How to Use An Existing Static IP Address for Heroku

This post could also be titled “How to Set Up a Load Balancer in Front of Heroku” or “How to Set Up a Static IP Address on Heroku Without Add-ons.”

I work in East Africa, and data is fairly expensive for our users. A lot of telcos provide zero-ratings so that the owners of the service can choose to pay for the cost of the data instead of the users.

Zero-rating deals are typically scoped to a given IP address instead of a URL. If a service provider hosts a site onexample.com, which points to 12.34.56.78, they’ll need to arrange a zero-rating deal for 12.34.56.78.

We’re launching a new Web service on Heroku. I’d like to route traffic from a domain through to Heroku. Normally I’d follow Heroku’s Custom Domain Name guide, but because we’re providing zero-ratings I’ll need the client to interact with a specific IP address instead. My DNS needs to point to that specific IP address instead of to a Heroku subdomain.

I’m relatively new to networking, but after stumbling around for a while here’s what I set up.

I’m using HAProxy as a load balancer running on the server with the designated IP address. I set up SSL bridging following the HAproxy infrastructure layout guide.

The client accesses example.com, which resolves to the HAProxy server. The proxy forwards the request to Heroku, receives the response, and sends it back to the client.

Here are some specific configuration details:

1. Create an A record in DNS pointing from your domain to the HAProxy server, which has your designated zero-rated IP address.

2. Specify the HAProxy back-end to point to your app’s subdomain on Heroku:

  server MY-APP MY-APP.herokuapp.com ssl check cookie MY-APP.example.com sni req.hdr(Host)

1. Meanwhile, on Heroku’s side, associate your subdomain with the app:

$ heroku domains:add MY-APP.example.com

And you’re done!

While debugging this system I noticed that my application code was issuing 301 Redirect responses when I hit MY-APP.example.com, sending me to MY-APP.herokuapp.com. I initially thought that this was a result of mis-configuring something, but it turned out that those redirects were being issued from application logic, not by HAProxy or Heroku (which doesn’t perform redirects).

Aside from that brief redirection confusion, this configuration has worked pretty well! It might also be useful if you’d like more fine-grained control when setting up your static IP address than you’d get from a paid Heroku add-on like QuotaStatic or Fixie.

An alternative implementation: It’s also possible to set up SSL pass-through. However, that requires giving your SSL certs to Heroku. Since I already had an ACM (automated certificate management) system, I wouldn’t have been able to auto-renew those certs on Heroku. And since I also already had a working HAProxy instance to build on, manually renewing certs for Heroku seemed more complicated than the solution presented above.