I've 100 customers on subdomains, do I need 100 A-records?

Hi y'all,

I've a website and every customer has its own subdomain:

It's easy to install Cloudflare on my root domain, but how do I install it for my customers who are on a subdomain?

I saw a topic that you can install Cloudflare on a subdomain (CNAME or A-record), but I have more than 100 customers. So do I need to create a CNAME / A-record for every new customer, or is there a smarter way to do that?

Kind Regards,
Ron

What is your objective? To create different accounts for different customers which allows them to manage their own subdomain? Or you just purely want to manage the Cloudflare configuration on behalf of them?

It sounds like you just need to proxy all subdomains. Is that correct? You could create a wildcard DNS record for *.example.com pointing to your origin.

1 Like

Well, each customer gets a unique link so that he can log in to their private space (customer.rootdomain.com). They do not need to manage their own subdomain or Cloudflare or anything.

The problem I am facing is that when I change the DNS, only the root domain works and all the customer.rootdomain.com subdomains go offline.

I only want Cloudflare to "install/work" on www.rootdomain.com without the problem that all customer log-in pages go offline.

@Albert
So if I put in the DNS *.rootdomain.com the log-in pages will be back online? (a wildcard)

Let’s say you create the following DNS record: *.example.com A 127.0.0.1. This will cover all subdomains of example.com like:

  • www.example.com
  • customer-1.example.com
  • customer-3928282.example.com
  • dashboard.example.com

Do you want to only use Cloudflare DNS for www.example.com and keep your existing DNS provider for customer subdomains?
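To make the wildcard rule concrete, here is an added example (not code from the thread or from Cloudflare) that resolves hostnames against a small constructed zone using the standard DNS wildcard semantics (RFC 1034 / RFC 4592): an explicit record always beats the wildcard, the wildcard never answers for the apex itself, it does match deeper names such as a.b.example.com, and a name that sits under an existing branch (here foo.example.com, which exists only because mail.foo.example.com does) gets no wildcard answer. The zone contents and IPs are constructed; Cloudflare's proxy layer is not modelled.

```python
"""Added example (not from the thread): which hostnames does a DNS wildcard
record actually answer for?  Implements the standard RFC 1034 / RFC 4592
wildcard rules over a small constructed zone; it does not model
Cloudflare's proxy layer."""

from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str]            # (type, value)
Zone = Dict[str, List[Record]]      # owner name -> records; owners lowercase, no trailing dot

# Constructed sample zone; 203.0.113.0/24 is the documentation address range.
ZONE: Zone = {
    "example.com":          [("A", "203.0.113.10")],
    "www.example.com":      [("A", "203.0.113.10")],
    "*.example.com":        [("A", "203.0.113.10")],   # the wildcard from the post above
    "mail.foo.example.com": [("A", "203.0.113.20")],   # makes foo.example.com an empty non-terminal
}


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def name_exists(zone: Zone, name: str) -> bool:
    """A name exists if it owns records or is an ancestor of one
    (an 'empty non-terminal'); wildcard owners count as nodes too."""
    name = _norm(name)
    return any(o == name or o.endswith("." + name) for o in zone)


def lookup(zone: Zone, qname: str) -> Tuple[Optional[str], List[Record]]:
    """Return (owner that answered, records).  owner is None for NXDOMAIN;
    an existing owner with [] is an empty answer (NODATA)."""
    qname = _norm(qname)
    if qname in zone:
        return qname, zone[qname]                 # exact match beats any wildcard
    if name_exists(zone, qname):
        return qname, []                          # empty non-terminal: exists, no records
    labels = qname.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if name_exists(zone, ancestor):           # closest encloser
            wildcard = "*." + ancestor
            if wildcard in zone:
                return wildcard, zone[wildcard]   # answer synthesized from the wildcard
            return None, []                       # closest encloser has no wildcard child
    return None, []


def check_hosts(zone: Zone, hosts: List[str]) -> Dict[str, Optional[str]]:
    """Map each hostname to the owner name that answers it (None = NXDOMAIN)."""
    return {h: lookup(zone, h)[0] for h in hosts}


if __name__ == "__main__":
    for host, owner in check_hosts(ZONE, [
        "example.com", "www.example.com", "customer-1.example.com",
        "customer-3928282.example.com", "a.b.example.com", "x.foo.example.com",
    ]).items():
        print(f"{host:32} -> {owner}")
```

The practical check this gives you: before relying on `*.example.com`, list the customer hostnames you expect to serve and confirm each one resolves to the wildcard (or to its own explicit record) rather than to NXDOMAIN. Note that a working DNS answer says nothing about TLS; the 525 error discussed further down is a separate, certificate-level problem.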

Well, I have tried the *.domain.com (wildcard) but that didn't work.
See image 1

After the change I get an error on the subdomains. The main domain keeps working.
See image 2

Error 525 means the Cloudflare DNS is doing its part, but you don’t have a wildcard SSL on your domain to make the SSL work. So you have to generate a wildcard SSL at host level and that error would go away.

2 Likes

Thanks for your answer.
I thought that we have an SSL wildcard. See this screenshot.

SSL should be available at the root of every subdomain too I believe.

What do you mean @twitter-luckyankit ? The website is symson[.]com and an example of subdomain is vink[.]symson[.]com. The website is hosted by webflow[.]com and the domains are at transip[.]nl

Try setting the SSL encryption setting to full only, not Full(Strict). If that doesn’t solve it, I would suggest considering changing the host and moving to a self-hosted setup with Plesk. I can provide help on that.

No, the OP should not remove encryption from his site. The encryption mode should be Full Strict and he should fix the server certificate.

1 Like

Full (Strict) is not going to solve this issue as the OP is not generating a separate SSL for each subdomain. If you have any solutions to this situation, you’re welcome to share them.

Well, the OP will either need a certificate for each host or a wildcard one. Which one is up to him, but his site needs to work. Recommending to make his site insecure certainly is not a good option.

2 Likes

Keeping it to FULL doesn’t make it insecure. Also, he already has a wildcard SSL which isn’t working for him. At least the solution I am suggesting will help him achieve what he wants. As long as he has enforced https redirect, it is definitely okay to keep it to FULL only if that secures his whole site further.

Of course, setting it to just Full will make it insecure because you disable the validation and anyone on the line can tamper with his data, which is per se insecure.

@albert already suggested four weeks ago what to do, and that's to configure a wildcard certificate. Essentially, the site needs to work without Cloudflare, then it will also work with Cloudflare.

Recommending to lower his site’s security is not exactly a good option.

If the subdomains have the same origin as the apex domain, you can create a CNAME record for *.example.com pointing to example.com.

This will allow you to use Full (strict) while only having an SSL certificate for the apex domain due to a non-standard quirk in how Cloudflare validates certificates.

https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/#use-when-3

Your origin needs to be able to support an SSL certificate that is:

  • Contains a Common Name (CN) or Subject Alternative Name (SAN) that matches the requested or target hostname.

3 Likes
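The CN/SAN requirement quoted above is exactly what decides between a working Full (strict) setup and the 525 error from earlier in the thread, so here is an added example (not code from the thread, Cloudflare or the poster's hosting) that applies the usual RFC 6125 hostname-matching rules to a list of certificate names: a wildcard is accepted only as the whole leftmost label and covers exactly one label, so `*.symson.com` matches `vink.symson.com` but not `symson.com` or `a.b.symson.com`. The two certificate name lists are constructed illustrations of the apex-only and wildcard situations discussed above; the hostnames are the ones named in the thread.

```python
"""Added example (not from the thread): does the origin's certificate name
the hostnames Cloudflare will request?  In Full (strict) mode a mismatch
surfaces as the 525 error seen above.  The name lists here are constructed
illustrations, not the poster's real certificates."""

from typing import List


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate name with a hostname.
    A '*' is only accepted as the entire leftmost label and stands for
    exactly one label, so '*.example.com' covers 'a.example.com' but
    neither 'example.com' nor 'a.b.example.com'."""
    pattern, hostname = _norm(pattern), _norm(hostname)
    if pattern == hostname:
        return True
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False                       # wildcard only as the whole first label
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3:
        return False                       # reject '*.com' style patterns
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False                       # wildcard covers one non-empty label
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert_names: List[str], hostname: str) -> bool:
    """True if any CN/SAN entry matches the hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def find_uncovered(cert_names: List[str], hostnames: List[str]) -> List[str]:
    """Hostnames for which strict validation of this certificate would fail."""
    return [h for h in hostnames if not cert_covers(cert_names, h)]


# Constructed certificate name lists for the two situations in the thread.
APEX_ONLY_CERT = ["symson.com", "www.symson.com"]
WILDCARD_CERT = ["symson.com", "*.symson.com"]
HOSTS = ["symson.com", "www.symson.com", "vink.symson.com", "a.b.symson.com"]

if __name__ == "__main__":
    for label, names in (("apex-only", APEX_ONLY_CERT), ("wildcard", WILDCARD_CERT)):
        missing = find_uncovered(names, HOSTS)
        print(f"{label:10} cert {names}: strict validation fails for {missing or 'nothing'}")
```

To use this against a real origin, read the names off the certificate the origin actually presents (for example from the output of `openssl s_client -connect <origin-host>:443 -servername <customer-host>`) and put them in the list; any hostname returned by `find_uncovered` is one the origin still needs a certificate for, which is the fix Full (strict) expects rather than lowering the mode to Full. Modern clients consult only the SAN list when one is present, so a name that appears only in the CN should be treated as missing.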

That is quite a good answer. Hope that works

It's very technical stuff, to be honest. Thanks for all the answers. The subdomains (vink.symson.com) are hosted at Azure and the apex domain (symson.com) is hosted by Webflow, so they don't have the same origin, correct? So creating a CNAME record *.symson.com pointing to symson.com doesn't work, right?

So I need to upload the SSL certificate to each of our customers' environments on the Azure server, and I can try to use Full instead of Full (strict) if the above doesn't do the trick.

The subdomains do not necessarily need to work with Cloudflare. As long as the main/apex domain (https://www.symson.com or https://symson.com) uses Cloudflare, it's all good. The subdomains are only used for customers to log in.