SSL for SaaS with App Engine

I’m trying to configure my Google App Engine instance with Cloudflare’s SSL for SaaS offering. The objective being that I can provide to my customer a “custom domain” (also known as “vanity domain”), such that they don’t go to, but instead

I believe I’ve well configured the DNS records. It can be resumed as:

My main concern being that Google Cloud App Engine doesn’t seem to recognize the original hostname (e.g. and thus refuse to serve the request. Does anyone has successfully configured SSL for SaaS with App Engine?

PS: I’ve written an extensive post on Stackoverflow about this.

Cloudflare will serve SSL for SAAS domains, but your server (in this case GAE) still has to be willing to serve whatever HOST header is sent, and you can’t change this in Cloudflare as it’d be ripe for abuse: Transform Rules Cannot Set Host Header? - #2 by Judge

So you need to set up your GAE server to serve your content for the HOST header (hostname) of any of your clients. I don’t think Cloudflare would implement an override for your account simply because the hostname you’re targeting is a google cloud-wide load balancer, so them allowing you to change the header for that would allow a lot of potential abuse.

1 Like

Thanks for guiding me on this. That’s what I was afraid of. Do you know any other cloud provider (Heroku? AWS?) that would be compatible with SSL for SaaS “out-of-the-box”? Or should I buy an IP address with Google Cloud?

TL;DR. You need to purchase a dedicated IP address with Google Cloud and map requests to it using a Cloud Balancer. If you are interested in learning more, I’ve written an extensive response on Stackoverflow.

1 Like