Heroku+Fastly CNAME guide


This article will walk you through the process of:

  • setting up your custom frontend domain on Fastly (between the client and us) to use TLS
  • serving requests from your Heroku TLS instance


  1. Add your custom domain to our Fastly app.

  2. Have your custom (www.example.com) front-end domain added to one of our SAN certs. This will allow your users to access and verify the domain correctly when connecting to Fastly’s nodes. Pricing for our options can be found at the bottom of the page here.

  3. Set your default host in the Fastly app under the Configure–> Settings --> Default host tab. The default host maps front end domains correctly to their respective Heroku bucket. (OR you can add that domain in your Heroku app instead).

  4. Set your backend/origin in the Fastly app to your Heroku app name on port 443 or 80 (dependent on if you’re using Heroku’s TLS offering or not). This name might be something like yourappname.heroku(app|ssl).com.

  5. You will CNAME your front-end domain in the Fastly app to the correct certificate that we assign (during step 1).

  6. Once you have all these done (in that order too) your domain will resolve in DNS to a Fastly node. The node will then either reply via Fastly caches or pass the request on to Heroku over TLS.

More information can be found here: https://devcenter.heroku.com/articles/fastly

Caching ONLY static assets on Fastly && not using a custom domain

If you do not need to use your own custom domain to serve static assets (this works really well for people who build mobile-apps and use this to terminate API traffic) and would still like to take advantage of our TLS offerings, you’ll simply prepend your hostname to a Fastly TLS wildcard domain (for example, global.ssl.fastly.net).

This domain is provided to you in your initial set-up under the variable, FASTLY_CDN_URL. Once you have this domain, you can skip the steps above relating to adding it to a shared SAN cert or CNAME-ing, and simply skip to the caching configuration here.


Backend : represents the address of the dyno where Heroku pulls content from; in other words, your Heroku app’s name

  • usually formatted as yourappname.herokuapp.com or yourappname.herokussl.com

Port : If you’re using Heroku’s TLS offering, you’ll set it 443. Otherwise to serve plain HTTP, port 80 will work.

Domain : the custom top-level hostname used for routing requests to your website.

  • the FASTLY_CDN_URL provided when you run the heroku config:get command is not your custom domain, i.e.:
$heroku config:get FASTLY_CDN_URL