Getting 404 on CNAME (orange cloud mode)

Hello,
We have a web app hosted on Framer. We can hit it directly with the framer URL, no problem.

We created a CNAME record on CF that points to the same URL (with orange cloud).

We got too many redirect errors. We realize the issue is that CF was in flexible mode and was talking http to Framer, which redirected to https, which goes back to CF (infinite redirect loop).

So, we configured our domain to operate in Full SSL/TLS. Now CF talks https to framer.

However, we not get 404 from framer. So, the request gets to framer, but somehow framer doesn’t recognize it. Since CF talks directly to framer I don’t see in the request or response headers, which URL CF is actually hitting on framer.

How can I further troubleshoot it?

Thanks in advance.

Have you added your custom custom domain to your Framer project (in your Framer dashboard)? You need to do this before Framer can direct the custom domain to the appropriate project.

Also, where are you CNAMEing your custom domain to? According to the Framer documentation, you should point it to sites.framer.site, and not to your personal Framer subdomain.

UPDATE:

See Framer’s specific documentation for Cloudflare below:

2 Likes

Hi George,
This process requires expensive add-on or enterprise plan. Also, I don’t want my domain to be managed by framer. I just want to CNAME from CF to Framer. My understanding is that CF in orange cloud + Full SSL/TLS mode is supposed to just call Framer like a user would via https. Then, CF returns the response to the original caller.

Does CF do something different when calling Framer as part of resolving the CNAME than if I browse directly to the Framer site?

If you’re using Cloudflare’s Proxy, then, of course, Cloudflare is not merely resolving the domain.

If you simply want Cloudflare to resolve the domain, then disable the Cloudflare Proxy (in DNS, change: Proxied :orange: to DNS only :grey:) so Cloudflare will merely resolve the domain to Framer, and Framer should then handle the SSL/TLS termination.

Note that if you still haven’t done so, you need to add the custom domain to your Framer Project for this to work.

Note also that Framer doesn’t support custom domains on their free plan. So if you have a free Framer plan, the best you can do is to configure a Cloudflare redirect to forward your domain to your Framer site: but once on the site, all URLs will still be using your Framer subdomain and not your custom domain.

2 Likes

Hi George,
Thanks for all the information. Yes, we thought of redirect and as you say the downside is that URLs will be Framer URLs.

When I create a CNAME with DNS-only and I have TLS/SSL rule set to Full for my hostname I ERR_CERT_COMMON_NAME_INVALID

I’m trying to understand why CNAME Proxied doesn’t work. I know that Cloudflare does a lot of work in this mode, but eventually when it calls Framer, then I expect with these settings to be just an https request to Framer. Is Cloudflare adding some headers to the request that allow Framer to detect it?

Is it possible to see the request that Cloudflare sends to Framer?

I tried to use the new Trace tool, but it didn’t show anything.

Best,
Gigi

Also, we did connect our domain in Framer.

As the name implies, with the zone in DNS-only :grey: mode, Cloudflare is merely doing DNS resolution. Since Cloudflare is not proxying the traffic, it cannot serve the SSL certificate.

So with the hostname set to DNS only, the SSL/TLS mode setting has no effect on that hostname at all.

I mentioned this (in a passing) earlier: you’ll need to handle SSL/TLS certificate and setup at Framer’s end since Cloudflare is ONLY doing DNS resolution and nothing else.

From this Framer community post, this is supposed to happen automatically. You may just have to give it a little time for the LetsEncrypt gods to do their work :smiley:

I’ve no direct experience with Framer, but you said yourself earlier that this requires an “expensive addon or Enterprise plan”? Not any more?

By the way, can you share the domain you’re trying to set up so I can take a look?

1 Like

Our framer app is: https://authentic-project-607455.framer.app
Our domain is getinvisible.com
The CNAME record is app-staging.getinvisible.com → authentic-project-607455.framer.app

I added configuration rule to use Full SSL/TLS mode for app-staging.getinvisible.com to get around the too many redirects error.

The two Framer custom domain tutorials I’ve linked above both say you should CNAME your domain to sites.framer.site. I even reminded you of this in my first post. But that’s not what you did.

Please fix that, unless Framer is telling you to point to your own Framer subdomain.

I’m willing to stay with you until you get this resolved. But you have to pay a little attention and do exactly what’s required – else we’ll just be going back and forth forever.

Standing by.

1 Like

Hi George,
Yes. I did it earlier before starting this conversation. It didn’t work either. I got ERR_QUIC_PROTOCOL_ERROR

Based on my understanding a direct CNAME as is currently configured with Full SSL/TLS mode should work if it appears to Framer just like direct user request.

But, the request from Cloudflare to Framer is opaque for me, so I try to figure out if there are some extra headers or anything else (IP block?) that lets Framer detect that the request is coming from Cloudflare and return 404 (which is a strange error for this case).

Hi!

I think you misunderstand how this works. A CNAME record does not mean that Cloudflare changes the name of requested site, so Cloudflare will still sent a request for app-staging.getinvisible.com to Framer. Framer will then respond with a 404, because they don’t know about that name unless you configured it on their server.

So you simply need to follow Framer’s guide, anything else will not work.

Yes, absolutely. Cloudflare does add headers to the request that let’s the destination know the request is coming from Cloudflare, but that isn’t the problem here.

Hi Laudian,
Thanks for the info. Looks like there is no workaround for custom domains.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.