Amazon CloudFront seems to have this feature since 2013 for free.
Would be nice to have it in Cloudflare too.
Why
I have an idea for a low-budget service where I want to use Cloudflare Workers on all unregistered subdomains to output a page customized according to the subdomain name.
Of course I may do it with client side JavaScript but it may hurt SEO (and deprive me of all other benefits of Cloudflare like fast CDN and DDOS mitigation).
Because the project is just an idea and the budget is low, I can't afford to acquire an Enterprise plan or even Pro.
A further abstraction of the project idea would be allowing users to bring their own domains to the service and manage them but as Cloudflare plans are per domain I doubt it will be feasible, without Enterprise plan at least.
Offtopic
Have you thought to start providing static site hosting service with CF? Maybe in partnership with Netlify.
The wildcard info message in the DNS settings page currently says: (emphasis mine)
Wildcards may be added to DNS, but only Enterprise customers can proxy wildcards through the CDN…
And according to Cloudflare support, the enterprise plan starts at $5,000 per month ($60,000 annually).
That's not "dig a bit deeper into [your] pockets", that's well into "completely empty your pockets" territory (for anyone that isn't actually an enterprise).
So while I can kind of understand if this was a feature of the Pro ($20/mo) plan, right now it's extremely cost prohibitive for developers / personal users (and probably many small businesses too) - especially when AWS route53 includes it (for no extra cost, which ends up being like $1/mo for a small site).
Chances are you don't need a proxied wildcard entry if you're doing anything other than SAAS or giving out subdomains, things which aren't common for anyone other than businesses with millions in revenue that can afford Cloudflare enterprise.
If you're, as you said, a "developer" or "personal user", then you probably could take the time to automatically add the desired DNS subdomains using the API when needed.
Here are two ideas that require bringing own domains to fight censorship:
A user brings his own domain, from which we serve text files which may be personalized based on a user token supplied by client/user. Personalization is done via Cloudflare Workers (with KV) on the edge. These text files may be PAC-scripts constructed according to client preferences. PAC-scripts may be used to fight censorship or for internal networking. The ability to bring own domains is crucial because any public domain that fights censorship may be easily censored but if user brings his own domain which we use secretly then it can't be revealed and blocklisted.
I'm a big site being censored. I create a service on Cloudflare which allows users to bring their own domains and create mirrors on them of my site by proxying requests via Cloudflare Workers. Mirrors are used privately or may be shared with others if so desired.
Both use cases deal with fighting censorship and censorship being abused in bad hands is a problem in some countries.
I was going to mention the API as well, @judge, but the problem there is that Cloudflare limits the amount of DNS records per domain. A wildcard would point every possible combination; individual subdomains would be eating away at the domain's quota.
Seems like not true any more, big news for me, I wonder how I managed to skip the announcement.
So out of two problems discussed here: 1) proxied wildcard subdomains and 2) ability to bring many domains via API - only the first remains unresolved.
I understand you want to get more profit for your services but isn't getting a wildcard certificate an easy task that requires little resources? And then price for proxying wildcard subdomains can be calculated based on number of requests served.
@Judge doesn't work for and has no influence over their pricing decisions. Cloudflare provides both a root domain and a wildcard certificate. What it doesn't provide (except on enterprise plans) is support for proxying of a wildcard DNS record through their service.
How many individual records have you added so far? At your current rate of growth how long until you hit the maximum number of records for your particular plan type?
The problem is that I want to serve responses for subdomains that I don't know beforehand. E.g., imagine chat/forum server where each subdomain is a room/channel/forum topic. It's just an example, not a real project.
UPD: ok, maybe it's fine to have some installation process which creates a subdomain as forum topic. And after installation it can be proxied via CF.
UPD2: Another example - each subdomain is a search result for that subdomain as a search term.
I would also like to explain how wildcard subdomains may be used to mitigate censorship.
Russian providers are obliged to censor exact domains/subdomains and sometimes their ips (or ip ranges).
If provider blocks one subdomain he shouldn't block other subdomains. I don't know the details but it may be illegal to block subdomains that are not in the official blacklist registry.
E.g., we use subdomain name which is not known beforehand to show search results using subdomain name as a search keyword. And we want to use CF workers so we need the orange cloud.
If some subdomain as a search keyword returns something offending Mr. Putin (it's illegal in Russia to offend Putin or his government) then it gets blocked but our whole search engine mounted on second level domain mustn't be blocked because it's not in the blacklist.
The benefit of this approach: while some subdomains are blacklisted other subdomains continue to work.
UPD: I'm not sure if offending Mr. Putin may be the cause of censorship but for sure I've heard about people got fined for this kind of crime.
Another example where you want proxied/orange wildcard subdomains. kasparov.ru is a political site blocked in Russia.
You want kasparov.ru.anticensority.cf to use CF workers as a proxy to retrieve kasparov.ru response, cache it and serve to users in some format. The idea should work for other blocked sites as subdomains so the wildcard is needed.
You can't use CF for illegal activity but kasparov.ru is illegal only in Russia not in USA. Do the CF's Terms of Service target only USA or all countries where their platform is located (including Russia, e.g.)?
For one, that solution wouldn't work with HTTPS since wildcard SSL can't cover two-level down subdomains.
As for the TOS: the only thing is general Intellectual Property:
you will not use the Cloud Services to […] (b) post, transmit, store or link to any files, materials, data, text, audio, video, images or other content that infringe on any person's intellectual property rights or that are otherwise unlawful; […]
The issue with a service like you describe is that it would make Cloudflare a "forward proxy", something CF is not in the business of doing (otherwise they would provide official forward proxy services).
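
The wildcard certificate limitation raised in the last reply, as an added example that is not part of the original thread: a simplified RFC 6125-style name matcher showing why a certificate for the root domain plus a one-level wildcard does not cover a name two labels below the zone. The function names are hypothetical, and the SAN list is constructed from the "root domain and a wildcard certificate" coverage mentioned earlier in the thread.

```javascript
// Added example: simplified certificate name matching (RFC 6125 style).
// Assumptions: ASCII hostnames only; "*" must be the entire left-most label.

function splitLabels(name) {
  // Case-insensitive comparison, ignore a trailing root dot.
  return name.toLowerCase().replace(/\.$/, "").split(".");
}

function wildcardCovers(pattern, host) {
  const p = splitLabels(pattern);
  const h = splitLabels(host);
  // "*" stands for exactly one label, so the label counts must be equal.
  if (p.length !== h.length) return false;
  // Reject empty labels such as ".example.com" or "a..example.com".
  if (h.some((label) => label === "")) return false;
  return p.every((label, i) => {
    if (label === "*") return i === 0; // wildcard allowed only left-most
    return label === h[i];
  });
}

// Return the first SAN entry that covers the host, or null if none does.
function coveringName(sans, host) {
  return sans.find((san) => wildcardCovers(san, host)) || null;
}

// Constructed SAN list: root domain plus a single-level wildcard.
const SANS = ["anticensority.cf", "*.anticensority.cf"];

function report(hosts) {
  return hosts.map((host) => ({ host, coveredBy: coveringName(SANS, host) }));
}

// Constructed sample hostnames, including the two-level name from the thread.
const SAMPLE_HOSTS = [
  "anticensority.cf",
  "search.anticensority.cf",
  "kasparov.ru.anticensority.cf",
];

for (const row of report(SAMPLE_HOSTS)) {
  console.log(row.host, "->", row.coveredBy === null ? "NOT covered" : row.coveredBy);
}
```

A client validating the certificate would reject the two-level name with a hostname mismatch, so each extra level needs its own certificate entry (for example `*.ru.anticensority.cf`) or a single-label encoding of the target name.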