Should I Proxy Cloudflare Pages Custom Domain - dns

I have a static site using Cloudflare Pages.
I am not using any custom reverse proxy functionality provided by the Cloudflare CNAME DNS Proxy i.e. when you tell Cloudflare to use an A record instead of CNAME to reverse proxy the request to your upstream.
By default, when setting up a custom domain on Cloudflare Pages, Cloudflare sets the DNS CNAME to "Proxy". I have disabled this, because I assume this will cause a small performance hit due to the extra proxy hop.
Does anyone have any deeper understanding of this?
My contrary thought is that maybe the Cloudflare Pages team is relying on the caching of the reverse proxy instead of providing more edge node asset distribution on the Pages nodes.

"I have disabled this, because I assume this will cause a small performance hit due to the extra proxy hop."
That's true. I was getting consistent ~200ms response time to a cached static site –let's call it foo.com– and ~110ms for foo.pages.dev.
By turning Proxy off, I am getting ~110ms response time for both foo.com and foo.pages.dev.
My only doubt was if they generated SSL certificates for non-proxied domains, but turns out they do.
Proxy is enabled by default just in case you'll need some of the other services Cloudflare offers for managed domains, such as Analytics, Page Rules, custom DDoS protection, custom cache... Those services won't work for your custom domain if you opt out of the Proxy (although you'll still get DDoS protection and cache through Cloudflare Pages).
Just remember that if you have www.foo.com pointing to foo.com with a Bulk Redirect, Page Rule or Dynamic Redirect, that CNAME does have to be proxied so that the redirect works, as they explain in the documentation.

Related

How to mask a subdomain URL with CNAME record?

I need to mask the subdomain URL http://3477er.domainB.com with https://sub.domainA.com Both in different servers.
So I create the "sub" alias in domainA server pointing to https://34tter.domainB.com with a CNAME record and waited for its propagation.
I thought I should see http://3477er.domainB.com content when I type http://sub.domainA.com in browser. Instead I get the message DNS_PROBE_FINISHED_NXDOMAIN. Isn't this the way a CNAME record works?
Is there any other way to achieve my subdomain masking goal?
If you are receiving a DNS_PROBE_FINISHED_NXDOMAIN error, it means one of the subdomains you listed is not resolving to an IP address. I would test both subdomains here -
https://mxtoolbox.com/DNSLookup.aspx
There are a couple important notes here though -
This will only work if the server on domainB has a binding setup for either any (wildcard) domains (usually bad idea), or a binding specifically for your domainA subdomain.
This will only hide your domainB subdomain on a very basic level, if this is what you need. So, in other words, hiding it from non-tech savvy users. It can't be relied upon if security is a concern, since someone could easily find domainB with a DNS lookup.
To truly mask the 'origin' server, you'd need to implement a proxy. This could either be done by making the requests on your domainB server itself, or by using serverless tech (such as Cloudflare Workers, AWS Lambda, etc.). However, this still won't prevent people making requests directly to domainA if they do discover it.

How to force route users to HTTP

Just updated our website, and migrated our DNS routing to the new server. The issue we are having now, is sometimes when a user types in our website 'example.com', it will sometimes route them to an HTTPS://example.com which isn't currently enabled.
Is there a way to have users routed to our HTTP://example.com instead of HTTPS://example.com, while we are waiting for SSL to be enabled on the new site?
No.
DNS is for resolving the hostname (example.com) to an IP address. You can't tell the browser to use HTTPS or HTTP via DNS.
I'm assuming that in the past, you've supported HTTPS. Once you've done that, the browsers often remember. The best thing to do is get your certificate in place ASAP. You can use Let's Encrypt and Certbot and be done in a couple of minutes in most cases.

How to fix ERR_TOO_MANY_REDIRECTS on custom github pages domain?

So I had github pages set up with a custom domain without problem on namecheap a day ago. Then I tried switching to Https via github's newly added support for https on pages. After too much frustration I switched over to CloudFlare for Https but I'm now getting an error ERR_TOO_MANY_REDIRECTS
Here's my DNS settings on CloudFlare.
Check your SSL setting in the Crypto tab. You should have it set to "Full". If it is set to "Flexible", then Cloudflare will use HTTP to connect to the origin, even when the client browser connects to Cloudflare over HTTPS. GitHub is probably responding with a redirect to HTTPS in this case -- not realizing that the original client is already using HTTPS, and so this redirect creates a loop.
More info here:
https://support.cloudflare.com/hc/en-us/articles/115000219871
The two typical causes of redirect loop errors are:
Cloudflare SSL options that are incompatible with your origin web server's configuration, and
Page Rule misconfiguration.
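The loop described in the answer above can be reproduced offline with a small model. This is an added example, not code from the original posts; the origin behaviour (always redirect HTTP to HTTPS), the function names and the treatment of "full" as forwarding the visitor's scheme are assumptions of the model.

```python
from urllib.parse import urlsplit

def origin_response(scheme, host, path):
    """Constructed origin: enforces HTTPS by redirecting every plain-HTTP request."""
    if scheme == "http":
        return 301, f"https://{host}{path}"
    return 200, None

def edge_fetch(client_url, ssl_mode):
    """Model of the proxy choosing the scheme for its own request to the origin."""
    parts = urlsplit(client_url)
    if ssl_mode == "flexible":
        origin_scheme = "http"          # always HTTP to the origin, even for HTTPS visitors
    elif ssl_mode == "full":
        origin_scheme = parts.scheme    # assumption: the visitor's scheme is passed through
    else:
        raise ValueError(f"unknown ssl_mode: {ssl_mode}")
    return origin_response(origin_scheme, parts.hostname, parts.path or "/")

def follow_redirects(start_url, ssl_mode, max_hops=20):
    """Follow redirects as a browser would; return (outcome, list of URLs requested)."""
    url, visited = start_url, []
    while len(visited) < max_hops:
        visited.append(url)
        status, location = edge_fetch(url, ssl_mode)
        if status == 200:
            return "ok", visited
        if location in visited:         # redirected back to a URL already requested
            return "redirect_loop", visited + [location]
        url = location
    return "too_many_redirects", visited

if __name__ == "__main__":
    for mode in ("flexible", "full"):
        for start in ("http://example.com/", "https://example.com/"):
            print(mode, start, follow_redirects(start, mode))
```

In the flexible case the origin never sees an HTTPS request, so its redirect to HTTPS can never be satisfied, which is what the browser reports as ERR_TOO_MANY_REDIRECTS.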
You can update it in the Custom domain setting of GitHub Pages:
https://github.com/yourusername/yourusername.github.io/settings/pages
Custom domains allow you to serve your site from a domain other than xxx.com with www; I cleared this issue this way.

Heroku Naked SSL Custom Domain

I'm trying to find a current, up to date answer for setting up naked domain with Godaddy and Heroku SSL. My goal is for all pages to land on a secure page at https://www.example.com
https://www.example.com does go to a secure page.
example.com goes to an insecure page.
https://example.com does not work.
My current set up is as follows:
In heroku settings:
Domain Name | DNS Target
example.com | example.com.herokudns.com
www.example.com | www.my-domain.herokudns.com
Go Daddy Settings:
CNAME | www | www.example.com.herokudns.com
Forwarding settings:
Forward to: https:// | www.example.com
Yeah, it's a pretty stupid issue that some of the big DNS manager providers out there still have. The way to solve it is to have a server with an SSL certificate installed, and then point your naked domain to that static IP. The server then will redirect to the "www" version of your domain, which is now served under SSL by Heroku. Tedious.
If you don't want to do all that, just use https://www.nakedssl.com, which does exactly that – but automated (and for free for one domain).
Disclaimer: I'm part of the team that created NakedSSL, but I hope you take this as help and not as self-promotion. As explained above, the problem is as easy as tedious to solve, and I think NakedSSL is a pretty straightforward workaround.
Root domains on Heroku require the use of ALIAS, ANAME or FLATTENING records.
Unfortunately, a number of popular DNS hosts such as GoDaddy, Bluehost, Google Domains, OVH, Hostinger and others do not support these types of records. Many of these providers will tell you there is no such thing as ALIAS, ANAME or FLATTENING records and many of these providers will tell you to set an A record instead; however:
A records do not work with Heroku for routing.
A records require static IP addresses and static IP addresses do not work with Heroku for routing, because Heroku (and many other cloud platforms) use dynamic IPs.
Instead, you can either:
Not use a naked domain and just use your www sub domain
Redirect/ Forward your HTTP root domain to your www sub domain. This won't work for your HTTPS root domain though
Use an Alternate DNS Provider. Heroku recommends the following: https://help.heroku.com/NH44MODG/my-root-domain-isn-t-working-what-s-wrong
Solved it.
Best way to get SSL set up is to use this package which automatically makes every page on your app SSL. Fantastic package. https://www.npmjs.com/package/force-ssl-heroku
Getting the naked domain set up with Godaddy easily: Set forwarding to your domain: https://www.my-domain.com. This will redirect non www to the correct place. :)
I believe naked subdomains or wildcards are not supported by Heroku automated certs because of the Let's Encrypt restrictions. So you need to set up a subdomain every time you want to use Heroku's automatic certs.
ALSO VERY IMPORTANT! Don't forget to remove or edit any unsecured links to external assets. Otherwise browsers will judge the page with those links unsecured, as described in the Mozilla support page about mixed content.
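One way to find the unsecured asset links mentioned in the last answer before switching a site to HTTPS, as an added example that is not from the original posts. The tag and rel lists are a working selection rather than a complete one, and the sample HTML and its host names are constructed.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch a subresource (working selection).
SUBRESOURCE_ATTRS = {
    ("script", "src"), ("img", "src"), ("iframe", "src"), ("audio", "src"),
    ("video", "src"), ("source", "src"), ("embed", "src"), ("object", "data"),
    ("link", "href"),
}
# <link> only loads something for these rel values; rel="canonical" etc. do not.
LOADING_RELS = {"stylesheet", "icon", "preload", "modulepreload", "manifest"}

class MixedContentFinder(HTMLParser):
    """Collects subresource URLs that would be fetched over plain HTTP."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        rels = set((dict(attrs).get("rel") or "").lower().split())
        for name, value in attrs:
            if (tag, name) not in SUBRESOURCE_ATTRS or not value:
                continue
            if tag == "link" and not (rels & LOADING_RELS):
                continue
            # Scheme match is case-insensitive; "//host/x" inherits the page's scheme.
            if value.strip().lower().startswith("http://"):
                self.findings.append((self.getpos()[0], tag, name, value))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page.
SAMPLE_HTML = """\
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="https://cdn.example.net/app.js"></script>
<script src="//cdn.example.net/lib.js"></script>
<img src="HTTP://img.example.net/logo.png">
<a href="http://other.example.org/">plain link</a>
"""

if __name__ == "__main__":
    for line, tag, attr, url in find_mixed_content(SAMPLE_HTML):
        print(f"line {line}: <{tag} {attr}> loads {url}")
```

Ordinary `<a href>` links and `rel="canonical"` are navigation or metadata, not fetched assets, so the scanner leaves them out.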

How to resolve HTTP and HTTPs config in DNS level?

I have my domain pointed in Cloudflare with SSL. My website runs with HTTPS protocol. The reason I mention them running is this.
I have my blog at Blogspot and want to give it a custom domain name, which Google allows. Unfortunately Google won't allow HTTPS there. I had created my blog like this in DNS as blog.domain.com, which runs as https://blog.domain.com, and if I host this subdomain via GitHub, it opens correctly. The problem is when I use this subdomain in Blogger, then there arises a conflict and my site goes offline. Where am I mistaken in setting up all this?
Don't enable full or restricted SSL option in Cloudflare. Use flexible SSL instead. This will set things up correctly.
