Maybe I'm missing something and I'm not an SSL expert, but couldn't Heroku allow customers to purchase more than one IP for an SSL instance? Then they could apply multiple domains without a multi- domain cert and without constantly having to keep applying/managing a single cert when it's changed. The customer would obviously need to make sure to keep the traffic low, as Morten points out. There would be an expense for the IP, but that should be much lower than a dedicated instance.
I'm sure there are technical hurdles, but he custom SSL issue is a hot topic as evidenced by the length of this thread/similar ones. Also, I've had a number of conversations with different developers and when the topic turns to heroku they say "Great platform, but did you hear SSL costs $100/month?" -Kelly On Dec 10, 2009, at 4:22 PM, Wojciech Kruszewski wrote: > On Dec 10, 11:06 pm, Morten Bagai <mor...@heroku.com> wrote: >> Yeah, I didn't catch the multi-domain part. > > Well, wildcard is still interesting for me. I could replace > *.heroku.com with my own wildcard as a piggyback. I'd prefer to serve > sites admin/user panels of my clients from my own domain. > >> Theoretically it might be possible. I don't think we have ever seen >> a multi-domain cert in the >> wild at Heroku. > > Actually I already tried this with two dummy apps and a multi-domain > certificate taken from production site - worked like a charm. Will > show you the apps once they are migrated (if I remember of course). > >> Also, the solution we have in place now isn't designed >> for this in a couple of ways: >> >> 1) You would have to redeploy the cert every time it changed >> 2) With multiple busy apps, you might max out the resources of the >> SSL >> routing instance > > Good points. As for the resources, such a feature would be useful > mostly for smaller sites. > >> >> On Dec 10, 2:01 pm, Wojciech Kruszewski <wojci...@oxos.pl> wrote: >> >>> Yes I believe it would be possible. >> >>> You could even create a service that would to the pooling: "I'll add >>> your domain to my multi-domain certificate for a yearly fee". >>> <emphasis>Theoretically</emphasis> this business model should >>> work... >>> although I'd much prefer Heroku coming up with their solution. >> >>> Do you know is it easy to add new domains to existing multi-domain >>> certificates? >> >>> Regards, >>> Wojciech >> >>> --http://twitter.com/WojciechK >> >>> On Dec 10, 10:44 pm, Doug Petkanics <petkan...@gmail.com> wrote: >> >>>> If I am following your approach correctly, then I believe it >>>> would be >>>> possible for multiple Heroku users to "cooperate" on a single >>>> custom SSL >>>> addon using the following steps. >> >>>> 1. Alice and Bob agree to cooperate and split the costs between >>>> one another >>>> outside of the scope of Heroku's billing. >>>> 2. Alice buys a multi domain SSL cert covering her domain and >>>> Bob's domain. >>>> Alice also buys the custom SSL addon, and applies the certificate >>>> to her >>>> app. >>>> 3. Alice and Bob edit their domain's DNS settings to point to the >>>> dedicated >>>> IP. >>>> 4. Bob enables piggyback ssl on his app, and gets the benefit of >>>> Alice's >>>> custom ssl addon. The multi-domain cert they bought includes both >>>> their >>>> domains. >> >>>> Heroku guys, if this approach would work, would you take issue >>>> with some >>>> users pooling together to reduce the cost? I don't ask in the >>>> spirit of >>>> taking advantage of your platform, but instead ask because the >>>> current price >>>> of custom SSL is prohibitive from running smaller apps on the >>>> service right >>>> now. >> >>>> Thoughts? >> >>>> On Thu, Dec 10, 2009 at 12:00 PM, Wojciech Kruszewski >>>> <wojci...@oxos.pl>wrote: >> >>>>> In fact this is possible with their current environment: >>>>> http://wojciech.oxos.pl/post/277669886/save-on-herokus-custom-ssl-addons >> >>>>> On Dec 9, 7:58 pm, Wojciech Kruszewski <wojci...@oxos.pl> wrote: >>>>>> This is theoretically possible with their architecture, but >>>>>> they are >>>>>> currently reviewing how easy it would be to implement it and if >>>>>> it's >>>>>> worth the trouble. >> >>>>>> I created a public feature request: >>>>> http://support.heroku.com/forums/42310/entries/87156 >>>>>> - would you care to add your vote? >> >>>>>> Cheers, >>>>>> Wojciech >> >>>>>> On Dec 8, 11:47 pm, Chris Hanks <christopher.m.ha...@gmail.com> >>>>>> wrote: >> >>>>>>> Wojciech, if you ask support about that and get some good >>>>>>> news, would >>>>>>> you report back? I'm curious about this too. >> >>>>>>> Thanks! >> >>>>>>> Chris >> >>>>>>> On Dec 8, 2:05 pm, Oren Teich <o...@heroku.com> wrote: >> >>>>>>>> I don't know if that's possible or not it's probably a >>>>>>>> function of >>>>> the >>>>>>>> SSL protocol and our routing mesh, but it's beyond my technical >>>>>>>> knowledge. Best bet is to drop support@ a line, and see what >>>>>>>> they >>>>>>>> say. They'll be able to dig into the details for you. >> >>>>>>>> Oren >> >>>>>>>> On Tue, Dec 8, 2009 at 12:42 PM, Wojciech Kruszewski < >>>>> wojci...@oxos.pl> wrote: >>>>>>>>> Thanks Oren, this makes sense. >> >>>>>>>>> So can that one mostly idle server handle SSL requests for >>>>>>>>> multiple >>>>>>>>> applications? >> >>>>>>>>> I mean I tried Heroku and was very happy with the experience - >>>>> looks >>>>>>>>> like it needs little to no maintenance on my part. I'd wish >>>>>>>>> to host >>>>> a >>>>>>>>> handful smaller web apps, each with 1-3 dynos. >> >>>>>>>>> I could live with piggyback ssl, if it was my own wildcard >>>>>>>>> certificate. >> >>>>>>>>> - Wojciech >> >>>>>>>>> On Dec 8, 8:58 pm, Oren Teich <o...@heroku.com> wrote: >>>>>>>>>> They are totally independent. The way our architecture >>>>>>>>>> works, >>>>> dynos >>>>>>>>>> run on machines called railguns, which are specially set up >>>>>>>>>> for >>>>> the >>>>>>>>>> job. We have to setup a special (and yes, mostly idle) >>>>>>>>>> server >>>>> just to >>>>>>>>>> handle the SSL requests. It's not possible with the >>>>>>>>>> product we >>>>> have >>>>>>>>>> today to run dynos on that server. >> >>>>>>>>>> Oren >> >>>>>>>>>> On Tue, Dec 8, 2009 at 7:48 AM, Wojciech Kruszewski < >>>>> wojci...@oxos.pl> wrote: >>>>>>>>>>> Hi, >> >>>>>>>>>>> I've read your explanation about why you charge $100/mo for >>>>> custom SSL >>>>>>>>>>> (http://docs.heroku.com/ssl#faq). You need exclusive IP, >>>>>>>>>>> Amazon >>>>>>>>>>> assigns only one IP for an instance, so you need to >>>>>>>>>>> reserve full >>>>>>>>>>> instance just to use one SSL cert - seems fair. >> >>>>>>>>>>> Ok, but if you reserve full EC2 instance just for me... >>>>>>>>>>> then why >>>>> do I >>>>>>>>>>> have to pay for extra dynos? Aren't you double-billing for >>>>>>>>>>> this >>>>>>>>>>> instance? >> >>>>>>>>>>> I believe it's "just against your architecture" but still >>>>>>>>>>> I'd >>>>> like to >>>>>>>>>>> know the explanation. >> >>>>>>>>>>> Regards, >>>>>>>>>>> Wojciech >> >>>>>>>>>>> -- >>>>>>>>>>> http://twitter.com/WojciechKhttp://oxos.pl-RubyonRailsdevelopment >> >>>>>>>>>>> -- >> >>>>>>>>>>> You received this message because you are subscribed to the >>>>> Google Groups "Heroku" group. >>>>>>>>>>> To post to this group, send email to >>>>>>>>>>> her...@googlegroups.com. >>>>>>>>>>> To unsubscribe from this group, send email to >>>>> heroku+unsubscr...@googlegroups.com<heroku%2bunsubscr...@googlegroups.com >>>>> > >>>>> . >>>>>>>>>>> For more options, visit this group athttp:// >>>>> groups.google.com/group/heroku?hl=en. >> >>>>>>>>> -- >> >>>>>>>>> You received this message because you are subscribed to the >>>>>>>>> Google >>>>> Groups "Heroku" group. >>>>>>>>> To post to this group, send email to her...@googlegroups.com. >>>>>>>>> To unsubscribe from this group, send email to >>>>> heroku+unsubscr...@googlegroups.com<heroku%2bunsubscr...@googlegroups.com >>>>> > >>>>> . >>>>>>>>> For more options, visit this group athttp:// >>>>> groups.google.com/group/heroku?hl=en. >> >>>>> -- >> >>>>> You received this message because you are subscribed to the >>>>> Google Groups >>>>> "Heroku" group. >>>>> To post to this group, send email to her...@googlegroups.com. >>>>> To unsubscribe from this group, send email to >>>>> heroku+unsubscr...@googlegroups.com<heroku%2bunsubscr...@googlegroups.com >>>>> > >>>>> . >>>>> For more options, visit this group at >>>>> http://groups.google.com/group/heroku?hl=en. > > -- > > You received this message because you are subscribed to the Google > Groups "Heroku" group. > To post to this group, send email to her...@googlegroups.com. > To unsubscribe from this group, send email to > heroku+unsubscr...@googlegroups.com > . > For more options, visit this group at > http://groups.google.com/group/heroku?hl=en > . > > -- You received this message because you are subscribed to the Google Groups "Heroku" group. To post to this group, send email to her...@googlegroups.com. To unsubscribe from this group, send email to heroku+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/heroku?hl=en.
