How Heroku apps run

Asphyxia

Apr 25, 2015
So, apparently some forms that utilize Heroku, when inspected, will display "cowboy", then via "vegur", so I was like wtf is this?

Vegur:
It's a Heroku proxy/load-balancer adding the Via header.

Heroku's proxy library based on a forked Cowboy frontend (Cowboyku). This library handles proxying in Heroku's routing stack.

Looks like Vegur is open source (not sure when they open sourced it, but commits go back to 2013): github.com/heroku/vegur

So, ultimately it looks like Heroku forked cowboy:

Which they forked over to https://github.com/heroku/cowboyku

Also, they proxy their server as well - think NGINX and NGINX reverse proxy? https://github.com/heroku/vegur

So basically the web server is called Cowboy (like Apache), then their proxy is Vegur (think NGINX reverse proxy).

For a full-blown summary of Heroku's Vegur, just read their blog https://blog.heroku.com/vegur-free-software
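As an added example (not code from the post, nor from Heroku's Vegur or Cowboy projects), here is a small RFC 7230 Via-header parser plus a check for the `Server: Cowboy` / `Via: 1.1 vegur` pair described above, handy when inventorying which of your own apps sit behind Heroku's router; the sample headers are constructed.

```python
import re
from typing import Dict, List, NamedTuple, Optional


class ViaHop(NamedTuple):
    protocol: str            # received-protocol, normalised to "NAME/version"
    received_by: str         # pseudonym or host[:port] of the intermediary
    comment: Optional[str]   # optional parenthesised comment, e.g. server software


# RFC 7230 s5.7.1: Via = 1#( received-protocol RWS received-by [ RWS comment ] )
# received-protocol = [ protocol-name "/" ] protocol-version
_HOP_RE = re.compile(
    r"^\s*(?:([A-Za-z0-9.+-]+)/)?([A-Za-z0-9.]+)\s+(\S+)(?:\s+\((.*)\))?\s*$"
)


def parse_via(value: str) -> List[ViaHop]:
    """Split a Via header into its hops, nearest-to-origin first.

    Note: elements are split on ',', so a comma inside a comment would
    be mis-split; real-world Via values rarely contain one.
    """
    hops: List[ViaHop] = []
    for element in value.split(","):
        element = element.strip()
        if not element:          # tolerate empty list elements (RFC 7230 s7)
            continue
        m = _HOP_RE.match(element)
        if not m:
            raise ValueError(f"malformed Via element: {element!r}")
        name, version, received_by, comment = m.groups()
        # A bare version such as "1.1" implies the HTTP protocol.
        hops.append(ViaHop(f"{name or 'HTTP'}/{version}", received_by, comment))
    return hops


def looks_like_heroku(headers: Dict[str, str]) -> bool:
    """True when the response carries Cowboy as server and vegur as a Via hop."""
    lower = {k.lower(): v for k, v in headers.items()}
    server = lower.get("server", "").lower()
    hops = parse_via(lower["via"]) if "via" in lower else []
    return server.startswith("cowboy") and any(
        hop.received_by.lower() == "vegur" for hop in hops
    )


# Constructed sample response headers, modelled on what the post describes.
SAMPLE_HEADERS = {"Server": "Cowboy", "Via": "1.1 vegur", "Content-Type": "text/html"}
```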

As mentioned in one of my last postings about email spamming due to insufficient (no) rate limiting (https://ciphers.pw/threads/email-sp...setup-for-email-confirmation.9261/#post-77240), we can also immediately realize that people using Heroku seemingly just want to develop a project quickly and may easily overlook security, similar to when everyone started making PHP file uploading and image uploading scripts. If you just uploaded a PHP file to a PHP uploading script and could execute it, you "shelled a box" that easily.

In this case, the exploitation seems more along the lines of bad (or no) rate limiting, allowing for service abuse. Not as critical as "shelling boxes" but still sloppy.

I am curious to further inspect typical Heroku stack deployments to assess their overall stability and posture in terms of security.

Lunch break is almost over - getting food.

There are a few negatives to using Heroku that I can see - ultimately you still need to tie back into their enterprise platform when using all features; this drains the enterprise-ish features from being self-hosted and forces you into a life of their hosted APIs, thus centralizing your app deployment.

If you are in search of alternatives:

"Heroku is a container-based cloud Platform as a Service (PaaS)", just a fancy way to have everything managed for you. It makes it easier for a developer to just focus on the app and worry less about everything else (platform). I would suspect in a deployment you may typically find less IT staff, less security staff, and such. While this could be a generalization or stereotype - this is my gut instinct that when someone is using Heroku, they are likely cutting corners. To me this feels similar to when an app developer chooses to go 100% the framework route to save cycles on code development by dropping in modules/libraries/templated code - it speeds up dev but can also hinder optimization (performance).. think RAM-heavy apps or apps that make high use of CPU for no apparent reason. This is ugly crap, and this is likely the future.

So just watch out for dev laziness coming to town - it is all over the place, lol.. people like easy and Heroku makes it easier for a developer to not require IT security, IT infrastructure, and more. This is the 1-click-go solution for a developer to go from a team of 10 guys down to 1 person to say "I run all the IT here, we use PaaS."

;) my $0.02 overview

This blog hits the nail on the head: http://sleekrule.blogspot.com/2015/11/why-paas-sucks.html

If you want full control and care to manage your own containers 100%, then IaaS makes more sense. PaaS just adds middle-men somewhere typically (think Heroku APIs and such). It might make everything work together easier but at the expense of providing full control of your own stuff. Not end of the world, just not practical if you want to truly own something in entirety. This is why whenever I find Heroku apps, somewhere I see calls to Heroku servers usually.

</rant>