Proxying and SSL with CNAME

Hey!

I’ve read mixed things on here and elsewhere, but thought I’d try to figure it out once and for all.

We are currently building a platform and we provide our users with a domain name when they join. Let’s say:
https://user.example.com

That example.com is on Cloudflare. When a user signs up to our platform, we use the Cloudflare API to create a new DNS record for that user.

Now, I want to offer people the opportunity to use their own domain, let’s say:
https://user.com

We have built a cert service that can generate certificates for each custom domain name and set up our webserver accordingly.

However, when we then add a CNAME to point user.com to user.example.com, Cloudflare gives a DNS Resolution Error. Probably because of the fact that user.com isn’t on the Cloudflare network.

We don’t want to force users to point their name servers to Cloudflare, so I have a number of questions.

  1. The FAQ mentions that we can get around this by returning a 301 on the Web Server itself: https://support.cloudflare.com/hc/en-us/articles/360017421192-Cloudflare-DNS-FAQ#CloudflareDNSFAQ-CanICNAMEadomainnotonCloudflaretoadomainthatisonCloudflare
    However, we tried that and it doesn’t seem to work. I feel that it’s never even hitting the webserver.

  2. I understand the Business Plan has “CNAME set-up compatibility”. Is this what is required to make this scenario work? Or is there no other way it can work outside of this?

  3. If we need Business and it is purchased, do the domains we CNAME to our Cloudflare domain then receive the usual DDoS and Proxy features as if they were on Cloudflare? i.e. does it make it so that whatever request is coming to user.com, is actually going to user.example.com

  4. If we are some time away from releasing this feature, is there a way to trial this feature for testing purposes?

Thank you!

I think what you are looking for is the SSL for SaaS feature.

Cloudflare SSL for SaaS extends the security and performance benefits of Cloudflare’s network to your customers via their own custom or “vanity” domains.


Not so much, unless I’m confusing that product. While that would allow for SSL on our domains, we already have SSL on our domains. If you look at that page, we would fall under the “Challenging in-house approach” :yum:

What we are looking for is just the ability to resolve CNAMEs with their DDoS etc.

Hi Mark,

The best fit for what you want to accomplish is really our Managed Custom Hostnames feature, aka SSL for SaaS, but it’s only possible with an Enterprise plan.

Now going over your details:

However, when we then add a CNAME to point user.com to user.example.com, Cloudflare gives a DNS Resolution Error. Probably because of the fact that user.com isn’t on the Cloudflare network.

Yes, that’s correct. The only way to CNAME would be if you grey-cloud the record user.example.com, but that way traffic wouldn’t be proxied (Cloudflare features off, only DNS resolution).

  1. The FAQ mentions that we can get around this by returning a 301 on the Web Server itself: https://support.cloudflare.com/hc/en-us/articles/360017421192-Cloudflare-DNS-FAQ#CloudflareDNSFAQ-CanICNAMEadomainnotonCloudflaretoadomainthatisonCloudflare
    However, we tried that, and it doesn’t seem to work. I feel that it’s never even hitting the webserver.

I don’t think your customers would want this; for instance, when someone visits user.com they would see the redirect and the website with your domain user.example.com.

  2. I understand the Business Plan has “CNAME set-up compatibility”. Is this what is required to make this scenario work? Or is there no other way it can work outside of this?

Your customers would need to buy a Cloudflare Business plan and configure a CNAME-Setup zone; this way they would keep their nameservers and be able to configure the subdomains that they would like to proxy.
Still, as the zone would be in a different account, you would need to contact support to allow this cross-user CNAME.

  3. If we need Business and it is purchased, do the domains we CNAME to our Cloudflare domain then receive the usual DDoS and Proxy features as if they were on Cloudflare? i.e. does it make it so that whatever request is coming to user.com, is actually going to user.example.com

For this, only Managed Custom Hostnames / SSL for SaaS, because of what I wrote in point 2).

  4. If we are some time away from releasing this feature, is there a way to trial this feature for testing purposes?

The best option here is to contact sales and check the prices and the details of how you could test it.
