Performance hit would be smaller if you had your site on EC2 too. Still have to pay $100/mo just to have an exclusive IP for your SSL, only you'd have all the spare power of this instance for other purposes. Anyway, sounds like making life complicated again.

If you plan to host multiple SSL-enabled sites on Heroku, you could host them under one Custom SSL addon (serving one multi-domain certificate). I already tried this:
http://wojciech.oxos.pl/post/277669886/save-on-herokus-custom-ssl-addons

A workaround until SNI becomes a viable solution.

Regards,
Wojciech
--
http://twitter.com/WojciechK

On Nov 30, 11:52 am, Paul Leader <[email protected]> wrote:
> Oren's essentially correct.
>
> If you wanted to use a reverse proxy in this context, it would need to
> terminate the SSL connection itself.
>
> However, your SSL proxy box could re-write the urls to https://foo.heroku.com
> and then use the free piggy-back SSL service.
>
> You would still be open to the possibility of someone hacking your
> reverse proxy, but all the communications would be encrypted.
>
> This is not really any different from a normal application with an SSL
> front end acting as a gateway, with private application servers behind
> it. The only difference is that the "internal" communications are
> actually going over the public internet, but in encrypted form.
>
> Because the SSL reverse proxy would have to unpack and modify all
> requests, it wouldn't be particularly efficient. You would now have
> two encryption/decryption cycles, and a rewriter in the middle, so
> expect a bit of a performance hit.
>
> It would be nice if SNI support was more widespread, as that would be
> the best solution at just $5 a month.
>
> Paul
> -- http://www.graphomatic.net - Graph your life
>
> On Nov 29, 9:19 pm, Oren <[email protected]> wrote:
>
> > Someone with better SSL-foo may chime in here, but I don't believe you
> > can proxy an SSL request. That would constitute a man-in-the-middle
> > attack. The browser would detect this, and provide a big fat warning
> > to the user. You could terminate the SSL connection on the VPS, but
> > then of course the VPS->Heroku connection wouldn't be encrypted.
>
> > Oren
>
> > On Nov 28, 4:35 pm, Jordan Brock <[email protected]> wrote:
>
> > > With the recent addition of custom domain SSL hosting on Heroku, the
> > > possibility of moving some of my production sites over became very
> > > real. Very real until I saw the cost of the SSL add-on that is. $1200/year
> > > per site is not really an option.
>
> > > However, it got a friend and I thinking: Couldn't this be worked
> > > around with ProxyPass and ProxyPassReverse? Eg, I run a dedicated VPS
> > > that does nothing except act as a proxy server. This server has the
> > > SSL certificate on it, and acts as a proxy for https://example.heroku.com
>
> > > Is there anything inherently wrong with this approach? It's kind of
> > > what is being done by heroku anyway for their normal hosting (eg
> > > everything is behind a proxying server).
>
> > > It's an additional point of failure, and is a potential security risk
> > > (in terms of someone hacking into the VPS and redirecting the
> > > ProxyPassReverse directive). But with those caveats, is it something
> > > that could be done?
>
> > > An example:
>
> > > http://www.example.com acts as a proxy for http://example.heroku.com
> > > https://www.example.com acts as a proxy for https://example.heroku.com
>
> > > Any thoughts?
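
The two-hop setup discussed in this thread, as an added example that is not from any of the posters or from Heroku: an Apache httpd virtual host that terminates SSL for www.example.com and re-encrypts to the piggy-back endpoint. It assumes Apache 2.4 with mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded; the certificate paths and CA bundle location are placeholders.

```apache
# Added example; file paths below are placeholders (assumptions).
<VirtualHost *:443>
    ServerName www.example.com

    # Hop 1: browser -> proxy. The proxy presents its own certificate for
    # www.example.com, so the browser sees a valid chain and shows no warning.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off

    # Weak variant (the unencrypted VPS->Heroku leg Oren describes):
    # ProxyPass / http://example.heroku.com/

    # Hop 2: proxy -> Heroku, re-encrypted as Paul suggests.
    SSLProxyEngine on
    # SSLProxyVerify defaults to "none"; without "require" the proxy would
    # accept any upstream certificate and the second hop could be intercepted.
    SSLProxyVerify require
    SSLProxyVerifyDepth 3
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt

    # Send "Host: example.heroku.com" upstream so the request matches both
    # the upstream certificate name and the app's hostname.
    ProxyPreserveHost Off
    ProxyPass        / https://example.heroku.com/
    # Rewrite Location headers and cookie domains back to the public name.
    ProxyPassReverse / https://example.heroku.com/
    ProxyPassReverseCookieDomain example.heroku.com www.example.com

    # Tell the app the client connection was HTTPS (requires mod_headers).
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

Requests are decrypted and readable on the proxy host between the two hops, so that host and its private key need the same protection as the application itself.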
