For example, if your application needs to offer “custom domains” where your customers can set up a custom CNAME record and access your application via their own domain.
I’ve done this in the past for a different project, where I used rails-letsencrypt. I set up ngx_mruby in Nginx so that it would dynamically load an SSL certificate from Redis.
Another idea is to set up a small proxy service that handles the SSL termination and responds to any host, and then proxies any requests to the normal application domain.
Is it possible to do this with Convox? Has anyone done something like this?
I did this for a small number of custom domains, which means I didn’t automate the procedure, and it worked within the constraints of the max number of certificates (25?) supported by an ALB.
In my case we had to dispatch requests for each custom domain to a specific app, so we used a proxy (nginx) app in-between to route the requests, but if you only have one app that serves all custom domains, then replace “proxy app” in the following procedure by “main app”:
1. Go to the AWS console > EC2 > Load balancers.
2. Select the convox ALB, go to the Listeners tab, then edit the default Rules (for both the 80 and 443 ports) to point to the target group of the proxy app. This makes sure any incoming requests for an unknown host end up on the proxy app, without the need to define target group rules for each custom domain. This only needs to be done once, just after the proxy app is initially created in convox.
3. Whenever you need to add a new custom certificate, select the convox ALB, go to the Listeners tab, then edit the certificates associated with port 443. Assuming the certificate for the custom domain is already in ACM, click the + button to select and add it. Done!
The last point could be automated if required, and the change to the ALB (point 2) survives any update to the convox rack.
If you need to handle a lot more custom domains than what the ALB allows, then you either need to use SNI certificates with many domain names, or possibly set up an NLB + proxy app (which would terminate the SSL connection) in front of the convox ALB.
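The step crohr says "could be automated" (attaching a new ACM certificate to the rack ALB's 443 listener) as an added example; this is not code from the thread or from Convox. It assumes the AWS CLI is installed with credentials that can modify the load balancer, that the caller supplies the ALB ARN, and that the per-ALB certificate quota is the 25 mentioned above (treat that figure as an assumption and check your account's quota). The `AWS_CLI` variable exists so the script can be dry-run against a fake command.

```shell
#!/bin/sh
# Added example (not from the thread): automate step 3 of the procedure above,
# attaching an ACM certificate for a new custom domain to the rack ALB's
# HTTPS listener, with a guard against the ALB certificate quota.
# Assumptions: AWS CLI present and configured; ALB ARN supplied by the caller;
# quota of 25 non-default certificates per ALB (from the thread, unverified).

AWS_CLI="${AWS_CLI:-aws}"              # override for dry runs / tests
ALB_CERT_LIMIT="${ALB_CERT_LIMIT:-25}" # assumed quota, see note above

# ARN of the port-443 listener on the given load balancer.
https_listener_arn() {
    "$AWS_CLI" elbv2 describe-listeners \
        --load-balancer-arn "$1" \
        --query 'Listeners[?Port==`443`].ListenerArn' \
        --output text
}

# Number of non-default certificates currently attached to a listener.
count_listener_certs() {
    "$AWS_CLI" elbv2 describe-listener-certificates \
        --listener-arn "$1" \
        --query 'length(Certificates[?IsDefault==`false`])' \
        --output text
}

# Pure check: does one more certificate still fit under the quota?
# Returns 0 if yes, 1 if the listener is full, 2 if the count is not a number.
cert_slot_available() {
    count="$1"
    limit="${2:-$ALB_CERT_LIMIT}"
    case "$count" in
        ''|*[!0-9]*) echo "invalid certificate count: '$count'" >&2; return 2 ;;
    esac
    [ "$count" -lt "$limit" ]
}

# Attach one ACM certificate to the listener, refusing early when the quota
# is already reached (the API would also reject it, but with a less clear error).
add_custom_domain_cert() {
    listener_arn="$1"
    cert_arn="$2"
    current="$(count_listener_certs "$listener_arn")"
    if ! cert_slot_available "$current"; then
        echo "listener has $current certificates (limit $ALB_CERT_LIMIT); not adding $cert_arn" >&2
        return 1
    fi
    "$AWS_CLI" elbv2 add-listener-certificates \
        --listener-arn "$listener_arn" \
        --certificates "CertificateArn=$cert_arn"
}

# Usage: sh add_cert.sh <alb-arn> <acm-certificate-arn>
if [ "$#" -eq 2 ]; then
    add_custom_domain_cert "$(https_listener_arn "$1")" "$2"
fi
```

Because the listener change from step 2 makes the proxy app the default target, nothing else needs to change per domain: once the certificate is attached and the customer's CNAME resolves to the rack, requests for that host reach the proxy app and the ALB presents the matching certificate via SNI. Keeping the quota check separate from the CLI calls makes the "listener is full" failure mode testable without touching AWS.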
Thanks @crohr, that’s very helpful! I think I might also use the proxy app approach to get more control over the routing. I might even be able to get the dynamic rails-letsencrypt / Redis setup working again if I configure the load balancer to send plain TCP connections instead of terminating SSL with a cert in ACM.
The main thing for my app is that I want to let users add their own custom domain with an automated process that also issues a new SSL cert. So I’ll look into that!