The X-Forwarded-Proto
header is intentionally overridden by AppHarbor's load balancers to the actual scheme of the request.
Note that while CloudFlare's flexible SSL option may add slightly more security, there is still unencrypted traffic travelling over the public internet from CloudFlare to AppHarbor. This arguably defies the purpose of SSL for anything else than appearances and reducing the number of attack vectors (like packet sniffing on the user's local network) - i.e. it may look "professional" to your users, but it actually is still insecure.
That's less than ideal particularly since AppHarbor supports both installing your own certificates and includes piggyback SSL out of the box. CloudFlare also recommends using "Full SSL" for scenarios where the origin servers/service support SSL. So you have a couple of options:
- Continue to use the insecure "Flexible SSL" option, but instead of inspecting the
X-Forwarded-Proto
header in your customRequireHttps
filter, you should inspect thescheme
attribute of theCF-Visitor
header. There are more details in this discussion. - Use "Full SSL" and point CloudFlare to your
*.apphb.com
hostname. This way you can use the complimentary piggyback SSL that is enabled by default with your AppHarbor app. You'll have to override theHost
header on CloudFlare to make this work and here's a blog post on how to do that. This will of course make requests to your app appear like they were made to your*.apphb.com
domain - so if for instance you automatically redirect requests to a "canonical" URL or generate absolute URLs you'll likely have to take this into consideration. - Upload your certificate and add a custom hostname to AppHarbor. Then turn on "Full SSL" on CloudFlare. This way the host header will remain the same and your application will continue to work without any modifications. You can read more about the SSL options offered by AppHarbor in this knowledge base article.