How to point a client's subdomain to Cloudflare and then to Railway?
Hi there, we want to achieve the following:
subdomain.client.com -> subdomain.our-domain.com -> our-app.up.railway.app
Right now, we instructed our client to create a CNAME subdomain.client.com -> subdomain.our-domain.com
And we have in our Cloudflare this CNAME subdomain.our-domain.com -> some-app.up.railway.app
But the problem arises when we turn on the Cloudflare proxy for the CNAME subdomain.our-domain.com -> some-app.up.railway.app. With the Cloudflare Proxy, we're getting ERR_SSL_VERSION_OR_CIPHER_MISMATCH when visiting subdomain.client.com in a Chrome-based browser.
Everything works fine without Cloudflare proxy, but we want to use Cloudflare's features.
The SSL/TLS encryption mode is Full, and we have no Page Rules set.
Is it possible to have this setup with Cloudflare proxy turned on?

15 Replies
Project ID:
fd3a1eb3-4d39-45cf-9eb9-e39101d6eee5
How does it not work?
Like what errors does it give?
We're getting ERR_SSL_VERSION_OR_CIPHER_MISMATCH via a Chrome-based browser.
Or if subdomain.client.com is requested via curl - curl: (35) LibreSSL/3.3.6: error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure
railway does host based routing, if subdomain.client.com isn't listed in the domains of the service it won't work for a few reasons:
- that domain won't have ssl issued by railway
- railway won't know where to route the traffic to that comes from that domain
two options (that i can think of)
- add subdomain.client.com to your service's domains and ask your client to set the cname to our-app.up.railway.app (or the auto generated cname)
- use a proxy service to proxy traffic to subdomain.our-domain.com with host masking (mask to subdomain.our-domain.com since that domain is in your railway service) that will also issue you your own cert, i know fastify can do this, don't know if cloudflare can
Got it, thanks
The subdomain.client.com is listed in Railway and it is showing "Cloudflare proxy detected", so from that point it should be all good 🤔
can you send the actual domain?
I'll send you a PM
you said you have subdomain.client.com in the service's domains, and it's set to full in cloudflare, given that information i think you have it all set up correctly.
and with that said i have seen ERR_SSL_VERSION_OR_CIPHER_MISMATCH many times, each time it has always worked itself out within a few hours, ssl cache or something
Yes, I will wait a bit more then. I enabled the Cloudflare proxy around 12 hours ago. It might need some more time.
I also found a similar problem on Cloudflare community https://community.cloudflare.com/t/cname-tls-issue-from-cloudflare-to-cloudflare-domain/205005
interesting, you have been getting the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error for 12 hours?
Yep, seems like we need to use Cloudflare for SaaS https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/
sounds good, let me know how that goes!
Works well, but you need a paid plan to use it. I will try on my private plan to see if it works and post a solution here.
You need to enter your payment details for this to work. But once you're on a paid plan, you go to SSL/TLS in Cloudflare and go to Custom Hostnames. There, you can add your client's domains and verify them either via HTTP (quicker way) or via TXT files.
So far it works great for us.
awesome, glad to hear it
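
A diagnostic for the symptom discussed in this thread, added here as an example and not posted by any participant: it handshakes with SNI set to each hostname and reports whether the server aborts the handshake or presents a certificate that does not cover the name. The function names `san_covers` and `probe` are this example's own.

```python
import socket
import ssl
import sys


def san_covers(hostname, san_names):
    """Return True if any certificate DNS name covers hostname.

    A wildcard matches exactly one left-most label (RFC 6125).
    """
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def probe(hostname, port=443, timeout=5.0):
    """Handshake with SNI set to hostname; return (verdict, detail)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # compare names ourselves to report a mismatch
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                alt = tls.getpeercert().get("subjectAltName", ())
    except ssl.SSLCertVerificationError as exc:
        return "untrusted-chain", str(exc)
    except ssl.SSLError as exc:
        # Server aborted the handshake: the symptom reported in this thread
        # (curl error 35, ERR_SSL_VERSION_OR_CIPHER_MISMATCH in Chrome).
        return "handshake-failed", str(exc)
    sans = [value for kind, value in alt if kind == "DNS"]
    return ("ok" if san_covers(hostname, sans) else "name-mismatch"), sans


if __name__ == "__main__":
    # Hostnames come from the command line, e.g. the client's subdomain and
    # your own subdomain, so the two results can be compared side by side.
    for host in sys.argv[1:]:
        print(host, *probe(host))
```

Run it with both the client's hostname and your own as arguments; a `handshake-failed` verdict for only the client's name means the edge has no certificate for that hostname yet.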