Cloudflare SSL Issues with Heroku - heroku

I have a Heroku app running on app.domain.com.
I have a different app (a Strikingly landing page) running on www.domain.com.
I turned on Cloudflare for my domain.com and want to get SSL working. I've tried the Flexible SSL cert.
However, when I request https, I get SSL errors (curl -I gives "no alternative certificate subject name matches target host name").
The SSL cert appears to say "Active" on my Cloudflare console, and I've set up Page Routing for http://domain.com to Always Use HTTPS.
On the DNS page of Cloudflare, I hit the orange icon on the rows for www and app to have them "enabled", but then I just get "Invalid URL. The requested URL "[no URL]" is invalid." when hitting the site.

Related

webmail.example.com throws 404 for HTTPS only on hosted server

I have several web sites running on a shared hosted server.
For every site except one, I can enter https://webmail.example.com or http://webmail.example.com in my browser and they both work and resolve to the secure or insecure pages accordingly.
On the one site the page resolves correctly for regular http, but I get a "404 Not Found" error when I try https for the webmail subdomain of that site. https://myexample.com does work for all pages on that site (without the webmail subdomain).
All of the DNS settings are the same for all of the sites. There is a CNAME record webmail.example.com --> example.com. None of the sites have a "proper" subdomain setup where the subdomain points to a directory, just the DNS setting. The SSL status reports that the SSL cert for the webmail subdomain is valid.
I'm not sure what else to check or how webmail ultimately gets pointed to the webmail page.

Can't read cookies from custom dev domain

I want to work locally, and I've set this in the hosts file:
127.0.0.1 dev.domain.com
The dev.domain.com subdomain is not set in the nginx config on the live server, only in my local hosts file.
I've started the dev server (webpack) with a self-signed SSL certificate and marked the certificate as trusted, so now it appears green in the browser bar as a valid certificate would.
So now I'm viewing the locally running app on https://dev.domain.com and I see all the cookies from www.domain.com and .domain.com in Chrome DevTools.
The problem is that when I do an AJAX call and dump the cookies from PHP, none of them appear for dev.domain.com but all appear for www.domain.com.

Showing non-https iframe in subdomain of https site

Now, I know that an https site cannot show a non-https 3rd-party site in an iframe.
But if I get an SSL cert for www.mydomain.com and mydomain.com ONLY, can subdomain.mydomain.com show non-https iframe content?
If subdomain.mydomain.com is non-https, it can show non-https iframe content.
The only effect of the https on the parent domain (mydomain.com) is if the parent domain uses HSTS (a header that tells the browser to force https) with the option includeSubDomains: if that option is activated on the parent domain, then a visitor could be forced to visit subdomain.mydomain.com with https (even if you didn't activate https on it!).
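To make the answer above concrete, here is an added Python model (not code from the page or from any of the answers) of how a browser applies a remembered Strict-Transport-Security policy: it parses the header a parent domain sent and decides whether a given subdomain will be upgraded to https. The policy values are constructed for illustration; a real browser only records the header when it arrives over https.

```python
"""Model of HSTS policy scope (RFC 6797): does a parent domain's
Strict-Transport-Security header force https on a subdomain?"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class HstsPolicy:
    host: str               # host that sent the header (lower-cased)
    max_age: int            # seconds; 0 means "forget this policy"
    include_subdomains: bool


def parse_hsts(host: str, header: str) -> Optional[HstsPolicy]:
    """Parse an STS header value. Returns None when max-age is missing or
    malformed, which a browser treats as "no policy". Assumes the header
    was received over https; browsers ignore it on plain http."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":   # directive names are case-insensitive
            include_sub = True
    if max_age is None or max_age < 0:
        return None
    return HstsPolicy(host.lower().rstrip("."), max_age, include_sub)


def hsts_forces_https(target: str, policies: Iterable[HstsPolicy]) -> bool:
    """True if any remembered policy covers `target`: an exact host match
    always applies, a parent-domain policy only with includeSubDomains."""
    target = target.lower().rstrip(".")
    for p in policies:
        if p.max_age == 0:          # expired / cleared policy
            continue
        if target == p.host:
            return True
        if p.include_subdomains and target.endswith("." + p.host):
            return True
    return False


# Constructed example: only mydomain.com sends HSTS, with includeSubDomains,
# so a visitor who has seen it is upgraded on subdomain.mydomain.com as well.
PARENT_POLICY = parse_hsts("mydomain.com", "max-age=31536000; includeSubDomains")
```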

How do I redirect all https traffic to http in Sinatra on heroku?

I'm trying to redirect all https traffic to http using this in Sinatra:
    require 'sinatra'

    # Catch-all route: if the request arrived over https (behind Heroku's router
    # Rack derives this from the X-Forwarded-Proto header), send the browser back
    # to the http URL; otherwise fall through to the next matching route.
    get "*" do
      if request.secure?
        redirect request.url.gsub(/^https/, "http")
      else
        pass # continue execution
      end
    end
However, on a custom domain on heroku, my browser shows me the error:
This is probably not the site you are looking for!
You attempted to reach www.[domain].com, but instead you actually reached a server identifying itself as *.heroku.com.
My DNS is configured with the www subdomain having a CNAME pointing to [domain].herokuapp.com as per https://devcenter.heroku.com/articles/custom-domains
Is this a DNS issue? Is buying a SSL certificate the only way to allow all https traffic to redirect to http, on heroku?
If you were going to use that code then I'd make it a before filter, as that's really what it is.
However, if you've received a request at the application layer (which is where your Sinatra app sits on Heroku), then you need a certificate, because the HTTP layer (where the Nginx proxy servers that deal with this sit) has already received the request and will attempt to deal with it as a secure connection, but fail/raise an error because there's no certificate. That is the message you'll get if you try to reach a non-SSL page/site via the https URI scheme. You can still access the site, but the user has to click past a scary warning.
The only way I know of that may work without a certificate (but looking at this answer, probably not) is if you had access to the Nginx configuration and did the rewrite of the URL (and probably some headers) there.

Can I ignore/refuse https access to certain places of my heroku app?

I'm developing on Heroku a site with a couple of subdomains. One of them is signup (as in signup.myapp.com), which requires SSL access -- of course! But the rest of the subdomains, such as www, do not require https to access.
The problem is that the client only purchased an SSL certificate for signup.myapp.com. This means that, when a user tries to access other places of my site with https (such as https://www.myapp.com), SSL certificate validation fails and browsers tell the user that the site could be malicious... not good for branding.
I tried to make the site redirect from https to http, but of course this failed, because SSL was checked before the redirect could be sent.
Is there a way that I can deny access to these places of my site from https, so that users encounter, for instance, a 404 page instead? Or, do you know of any other ways to handle this situation? (The client is reluctant to acquire a new SSL certificate, especially a wildcard certificate.)
Unfortunately, you need a certificate for each of the domains (or a wildcard one, as you mention); see e.g.:
How to redirect https to http without any SSL Certificate
The problem is that the certificate is the first thing checked, way before anything else happens. If that fails, the browser will typically display a "get me out of here!"-kind of notification. There's no built-in support for SSL-to-non-SSL transition.
You can shut down https://www.example.com (i.e. make your web server not listen on port 443), but that of course won't yield a 404, which is also bad for branding.
With just one non-wildcard certificate, the only thing you can do is put all the pages under that domain. I.e. instead of https://signup.example.com/a/b/c, you need to do https://www.example.com/signup/a/b/c or something along those lines.
On the other hand, you can buy the certificate for under $100/year (or $150 total for 2 years) at GoDaddy:
http://www.godaddy.com/ssl/ssl-certificates.aspx
So, depending on your context, it might just pay off to pay this instead of doing any additional development.
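The curl error in the Cloudflare question, the "*.heroku.com" warning in the Sinatra question and the signup.myapp.com-only certificate in this question are all the same failure: the served certificate's Subject Alternative Names do not cover the host the browser asked for. This added Python check (not code from the page or from any of the answers) implements the hostname-to-SAN matching rules, including the single-left-most-label wildcard rule, so you can see exactly which hosts a given certificate covers. HEROKU_LIKE_SANS is a constructed SAN list, not copied from a real certificate.

```python
"""Why 'no alternative certificate subject name matches target host name':
check a hostname against a certificate's subjectAltName entries."""
import ipaddress
from typing import Iterable, Optional, Tuple


def _dns_name_match(pattern: str, host: str) -> bool:
    """Match one dNSName SAN against a host, case-insensitively.

    A wildcard is honoured only as the entire left-most label and only with at
    least two labels after it (RFC 6125 section 6.4.3): '*.herokuapp.com'
    matches 'app.herokuapp.com' but not 'herokuapp.com', 'a.b.herokuapp.com'
    or 'www.domain.com'."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def matching_san(host: str, sans: Iterable[Tuple[str, str]]) -> Optional[str]:
    """Return the SAN value that covers `host`, or None (the curl error case).

    `sans` uses the (type, value) pair format of
    ssl.SSLSocket.getpeercert()['subjectAltName'], e.g. ('DNS', 'x.example')."""
    for kind, value in sans:
        if kind == "DNS" and _dns_name_match(value, host):
            return value
        if kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ipaddress.ip_address(host):
                    return value
            except ValueError:      # host is not an IP literal; keep looking
                continue
    return None


# Constructed SAN list resembling a shared platform certificate: it covers the
# platform's own names, never a customer's custom domain.
HEROKU_LIKE_SANS = [("DNS", "*.herokuapp.com"), ("DNS", "herokuapp.com")]


def explain(host: str, sans: Iterable[Tuple[str, str]] = HEROKU_LIKE_SANS) -> str:
    """One-line diagnosis in the spirit of curl's message."""
    hit = matching_san(host, sans)
    if hit:
        return f"{host}: covered by SAN {hit}"
    return f"{host}: no alternative certificate subject name matches target host name"
```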
