David- Thanks for the clarification. I was not aware of the AWS restriction on one IP per EC2 instance.
-Kelly

On Dec 10, 2009, at 5:13 PM, David Dollar wrote:

> The core of the problem is that Amazon only allows one IP per EC2
> instance, which is why we have to spin up a dedicated instance for
> SSL at all. If Amazon ever starts allowing that, we'd be able to
> re-evaluate our options for providing SSL. Until then, this is a pretty
> decent workaround. I probably wouldn't recommend trying to share it
> across people as that seems destined to lead to heartache somewhere,
> but if you want to get custom SSL on multiple apps under one cert,
> this seems like the way to do it.
>
> - David Dollar
>
> On Thu, Dec 10, 2009 at 6:06 PM, Kelly Heikkila <[email protected]> wrote:
> Maybe I'm missing something and I'm not an SSL expert, but couldn't
> Heroku allow customers to purchase more than one IP for an SSL
> instance? Then they could apply multiple domains without a
> multi-domain cert and without constantly having to keep applying/managing a
> single cert when it's changed. The customer would obviously need to
> make sure to keep the traffic low, as Morten points out. There would
> be an expense for the IP, but that should be much lower than a
> dedicated instance.
>
> I'm sure there are technical hurdles, but the custom SSL issue is a hot
> topic as evidenced by the length of this thread/similar ones. Also,
> I've had a number of conversations with different developers and when
> the topic turns to heroku they say "Great platform, but did you hear
> SSL costs $100/month?"
>
> -Kelly
>
> On Dec 10, 2009, at 4:22 PM, Wojciech Kruszewski wrote:
>
> > On Dec 10, 11:06 pm, Morten Bagai <[email protected]> wrote:
> >> Yeah, I didn't catch the multi-domain part.
> >
> > Well, wildcard is still interesting for me. I could replace
> > *.heroku.com with my own wildcard as a piggyback. I'd prefer to serve
> > sites admin/user panels of my clients from my own domain.
> >
> >> Theoretically it might be possible.
> >> I don't think we have ever seen a multi-domain cert in the
> >> wild at Heroku.
> >
> > Actually I already tried this with two dummy apps and a multi-domain
> > certificate taken from production site - worked like a charm. Will
> > show you the apps once they are migrated (if I remember of course).
> >
> >> Also, the solution we have in place now isn't designed
> >> for this in a couple of ways:
> >>
> >> 1) You would have to redeploy the cert every time it changed
> >> 2) With multiple busy apps, you might max out the resources of the
> >> SSL routing instance
> >
> > Good points. As for the resources, such a feature would be useful
> > mostly for smaller sites.
> >
> >>
> >> On Dec 10, 2:01 pm, Wojciech Kruszewski <[email protected]> wrote:
> >>
> >>> Yes I believe it would be possible.
> >>
> >>> You could even create a service that would do the pooling: "I'll add
> >>> your domain to my multi-domain certificate for a yearly fee".
> >>> *Theoretically* this business model should work...
> >>> although I'd much prefer Heroku coming up with their solution.
> >>
> >>> Do you know if it is easy to add new domains to existing multi-domain
> >>> certificates?
> >>
> >>> Regards,
> >>> Wojciech
> >>
> >>> --
> >>> http://twitter.com/WojciechK
> >>
> >>> On Dec 10, 10:44 pm, Doug Petkanics <[email protected]> wrote:
> >>
> >>>> If I am following your approach correctly, then I believe it would be
> >>>> possible for multiple Heroku users to "cooperate" on a single custom SSL
> >>>> addon using the following steps.
> >>
> >>>> 1. Alice and Bob agree to cooperate and split the costs between one another
> >>>> outside of the scope of Heroku's billing.
> >>>> 2. Alice buys a multi domain SSL cert covering her domain and Bob's domain.
> >>>> Alice also buys the custom SSL addon, and applies the certificate to her
> >>>> app.
> >>>> 3.
> >>>> Alice and Bob edit their domain's DNS settings to point to the dedicated
> >>>> IP.
> >>>> 4. Bob enables piggyback ssl on his app, and gets the benefit of Alice's
> >>>> custom ssl addon. The multi-domain cert they bought includes both their
> >>>> domains.
> >>
> >>>> Heroku guys, if this approach would work, would you take issue with some
> >>>> users pooling together to reduce the cost? I don't ask in the spirit of
> >>>> taking advantage of your platform, but instead ask because the current price
> >>>> of custom SSL is prohibitive from running smaller apps on the service right
> >>>> now.
> >>
> >>>> Thoughts?
> >>
> >>>> On Thu, Dec 10, 2009 at 12:00 PM, Wojciech Kruszewski
> >>>> <[email protected]> wrote:
> >>
> >>>>> In fact this is possible with their current environment:
> >>>>> http://wojciech.oxos.pl/post/277669886/save-on-herokus-custom-ssl-addons
> >>
> >>>>> On Dec 9, 7:58 pm, Wojciech Kruszewski <[email protected]> wrote:
> >>>>>> This is theoretically possible with their architecture, but they are
> >>>>>> currently reviewing how easy it would be to implement it and if it's
> >>>>>> worth the trouble.
> >>
> >>>>>> I created a public feature request:
> >>>>>> http://support.heroku.com/forums/42310/entries/87156
> >>>>>> - would you care to add your vote?
> >>
> >>>>>> Cheers,
> >>>>>> Wojciech
> >>
> >>>>>> On Dec 8, 11:47 pm, Chris Hanks <[email protected]> wrote:
> >>
> >>>>>>> Wojciech, if you ask support about that and get some good news, would
> >>>>>>> you report back? I'm curious about this too.
> >>
> >>>>>>> Thanks!
> >>
> >>>>>>> Chris
> >>
> >>>>>>> On Dec 8, 2:05 pm, Oren Teich <[email protected]> wrote:
> >>
> >>>>>>>> I don't know if that's possible or not - it's probably a function of the
> >>>>>>>> SSL protocol and our routing mesh, but it's beyond my technical
> >>>>>>>> knowledge.
> >>>>>>>> Best bet is to drop support@ a line, and see what they
> >>>>>>>> say. They'll be able to dig into the details for you.
> >>
> >>>>>>>> Oren
> >>
> >>>>>>>> On Tue, Dec 8, 2009 at 12:42 PM, Wojciech Kruszewski <[email protected]> wrote:
> >>>>>>>>> Thanks Oren, this makes sense.
> >>
> >>>>>>>>> So can that one mostly idle server handle SSL requests for multiple
> >>>>>>>>> applications?
> >>
> >>>>>>>>> I mean I tried Heroku and was very happy with the experience - looks
> >>>>>>>>> like it needs little to no maintenance on my part. I'd wish to host a
> >>>>>>>>> handful of smaller web apps, each with 1-3 dynos.
> >>
> >>>>>>>>> I could live with piggyback ssl, if it was my own wildcard
> >>>>>>>>> certificate.
> >>
> >>>>>>>>> - Wojciech
> >>
> >>>>>>>>> On Dec 8, 8:58 pm, Oren Teich <[email protected]> wrote:
> >>>>>>>>>> They are totally independent. The way our architecture works, dynos
> >>>>>>>>>> run on machines called railguns, which are specially set up for the
> >>>>>>>>>> job. We have to set up a special (and yes, mostly idle) server just to
> >>>>>>>>>> handle the SSL requests. It's not possible with the product we have
> >>>>>>>>>> today to run dynos on that server.
> >>
> >>>>>>>>>> Oren
> >>
> >>>>>>>>>> On Tue, Dec 8, 2009 at 7:48 AM, Wojciech Kruszewski <[email protected]> wrote:
> >>>>>>>>>>> Hi,
> >>
> >>>>>>>>>>> I've read your explanation about why you charge $100/mo for custom SSL
> >>>>>>>>>>> (http://docs.heroku.com/ssl#faq). You need exclusive IP, Amazon
> >>>>>>>>>>> assigns only one IP for an instance, so you need to reserve full
> >>>>>>>>>>> instance just to use one SSL cert - seems fair.
> >>
> >>>>>>>>>>> Ok, but if you reserve full EC2 instance just for me... then why do I
> >>>>>>>>>>> have to pay for extra dynos?
> >>>>>>>>>>> Aren't you double-billing for this
> >>>>>>>>>>> instance?
> >>
> >>>>>>>>>>> I believe it's "just against your architecture" but still I'd like to
> >>>>>>>>>>> know the explanation.
> >>
> >>>>>>>>>>> Regards,
> >>>>>>>>>>> Wojciech
> >>
> >>>>>>>>>>> --
> >>>>>>>>>>> http://twitter.com/WojciechK
> >>>>>>>>>>> http://oxos.pl - Ruby on Rails development
> >>
> >>>>>>>>>>> --
> >>
> >>>>>>>>>>> You received this message because you are subscribed to the Google Groups "Heroku" group.
> >>>>>>>>>>> To post to this group, send email to [email protected].
> >>>>>>>>>>> To unsubscribe from this group, send email to [email protected].
> >>>>>>>>>>> For more options, visit this group at http://groups.google.com/group/heroku?hl=en.
