问题描述
几天前,我们在Cloudflare代理(橙色云,如果您知道Cloudflare)后面的1个Heroku应用上收到错误消息不支持CDN中的严格TLS".
A few days ago we received the error "Strict TLS in CDN not supported" on 1 Heroku app that's behind Cloudflare's proxy (orange cloud, if you know Cloudflare).
基本上,客户对 https://foo.example.com 的请求是通过Cloudflare代理的,然后由Cloudflare发出对 https://foo.herokuapp.com 的请求,缓存响应,并将结果传递回客户端.请注意,整个链都是通过HTTPS进行的.我们已经将Clouflare配置为仅通过HTTPS与最终服务器通信,并且我们不希望最终服务器通过HTTP发送响应.
Basically, client requests to https://foo.example.com are proxied through Cloudflare, who then make the requests to https://foo.herokuapp.com, caches the response, and passes the result back to the client. Notice that the entire chain is over HTTPS. We've configured Clouflare to only communicate with the end server over HTTPS, and we don't want the end server to ever send out responses over HTTP.
当Heroku的策略检测到您位于已经在处理SSL的代理后面时,似乎不再允许通过SSL进行服务.在过去的一周中,更多的应用程序开始显示此错误,我们不得不禁用Cloudflare的代理.此处是其文档,并且给出的原因是因为Cloudflare提供了SSL证书".
It seems that Heroku's policy no longer allows serving over SSL when they detect that you're behind a proxy that's already handling SSL. Over the past week, more apps have begun showing this error and we've had to disable Cloudflare's proxy. Here's their documentation on this, and the reason given is "because Cloudflare provides SSL certificates."
还有其他人遇到此问题并有解决方法吗?尽管Cloudflare仍然可以阻止从客户端到Cloudflare的某些漏洞,但这仍使从Cloudflare到最终服务器的其他漏洞成为可能.
Anyone else encounter this and have a workaround? While Cloudflare still prevents certain vulnerabilities from the client to Cloudflare, this leaves other vulnerabilities open from Cloudflare to the end server.
更新:我已经收到来自Heroku的回复:
Update: I've heard back from Heroku on this:
但是,我还没有发现上述说法是正确的.无论设置为完全"还是严格",Heroku始终会报告上述错误.我已经安装了Cloudflare的原始证书来解决此问题.
However, I have not found the above to be true. On either setting (Full or Strict), Heroku always reports the above error. I've installed origin certs from Cloudflare to resolve this issue.
推荐答案
Heroku似乎特别不希望您使用ACM(自动证书管理),在这种情况下,他们使用让我们加密"为您自动颁发证书.当您的证书不是面向客户的时,这是不必要的.
It looks like Heroku specifically doesn't want you to use ACM (Automatic Certificate Management), in which they use Let's Encrypt to automatically issue certificates for you. This is unnecessary when your certificates aren't client-facing.
如果始终是Cloudflare与您的Heroku应用程序对话,我建议改为使用原始证书".Cloudflare可以生成专门用于您的证书和私钥,以供您在原始服务器上安装,以向Cloudflare进行身份验证.该证书由Cloudflare的专用CA签名,浏览器无法识别该证书,只有Cloudflare本身可以识别该证书.这意味着您不必像使用普通的CA证书那样跳越繁琐的步骤来验证您的域并更新证书.
If it's always Cloudflare talking to your Heroku app, I suggest instead using "origin certificates". Cloudflare can generate a certificate and private key specifically for you to install on your origin server for the purpose of authenticating it to Cloudflare. This certificate is signed by Cloudflare's private CA, which is not recognized by browsers, only by Cloudflare itself. This means you don't have to jump through so many hoops to verify your domain and renew certs like you would with normal CA certs.
您可以告诉Cloudflare在Cloudflare仪表板中生成原始证书.您可以根据以下文档将证书安装到Heroku中:
You can tell Cloudflare to generate an origin certificate in the Cloudflare dashboard. You can the install your certificate into Heroku according to this documentation:
https://devcenter.heroku.com/articles/ssl#manually-upcertificates-and-mediaries
请注意,这在Heroku方面不需要"ACM",因为您要带上自己的证书.我希望Heroku在落后于Cloudflare的情况下使用此模式会很好(如果没有,那将是Heroku中的一个相当严重的缺陷).
Note that this does not require "ACM" on the Heroku side, because you're bringing your own cert. I would expect Heroku is fine with this mode while behind Cloudflare (if not... that would be a pretty serious flaw in Heroku).
这是Cloudflare有关原始证书的一般文档:
Here's Cloudflare's general docs on origin certs:
(免责声明:我实际上并未在Heroku上尝试过此操作,但过去我已成功将起源证书与其他主机一起使用.)
(Disclaimer: I haven't actually tried this with Heroku, but I've successfully used origin certs with other hosts in the past.)
这篇关于Heroku的变通办法不再支持Cloudflare后面的SSL(“不支持CDN中的严格TLS")?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!