Thursday, July 2, 2015

cname record - Handling domain mapping as a SaaS provider



I have looked at similar questions such as this and this, but the answers seem to focus on how to set up virtual hosting. I'm not an expert on it, but I'm more worried about what to do after I have that working. Here's my example:



Let's say I'm a SaaS provider of a service foo. I host at fooservice.com. For each user, they get their own subdomain bob.fooservice.com. I'm pretty sure I can get that part covered. There is lots of documentation on it. Let's also assume that Bob wants the service to appear as a subdomain of his site awesomebob.com. He wants it to be foo.awesomebob.com. I know that what Bob has to do is add a CNAME record from foo.awesomebob.com -> bob.fooservice.com. My question is what do I have to do to make sure that all works on my fooservice server.





  1. Do I have to do anything special to make sure that the address bar stays foo.awesomebob.com?

  2. How can I make sure that only the CNAME foo.awesomebob.com is able to do the domain mapping? On sites like shopify and wordpress, they make you input the domain that is being used for the mapping through an admin panel. What is going on behind the scenes here?

  3. From what I've researched, this would be impossible to do with a single IP address and still have SSL support. Is that correct?


Answer




  1. No, as long as you don't redirect the user, whatever the user types into the address bar is what will stay there. This is a little easy to goof up with autogenerated links that assume the domain name (for instance, your CMS might always use full URLs in links instead of relative ones); this can be corrected, but attention has to be paid.

  2. Assuming you're using shared IPs (as dedicated IPs for each site has lots of problems), you'll need to add a mapping for any domain name that you want to work. If Bob sets up bob.awesomebob.com without telling you, it won't work.
    If you're using Dedicated IPs, then the user could add whatever CNAMEs they wanted and they would work. You could add filtering to your web server to block this behavior.


  3. You can do this with UCC certs, which can have multiple completely different domain names on the cert. They get more expensive as you add more, and it's somewhat difficult to add/remove domains from the cert.
    If you only allow SSL for subdomains of your primary domain (bob.fooexample.com would be ok, bob.awesomebob.com not ok) then you can use a wildcard cert for the domain *.fooexample.com. This doesn't cost too much and you wouldn't need to update it when you add a new subdomain. In either case, the cert can't be an EV cert (no green address bar).
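
The mechanics behind points 2 and 3 of the answer, as an added example that is not part of the original question or answer: a tenant registry that the admin panel fills in only after checking that the customer's CNAME really points at that tenant's subdomain, a request-time Host-header lookup that serves only our own subdomains and registered custom domains, and a check of which hostnames a wildcard cert versus a UCC/SAN list actually covers. The domain names follow the question; the DNS answers and the registry are constructed for the demo (a real deployment would do a real CNAME lookup at registration time).

```python
"""Added example (not from the question or answer): custom-domain verification,
Host-header tenant routing and cert hostname coverage for a SaaS that serves
bob.fooservice.com and customer CNAMEs such as foo.awesomebob.com.
DNS answers below are constructed for the demo, not real lookups."""
from typing import Optional

PRIMARY_DOMAIN = "fooservice.com"

# Constructed stand-in for DNS: name -> CNAME target.  In production this is
# a real lookup (e.g. dnspython) done when the tenant registers the domain.
CONSTRUCTED_CNAMES = {
    "foo.awesomebob.com": "bob.fooservice.com.",
    "shop.awesomebob.com": "bob.fooservice.com.",  # points here, never registered
}


def normalize_host(host: str) -> str:
    """Lowercase, drop any :port and trailing dot from a Host/SNI value."""
    return host.split(":", 1)[0].lower().rstrip(".")


def lookup_cname(name: str, dns=CONSTRUCTED_CNAMES) -> Optional[str]:
    return dns.get(normalize_host(name))


def verify_custom_domain(domain: str, tenant: str, dns=CONSTRUCTED_CNAMES) -> bool:
    """Admin-panel check: the domain must CNAME to *this* tenant's subdomain.
    This is what stops tenant 'mallory' from claiming foo.awesomebob.com."""
    target = lookup_cname(domain, dns)
    return target is not None and normalize_host(target) == f"{tenant}.{PRIMARY_DOMAIN}"


def register_custom_domain(domain: str, tenant: str, registry: dict,
                           dns=CONSTRUCTED_CNAMES) -> bool:
    """Store the domain -> tenant mapping only after the CNAME check passes."""
    domain = normalize_host(domain)
    if not verify_custom_domain(domain, tenant, dns):
        return False
    registry[domain] = tenant
    return True


def resolve_tenant(host: str, registry: dict) -> Optional[str]:
    """Request-time routing on a shared IP: Host header -> tenant, or None.
    Only direct subdomains of fooservice.com and registered custom domains are
    served; a CNAME nobody registered (shop.awesomebob.com) gets nothing."""
    host = normalize_host(host)
    suffix = "." + PRIMARY_DOMAIN
    if host.endswith(suffix):
        label = host[:-len(suffix)]
        return label if label and "." not in label else None
    return registry.get(host)


def cert_covers(host: str, cert_names) -> bool:
    """Does a cert carrying these DNS names (a wildcard or a UCC/SAN list)
    match host?  A wildcard matches exactly one label (RFC 6125), so
    *.fooservice.com covers bob.fooservice.com but not a.bob.fooservice.com
    and not foo.awesomebob.com; the latter needs its own SAN entry."""
    host = normalize_host(host)
    for name in cert_names:
        name = name.lower()
        if name.startswith("*."):
            tail = name[1:]  # ".fooservice.com"
            head = host[:-len(tail)] if host.endswith(tail) else ""
            if head and "." not in head:
                return True
        elif name == host:
            return True
    return False


if __name__ == "__main__":
    registry = {}
    print(register_custom_domain("foo.awesomebob.com", "bob", registry))      # True
    print(register_custom_domain("foo.awesomebob.com", "mallory", registry))  # False
    for h in ("bob.fooservice.com:443", "foo.awesomebob.com", "shop.awesomebob.com"):
        print(h, "->", resolve_tenant(h, registry))
    print(cert_covers("bob.fooservice.com", ["*.fooservice.com"]))
    print(cert_covers("foo.awesomebob.com", ["*.fooservice.com", "foo.awesomebob.com"]))
```

The registry is the answer's "mapping for any domain name that you want to work"; the CNAME check at registration is the part the admin panel does behind the scenes, and it matters because without it one tenant could enter another customer's hostname. Note that passing the CNAME check once does not make the request-time lookup unnecessary: the web server still serves only hosts present in the registry, so filtering happens at both points.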

