Railway•11mo ago
nikolalsvk

How to point a client's subdomain to Cloudflare and then to Railway?

Hi there, we want to achieve the following:
subdomain.client.com -> subdomain.our-domain.com -> our-app.up.railway.app
Right now, we instructed our client to create a CNAME:
subdomain.client.com -> subdomain.our-domain.com
And we have in our Cloudflare this CNAME:
subdomain.our-domain.com -> some-app.up.railway.app
But the problem arises when we turn on the Cloudflare proxy for the CNAME subdomain.our-domain.com -> some-app.up.railway.app. With the Cloudflare Proxy, we're getting ERR_SSL_VERSION_OR_CIPHER_MISMATCH when visiting subdomain.client.com in the Chrome-based browser. Everything works fine without Cloudflare proxy, but we want to use Cloudflare's features. The SSL/TLS encryption mode is Full, and we have no Page Rules set.
Is it possible to have this setup with Cloudflare proxy turned on?
15 Replies
Percy
Percy•11mo ago
Project ID: fd3a1eb3-4d39-45cf-9eb9-e39101d6eee5
nikolalsvk
nikolalsvkOP•11mo ago
fd3a1eb3-4d39-45cf-9eb9-e39101d6eee5
Fragly
Fragly•11mo ago
How does it not work? Like what errors does it give?
nikolalsvk
nikolalsvkOP•11mo ago
We're getting ERR_SSL_VERSION_OR_CIPHER_MISMATCH - via Chrome-based browser
Or if the subdomain.client.com is requested via curl -
curl: (35) LibreSSL/3.3.6: error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure
Brody
Brody•11mo ago
railway does host based routing, if subdomain.client.com isn't listed in the domains of the service it won't work for a few reasons:
- that domain won't have ssl issued by railway
- railway won't know where to route the traffic to that comes from that domain
two options (that i can think of)
- add subdomain.client.com to your service's domains and ask your client to set the cname to our-app.up.railway.app (or the auto generated cname)
- use a proxy service to proxy traffic to subdomain.our-domain.com with host masking (mask to subdomain.our-domain.com since that domain is in your railway service) that will also issue you your own cert, i know fastify can do this, don't know if cloudflare can
nikolalsvk
nikolalsvkOP•11mo ago
Got it, thanks. The subdomain.client.com is listed in Railway and it is showing "Cloudflare proxy detected", so from that point it should be all good 🤔
Brody
Brody•11mo ago
can you send the actual domain?
nikolalsvk
nikolalsvkOP•11mo ago
I'll send you a PM
Brody
Brody•11mo ago
you said you have subdomain.client.com in the service's domains, and it's set to full in cloudflare, given that information i think you have it all set up correctly. and with that said i have seen ERR_SSL_VERSION_OR_CIPHER_MISMATCH many times, each time it has always worked itself out within a few hours, ssl cache or something
nikolalsvk
nikolalsvkOP•11mo ago
Yes, I will wait a bit more then. I enabled the Cloudflare proxy around 12 hours ago. It might need some more time. I also found a similar problem on Cloudflare community https://community.cloudflare.com/t/cname-tls-issue-from-cloudflare-to-cloudflare-domain/205005
Brody
Brody•11mo ago
interesting, you have been getting the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error for 12 hours?
nikolalsvk
nikolalsvkOP•11mo ago
Cloudflare for SaaS · Cloudflare for Platforms docs
Cloudflare for SaaS allows you to extend the security and performance benefits of Cloudflare’s network to your customers via their own custom or …
Brody
Brody•11mo ago
sounds good, let me know how that goes!
nikolalsvk
nikolalsvkOP•11mo ago
Works well, but you need a paid plan to use it. I will try on my private plan to see if it works and post a solution here. You need to enter your payment details for this to work. But once you're on a paid plan, you go to SSL/TLS in Cloudflare and go to Custom Hostnames. There, you can add your client's domains and verify them either via HTTP (quicker way) or via TXT files. So far it works great for us.
Brody
Brody•11mo ago
awesome, glad to hear it