I'm working on an app that allows users to link their own custom domains to their static HTML websites. Currently, my setup routes requests from a custom domain (like customdomain.app) to a Lambda function, which finds the correct file path, and then goes through CloudFront to my S3 bucket. However, I'm hitting a snag because I can only associate one SSL certificate with my CloudFront distribution.
Right now, I have a single CloudFront distribution and one S3 bucket for everything. It works for app-generated URLs (like custom.myapp.app) since I set up a wildcard SSL certificate (*.myapp.app) and added that as an alternate domain name in CloudFront. But I'm struggling with how to handle multiple custom user domains.
I've tried a couple of things:
1. I set up Cloudflare and asked users to create a CNAME record pointing to proxy.myapp.app, but it didn't work because Cloudflare doesn't allow CNAME-to-CNAME.
2. I also suggested that users point their CNAME directly to my CloudFront URL, but that failed too due to the lack of a corresponding SSL certificate.
I'm wondering what my options are. Should I set up a separate Nginx server to track all custom domains and serve them over HTTPS before rewiring to CloudFront? Or would it be better to create multiple CloudFront distributions for each user? Is there a way to modify the existing AWS certificate to include user domains dynamically, while managing it correctly? I'm looking for a structural solution rather than just increasing AWS quotas. Any alternatives?
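Whichever routing option is chosen, the onboarding step where a user "creates a CNAME record pointing to proxy.myapp.app" is also the point to prove the user controls the domain before any certificate is requested or tenant attached for it. The check below is an added example, not code from the question; it assumes a `lookup` callable that returns a name's CNAME target (or None), and uses a constructed in-memory zone instead of live DNS.

```python
"""Added example (not from the original question): confirm that a user's
custom domain really CNAMEs to our proxy host before attaching it to a
CloudFront tenant or requesting a certificate for it. `lookup` is an
assumed callable returning the CNAME target of a name, or None."""

MAX_HOPS = 8  # upper bound on CNAME chain length

def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so comparisons are exact."""
    return name.strip().rstrip(".").lower()

def resolve_cname_chain(domain, lookup, max_hops=MAX_HOPS):
    """Follow CNAMEs from `domain` and return the list of names visited.

    lookup(name) returns the CNAME target of `name`, or None when the name
    has no CNAME (it is an A/AAAA record, or it does not exist)."""
    chain = [normalize(domain)]
    seen = {chain[0]}
    for _ in range(max_hops):
        target = lookup(chain[-1])
        if target is None:
            return chain
        target = normalize(target)
        if target in seen:  # CNAME loop: fail closed instead of spinning
            raise ValueError(f"CNAME loop detected at {target}")
        chain.append(target)
        seen.add(target)
    raise ValueError(f"CNAME chain longer than {max_hops} hops")

def verify_custom_domain(domain, expected_target, lookup):
    """True only when the chain from `domain` ends exactly at expected_target.

    Exact match on purpose: a substring or prefix test would also accept a
    name such as proxy.myapp.app.other.example, which is not our host."""
    return resolve_cname_chain(domain, lookup)[-1] == normalize(expected_target)

# Constructed sample zone (not real DNS data): name -> CNAME target.
SAMPLE_ZONE = {
    "www.customdomain.app": "Proxy.MyApp.app.",        # direct, passes
    "blog.customdomain.app": "cdn.customdomain.app",    # two hops, passes
    "cdn.customdomain.app": "proxy.myapp.app",
    "bad.example": "proxy.myapp.app.other.example",     # look-alike, fails
    "loop-a.example": "loop-b.example",                 # CNAME loop, error
    "loop-b.example": "loop-a.example",
}

def sample_lookup(name):
    """Stand-in for a real resolver query; returns None for unknown names."""
    return SAMPLE_ZONE.get(name)
```

A name fronted by a proxy that flattens CNAMEs resolves to A records, so `lookup` returns None and the check fails; such setups need a different proof of control, for example a TXT record token.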
2 Answers
I faced a similar situation and resolved it by using Cloudflare for SSL termination instead of managing SSL on CloudFront directly. It allows you to route traffic to your CloudFront distribution; A/CNAME records should work fine as long as users set them up correctly. This way, you're offloading SSL management to Cloudflare, which has made everything much simpler for me!
Interesting approach! Did you have to manage anything manually on Cloudflare, especially relating to SSL certificates?
Not too much! I just ensured that the SSL settings at Cloudflare were configured properly, and it took care of the rest when they routed traffic to my CloudFront.
You might want to look into the new CloudFront SaaS manager feature. It could help manage multiple custom domains with the right SSL setups, streamlining your process without a complete overhaul. Check out the AWS blog for details on how it can reduce your operational workload. Might just be what you need!
Thanks for the tip! I saw the feature but have some questions about pricing and how to programmatically create tenants. Do you know if they charge per tenant, and can you set everything up automatically?
You definitely can set those up programmatically with the SDK. Confirming those details might take a bit of navigation through the documentation, but it's usually straightforward.