There is a way to have multiple SSL endpoints routing traffic to the same app.
An SSL endpoint works by terminating the SSL connection and injecting the unencrypted traffic back in to the normal Heroku routing layer.
You can take advantage of this by creating a new app with a new SSL endpoint to terminate the SSL connection and route the traffic to your existing app:
Add your domain name to your app:
$ heroku domains:add ssl.example.com
Create a new app:
$ heroku create endpoint-for-example-com
Add the SSL endpoint add-on ($20/mo):
$ heroku addons:create ssl:endpoint --app endpoint-for-example-com
Add your certificate to your new app:
$ heroku certs:add server.crt bundle.pem server.key --app endpoint-for-example-com --type endpoint
Resolving trust chain... done
Adding SSL Endpoint to endpoint-for-example-com... done
endpoint-for-example-com now served by kagawa-1482.herokussl.example.com
Use the ssl endpoint assigned to your new app (e.g. kagawa-1482.herokussl.example.com
) as the CNAME host for the domain name you wish to secure. This is normally done in your domain's DNS configuration.
The new app does not need any dynos, but there will be a charge of $20 / month for the SSL endpoint add-on.
Notes:
This solution is not documented by Heroku, so it's possible that they
would remove or change this behaviour in the future. Heroku have confirmed that this is safe for production use.
- Be sure to create your endpoints in the same region as your primary app.
- It might take a while for your DNS changes to take effect.