Set up CloudFlare's free SSL on Heroku


Category : SSL

On September 29, 2014, CloudFlare introduced Universal SSL for the public. To be able to offer TLS certificates for free, they use an extension to the TLS protocol called Server Name Indication (SNI). This lets them serve certificates for multiple domains from a single IP address, which reduces the hosting cost. Since Heroku offers a piggyback TLS certificate via *.herokuapp.com, you can easily take advantage of this offer and add TLS support (which is commonly called SSL) to your website for free. Here are the steps to do that:

1. Add your domain name to CloudFlare

Create an account on CloudFlare and enter your website details, such as your domain name (for example, example.com).

2. Edit DNS records

If you already have your domain name hosted somewhere, CloudFlare will display your current DNS configuration. You can customize those settings to your needs, such as retaining your Google Apps configuration. The important part here is the value for your apex and the www subdomain. You will need to change or create those two as CNAME records pointing to your .herokuapp.com address. You may also add another CNAME record for another site, pointing to another Heroku app.

3. Choose a plan:

You can select the free plan if you just want to use this for personal use.

4. Update name server

Update the name servers to point to CloudFlare.

5. Turn on Full SSL:

There is one last step to make sure that the connection between your users and your website is secure. Click on the gear button, then click CloudFlare settings. Now, scroll down to the SSL section, then make sure that Full SSL is selected.

6. Using your own certificate for production:

While this Universal SSL works perfectly in most cases, there are some caveats:

  • Users with legacy browsers (Internet Explorer on Windows XP, and Android phones before Ice Cream Sandwich) will see a bad certificate warning.
  • If a user inspects the certificate information, they will not see your domain name in the common name section. Your domain name will instead appear in the DNS Name section.
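
The second caveat can be checked from the certificate itself. The following is an added example, not code from the original post: it takes a certificate in the shape Python's `ssl` module returns from `getpeercert()` and reports whether a hostname appears in the common name or only in the DNS names. The sample certificate and every name in it are constructed, and `fetch_cert` needs network access.

```python
import socket
import ssl

def fetch_cert(host, port=443, timeout=5.0):
    """Connect with SNI set to `host` and return the validated peer certificate dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _matches(pattern, host):
    """Hostname match where '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def describe_cert(cert, host):
    """Report where `host` appears in a getpeercert()-style dict."""
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {
        "common_name": cn[0] if cn else None,
        "host_in_cn": any(_matches(c, host) for c in cn),
        "host_in_san": any(_matches(s, host) for s in sans),
        # DNS names on the same certificate that do not cover this host
        "other_names": sum(1 for s in sans if not _matches(s, host)),
    }

# Constructed sample in the shape getpeercert() returns; all names are made up.
SAMPLE_SHARED_CERT = {
    "subject": ((("commonName", "shared-edge.cdn.example"),),),
    "subjectAltName": (
        ("DNS", "shared-edge.cdn.example"),
        ("DNS", "example.com"),
        ("DNS", "*.example.com"),
        ("DNS", "another-customer.example"),
    ),
}

if __name__ == "__main__":
    print(describe_cert(SAMPLE_SHARED_CERT, "www.example.com"))
    # Live check (needs network): describe_cert(fetch_cert(host), host)
```
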

7. Set up SSL:

First, set up a Heroku SSL endpoint as usual. After that is done, you will get an endpoint domain (such as your_app_name.herokussl.com) that you need to point to. Then, back on CloudFlare, change both the www and apex records to point to that domain. Also, turn off CloudFlare by clicking on the cloud button. Now save your changes.

Now you have secure production, staging, and any other subdomains you may have without having to buy a wildcard SSL certificate.

Thanks for reading!

For more detail please see the Reference.



About Ram Laxman Yadav

Senior Software Engineering Professional | Tech Enthusiast | Mentor | Payments | Hospitality | E-Commerce, based in NCR, India

Email : info@ramlaxman.co.in

Website : https://ramlaxman.co.in