Does the origin need a TLS cert of the client-requested URL?

What is the name of the domain?

a.com

What is the issue you’re encountering?

I want to proxy requests from a.com to b.com (my origin), so when a user requests a.com in a browser it uses b.com as the origin.

I have set up a CNAME proxied (orange) from a.com to b.com.

Issue: It seems the HTTPS request CF is making to b.com is not including the b.com host/SNI (it seems to be requesting with the host set to a.com, but b.com is only configured to respond via HTTPS on its b.com hostname).

Question: Does b.com require an HTTPS cert for a.com? Why can’t CF just make an https://b.com request without setting the host to a.com?

How should I be configuring this? Is a CNAME the proper way?

Does the CNAME orange proxy just resolve the hostname to an IP and then discard the hostname (not using the hostname in the https request host/SNI)?

What feature, service or problem is this related to?

DNS records

Thanks for any help, appreciated.

Yes, using a CNAME you need your origin to answer to the a.com name, including the certificate. Otherwise you could point it to someone else’s site and hijack their content under your domain name.

4 Likes

Thanks.

Is there not a way to config CF to act like a simple reverse proxy to b.com?

I can use a Workers script to do this, but it seems like this would be built in somewhere to CF (reverse proxy to origin, using the origin’s own domain as host/SNI).

Cloudflare offers different ways to achieve that.

You can use Cloudflare for SaaS. You would add b.com as a domain to Cloudflare, and then a.com as a custom hostname via Cloudflare for SaaS.

In that case, Cloudflare would still send a.com in the host header and SNI, but accept certificates for b.com as well as a.com.

As a second option, Cloudflare allows you to override the Host header and SNI on Enterprise plans.

And you have already found the third option, using Workers.

2 Likes

For the Cloudflare for SaaS, it is the Custom Origin Server feature?

No, it’s a basic custom hostname.

1 Like

You can use Cloudflare for SaaS. You would add b.com as a domain to Cloudflare, and then a.com as a custom hostname via Cloudflare for SaaS.

So I need to own b.com and update its name servers so it becomes a CF managed domain?

The issue is that I do not control b.com, as it is one of my services hosted on another cloud.

Then workers are probably your only choice if you can’t make the origin answer to a.com.

1 Like
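The Workers option discussed in this thread, as an added example (not code from the thread, from Cloudflare, or from any poster): a Worker that receives requests for a.com and forwards them to b.com with b.com as the upstream Host/SNI. It assumes the origin hostname is the constant `ORIGIN_HOST` (b.com here) and that the origin accepts the original hostname in a hypothetical `X-Forwarded-Host` header; the sample request in `demo()` is constructed for illustration. Pinning the upstream to a constant rather than deriving it from the request is what keeps the Worker from becoming an open proxy to arbitrary hosts, which is the same hijack concern the first reply raises about CNAMEs.

```javascript
// Added example: Cloudflare Worker reverse-proxying a.com -> b.com.
// ORIGIN_HOST is an assumption; replace with the real origin hostname.
const ORIGIN_HOST = "b.com";

// Build the upstream request: same path, query, method, headers and body,
// but with the hostname swapped to ORIGIN_HOST. Because fetch() derives
// Host and SNI from the URL, the origin sees b.com, not a.com.
function buildOriginRequest(request) {
  const incoming = new URL(request.url);
  const upstream = new URL(request.url);
  upstream.protocol = "https:";
  upstream.hostname = ORIGIN_HOST; // never taken from the request: not an open proxy
  upstream.port = "";

  const headers = new Headers(request.headers);
  headers.delete("host"); // let the runtime set Host from the new URL
  // Hypothetical header so the origin can still learn the public hostname.
  headers.set("x-forwarded-host", incoming.hostname);

  return new Request(upstream.toString(), {
    method: request.method,
    headers,
    body: request.body, // null for GET/HEAD; streamed otherwise
    redirect: "manual", // pass origin redirects through unchanged
    duplex: "half", // required by Node when the body is a stream; ignored elsewhere
  });
}

// Worker entry point (service-worker syntax). Guarded so the module also
// loads outside a Workers runtime, e.g. under Node for local checks.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => {
    event.respondWith(fetch(buildOriginRequest(event.request)));
  });
}

// Constructed sample: what the Worker would send upstream for a request to a.com.
function demo() {
  const sample = new Request("https://a.com/api/items?page=2", {
    method: "GET",
    headers: { "user-agent": "example-client/1.0" },
  });
  const out = buildOriginRequest(sample);
  const u = new URL(out.url);
  return {
    hostname: u.hostname, // "b.com"
    path: u.pathname + u.search, // "/api/items?page=2"
    forwardedHost: out.headers.get("x-forwarded-host"), // "a.com"
    method: out.method,
  };
}
```

The Worker still needs a route on a.com (so requests for a.com reach it) and the a.com DNS record must remain proxied; the CNAME to b.com is then irrelevant to what the origin sees, because the Worker builds the upstream URL itself.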