I've considered the possibility of using EC2 security groups to combine my own EC2 instances with those of my Heroku app, but there are a couple of problems I can see: 1) it depends on Heroku remaining on EC2 (which is fine for now, but it's worth keeping in mind), 2) there's no guarantee which EC2 instance my app will run on, and I don't know if the apps are all in the same security group, and 3) if my app's EC2 instance is in the same security group, so are all the other apps on that EC2 instance. :P
So what I've done, for a different scenario, is set up an SSL pipe between my frontend and backend servers. In my case the frontend is the Heroku app and the backend is an EC2 instance, but the idea would work in your case (indeed, you even mentioned it). You wouldn't even need a signed cert between your nginx frontend and your Heroku app, just for the frontend. The only problem I can see with it is lag, so it depends a lot on what your application is and how lag would be perceived by users. In our case we try to make as much of the background communication asynchronous as possible so users don't notice.

Jimmy

On Wed, Dec 8, 2010 at 5:34 PM, Ruy Diaz <[email protected]> wrote:
> Hi all,
>
> I'm trying to figure out how to set up my application to allow
> multiple SSL enabled custom domains. I am planning on using UCC
> certificates (supporting up to 150 hostnames each). However, I'm not
> sure if the setup I have in mind is possible through Heroku.
>
> Our application allows each of our users to create multiple websites.
> Each website gets a subdomain under our host name. As an upgrade,
> users can sign up for a package that allows a custom domain to be
> attached to the website. As another upgrade, they can add SSL to the
> site. This is where it gets tricky.
>
> I currently have Hostname based SSL with a wildcard certificate to
> cover the subdomains on our hostname. It's setting up the SSL for the
> custom domains that I'm trying to figure out. What I'm thinking of
> doing at this point is to get a UCC certificate for every 150
> customers. The problem is hosting the certificate, and here is what I'm
> not sure is possible or not with Heroku. I thought I could set my
> SSL addon to IP based (Heroku would then start up a new EC2 instance
> with a static IP) and mount the UCC certificate on it. This is
> assuming that my Wildcard certificate is still operational on my
> original app, which I think is true because at one point we did add
> the IP based SSL (which we cancelled shortly after because we found an
> alternative to the problem we had at the time) and the wildcard
> certificate was still being served, but that could have just been
> because it got transferred over to the IP addon.
>
> At any rate, IF I can keep my wildcard certificate AND put the UCC
> certificate on the new EC2 instance AND I can fire up more EC2
> instances for each additional UCC certificate I need, AND I have
> access to update the UCC certificates (each time I need to register a
> domain) through the API, then I think I'm in the clear.
>
> I'm not sure if any of this is possible because:
> - I'm not sure it actually works to have both Hostname and IP based
> SSL with different certificates
> - when you run heroku ssl:add, you only pass the PEM and key, you
> don't get to tell it "add it to the hostname SSL, or add it to the IP
> based SSL". Is there a way to specify it?
> - from the web interface, it doesn't seem like you can add multiple IP
> based SSL addons. If you can, how do you tell the heroku gem to
> install an updated certificate to IP server 1 or IP server n?
>
> If this is not possible, I would have to run my own EC2 instances just
> so I can host an NGINX or similar and serve the SSL certificates. The
> problem here is how do I now proxy the request back to my heroku app
> securely? Is there a way to use an internal DNS name or establish a
> tunnel to my app? I don't love this solution because it requires
> managing the instances manually, which is kind of what we love about
> Heroku: that we don't have to manage them.
>
> Another alternative would be to start up a new Heroku app for each of
> my UCC certificates, each instance with my whole app. The problem here
> is that costs add up pretty quickly, since we would basically be
> hosting 150 customers per instance. Additionally, now we need to deploy
> our code to multiple instances, which we would preferably like to
> avoid.
>
> Are there any other alternatives that I am missing? Is my first
> solution (the most cost effective and easy to implement and maintain,
> IMO) possible?
>
> Regards
> Ruy
>
> --
> You received this message because you are subscribed to the Google Groups
> "Heroku" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to [email protected].
> For more options, visit this group at
> http://groups.google.com/group/heroku?hl=en.

--
+1-919-627-7546
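The "own EC2 instance running nginx, proxying back to Heroku over SSL" setup that Ruy asks about and Jimmy describes, as an added example written for this page by the editor; it is not code from either poster and not a Heroku-supplied config. Every hostname, certificate path, resolver address and the `X-Proxy-Auth` header name are assumptions to be replaced. It covers the two points a practitioner would want beyond "set up an SSL pipe": the nginx-to-Heroku leg verifies the backend certificate (pinned, if self-signed), and a shared secret is forwarded so the app can refuse requests that reach its public Heroku hostname without going through the proxy, since no security group can do that filtering for you.

```nginx
# Added example (editor's, not from the thread): a complete nginx.conf for a
# self-managed EC2 host that terminates TLS for one batch of customer domains
# covered by one UCC/SAN certificate and proxies to a Heroku app over a second,
# verified TLS connection. Hostnames, paths, the resolver address and the
# header name are all assumptions; substitute your own.

events {}

http {
    # Re-resolve the Heroku hostname instead of pinning the IP nginx saw at
    # start-up: a literal name in proxy_pass is resolved once, at load time,
    # which goes stale when the app's IPs change.
    resolver 169.254.169.253 valid=30s;   # assumed: the EC2/VPC resolver

    # Catch-all for SNI names no customer block claims. Closing the connection
    # beats answering with some other customer's certificate.
    # (nginx >= 1.19.4 can use "ssl_reject_handshake on;" instead of a cert.)
    server {
        listen 443 ssl default_server;
        server_name _;
        ssl_certificate     /etc/nginx/certs/fallback.pem;
        ssl_certificate_key /etc/nginx/certs/fallback.key;
        return 444;
    }

    # One server block per UCC certificate. nginx selects the block, and so
    # the certificate, from the client's SNI, so every batch shares one IP;
    # clients without SNI land on the default_server above.
    server {
        listen 443 ssl;
        server_name customer-a.example customer-b.example www.customer-c.example;  # the SANs on this cert

        ssl_certificate     /etc/nginx/certs/ucc-batch-01.pem;   # leaf + chain
        ssl_certificate_key /etc/nginx/certs/ucc-batch-01.key;
        ssl_protocols       TLSv1.2 TLSv1.3;

        location / {
            set $heroku_backend example-shop.herokuapp.com;   # assumed app hostname
            proxy_pass https://$heroku_backend;

            # Second leg: verify the backend. An unverified "SSL pipe" stops
            # passive eavesdropping only; anyone able to steer this host's
            # outbound traffic could impersonate the app.
            proxy_ssl_protocols    TLSv1.2 TLSv1.3;
            proxy_ssl_server_name  on;
            proxy_ssl_name         example-shop.herokuapp.com;
            proxy_ssl_verify       on;
            proxy_ssl_verify_depth 2;
            # Public CA bundle when the backend has a CA-signed cert. If the
            # backend uses a self-signed cert, point this at that exact cert:
            # pinning it is what makes "no signed cert needed" safe.
            proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

            # Heroku routes on Host, so send the app's Heroku hostname and
            # hand the customer's domain to the app separately.
            proxy_set_header Host              example-shop.herokuapp.com;
            proxy_set_header X-Forwarded-Host  $host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Real-IP         $remote_addr;

            # The Heroku hostname is public and cannot be firewalled by IP.
            # A long random shared secret, checked by the app on every
            # request, is what binds the app to this proxy. Keep this file
            # as tightly permissioned as the private keys above.
            proxy_set_header X-Proxy-Auth "replace-with-32-random-bytes-base64";   # assumed header name
        }
    }
}
```

The app side is the half nginx cannot do: a small Rack middleware (or equivalent) that reads `X-Proxy-Auth`, compares it to a value from the environment with a constant-time comparison, and returns 403 otherwise, so a direct request to `example-shop.herokuapp.com` is refused. If the customer domains are also registered as custom domains on the Heroku app, `proxy_set_header Host $host;` can be used instead of the fixed Heroku hostname. The lag Jimmy mentions is mostly the extra TLS handshake per new upstream connection; nginx's `proxy_ssl_session_reuse` (on by default) amortises it across requests.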
