Better On Demand TLS support for custom domains on Load Balanced clusters
Some applications need to respond to custom domains with SSL. Users specify the domains they want to use in your application and configure their DNS to point to your domain with a CNAME record.
Hatchbox supports this with On Demand TLS and asks your application for permission to generate an SSL certificate when a request hits the server with an unknown domain.
Previously, you could set a URL in Hatchbox for these SSL domain permission requests. This endpoint is checked during the initial HTTP request from the user, so they need to execute quickly.
One issue with our old configuration was these requests had no way of setting headers. In a load balanced cluster, a request to an upstream web server for this endpoint wouldn't be able route to the correct application because it couldn't set a Host header. The upstreams would also try to redirect to SSL because there was no X-Forwarded-Proto header.
We've refactored our configuration to solve these problems and make it easier to configure.
To configure On Demand TLS for your Hatchbox cluster now, it's 3 easy steps:
- Set the default application for the cluster. This application responds when a request to an unknown domain is received (like customer-domain.com).
- Set the On Demand TLS app. This is where SSL permission requests are sent. You can have multiple apps in the cluster, so you'll have to choose one to handle these requests. Typically, it's the same as the default application.
- Choose a path to send On Demand TLS requests. Something like
/check-domainthat responds with a200 OKto approve or a422to deny.
That's it! Everything stays within the internal network allowing you to respond lighting fast to these requests, providing a seamless SSL experience for applications that support custom domains.