David Lowry


750 Experience
0 Lessons Completed
1 Question Solved


Rest-assured I overthought this!!

Host and Forwarded host only required and reverse proxy to the actual heroku app (this may not be necessary, as opposed to my other CNAME'd end-points). The below works.

customdomain.tv, another.customdomain.tv {
        reverse_proxy https://actual-app-name.herokuapp.com {
                header_up Host {upstream_hostport}
                header_up X-Forwarded-Host {host}
        log {
               #  blah

TL;DR - how do I override the base_url (akin to CSRF protection?) with a set of valid domains?

Hi all

I run a PaaS of sorts which at present is hosted on Heroku and I have to map all my custom domains 1:1 with Heroku generated CNAMEs. This is a bit painful to maintain after 15-20 domains but I am trying to move away from this model for a different reason. I need to know the user's IPv6 address if it is what is presented by their browser (because my video CDN CAN see ipv6 and it breaks token authentication when I generate against ipv4). Heroku doesn't support this as its router is ipv4 only.

Scenario: I have a reverse proxy set up and functioning in Caddy BUT it fails at the form submission stage.

  • My app (on heroku) responds at app.mydomain.com
  • My goal is to add ipv6 awareness and a little protection in front of my app server
  • My reverse proxy proxies to that domain and presents the site i'm requesting because I pass that through by forwarding the X-CustomDomain or similar (in Application Controller)
  • I attempt to sign in, sign up and my logs read "HTTP Origin header (https://www.validclientsite.tv) didn't match request.base_url (https://app.mydomain.com)" on the form submission

I think my question is how do I override this base_url problem with a set of valid domains?

Heroku will proxy blindly via that specific URL but if I put something else in the regular x-REFERER header an SSL error occurs.

Hope that makes sense.

For clarity, my Caddy config set is below. I've commented out a few things that I added and have removed because Caddy does them automatically.

list-of-supported-domains.com {
    reverse_proxy https://app.myapp.com {
        header_up Host {upstream_hostport}
        header_up X-Forwarded-Host app.myapp.com
        header_up X-MyCustomReferrer {host} #"custom-domain.myapp.com"
        #header_up X-Real-IP {remote_host}
        #header_up X-Forwarded-Proto {scheme}
        #header_up Access-Control-Allow-Origin *
        #header_up Access-Control-Allow-Credentials true
        #header_up Access-Control-Allow-Headers Cache-Control,Content-Type
    log {
        output file /var/log/caddy/heroku.log

In my rails app I do something like this (in a tenancy type manner)

      custom_domain = request.headers['HTTP_X_CUSTOMREFERRER'] # or nil
      ac = Account.find_site(request, custom_domain) # this uses request.domain and .subdomain where heroku knows the domains

PS Yes I'm building out a staging env in Hatchbox but a live migration is a bit much mid-season.

logo Created with Sketch.

Screencast tutorials to help you learn Ruby on Rails, Javascript, Hotwire, Turbo, Stimulus.js, PostgreSQL, MySQL, Ubuntu, and more. Icons by Icons8

© 2023 GoRails, LLC. All rights reserved.