Oren's essentially correct. If you wanted to use a reverse proxy in this context, it would need to terminate the SSL connection itself.
However, your SSL proxy box could re-write the URLs to https://foo.heroku.com and then use the free piggy-back SSL service. You would still be open to the possibility of someone hacking your reverse proxy, but all the communications would be encrypted. This is not really any different from a normal application with an SSL front end acting as a gateway, with private application servers behind it. The only difference is that the "internal" communications are actually going over the public internet, but in encrypted form.

Because the SSL reverse proxy would have to unpack and modify all requests, it wouldn't be particularly efficient. You would now have two encryption/decryption cycles, and a rewriter in the middle, so expect a bit of a performance hit.

It would be nice if SNI support was more widespread, as that would be the best solution at just $5 a month.

Paul
--
http://www.graphomatic.net - Graph your life

On Nov 29, 9:19 pm, Oren <[email protected]> wrote:
> Someone with better SSL-foo may chime in here, but I don't believe you
> can proxy an SSL request. That would constitute a man-in-the-middle
> attack. The browser would detect this, and provide a big fat warning
> to the user. You could terminate the SSL connection on the VPS, but
> then of course the VPS->Heroku connection wouldn't be encrypted.
>
> Oren
>
> On Nov 28, 4:35 pm, Jordan Brock <[email protected]> wrote:
>
> > With the recent addition of custom domain SSL hosting on Heroku, the
> > possibility of moving some of my production sites over became very
> > real. Very real until I saw the cost of the SSL add-on that is.
> > $1200/year per site is not really an option.
> >
> > However, it got a friend and me thinking: Couldn't this be worked
> > around with ProxyPass and ProxyPassReverse? Eg, I run a dedicated VPS
> > that does nothing except act as a proxy server. This server has the
> > SSL certificate on it, and acts as a proxy for https://example.heroku.com
> >
> > Is there anything inherently wrong with this approach? It's kind of
> > what is being done by Heroku anyway for their normal hosting (eg
> > everything is behind a proxying server).
> >
> > It's an additional point of failure, and is a potential security risk
> > (in terms of someone hacking into the VPS and redirecting the
> > ProxyPassReverse directive). But with those caveats, is it something
> > that could be done?
> >
> > An example:
> >
> > http://www.example.com acts as a proxy for http://example.heroku.com
> > https://www.example.com acts as a proxy for https://example.heroku.com
> >
> > Any thoughts?
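An Apache 2.4 virtual host for the VPS along the lines Paul describes, as an added example that is not part of this thread: it terminates TLS for www.example.com, then re-encrypts to Heroku's piggy-back endpoint https://example.heroku.com and verifies that upstream certificate, so the VPS->Heroku leg is not just encrypted but also authenticated. Hostnames are the ones from Jordan's example; the certificate and CA-bundle paths are placeholders.

```apache
# Added example, not from the thread. Needs mod_ssl, mod_proxy,
# mod_proxy_http and mod_headers. Apache does not allow trailing
# comments on directive lines, so every comment is on its own line.

# Plain HTTP: redirect to HTTPS rather than proxying in the clear.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com

    # Browser-facing TLS with the custom-domain certificate on the VPS
    # (placeholder paths).
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Upstream leg: re-encrypt to Heroku and require a valid certificate
    # whose name matches example.heroku.com. Without these three
    # directives a spoofed DNS answer or an on-path box could stand in
    # for the app and the proxy would never notice.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    # Placeholder: the Debian/Ubuntu system CA bundle location.
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt

    # Send "Host: example.heroku.com" upstream so Heroku's router finds
    # the app and the piggy-back *.heroku.com certificate matches.
    ProxyPreserveHost Off
    ProxyPass        / https://example.heroku.com/
    ProxyPassReverse / https://example.heroku.com/

    # Rewrite cookie domains that name the Heroku hostname.
    ProxyPassReverseCookieDomain example.heroku.com www.example.com

    # Let the app know the original request arrived over HTTPS.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

ProxyPassReverse only rewrites Location, Content-Location and URI response headers; absolute links to example.heroku.com inside HTML bodies are left alone, which is the "rewriter in the middle" Paul mentions (mod_proxy_html is the usual tool for that).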
