2
votes

A site that has been developed for a client should live on the domain test.clientdomain.com; obviously I'm not in control of this domain.

I'm hosting the website on test.mydomain.com using CloudFlare as DNS. On my server I have a self-signed SSL certificate and I use the SSL option Full SSL on CloudFlare.

Because the IP address of the production server might change, I don't want to give the client the IP address of this server (so he could add an A record in his DNS file). I want them to add a CNAME record pointing test.clientdomain.com to my test.mydomain.com. In this case, if the IP address changes, I can change it in my DNS file and the customer needn't worry. To make this work I also set up a vhost file that looks like this:

<VirtualHost *:80>
    ServerName test.clientdomain.com
    ServerAlias *.test.clientdomain.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/test.mydomain.com

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/www/html/test.mydomain.com>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride all
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

This setup works fine for HTTP. When I want to add HTTPS I create a vhost record for port 443 as well:

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName test.clientdomain.com
        ServerAlias *.test.clientdomain.com

        DocumentRoot /var/www/html/test.mydomain.com

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on

        SSLCertificateFile    /etc/apache2/ssl/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache.key

        <Directory /var/www/html/test.mydomain.com>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride all
            Order allow,deny
            # "Order allow,deny" with no Allow directive denies everything,
            # so the same "allow from all" as in the port 80 vhost is needed here
            allow from all
        </Directory>

        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    </VirtualHost>
</IfModule>

I turn on the CloudFlare proxy so all requests are proxied through CloudFlare but for some reason it gives me the following error:

SSL connection error

ERR_SSL_PROTOCOL_ERROR

I have a couple of other web applications running on this Apache, all with a vhost file for HTTP and HTTPS, and they are working perfectly (so there's no problem with the self-signed certificate); the only difference is that in this case the request first goes to a completely separate domain (test.clientdomain.com) instead of directly to my own domain *.mydomain.com.

So to summarize, DNS file for test.clientdomain.com would have:

CNAME test.clientdomain.com -> test.mydomain.com

DNS file for test.mydomain.com would have:

CNAME test.mydomain.com -> production.mydomain.com
A production.mydomain.com -> 123.123.123.123 (IP address of my production server)

Do I need to configure something differently for this use case?

2

Are you saying Cloudflare lets you set up a vhost file on their edge?! – wick

2 Answers

1
votes

As I understand from your question, you are using the same certificate for the various web applications that are running on that Apache. So it must be a certificate for test.mydomain.com, production.mydomain.com or *.mydomain.com.

But, for this access, you need a certificate for test.clientdomain.com. Otherwise, the certificate's name won't match the name in the URL, so it wouldn't be possible to continue. I don't know the CloudFlare proxy, so I can't tell if that error really makes sense with the disparity in the names or whether you have another added problem.

I should have asked for more information on this, but I don't have enough reputation for a comment. Hope this helps.
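The name-matching point above can be checked without touching a live server. The following is an added example, not code from the question or from either answer: it follows the CNAME chain from the question's summary with a small resolver over constructed zone data, then applies RFC 6125-style hostname matching to a constructed SAN list for the origin certificate (assumed here to cover *.mydomain.com, which is one of the possibilities the answer names). The 123.123.123.123 address is the placeholder the poster used. It shows that both names reach the same address, while the TLS client always sends and verifies the URL host name (test.clientdomain.com), never the CNAME target.

```python
"""Added example: CNAME chain resolution plus certificate name matching.
Zone data and SAN list are constructed from the names used in the question."""

# Constructed zone data, copied from the question's DNS summary.
ZONES = {
    "test.clientdomain.com": ("CNAME", "test.mydomain.com"),
    "test.mydomain.com": ("CNAME", "production.mydomain.com"),
    "production.mydomain.com": ("A", "123.123.123.123"),  # poster's placeholder IP
}

# Constructed SAN list for the origin certificate: one of the three name
# possibilities the answer lists (a wildcard for the poster's own domain).
ORIGIN_CERT_SANS = ["*.mydomain.com", "mydomain.com"]


def resolve(name, zones=ZONES, max_hops=8):
    """Follow CNAMEs the way a resolver does and return (final_name, address, chain).
    Raises LookupError on a missing record, a CNAME loop or too many hops."""
    chain = [name]
    for _ in range(max_hops):
        rtype, target = zones.get(name, (None, None))
        if rtype == "A":
            return name, target, chain
        if rtype != "CNAME":
            raise LookupError(f"no record for {name}")
        if target in chain:
            raise LookupError("CNAME loop: " + " -> ".join(chain + [target]))
        chain.append(target)
        name = target
    raise LookupError("too many CNAME hops")


def dns_name_matches(pattern, hostname):
    """RFC 6125-style match: a leading '*' matches exactly one label, so
    *.mydomain.com covers test.mydomain.com but not a.b.mydomain.com or
    mydomain.com itself. Anything else must match exactly (case-insensitive)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(san_names, hostname):
    """True if any SAN entry matches the host name the client is verifying."""
    return any(dns_name_matches(p, hostname) for p in san_names)


def tls_check(url_host, san_names, zones=ZONES):
    """What a browser does for https://<url_host>/: resolve the name (following
    CNAMEs), connect to the address, send SNI = url_host, and verify the
    certificate against url_host. The CNAME target never enters the TLS check."""
    _, addr, chain = resolve(url_host, zones)
    return {
        "connect_to": addr,
        "chain": chain,
        "sni": url_host,
        "cert_ok": cert_covers(san_names, url_host),
    }


if __name__ == "__main__":
    for host in ("test.mydomain.com", "test.clientdomain.com"):
        r = tls_check(host, ORIGIN_CERT_SANS)
        print(host, "->", " -> ".join(r["chain"]), "@", r["connect_to"],
              "| SNI:", r["sni"], "| cert matches:", r["cert_ok"])
```

Running it prints that test.mydomain.com and test.clientdomain.com both resolve to the same address, but only the first matches a *.mydomain.com certificate. The same `cert_covers` check with the real SAN list from `openssl x509 -noout -ext subjectAltName -in /etc/apache2/ssl/apache.crt` tells you whether the origin certificate could ever satisfy a client that asks for test.clientdomain.com.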

0
votes

Generally speaking, you can't use the Cloudflare CDN benefits for a CNAME from an external domain, but you can still make use of Cloudflare nameservers and DNS zone management if the CDN part is not important to you.

Just make sure the CDN is deactivated for the target subdomain in your zone (test.mydomain.com in your case) and then the incoming requests will be routed directly to your server.

You can tell if the CDN is activated or deactivated for a given subdomain by looking at the cloud icon on the right of its DNS entry: if the cloud is orange the CDN is active, if it is gray, it isn't.

Cloudflare also supports external CNAME resolution in their CDN infrastructure (i.e. providing all its CDN benefits), but it's only available for its Enterprise customers:
https://support.cloudflare.com/hc/en-us/articles/217371987-Managed-CNAME