Some notes I made about Heroku hosting for Rails applications.
- Asset storage is done via Amazon S3, so you would have to connect whatever handles uploads (e.g. Paperclip) directly with S3. See Using AWS S3 to Store Static Assets and File Uploads. Also see my S3 notes for info about securing files.
- Cannot freeze Rails; you have to use the version provided by Heroku.
- You can freeze gems, as this is what Bundler does by default.
- Only hostname-based SSL is feasible on price ($20/m, and you have to supply your own certificate), which means you can’t have SSL on the root domain (i.e. you can only have https://*.example.com and not https://example.com). Note that you have to use a wildcard certificate for multiple subdomains. Also note that hostname-based SSL can strip some HTTP headers, for example the IP of the client.
- You can back up a Postgres database using Heroku’s PGBackups addon, which stores the backups on S3. See PG Backups.
- To back up S3 files (including DB backups), the s3cmd command line tool can be used from the backup server. See Amazon S3 Tools: Command Line S3 Client Software and S3 Backup.
- One way to secure files in an access-restricted area is to obscure the filenames. See AWS S3/Ruby on Rails/ heroku: Security hole in my app. You could also set a time restriction, as per Restricting Access to Objects Stored on Amazon S3 and Protecting your Paperclip downloads. Could time-restricted URLs be problematic if running an SSL resource through Heroku?
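As an added example (not code from these notes, from Paperclip or from Heroku), the following Ruby shows both ideas in the last note: storing an upload under a random, unguessable object key, and issuing a time-limited S3 download URL. It uses the AWS Signature Version 2 query-string scheme (an assumption about the era of these notes; current SDKs use Version 4). The access key, secret and bucket are constructed placeholders, and `url_valid?` is a local replica of the check S3 performs when the link is used, so the expiry and tamper behaviour can be exercised offline without an AWS account. Object keys are assumed to contain no characters that need URL encoding.

```ruby
require 'openssl'
require 'securerandom'
require 'uri'

# Constructed placeholder credentials: not real keys.
ACCESS_KEY = 'AKIAEXAMPLEKEY'
SECRET_KEY = 'exampleSecretKeyDoNotUse'
BUCKET     = 'example-bucket'

# Obscure the stored filename: a random 128-bit prefix makes the object key
# unguessable, and File.basename drops any directory part of the client name.
def obscured_key(original_name)
  "#{SecureRandom.hex(16)}/#{File.basename(original_name)}"
end

# String S3 signs for a query-string-authenticated GET (Signature Version 2):
# verb, Content-MD5, Content-Type, Expires and canonical resource, newline separated.
def string_to_sign(bucket, key, expires)
  "GET\n\n\n#{expires}\n/#{bucket}/#{key}"
end

# HMAC-SHA1 over the string to sign, base64-encoded without line breaks.
def sign(secret, string)
  [OpenSSL::HMAC.digest('sha1', secret, string)].pack('m0')
end

# Build a download URL that S3 will honour only until `expires` (Unix timestamp).
def presigned_url(bucket, key, expires, access_key: ACCESS_KEY, secret: SECRET_KEY)
  query = URI.encode_www_form(
    'AWSAccessKeyId' => access_key,
    'Expires'        => expires,
    'Signature'      => sign(secret, string_to_sign(bucket, key, expires))
  )
  "https://#{bucket}.s3.amazonaws.com/#{key}?#{query}"
end

# Constant-time string comparison so a forged signature cannot be matched byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Local replica of the server-side check: reject expired links first, then recompute
# the signature over the parameters actually presented. Returns :ok, :expired or :bad_signature.
def url_valid?(url, secret, now: Time.now.to_i)
  uri     = URI.parse(url)
  params  = URI.decode_www_form(uri.query.to_s).to_h
  expires = params['Expires'].to_i
  return :expired if now > expires

  bucket   = uri.host.sub('.s3.amazonaws.com', '')
  key      = uri.path.sub(%r{\A/}, '')
  expected = sign(secret, string_to_sign(bucket, key, expires))
  secure_equal?(expected, params['Signature'].to_s) ? :ok : :bad_signature
end

if __FILE__ == $PROGRAM_NAME
  key = obscured_key('report.pdf')
  url = presigned_url(BUCKET, key, Time.now.to_i + 300)
  puts url
  puts url_valid?(url, SECRET_KEY)
end
```

Because the Expires value is part of the signed string, a client cannot extend a link's lifetime by editing the query parameter, and an obscured key on its own is still reachable by anyone who has ever been given the link, which is why the two measures are combined here.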