (technically reverse proxying) can connect to whatever backend you'd like and does NOT show the URL to the visitor - it looks to them (URL bar in the browser, HTTPS connection) as though they are connected to my-example.com the whole time, but the content is returned from your backend (including HTTP status codes. This response is cached on Netlify's CDN if indicated by your Cache-Control: HTTP Header directives which the Heroku app sends. Note that CloudFlare WILL CHANGE your Cache-Control header in case you set it on content they proxy to! Netlify won't.)
Here's a common setup:
/main/* https://yourapp.herokuapp.com/main/:splat 200!
/app/* https://yourapp.herokuapp.com/main/:splat 200!
Note that if you deploy ANY assets under /main or /app to Netlify, they will be ignored due to the trailing ! on those rules. See https://www.netlify.com/docs/redirects/#note-on-shadowing for some more details about how that works and the alternatives (TL;DR: deploying some things like /main/logo.png on Netlify but nothing that Heroku should serve vs deploying ALL needed content for /main/* on Heroku).
Note that I suggest using identical paths on Netlify and Heroku (/main/*) rather than proxying to /somethingelse/* since it is easier to debug asset loading when paths match up. This isn't a requirement, though.
As mentioned in the comment, its possible using cloudflare enterprise service.
But you can do it with a simple nginx reverse proxy setup.
Have DNS resolve to nginx reverse proxy and based on the path, appropriately call the upstreams.
eg. example.com, and then direct queries for /path1 to 100.100.100.100 and for /path2 to 200.200.200.200

https hosting on the root domain

I'm running my parse app on a naked domain. Parse is not making my life easy though.
At first I struggled to set it up because most DNS hosting services don't allow CNAMEs on the the root domain and Parse requires a CNAME.
Decided to try it out with CloudFlare's CNAME flattening and it ended up working by setting up the CNAME under [hostname key].example.com.
Parse wouldn't allow me to set it up without the hostname key because example.com was not a real CNAME (it's being translated to an A record under the wood by CloudFlare).
But I want to run my website under HTTPS so I registered a certificate that is valid for both "https:// example.com" and "https:// www.example.com".
Again Parse doesn't make it easy. First it didn't accept my certificate because the hostname wouldn't match. I thought that maybe it was trying to compare it with the subdomain of the cert (www.example.com) and that wouldn't match with my app domain (example.com).
I created another CNAME at [hostname key].www.example.com poiting to my parseapp.com url (didn't want to change www.domain.com because it's already poiting to another service that redirects to domain.com), changed my app hostname to www.example.com and it finally accepted my certificate! Yeahhh!
Changed the app hostname back to example.com and tried to access it in the browser, but it takes forever to load and ends failing.
If I change my app to run on "https:// www.example.com" (secure site with with the www subdomain) then it works fine.
So I'm able to run my app in http://example.com (not secure, without www) or "https:// www.example.com" (secure with www).
Why is it that Parse makes it so difficult to run an app on the root domain?
Is there something that I need to do to be able to run a secure app in the root domain?
Most of web services nowadays are designed around the idea of CNAMEs: they provide you a CNAME and you should alias your hostname to that name.
However, as you noted, the CNAME has certain limitations imposed by the DNS protocol RFC and it can't be used to map an apex domain.
Some DNS companies, such as DNSimple or DNS Made Easy, provides a CNAME-like record type that can be used to map the root domain to an hostname provided by a cloud service. Using these services will also make it easier to configure an SSL certificate.
Speaking of SSL certificates, beware that when you purchase a single-name certificate for example.com or www.example.com, it is only valid for that specific hostname. Most certificate authorities will also include the corresponding apex domain if you purchase www.example.com, but you need to check with your SSL certificate provider.
Last but not least, the ability to redirect HTTP to HTTPS traffic really depends on your service provider, in this case parse.com. Unfortunately, it's not uncommon for these services to not force HTTPS. Heroku is currently doing the same, they don't force HTTP to HTTPS when you enable HTTPS.
You should check with them if there is a way to apply such redirect, as the only way is to apply it either at server level or app level. You can't apply the redirect, for example, at DNS level.

Resources