I have a CakePHP web app hosted on app.mydomain.com. Its DNS is managed by Cloudflare and I am using Cloudflare's free SSL.
Now I want a client to use his domain as a white label.
app.clientdomain.com ------> app.mydomain.com
This is not a domain redirection. I tried to find out, and it seems to be something with custom CNAME pointing. Any help regarding this is really appreciated.
It is necessary for the app to have an SSL. The app.mydomain.com has an SSL, but the client might not. How do I cope with that?
I understand I can just tell the client to set A records to my server IP, but that is not what I want. I do not want to give away my IP and would like to use my Cloudflare as the DNS resolver.
I have tried searching everywhere for this and couldn't find much. If you could also tell me what this is called, I can hopefully search more about it.
Thank You :)
Compare to similar applications
What is described in the question is a fairly standard thing. Compare with the equivalent instructions from, for example, Google Apps:
Follow the instructions that appear to add a CNAME record for each service address you're customizing. To add a CNAME record, sign in to your account at your domain host's website, not with Google.
For example, to create the Gmail address mail.yourdomain.com, add a CNAME record that points mail to ghs.googlehosted.com. Your domain host records will look something like this:
-----------------------------------------------
| Type  | Name or Host | Value or Address     |
-----------------------------------------------
| CNAME | mail         | ghs.googlehosted.com |
| CNAME | calendar     | ghs.googlehosted.com |
-----------------------------------------------
SSL
It is necessary for the app to have an SSL.
You're likely to have problems with this, because Cloudflare isn't likely to even route requests that hit it for app.clientdomain.com unless that domain name exists on their servers. If you continue to use Cloudflare's free plan, you or the client are going to have to add their domain to Cloudflare so that it'll route requests, and if the client wants to use their own SSL certificate, that certificate needs uploading to Cloudflare (which means you or they need a Business plan), as that's where requests for app.clientdomain.com are going to go.
All in all, if this is your business plan, it seems incompatible with using Cloudflare, unless the idea is to force clients to use Cloudflare too.
I'm trying to find a current, up-to-date answer for setting up a naked domain with GoDaddy and Heroku SSL. My goal is for all pages to land on a secure page at https://www.example.com
https://www.example.com does go to a secure page.
example.com goes to an insecure page.
https://example.com does not work.
My current setup is as follows:
In Heroku settings:
Domain Name     | DNS Target
----------------+-----------------------------
example.com     | example.com.herokudns.com
www.example.com | www.my-domain.herokudns.com
GoDaddy settings:
Type  | Name | Value
------+------+-------------------------------
CNAME | www  | www.example.com.herokudns.com
Forwarding settings:
Forward to: https:// | www.example.com
Yeah, it's a pretty stupid issue that some of the big DNS manager providers out there still have. The way to solve it is to have a server with an SSL certificate installed, and then point your naked domain to that static IP. The server then will redirect to the "www" version of your domain, which is now served under SSL by Heroku. Tedious.
If you don't want to do all that, just use https://www.nakedssl.com, which does exactly that – but automated (and for free for one domain).
Disclaimer: I'm part of the team that created NakedSSL, but I hope you take this as help and not as self-promotion. As explained above, the problem is as easy as tedious to solve, and I think NakedSSL is a pretty straight forward workaround.
Root domains on Heroku require the use of ALIAS, ANAME or FLATTENING records.
Unfortunately, a number of popular DNS hosts such as GoDaddy, Bluehost, Google Domains, OVH, Hostinger and others do not support these types of records. Many of these providers will tell you there is no such thing as ALIAS, ANAME or FLATTENING records, and many of them will tell you to set an A record instead. However:
A records do not work with Heroku for routing.
A records require static IP addresses, and static IP addresses do not work with Heroku for routing, because Heroku (and many other cloud platforms) use dynamic IPs.
Instead, you can either:
Not use a naked domain and just use your www subdomain.
Redirect/forward your HTTP root domain to your www subdomain. This won't work for your HTTPS root domain, though.
Use an Alternate DNS Provider. Heroku recommends the following: https://help.heroku.com/NH44MODG/my-root-domain-isn-t-working-what-s-wrong
Solved it.
The best way to get SSL set up is to use this package, which automatically makes every page on your app SSL. Fantastic package. https://www.npmjs.com/package/force-ssl-heroku
Getting the naked domain set up with GoDaddy easily: set forwarding to your domain, https://www.my-domain.com. This will redirect non-www to the correct place. :)
I believe naked subdomains or wildcards are not supported by Heroku automated certs because of Let's Encrypt restrictions. So you need to set up a subdomain every time you want to use Heroku's automatic certs.
ALSO VERY IMPORTANT! Don't forget to remove or edit any unsecured links to external assets. Otherwise browsers will judge the page with those links as unsecured, as described in the Mozilla support page about mixed content.
I recently started using Linode to host my site.
Prior to using Linode, I normally used hosting offered by my domain registrar. In those cases, I thought I understood how DNS worked, because the registrar automatically updated your DNS records to point to the server hosting the site.
When following Linode's guide to setting up a website: https://www.linode.com/docs/websites/hosting-a-website
Their instructions tell you to set the DNS servers as:
ns1.linode.com
ns2.linode.com
ns3.linode.com
...
But the point I am making is that ANYONE can open an account on Linode and fill in the same DNS settings! So now anyone trying to access your website could be directed to someone else who wants to pretend to be your site!
Am I correct in understanding how DNS works? I know that the only way to ensure (from a visitor's perspective) that a site being visited is actually the domain intended is to install a certificate (HTTPS) etc. But based on the above instructions, it seems almost trivial to pretend to be someone else, if they also use Linode.
I am not an expert on DNS, so my answer may be mistaken, but I had the same question so I looked into this.
I think your understanding is correct, and this seems to be a problem but apparently it happens rarely in practice so hosting providers (including Linode) aren't doing anything about it.
Here is Ryan Quinn from DigitalOcean (another hosting company that has this problem) answering a similar question:
A domain can only exist on one account so any user attempting to add it would not be able to. Cases where a domain already exists or is hijacked are extremely rare (I've seen 3 cases in 2+ years and in each case it was a former owner of the domain who still had records in place). In these rare cases the user can open a support ticket where we will verify the domain whois information against their billing details to verify ownership.
Here is a question on Information Security Stack Exchange that asks the same thing.
In the case of DigitalOcean, I found a post (HackerNews discussion) of someone describing how they took over around 20,000 inactive domain names that pointed to DigitalOcean's nameservers. I haven't found anything similar for Linode, although I imagine basically the same attack is possible (2020 Update: This actually recently happened to someone I know, where their website got taken over by a spammer after they took down their Linode without changing the DNS settings to stop pointing to Linode).
Amazon Route 53 seems to use randomly generated nameservers (rather than Linode/DigitalOcean's constant ns1.linode.com etc.) to make this attack highly unlikely to succeed.
Apparently some other services (Google Apps?) "verify domain ownership by requiring the domain owner to add a TXT record to their domain with a special code."
So what? Someone may use the same DNS servers, but they can't register the same domain. Once you have registered example.org, you own that domain and nobody else will be able to register it.
You have registered example.org and use the following DNS configuration at Linode:
Domain             | Nameserver
-------------------+---------------------
example.org        | ns1.linode.com
example.org        | ns2.linode.com
...                | ...
An "evil hacker" may have registered evil-hacker.com and uses this configuration:
Domain             | Nameserver
-------------------+----------------------
evil-hacker.com    | ns1.linode.com
evil-hacker.com    | ns2.linode.com
...                | ...
example.org        | ns1.linode.com   << Those are the lines that bug you, right?
example.org        | ns2.linode.com
For simplicity's sake let's say that the IP of your site is 1.1.1.1 and the IP of the evil hacker's site is 2.2.2.2. You are worried that because the "hacker" used the same DNS configuration, your site example.org might resolve to 2.2.2.2, right?
This is what happens when I try to resolve example.org:
I connect to the DNS root servers to find out which nameserver is responsible for the org top-level domain.
I connect to the nameserver of the org top-level domain and ask it for the IP address of example.org. The org nameserver is managed by your domain registrar. It will look up the information you entered and tell me to look at one of the Linode nameservers.
I connect to ns1.linode.com and ask it for the IP address of example.org. Linode knows which IP your site has and answers me with 1.1.1.1.
In the above process, I will never see evil-hacker.com or 2.2.2.2. Since our evil hacker (hopefully) can't control the DNS root servers, the nameserver of the org top-level domain, or the Linode nameservers, all DNS requests for your site will be answered by "trusted" name servers.
However, a hacker might intercept DNS traffic from my particular machine. He might install malware that always resolves example.org to his IP address 2.2.2.2 (e.g. via /etc/hosts) or compromise my network router. So using an SSL certificate for your site is still a good idea :).
I am not sure whether these are the correct words to describe the problem, but I will try my best to explain.
Suppose I deployed a cloud service with the name A. Now the client asks me to give him a nicer domain name rather than A.cloudapp.net, so according to that need I gave him the fancy domain name A.myapp.com.
After some time they think A is not a good name and say: give me B. So I change the deployment to B.cloudapp.net and then configure the custom domain name as B.myapp.com.
The client comes again and says: my customers are still using A.myapp.com. Can you do something to redirect them to B.myapp.com, with a message that it has moved to another address?
As far as I know, I used only a CNAME and an A record on the domain registrar. How can I show a message over there that this page has moved to another domain?
If A.myapp.com is no longer in the DNS records, then the only way that it's still working is that the DNS propagation hasn't taken full effect yet. That can take up to a few days. Once that happens, A.myapp.com should no longer resolve. This might also be working if you have a wildcard record for #.myapp.com pointing to the same A.cloudapp.net site.
You can create the A.myapp.com DNS record (if it's not still there) and point it to the same cloudapp.net app again, but then in your cloud app look at the hostname as it comes in on the request. If it is A.myapp.com, show them a specific page that reminds them this is now B.myapp.com and then redirect them.
I am having a bit of a struggle grasping how to use custom domains with my app. It's the common case of having an app that assigns users to subdomains, e.g. user.theapp.com, and they want to use a CNAME so m.theirsite.com resolves to the application. It seems that most services that do this require you to tell them what your custom domain is, and that just adding a CNAME record doesn't work. Steps:
1. User creates an account.
2. We tell them they can make a CNAME entry to yourstuff.theapp.com (which is the current location).
This is my confusion. After 1 & 2 my custom domain still isn't working. So once the client makes that CNAME record and provides us with "m.theirsite.com", what special magic do we do with it to make those sites "the same"?
Thank you in advance.
Our solution was to use PHP/MySQL to solve this. As normal, you should have the external domain/subdomain CNAME'd to your app; however, as you will see, the CNAME entry doesn't need to point to the exact subdomain on the app. Next, you will build an area into your database where a user can tell you what external site they have CNAME'd from. At this point, you will perform most of your authentication on the website based on the HTTP host, either grabbing the subdomain and using it as a client, or checking if the HTTP host is in your list of CNAMEs and then referencing the client from there.
What the CNAME does is just point to a server location, so if you are using wildcards in your Apache configuration, foo.myapp.com resolves to the same location as bar.myapp.com, but the app can use the host to pull out the subdomain and find the client ("foo" and "bar"). When using a CNAME, like m.mywebsite.com --cnamed--> foo.myapp.com, the application no longer has that client information in the HTTP host, and as we mentioned, the Apache wildcard setup (*.myapp.com) just tosses out the subdomain. So because of this the client must tell us "I will be visiting from m.mywebsite.com, so make that a valid host name for my authentication as well."
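The host-based dispatch that both the A.myapp.com to B.myapp.com answer and the CNAME answer above describe, as an added example in Python (not code from either answer). The tenant table, the registered custom hostname and the retired hostname are constructed; in a real app they would come from the database the answer mentions.

```python
"""Host-header routing for a multi-tenant app (added example; tables are constructed)."""
import re
from typing import NamedTuple, Optional

BASE_DOMAIN = "myapp.com"
# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Tenants keyed by their label under the base domain (assumed; normally in the DB).
TENANTS = {"foo": "client-foo", "bar": "client-bar", "b": "client-b"}
# Custom hostnames clients registered with us after CNAMEing them to the app.
CUSTOM_HOSTS = {"m.mywebsite.com": "client-foo"}
# Retired hostnames and where their visitors should be sent (the A -> B case).
MOVED_HOSTS = {"a.myapp.com": "b.myapp.com"}


class Route(NamedTuple):
    action: str            # "serve", "redirect" or "reject"
    tenant: Optional[str]  # tenant id when action == "serve"
    target: Optional[str]  # replacement hostname when action == "redirect"


def normalize_host(host_header: str) -> str:
    """Lower-case and drop an optional :port and trailing dot; Host is untrusted input."""
    return host_header.split(":", 1)[0].strip().lower().rstrip(".")


def route(host_header: str) -> Route:
    host = normalize_host(host_header)
    if host in MOVED_HOSTS:
        # Old name still resolves (wildcard or lingering record): tell the visitor, then redirect.
        return Route("redirect", None, MOVED_HOSTS[host])
    if host in CUSTOM_HOSTS:
        return Route("serve", CUSTOM_HOSTS[host], None)
    suffix = "." + BASE_DOMAIN
    if host.endswith(suffix):
        label = host[: -len(suffix)]
        # The wildcard vhost accepts any name, so the app itself must only serve known tenants.
        if _LABEL.match(label) and label in TENANTS:
            return Route("serve", TENANTS[label], None)
    # Unknown Host: never fall back to a default tenant.
    return Route("reject", None, None)
```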
I currently have my own domain name and dedicated server and I offer different packages to my clients. What I want to be able to do is have them sign up with my website and create a package automatically that they can access via their username as a subdomain e.g.
http://yourusername.mywebsite.com
I currently have DNS entries set up for various subdomains with real information for my website, e.g.
Name    | Type | IP Address
--------+------+-----------
#       | A    | 1.2.3.4
bugs    | A    | 1.2.3.4
support | A    | 1.2.3.4
However, if a new customer signs up, at the moment I have to go and manually create an entry for them with their username in it.
I'm sure I've seen websites that manage to do this automatically. Does anyone have any ideas how, or any other methods that I should be using?
Thanks,
Mark
Since you apparently do not control the name servers, your choices are quite limited. One possibility is to use a wildcard DNS record:
* A 192.0.2.1
where the star will match every name. Not ideal (nonexistent names will also resolve).
The details depend on which DNS server you're using.
One approach is to have some code that opens the DNS zone file and adds the desired records. On Linux with BIND, you will then need to signal the server to get it to re-read the zone file.
With Simple DNS Plus, you can easily add such a DNS record through the included HTTP API. For example:
http://127.0.0.1:8053/updatehost?host=yourusername.mywebsite.com&data=1.2.3.4
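The zone-file approach from the answer above (open the zone file, add the record, then signal the server), as an added example in Python rather than the answer's own code. It shows the checks a sign-up-driven record writer needs before a username becomes a zone entry: label syntax, a reserved-name list, a plain IPv4 value, no duplicate, and a bumped SOA serial. The zone text and the reserved-name list are constructed.

```python
"""Append a per-customer A record to a BIND-style zone (added example; zone text is constructed)."""
import re
from typing import Optional

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
# Labels that must never be handed to a customer who signs up (assumed list).
RESERVED = {"www", "mail", "ns1", "ns2", "bugs", "support", "admin"}
_SOA_SERIAL = re.compile(r"(\bSOA\b[^(]*\(\s*)(\d+)")
_IPV4 = re.compile(r"(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}")

ZONE = """$ORIGIN mywebsite.com.
$TTL 3600
@       IN SOA ns1.mywebsite.com. hostmaster.mywebsite.com. (
            2024010101 ; serial
            7200 3600 1209600 3600 )
@       IN A 1.2.3.4
bugs    IN A 1.2.3.4
support IN A 1.2.3.4
"""

def usable_label(username: str) -> Optional[str]:
    """Return the label for a username, or None if it is not a plain hostname label
    (a value like 'x IN A 6.6.6.6' must never become extra zone syntax)."""
    label = username.strip().lower()
    if not _LABEL.match(label) or label in RESERVED:
        return None
    return label

def bump_serial(zone: str) -> str:
    """Increment the SOA serial so secondaries notice the change."""
    m = _SOA_SERIAL.search(zone)
    if not m:
        raise ValueError("no SOA serial found")
    return zone[: m.start(2)] + str(int(m.group(2)) + 1) + zone[m.end(2):]

def add_customer_record(zone: str, username: str, ip: str) -> str:
    label = usable_label(username)
    if label is None:
        raise ValueError("username is not a usable hostname label: %r" % username)
    if not _IPV4.fullmatch(ip):
        raise ValueError("not an IPv4 address: %r" % ip)
    if re.search(r"^%s\s+IN\s+A\b" % re.escape(label), zone, re.M | re.I):
        raise ValueError("record already exists for %s" % label)
    return bump_serial(zone) + "%-7s IN A %s\n" % (label, ip)
```

After writing the returned text back to the zone file, the server still has to be told to reload it, as the answer says.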
Since you apparently do not control the name servers, your choices are quite limited. Nevertheless, every serious DNS hoster provides you with an API (see for instance Slicehost's API). So you may use this API and write a small program to update the DNS data.
(Footnote: handling paying customers when you do not even control the name servers seems... bad)