Cloudflare is returning a 301 and 403

I have a domain from Namecheap, managed on Cloudflare, pointing to a CNAME record on an app server deployed on render.com. There is no other record on that domain. It is consistently returning 301 or 403 based on the settings on Cloudflare. I want to allow custom domains on the app so that users can point their own domains for their profiles. The CNAME record points to cname.mydomain.com. I have also tried pointing it to the naked domain, but I believe it's not the issue as the request never reaches the app.

SSL is Full Strict and Proxied. Returns 403
SSL is Full, Not Proxied. Redirects 301

Any help would be appreciated. I'll be happy to add more information on request. Thanks.
17 Replies
Chaika 17mo ago
hmm, you're trying to use CF for SaaS / Custom Hostnames with Render/the host you don't control, ex: yourcustomer.com -> CNAME -> yourdomain.com -> CNAME -> render
If you access your domain directly, which is a CNAME to render, does that work?
znbutt (OP) 17mo ago
Yes, the cname to render works fine, it renders the app landing page as expected.
Chaika 17mo ago
In general, trying to use CF for SaaS or any setup where customers CNAME to you when you don't completely control the origin server isn't likely to work well. Render receives the host header/SNI of your customer and is just confused.
Specifically in this case, Render is a CF customer that I believe uses CF for SaaS as well, so you're trying to layer CF for SaaS/O2O.
I believe your options would be either to use a Worker to proxy it, and use the worker as your fallback domain, or add the domains to Render directly and have them CNAME there
znbutt (OP) 17mo ago
I am not using CF for SaaS for my app. When you talk about controlling the origin server, you mean the app server or Render in general controlling the access to the server (reverse proxy)?
Chaika 17mo ago
Oh, then you're having customers just CNAME to your site without CF for SaaS or anything else?
znbutt (OP) 17mo ago
yes, it just happens to be that my testing domain is using CF DNS, customer domain could be on any registrar.
Chaika 17mo ago
yea that's just not going to work at all
znbutt (OP) 17mo ago
for instance, mydomain.com would have a cname record => cname.myapp.com
Chaika 17mo ago
The CF Proxy uses Shared IP Addresses, your site is sharing the same IP as many other CF Sites. When Customers CNAME to your site, the visitor resolves the CNAME into an IP Address and then connects to that IP Address with the host header/SNI of your customer's site. The Cloudflare Proxy would just get confused, it doesn't have an SSL Cert for their site (unless they use Cloudflare) or if they do, it's banned for security reasons (without CF for SaaS).
There is different behavior if you are CNAMEing from a CF site to another CF site in the same account, it'll resolve the CNAME. In this case you're probably confusing Render because your testing domain isn't configured on their end to work
High Flying Dwarf
"Oh, then you're having customers just CNAME to your site without Cf for SaaS or anything else?"
You can't point non-Cloudflare domains to Cloudflare proxied domains without Cloudflare for SaaS
High Flying Dwarf
Troubleshooting Cloudflare 1XXX errors · Cloudflare Support docs
The errors described in this document might occur when visiting a website proxied by Cloudflare. For Cloudflare API or dashboard errors, review our …
High Flying Dwarf
"SSL is Full, Not Proxied. Redirects 301"
This will be from the origin. SSL level is not applicable if the domain isn't proxied.
If you're using third-party services who say they use Cloudflare they should provide you with instructions to get set up.
Chaika 17mo ago
yea that whole setup is just cursed because Render itself uses CF for SaaS in the first place. I think the only way he could get it to work is if he used CF for SaaS + a worker proxying the requests, but not very clean.
don't think Render is made for the use of having your customers do that, unless by adding them to your Render custom domains, and having them CNAME to Render directly
High Flying Dwarf
They actually cover this per public docs: https://render.com/docs/configure-cloudflare-dns
"Finally, add CNAME records for both your base domain and wildcard domain pointing to your onrender subdomain. Pointing your base domain to Render is required for an orange to orange setup. With this configuration, Cloudflare will send traffic to your zone first. The Worker that you just set up will match the route and trigger an origin override, so traffic for the base domain will not get sent to Render. If you do not do this, Cloudflare will send the traffic directly to Render’s zone and the Worker you set up will have no effect."
Configuring Cloudflare DNS | Render
Configure Cloudflare DNS settings to point to your Render app with this guide.
Chaika 17mo ago
don't know if the resolveOverride part of that would work, because it only changes lookup and not host header, and the request url/host header would be that of his customer's domain via CF for SaaS. Unless there's some magic in CF for SaaS I don't know about, but I don't see why you couldn't just fetch the custom domain you would have for Render anyway without the resolveOverride, in his case at least.
o2o2o is weird to think about
znbutt (OP) 17mo ago
@highflyingdwarf by non-CF domains, do you mean buying through CF or managed through CF? Thanks for the article, I'll go through it.
I have gone through the Render docs for Cloudflare domains, it still returns Error 1000. @highflyingdwarf
High Flying Dwarf
You'll need to reach out to Render directly if this relates to setting up their service. Sorry.
