This add-on is operated by Expedited Security
Content Delivery Network tuned for Heroku.
Expedited CDN
Last updated June 29, 2021
Table of Contents
- Provisioning the Add-on
- Post-provisioning Configuration
- Blocking IP Addresses
- DDoS HTTP flood protection
- Forcing HTTPS
- Caching and Compression for Site Speed
- Caching Profiles
- Compression Settings
- SSL Certificates for HTTPS
- TLS 1.2 and 1.3
- Logging
- Troubleshooting
- Migrating Between Plans
- Removing the Add-on
- Support
Expedited CDN is an add-on that provides a content delivery network (CDN) as a service to improve the speed and availability of your Heroku applications.
Expedited CDN sits in front of your application, caching requests in a worldwide network of asset servers. It algorithmically routes inbound requests to your application based on network availability and geographic location.
Expedited CDN automatically:
- Speeds up how fast your site loads (CDN)
- Reduces load on your Heroku application
- Increases your site’s availability
- Lets you prioritize network traffic
The add-on also identifies DDoS attacks and abusive traffic. Automated bots continually search the web for vulnerable applications, performing actions like:
- Scanning for unsecured admin screens
- Identifying frameworks with known vulnerabilities
- Brute-forcing passwords
- Submitting bogus forms to reveal sensitive information
Expedited CDN helps identify all of these malicious actions while speeding up your site.
Provisioning the Add-on
Prerequisites
Expedited CDN requires that your app has an associated custom domain and that it’s reachable at that domain. Read this article to learn how to configure one for your app.
To complete the setup, you must also have access to change your site’s DNS configuration.
Attach the Add-on to Your Application
Attach Expedited CDN to a Heroku application via the CLI (a list of all available plans can be found here):
$ heroku addons:create expeditedcdn --app your-app-name
-----> Adding expeditedcdn to sharp-mountain-4005... done, v18 (free)
Post-provisioning Configuration
After provisioning the add-on, click on Expedited CDN from your app’s Resources tab in the Heroku Dashboard to begin setup. You can also open it with the Heroku CLI:
$ heroku addons:open expeditedcdn
The setup walks you through the following steps:
- Selecting your domain
- Configuring DNS
- Testing DNS
Although you have a great degree of flexibility in configuring Expedited CDN, its default configuration is intended to:
- Minimize risk, hassle, and complexity of setup
- Work for the majority of Heroku applications
- Give you a solid base for customizing caching rules
Blocking IP Addresses
From the Block/Allow IPs page of your Expedited CDN dashboard, add each IP address or CIDR-notated IP range that you want to block.
All requests from that IP or range are stopped at the CDN edge and never reach your Heroku application.
DDoS HTTP flood protection
Distributed Denial of Service (DDoS) attacks seek to overwhelm your application with illegitimate requests. Network-protocol-level DDoS attempts such as UDP floods and ICMP floods are blocked automatically.
Application-level DDoS attempts (massive numbers of HTTP GET/POST requests issued in rapid succession) are harder to block, because individually they look like legitimate traffic.
If you’re currently under a DDoS attack or expect one, set the HTTP Flood (DDoS) Mode setting on the Stop Attacks page of your Expedited CDN dashboard to Filtering. In this mode each client must prove it can execute JavaScript before its requests are forwarded to your application.
This requirement eliminates most HTTP floods, which are conducted with low-resource, script-based tools that can’t run JavaScript. It also affects legitimate clients that don’t run JavaScript, such as API consumers, webhooks and command-line tools, so treat Filtering as a setting for the duration of an attack rather than a permanent one.
IP Protection
You can restrict individual URLs so that only requests from specified IP addresses are allowed. This IP protection is usually layered on top of the application’s own authentication and authorization to provide an additional defense for high-value URLs, such as /admin. It doesn’t replace application-level authentication: anyone inside the allowed range still has to log in.
Forcing HTTPS
You can set the option to redirect all client requests from http to https on the Stop Attacks page.
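The three edge-side rules above (the IP block list, IP protection on specific URLs, and forcing HTTPS) can be checked locally before they are entered in the dashboard. The following Python is an added example, not Expedited CDN’s own code: it models the rules as this page describes them so that a block list and a per-URL allow list can be validated and exercised against sample requests. The evaluation order (block list, then IP protection, then the HTTPS redirect), the directory-style URL-prefix matching and the sample addresses are assumptions made here; the add-on’s actual internal order isn’t documented on this page.

```python
"""Local model of the edge rules described above: a block list of IPs or
CIDR ranges, per-URL IP protection, and forcing HTTPS.

Added example, not Expedited CDN's own code. The evaluation order and the
URL-prefix matching below are assumptions; the page only states that
"requests from that IP or range are stopped at the CDN".
"""
import ipaddress


def parse_networks(entries):
    """Normalise a list of IP / CIDR strings into network objects.

    A bare address becomes a /32 or /128. An entry with host bits set
    (e.g. "203.0.113.7/24") raises ValueError instead of being silently
    widened, since that almost always indicates a typo in the rule.
    """
    nets = []
    for raw in entries:
        text = raw.strip()
        if text:
            nets.append(ipaddress.ip_network(text))  # strict=True by default
    return nets


def invalid_entries(entries):
    """Return (entry, reason) for every entry parse_networks would reject,
    so a whole list can be checked before it is pasted into the dashboard."""
    bad = []
    for raw in entries:
        try:
            ipaddress.ip_network(raw.strip())
        except ValueError as exc:
            bad.append((raw, str(exc)))
    return bad


class EdgePolicy:
    """Decides what the edge does with one request before it reaches the app."""

    def __init__(self, block, protected, force_https=False):
        self.block = parse_networks(block)
        # IP protection: URL prefix -> networks allowed to reach it.
        self.protected = {prefix: parse_networks(allowed)
                          for prefix, allowed in protected.items()}
        self.force_https = force_https

    @staticmethod
    def _under(path, prefix):
        """True if path is the prefix itself or lies below it as a directory:
        "/admin" covers "/admin" and "/admin/users" but not "/administrator".
        The path is assumed to be already normalised (no "..", no "//")."""
        return path == prefix or path.startswith(prefix.rstrip("/") + "/")

    def decision(self, client_ip, url_path, scheme="https"):
        ip = ipaddress.ip_address(client_ip)
        path = url_path.split("?", 1)[0]  # query strings don't affect rules

        # 1. Global block list: nothing from these ranges reaches the app.
        #    (an IPv6 address is never "in" an IPv4 network, and vice versa)
        if any(ip in net for net in self.block):
            return "BLOCK:blocklist"

        # 2. IP protection: the most specific protected prefix wins.
        for prefix in sorted(self.protected, key=len, reverse=True):
            if self._under(path, prefix):
                if any(ip in net for net in self.protected[prefix]):
                    break
                return "BLOCK:ip-protection"

        # 3. Force HTTPS: plain-http requests are redirected, not served.
        if self.force_https and scheme == "http":
            return "REDIRECT:https"

        return "ALLOW"


if __name__ == "__main__":
    # Constructed sample rules using RFC 5737 / RFC 3849 documentation ranges.
    policy = EdgePolicy(
        block=["203.0.113.0/24", "2001:db8::/32"],
        protected={"/admin": ["198.51.100.10", "192.0.2.0/28"]},
        force_https=True,
    )
    for ip, path, scheme in [
        ("203.0.113.45", "/", "https"),
        ("198.51.100.11", "/admin", "https"),
        ("198.51.100.10", "/admin/users", "https"),
        ("198.51.100.11", "/", "http"),
    ]:
        print(f"{ip:>16} {scheme}://example.com{path:<14} -> "
              f"{policy.decision(ip, path, scheme)}")
    print("invalid entries:", invalid_entries(["10.0.0.0/8", "203.0.113.7/24"]))
```

Run the file to see a decision for each constructed request. The strict CIDR parsing is the part worth copying: a range entered with host bits set is rejected up front rather than quietly blocking (or allowing) a different network than intended.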
Caching and Compression for Site Speed
Expedited CDN improves site speed and page load times in the following ways:
- It caches assets like images, JavaScript, and CSS on edge servers.
- It opportunistically compresses data in transit.
- It uses HTTP/2 to multiplex requests over a single connection, which reduces latency.
Edge Network Points of Presence
Expedited CDN routes client requests to edge servers located at both geographic population centers and strategic network locations. After filtering for attacks, rule matches, and signs of DDoS, Expedited CDN passes the remaining requests to your Heroku application and compresses and caches the responses.
Caching Profiles
Cache profiles outline the broad settings most applicable to your site. They provide a reliable default configuration, which you can modify to match exactly what your site needs.
Profile | HTML Pages | Redirects | 404s | Assets | Cache-Control Respected |
---|---|---|---|---|---|
Full Site Profile | 180 mins | 180 mins | 4 mins | 3 days | No |
Assets Only Profile | Not Cached | 10 mins | 1 min | 3 days | Yes |
Full Site Profile
Use this profile only if your entire site is public: no page requires users to log in, and no page displays different information to different users. Because Cache-Control headers are ignored in this profile, a response rendered for one user would be cached and served to every other visitor of that URL for the cache period; if any page sets a session cookie or varies by user, use the Assets Only Profile instead.
- Pages cached 180 minutes
- Redirects cached 180 minutes
- 404s cached for 4 minutes
- Asset files (images, js, and css) cached 3 days
- Cache-Control headers ignored
Assets Only Profile
Use this profile if your application is mostly dynamic, for example if pages are customized to the logged-in user or are updated with data in the background.
- Pages aren’t cached
- Redirects cached for 10 minutes
- 404s cached for 1 minute
- Asset files (images, js, and css) cached 3 days
- Cache-Control headers respected
HTTP response Cache-Control header directives are how your application tells the CDN which URLs to cache and for how long. They are honored under the Assets Only Profile and ignored under the Full Site Profile.
Asset File Caching Details
The edge network caches asset files such as multimedia files, JavaScript, and CSS according to the profiles shown above.
Modern web frameworks usually fingerprint asset file names (for example by embedding a content hash in the name), so a changed asset gets a new URL and the stale cached copy is never requested again. If your framework doesn’t do this, you must manually clear the cache after deploying your application, or clients may keep receiving the old asset for up to 3 days.
Asset File Extensions
Files served by your Heroku application that end in any of the following file extensions are considered assets. Expedited CDN caches these assets for 3 days:
js, css, png, swf, jpg, jpeg, svg, svz, gif, ico, mp3, mp4, odf, pdf, woff, woff2, ttf, thumb, webp, txt, otf, 7z, aac, ai, asf, avi, bmp, bz2, doc, docx, eot, eps, fla, flv, gz, ind, m4a, m4v, mkv, mko, mpeg, oga, ogx, pptx, psd, rar, rtf, tar, tgz, tiff, wav, xlsx, xml, zip, zipx
Versioning Cache URLs
Expedited CDN treats URLs that differ in their query parameters as distinct resources for caching. For example,
https://example.com/users/?id=1
and
https://example.com/users/?id=2
are cached separately: requesting the second doesn’t return the cached result of the first. You can use this to version cached URLs from within your application: append a parameter that changes whenever the content changes (such as a build number or a content hash) to any URL whose stale cached copy you want clients to bypass.
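Two of the passages above call for the same piece of application code: sending Cache-Control directives so the edge caches only what is safe to share, and versioning asset URLs with a parameter that changes with the content. The following Python is an added example, not Expedited CDN’s own code or any framework’s. It uses the asset extension list given on this page; the header values, the `per_user` flag and the sample URLs are this example’s own choices. The application-side header only helps under the Assets Only Profile, since the Full Site Profile ignores Cache-Control.

```python
"""Cache-Control and URL-versioning helpers for an application behind the
Assets Only profile, where the CDN honours Cache-Control.

Added example, not Expedited CDN's own code. The asset extension list is the
one given on this page; the header values are this example's choices that
mirror the profile table (3 days for assets, no caching for per-user pages).
"""
import hashlib
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# File extensions the CDN treats as assets (copied from the documentation).
ASSET_EXTENSIONS = frozenset("""
js css png swf jpg jpeg svg svz gif ico mp3 mp4 odf pdf woff woff2 ttf thumb
webp txt otf 7z aac ai asf avi bmp bz2 doc docx eot eps fla flv gz ind m4a m4v
mkv mko mpeg oga ogx pptx psd rar rtf tar tgz tiff wav xlsx xml zip zipx
""".split())

ASSET_MAX_AGE = 3 * 24 * 60 * 60  # 3 days, as in the caching profile table


def is_asset(path):
    """True if the URL path ends in one of the CDN's asset extensions."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1].lower() in ASSET_EXTENSIONS


def cache_control_for(path, per_user):
    """Cache-Control value the application should send for a response.

    per_user is True when the body depends on who is asking. Such responses
    are "private, no-store" even when the URL has an asset extension (a
    generated PDF report, for instance): the CDN classifies by extension, so
    without this header a per-user file would be cached for 3 days and
    served to the next visitor. Shared assets are public for 3 days and
    public pages get a short, revalidated public TTL.
    """
    if per_user:
        return "private, no-store"
    if is_asset(path):
        return f"public, max-age={ASSET_MAX_AGE}"
    return "public, max-age=60, must-revalidate"


def versioned_url(url, content):
    """Append a content-hash "v" parameter to an asset URL.

    The CDN keys its cache on the full URL including query parameters, so a
    changed asset gets a new key and the stale copy is simply never requested
    again; no manual cache clear is needed. An existing "v" is replaced, so
    the function is safe to apply repeatedly.
    """
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "v"]
    query.append(("v", hashlib.sha256(content).hexdigest()[:12]))
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Constructed sample requests and asset bodies.
    for path, per_user in [("/static/app.css", False), ("/dashboard", True),
                           ("/about", False), ("/reports/q1.PDF", True)]:
        print(f"{path:<18} per_user={per_user!s:<5} -> "
              f"Cache-Control: {cache_control_for(path, per_user)}")
    css_v1 = versioned_url("https://example.com/static/app.css", b"body{color:red}")
    css_v2 = versioned_url(css_v1, b"body{color:blue}")
    print(css_v1)
    print(css_v2)
```

The `/reports/q1.PDF` case is the one to notice: the extension alone makes it an asset to the CDN, so only the `private, no-store` header keeps a per-user download out of the shared cache.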
Clearing the Cache Manually
On the Site Speed Up page of your Expedited CDN dashboard, there’s a Clear Cache button. Clicking this button removes all currently cached responses and assets stored across the edge network and served to clients.
Compression Settings
Compression settings are enabled by default and are unlikely to interfere with proper functioning of your application.
Enabling doesn’t automatically compress your files but supports passthrough compression.
GZip Compression
GZip compresses pages to reduce the overall amount of time spent sending information from the edge network to the user’s browser.
Brotli Compression
Modern browsers can use Brotli compression instead of GZip. This compression helps further reduce the overall amount of time spent sending information from the edge network to the user’s browser.
HTTP/2 (successor to SPDY)
HTTP/2 is an improved protocol for web traffic. It needs fewer connections and uses them more effectively, and clients that don’t support it fall back gracefully to HTTP/1.1.
SSL Certificates for HTTPS
All sites are automatically issued a new SSL/TLS certificate as part of their setup. The certificate lets clients authenticate the site and establish encrypted HTTPS connections to it.
TLS 1.2 and 1.3
Expedited CDN only accepts connections from HTTPS clients using TLS 1.2 or TLS 1.3.
Earlier versions of TLS and SSL used by legacy HTTP clients aren’t accepted. This prevents protocol-downgrade attacks to those versions and ensures that external clients can only reach your Heroku app over a secure connection.
Expedited CDN negotiates TLS 1.3 (the latest version) with clients that support it and uses a set of secure cipher suites selected to work with Heroku and provide optimum speed and security.
TLS 1.2 or higher is required by PCI DSS and is a common expectation under GDPR, HIPAA, and CCPA compliance programs.
Logging
Because the CDN sits between your Heroku application and the general Internet, CDN log entries aren’t passed back to Heroku.
Requests blocked at the edge, and requests served from the edge cache, never reach your application and therefore don’t appear in the Heroku logs; only requests forwarded to your application are logged there.
Troubleshooting
The most common issues with setting up your CDN relate to DNS and delayed DNS propagation. If the built-in DNS tester in the CDN dashboard reports that you’re set up correctly but the site still isn’t being served through the CDN, the best option is to wait an hour for DNS to fully propagate before making additional changes.
Migrating Between Plans
You can migrate between plans at any time as your security, site traffic, and caching needs change.
Removing the Add-on
Expedited CDN can be removed via the CLI.
This action makes your site unreachable at its custom domain if you haven’t first pointed your DNS at another endpoint.
$ heroku addons:destroy expeditedcdn --app your-app-name
-----> Removing expeditedcdn from sharp-mountain-4005... done, v20 (free)
Support
Submit all Expedited CDN support and runtime issues via one of the Heroku Support channels. Non-support-related issues and product feedback are welcome at mike@expeditedsecurity.com