SSL and Certificates

AppHarbor supports SSL in multiple ways, namely SNI SSL, piggyback and hostname/IP based SSL.

SNI SSL

SNI SSL is supported on AppHarbor for HTTPS traffic. Once the certificate is added you can access the application's url with https://example.com - no other changes are required to your application.

Please note that SNI SSL has limited browser support. Refer to http://en.wikipedia.org/wiki/Server_Name_Indication for more info (in particular, Chrome in Windows XP and all versions of IE running on Windows XP will display warnings).

Piggyback SSL

Applications on AppHarbor is enabled with piggyback SSL by default. You can access your site using HTTPS with your hostname like so: https://your-app-name.apphb.com address that is assigned to the application.

IP-based SSL

You can get IP-based SSL for your application for $100/month (AppHarbor has to run a custom load balancer for each IP-SSL enabled site). Just drop us a line on support@appharbor.com and we'll set it up.

Getting a Certificate

SSL certificates can be purchased from a wide array of digital certificate providers or they can be self-signed. RapidSSL, GeoTrust and Comodo are a few popular choices.

You can usually find a walkthrough of how to create a certificate on the provider's website.

One of our users has written a good step-by-step blog post showing how the certificate creation process in IIS.

Uploading a Certificate

You can upload your own certificate in two ways: Either by using a public/private key pair or by uploading af *.pfx file. If your private key or pfx file needs a passphrase you can enter it when adding the certificate. A passphrase must always be supplied when uploading a pfx certificate. You can add a certificate to your application by clicking the "Certificates" link on your application's page.

Intermediate Certificates

When a certificate has been created for the application you can add intermediate certificates. Usually the certificate issuer includes any necessary intermediate certificates when you receive the certificate. If not you may have to contact the certificate issuer to get their intermediate certificate.

Troubleshooting

RequireHttpsAttribute: If you're using the built-in RequireHttpsAttribute to ensure that a controller action always uses HTTPS you will experience a redirect loop. The reason is that SSL is terminated at the load balancer level and RequireHttps doesn't recognize the X-Forwarded-Proto header it uses to indicate that the request was made using HTTPS. You should therefore use a custom RequireHttps attribute for this purpose. We've put up a sample RequireHttpsAttribute class which you can find here: https://gist.github.com/915869

Public/Private key header and footer: When uploading a certificate using public/private key pair make sure to include the header and footer (i.e. -----{BEGIN/END} CERTIFICATE----- and -----{BEGIN/END} RSA PRIVATE KEY-----

Pfx file fails when uploading: Some pfx files may fail when uploading. Try and import it in IIS and then export a new one to use on AppHarbor. Feel free to contact support if this doesn't solve the issue

Recent Discussions

21 Sep, 2014 04:18 PM
20 Sep, 2014 01:28 AM
19 Sep, 2014 01:05 AM
16 Sep, 2014 11:22 PM
15 Sep, 2014 12:55 PM