SaaS Custom Domains Shield

Secure your custom domains with Cloudflare DDoS protection and WAF while making them blazingly fast with Cloudflare CDN.

Drago Crnjac avatar
Written by Drago Crnjac
Updated over 8 months ago

SaaS Custom Domains integrates with Cloudflare to help you secure your custom domains. We call this SaaS Custom Domains Shield.

Shield puts Cloudflare in front of your custom domains. With Shield you get Cloudflare's DDoS protection, you can use the Cloudflare WAF, the CDN serves cached content from edge servers close to your users for faster page loads, and you can apply Cloudflare Rules and more.

How to enable Shield?

Enabling Shield is simple: select the DNS-01 domain verification challenge when creating your custom domain.

For API users, set the challenge_type field to dns01 when creating the domain.

That's it! Your new custom domain is now ready to use Shield.

The default setting for custom domains is to use the HTTP-01 challenge. You'll notice a few differences once you decide to use the DNS-01 challenge.

DNS records

There are two main differences when it comes to DNS records.

  1. Proxy CNAME record difference — the CNAME record for the custom domain hostname should point to shield.saascustomdomains.com instead of in.saascustomdomains.com.

  2. Domain ownership verification — an additional CNAME record is required to verify domain ownership.

Proxy CNAME record difference

There are two ways to route custom domain traffic to SaaS Custom Domains servers: through in.saascustomdomains.com or through shield.saascustomdomains.com.

You choose between them when you create the CNAME record for the custom domain hostname, by setting its value to either in.saascustomdomains.com or shield.saascustomdomains.com.

in.saascustomdomains.com resolves directly to our anycast IP addresses, which route your custom domain traffic to the closest SaaS Custom Domains server region.

shield.saascustomdomains.com first routes your custom domain traffic to Cloudflare's servers, enabling all the Cloudflare features mentioned above, and Cloudflare then forwards the traffic to our servers.

This extra hop may sound like your requests will be slower, but in practice page loads are faster: Cloudflare's CDN serves cached content from its distributed network of edge servers, close to the user, so only uncached requests travel all the way to our servers.

Do root domains work with Shield?

Root domains can also benefit from Shield, but your DNS provider has to allow a CNAME record, or an ALIAS record, on the root domain so you can point the domain to shield.saascustomdomains.com. A plain CNAME is not allowed at the zone apex by the DNS standard, so providers that support this flatten it: Cloudflare is one of the DNS providers that allows CNAME records on root domains through CNAME flattening.

Domain ownership verification

Since Shield requires you to use the DNS-01 challenge, you need to verify domain ownership by creating an additional _acme-challenge CNAME record that delegates the ACME DNS-01 validation to us. If you are creating the custom domain company.com, that CNAME record looks like this:

Type    Host                           Value
CNAME   _acme-challenge.company.com    _acme-challenge.company.com.challenges.saascustomdomains.com

You can find the DNS instructions in your dashboard: click the DNS-01 challenge status badge and a modal with the instructions will pop up.

For API users, when you create the custom domain with the DNS-01 challenge type, the response JSON will contain extra fields:

  • delegated_domain_control_validation_record_hostname

    • This is the hostname part of the CNAME record, e.g. _acme-challenge.domain.com

  • delegated_domain_control_validation_record_value

    • This is the value or content part of the CNAME record, e.g. _acme-challenge.domain.com.challenges.saascustomdomains.com

With these values, you, or your users, can create the domain control validation CNAME record and verify the domain ownership.
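Before waiting on certificate issuance it is worth checking that both records from the sections above (the proxy CNAME to shield.saascustomdomains.com and the _acme-challenge delegation CNAME) are actually published. The following pre-flight checker is an added example, not code from SaaS Custom Domains: the record targets are the ones this article states, the delegated_domain_control_validation_record_* fields are the API response fields listed above, the fallback for root domains (where CNAME flattening or an ALIAS record publishes the target's A records instead of a CNAME) compares the apex's A records with the proxy target's, and the live resolver assumes the dnspython package, which the article does not mention and which is only needed for a real lookup.

```python
"""Pre-flight check for the DNS records a Shield (DNS-01) custom domain needs.

Added example; not code from SaaS Custom Domains. Record targets come from
the article. live_resolver() assumes dnspython (pip install dnspython).
"""
from typing import Callable, Dict, List, Optional

SHIELD_TARGET = "shield.saascustomdomains.com"
DIRECT_TARGET = "in.saascustomdomains.com"
CHALLENGE_SUFFIX = "challenges.saascustomdomains.com"

# resolve(name, rrtype) -> list of answers; trailing dots are tolerated.
Resolver = Callable[[str, str], List[str]]


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot so comparisons are exact."""
    return name.strip().rstrip(".").lower()


def expected_records(hostname: str, challenge_type: str = "dns01",
                     api_response: Optional[dict] = None) -> Dict[str, str]:
    """Return {record_name: cname_target} the custom domain must publish.

    If the create-domain API response is supplied, its
    delegated_domain_control_validation_record_* fields take precedence over
    the _acme-challenge pattern derived here from the hostname.
    """
    host = normalize(hostname)
    if challenge_type == "http01":
        return {host: DIRECT_TARGET}          # default setup, no Shield
    if challenge_type != "dns01":
        raise ValueError(f"unknown challenge_type {challenge_type!r}")
    records = {host: SHIELD_TARGET}
    acme_name = f"_acme-challenge.{host}"
    acme_value = f"{acme_name}.{CHALLENGE_SUFFIX}"
    if api_response:
        acme_name = normalize(api_response["delegated_domain_control_validation_record_hostname"])
        acme_value = normalize(api_response["delegated_domain_control_validation_record_value"])
    records[acme_name] = acme_value
    return records


def check_records(hostname: str, resolve: Resolver, challenge_type: str = "dns01",
                  api_response: Optional[dict] = None) -> List[str]:
    """Return a list of problems; an empty list means DNS is ready for Shield."""
    problems = []
    host = normalize(hostname)
    for name, target in expected_records(hostname, challenge_type, api_response).items():
        cnames = [normalize(c) for c in resolve(name, "CNAME")]
        if target in cnames:
            continue
        # A root domain cannot carry a literal CNAME. Providers that flatten it
        # (Cloudflare CNAME flattening, ALIAS records) publish the target's A
        # records instead, so accept the apex when its A set equals the target's.
        if name == host and not cnames:
            host_a, target_a = set(resolve(name, "A")), set(resolve(target, "A"))
            if host_a and host_a == target_a:
                continue
        seen = ", ".join(cnames) if cnames else "no CNAME"
        problems.append(f"{name}: expected CNAME -> {target}, found {seen}")
    return problems


def live_resolver(name: str, rrtype: str) -> List[str]:
    """Resolver backed by dnspython (assumed dependency, imported lazily)."""
    import dns.resolver
    try:
        answer = dns.resolver.resolve(name, rrtype)
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        return []
    return [r.to_text() for r in answer]


if __name__ == "__main__":
    import sys
    target_host = sys.argv[1] if len(sys.argv) > 1 else "company.com"
    for line in check_records(target_host, live_resolver) or ["DNS records look correct"]:
        print(line)
```

Run it as `python shield_check.py app.company.com` once the records have been created; an empty problem list means both CNAMEs (or, for a root domain, the flattened A records plus the _acme-challenge CNAME) resolve as Shield expects. Keeping the lookup behind a `resolve` callable is what lets the logic be exercised against a constructed zone without network access.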

💡Tip — Enable Automated DNS Instructions Emails to send your users detailed instructions explaining how to set up their DNS records.

Once we detect the correct CNAME record, we'll request the certificate from one of the Certificate Authorities.

The TLS/SSL certificate should be issued within a few minutes. This is slower than with the HTTP-01 challenge because we wait for the domain verification CNAME to fully propagate, and the Certificate Authority can take a few minutes to do its part. But it's worth it!

Keep in mind that the _acme-challenge CNAME delegates DNS-01 validation for that hostname to challenges.saascustomdomains.com for as long as the record exists, so remove it (together with the proxy CNAME) if you stop using the custom domain.

Until next time, keep building!
