Cloudflare SaaS custom hostname 525
Hi. I'm trying to test out Cloudflare SaaS with custom hostnames for a new feature of mine. I'll write out what I've currently done.
1. Created a fallback origin https://proxy-fallback.fivemanage.com/. This is an A record to an IP where the page is running on a Caddy webserver.
2. Created a CNAME customers to proxy-fallback.fivemanage.com.
3. Created a custom hostname whitelist.error-interactive.com that is a CNAME record to customers.fivemanage.com.
FYI: In this case both domains go through CF and all the records mentioned here are proxied.
Now, if I go to the fallback domain, we see the webpage; if I go through whitelist.fivemanage.com, it's just a 525 handshake error.
I've tried to enable Total TLS with Google Trust Services, without that working, so I disabled it again.
Am I missing some certificates? I have not touched anything related to DCV. Neither did I add any TXT records for the error-interactive.com domain. Could it be related to Caddy? (I'm open to changing to anything else if need be.)
Would be great if someone could give some pointers. (Scream at me if I'm duplicating a post, couldn't find any) 🙂
I see blank 200/OK responses on https://whitelist.error-interactive.com/ and https://customers.fivemanage.com/. 525 would be an origin SSL error, not something that Total TLS or the edge side could help with.
Hey! Yeah, I added the Cloudflare DNS plugin to Caddy for the whitelist.error-interactive.com domain, and at least it's returning 200 with a blank page, but it is still not routing the traffic to proxy-fallback it seems.
I'll try to create an 'ask' endpoint for Caddy to send requests to and see if on-demand TLS fixes it.
You're saying you don't think it's reaching your origin? They've both got cf-cache-status: Dynamic, so it's reaching somewhere. I would assume that Caddy isn't configured for that hostname/doesn't have a fallback, so it's just going nowhere.
Yeah, I'll try to mess a bit more around with Caddy. When I see 'Hello World' I know it's working 😄
Hm, I removed the Cloudflare plugin and now I'm only running this with on_demand_tls and tls on_demand for :443. I read through this: https://logsnag.com/blog/setting-up-vanity-subdomains-for-your-saas-using-caddy
It seems like they are only using one port, although in my case that won't work, as this is only supposed to be for one specific app running on port 8084 or so.
Still getting a 200 back, which is nice!
Sending some screenshots too, just to clarify what the setup looks like.
I wonder if just not using the 'customers.fivemanage.com' subdomain could be a thing too.
you could have them cname directly to your fallback
You don't need to issue SSL on your origin for each of them; CF is fine as long as it has a certificate covering the fallback. I'm confused where you're stuck at though: you don't see any of the incoming requests in your logs? If you only have server blocks for the fallback I don't think that would work; the incoming hostname should be whitelist.error-interactive.com.
No logs unless I go directly to proxy-fallback.fivemange.com. It's a small express server running and printing headers on request, which yeah, only happens on proxy-fallback directly, not through whitelist.fivemanage.com nor customers.fivemanage.com.
https://whitelist.error-interactive.com/, sweet!
Now it works