Railway • 4mo ago
tjh

Cloudflare bare domain configuration

Hi folks,

Have struggled to get my bare domain and www. working with Cloudflare, have read the Railway docs, and Cloudflare ones, and have tried many different settings, have ended up giving up, and now I'm here. Here are the latest steps I've followed, could you please tell me where I'm going wrong?

1. In Railway: add a custom domain for mydomain.com
2. In Cloudflare: add a CNAME for Name = @, target = <host>.up.railway.app -> the name of this DNS record automatically changes to mydomain.com
3. In Railway: add a custom domain for www.mydomain.com
4. In Cloudflare: add a CNAME for Name = www, target = <other_host>.up.railway.app

After these steps, I can see Cloudflare proxy detected on both custom domains in Railway. Both my CNAME records are Proxied on Cloudflare. When I do this, the www. version works, the bare domain doesn't (I get 'this site can't be reached' in the browser). I've tried changing SSL/TLS mode from Full to Flexible in Cloudflare, still doesn't work. I've tried disabling Universal SSL/re-enabling, same thing. I only have one other DNS record, which is a TXT to auth with another service. Any help appreciated!

Project ID: c18400df-5dee-4fe7-bc56-a98db8d475bd
57 Replies
Percy • 4mo ago
Project ID: c18400df-5dee-4fe7-bc56-a98db8d475bd
tjh (OP) • 4mo ago
(FYI, I've just gone through this again while writing this, and now the bare domain works and the www. doesn't 🙈)
Fragly • 4mo ago
If you want both to work like that then you'll need to add two custom domains, a www.mydomain.com one and a mydomain.com one
Although my recommendation would be to choose one of them and then have the other redirect to your chosen one, this keeps things more consistent
tjh (OP) • 4mo ago
I have two custom domains
I'd be happy to do the redirect - I have tried that in Cloudflare using a Redirect Rule - I think I must have done that wrong, as it didn't work
Fragly • 4mo ago
Oh I see now, sorry I misread 🙏
Based on how you set it up, it should work 🤔
Quick side note here:
> I've tried changing SSL/TLS mode from Full to Flexible in Cloudflare, still doesn't work
SSL/TLS mode should always be on full when on Railway
tjh (OP) • 4mo ago
Full strict, or just Full?
Fragly • 4mo ago
Just Full is fine
tjh (OP) • 4mo ago
cool
if you're doing the redirect, is the best thing to set up a custom domain for the bare, or for www., domain in railway?
Fragly • 4mo ago
that's completely up to you, personally I like it when websites don't use www but that's just personal preference 🤣
tjh (OP) • 4mo ago
and you set up the redirect in Cloudflare using a Redirect Rule?
also, should Universal SSL be on?
Fragly • 4mo ago
I believe so, although I'm not very experienced with Cloudflare so I can't really help a lot in that context
No, that should be turned off
tjh (OP) • 4mo ago
ok, so I've just:
1. Removed my custom domains
2. Added mydomain.com (the bare url)
3. Added a CNAME for @ and <host>.up.railway.app to Cloudflare
4. Disabled Universal SSL
and now none (www.mydomain.com, http://mydomain.com, https://mydomain.com and https://www.mydomain.com) of my urls are working
Fragly • 4mo ago
Would you mind sharing the domain you're using?
tjh (OP) • 4mo ago
DMd
Fragly • 4mo ago
Seems the cause is an ERR_SSL_VERSION_OR_CIPHER_MISMATCH, usually these resolve themselves and are usually caused by SSL cache
tjh (OP) • 4mo ago
interesting - when I do:
$ curl -I -L https://mydomain.com
curl: (35) LibreSSL/3.3.6: error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure
and
$ curl -I -L mydomain.com
HTTP/1.1 301 Moved Permanently
Date: Fri, 09 Aug 2024 15:54:23 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Fri, 09 Aug 2024 16:54:23 GMT
Location: https://shareapodcast.com/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RAt5pqcLCaUK3nHvDZkqM%2FyafZDuw3THGN8Km4eT9OpTLz4B8r2%2FHLyH%2FrfMWdd2GNyrnv3XeinvtjYJOGLlId2oukEQcfXPIGn%2FC3Lx3%2BL3vteuwTRHCH%2BFwAaztN7Kt%2FSLmw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8b08eca85d4d949f-LHR
alt-svc: h3=":443"; ma=86400

curl: (35) LibreSSL/3.3.6: error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure
Brody • 4mo ago
who do you own the domain with?
tjh (OP) • 4mo ago
bought on GoDaddy, DNS transfer to Cloudflare
I've just reenabled Universal SSL and my bare domain url works again
Dane • 4mo ago
Easiest thing is to point your bare domain at railway, and point www at your bare domain:
tjh (OP) • 4mo ago
hmm the plot thickens, this is something I haven't tried
back in 5 mins
Dane • 4mo ago
If that doesn't work, you can also redirect www to your bare domain: https://developers.cloudflare.com/pages/how-to/www-redirect/
tjh (OP) • 4mo ago
this doesn't seem to work for me: bare domain does, www. doesn't
trying second suggestion, thank you Dane
Dane • 4mo ago
I just set one up, had to point the www domain at the bare domain, and add the bulk redirect. The DNS record on the www just allows Cloudflare to listen on www (they are pointing it to a dummy IP), using a CNAME record pointing to the bare domain works as well.
tjh (OP) • 4mo ago
it works!! Dane, thank you, you are a hero
Dane • 4mo ago
I think that's the cleanest solution as you are also telling google not to index the www because of the 301 redirect
tjh (OP) • 4mo ago
thank you so much; I really appreciate your help
Brody • 4mo ago
can you DM your domain?
nvm i can grab it from your service
tjh (OP) • 4mo ago
yeah it's there
Brody • 4mo ago
show me your dns in cloudflare?
tjh (OP) • 4mo ago
DMd
Brody • 4mo ago
ssl tls mode set to full?
tjh (OP) • 4mo ago
ah man I've just deployed and I now get a 404
annnd it's back
Brody • 4mo ago
universal ssl off?
this should be on, dane is right
tjh (OP) • 4mo ago
SSL/TLS = Full, Universal is off
Dane • 4mo ago
Universal SSL should be on (unless you have an advanced certificate). The hosts on your universal ssl should be *.example.com, example.com to include www.
SSL = Full
The connection from Cloudflare to Railway is over SSL, so you need SSL = Full. Full (strict) is only when you are using a cloudflare origin cert on Railway (can be done through a cloudflare warp tunnel)
tjh (OP) • 4mo ago
turning Universal SSL on stops my www. -> bare domain redirect working (unless there's an amount of time I need to wait after enabling it)
Dane • 4mo ago
There usually is a bit of a time delay. Do you have an advanced certificate as well, or just universal?
tjh (OP) • 4mo ago
whatever is out of the box/free, I guess universal?
Dane • 4mo ago
ok, so you would need to have universal enabled as that is the only certificate encrypting your connection between the browser and cloudflare. Do you have the orange cloud turned on for your bare domain and www?
tjh (OP) • 4mo ago
I only have one CNAME now, for @ (which replaces with mydomain.com) and yes, proxied/orange cloud is on
Dane • 4mo ago
You probably need to add a cname for www pointing to @ as well
tjh (OP) • 4mo ago
done: now, with www. I get "This site can't be reached" / "DNS_PROBE_FINISHED_NXDOMAIN"
Dane • 4mo ago
what's your domain?
tjh (OP) • 4mo ago
DMd
Dane • 4mo ago
You may just need to wait a bit
both www and bare domain are coming up fine for me
tjh (OP) • 4mo ago
really
hmm I've just flushed my DNS and looks like it's working for me too
it's always DNS
Dane • 4mo ago
Glad it's working! DNS is a pain for sure, especially when you add on proxies and SSL rules
tjh (OP) • 4mo ago
🙏
tjh (OP) • 4mo ago
@Brody if it's useful, LMK if you'd like me to write up the steps I (Dane) just took to make this work, for this page: https://docs.railway.app/guides/public-networking
Brody • 4mo ago
catch me up, what was the final nail in the coffin to make this work?
Solution
tjh • 4mo ago
I had to
1. create a custom domain in railway for my bare domain
2. create a CNAME for bare domain, pointing to the railway host
3. create a CNAME for www pointing to @
4. enable Universal SSL
5. create a bulk redirect pointing www. to bare domain
tjh (OP) • 4mo ago
going to check out for now and hope nothing breaks - thanks again Dane
Brody • 4mo ago
i would love a pr to add that to the docs
tjh (OP) • 4mo ago
Yeah I can do that, where's the repo?
Brody • 4mo ago
scroll down
tjh (OP) • 4mo ago
@Brody have submitted PR
Brody • 4mo ago
awesome, I will look at that
merged, thanks again!