Hacker News new | ask | show | jobs
by icebraining 3810 days ago
The only potential problem is that Cloudflare doesn't check the validity of the herokuapp.com cert, so in theory someone could MITM the connection. In practice, I'm not sure how you'd even get Cloudflare to connect to the rogue proxy, short of taking control of the DNS of *.herokuapp.com.
1 comments
grapehut 3810 days ago
That's not true, when you setup crypto in cloudflare you need pick between "Full SSL (Strict)" which requires a valid certificate, and "Full SSL (non-strict)" which allows you to use a self-signed certificate or what not, but there's no reason you should be using that mode if you already have a valid certificate (as is the heroku case).
link
icebraining 3810 days ago
"Full SSL (Strict)" doesn't work with the certificate provided for free by Heroku:

  By default Heroku offers a wildcard SSL certificate which only covers
  ‘*.herokuapp.com’. This means that ‘Full SSL’ can be utilized as a default,
  which does not require that the SAN contains your FQDN. To utilize
  Full (Strict) you will need to add your own SSL certificate to your
  Heroku app, which can be done by using their ‘SSL Endpoint’ add-on.
https://support.cloudflare.com/hc/en-us/articles/205893698-C...
link