-
-
Notifications
You must be signed in to change notification settings - Fork 1
Cloudflare
All requests to the origin server at Heroku are proxied through Cloudflare. Cloudflare enforces various web standards, for example HSTS and the like. It also offers great analytics, including geolocation services. Cloudflare also caches requests, provides image optimization and in general speeds up page loading. Cloudflare also manages the application’s DNS and exposes an API to do so, which is very convenient and allows to, for example, generate review app DNS entries dynamically.
Only the production and staging setups are (not yet, will be when production-ready) encrypted end-to-end (enforced by Cloudflare Page Rule and Origin Certificate), all the other environment’s traffic is only encrypted from the Cloudflare Edge, i.e., the communication between the Cloudflare Proxy and the Heroku Origin Server is not necessarily encrypted. That means that the end user can and must always access services using HTTPS, and will be redirected/see an error if attempts are made to access the services over an insecure channel.
Cloudflare rules enforce ‘Strict’ SSL (End-to-End) encryption, there exist Page Rules to allow insecure communication to review apps. On Cloudflare an Origin Certificate was created and uploaded to be served from each Heroku staging and production app (valid for 15 years) using Heroku’s Manual Certificate Management option. Therefore, we route through an SSL tunnel from an end user to Cloudflare and through a separate SSL tunnel from Cloudflare to Heroku.
For non-production and non-staging environments we route through an SSL tunnel from an end user to Cloudflare and not necessarily through SSL from Cloudflare to Heroku.