30 Comments

How we automatically provision SSL for SaaS customers with custom domains

  1. 5

    Did you look at Render? We automate everything in your post:

    • Create custom domains using our API
    • Every domain gets free SSL
    • All static sites get a free CDN
    • Free DDoS protection (powered by Cloudflare)

    P.S. You're reading this on a site hosted on Render!

    1. 1

      Interesting. No, I didn't.

      I was looking for alternatives to Heroku that offered the features that you mentioned, but I never came across Render.

      I was taking a look through your docs and I have two questions:

      • Is it possible to white-label the subdomain customers point their domains to via CNAME? For example, instead of example.onrender.com, we use example.mysaax.com.
      • Do the upcoming charges for custom domains also include each subdomain under a wildcard domain? Or does a wildcard domain count as one?
      1. 1

        We need to get our SEO game going. Answers:

        1. Yes, a lot of customers white-label subdomains using a CNAME.

        2. We only count a wildcard domain once.

        Hope this helps!

        1. 1

          Yeah, that was helpful. Thanks.

  2. 2

    Very well written article, it's not an obvious or easy problem to solve for most apps.

    One thing not mentioned directly was the distributed app problem, where your app runs on globally distributed servers (or on a service like Vercel).

    In that case, if you route everything through a VPS in one location, requests can have a problematically long round trip.

    For example: you have a globally distributed app running on servers all over the world, and your Caddy server is in US East.

    User A in US East makes a request:

    • it goes through the Caddy server in US East
    • hits the app in US East
    • response time is going to be fast

    But if user B in Japan makes a request, it's going to have to go to US East and back because that's where your Caddy server is. That's going to be a long trip vs. going to a server in Japan.

    Q: So how can you handle this?

    A: Set up a cluster of Caddy servers all over the world near your app servers.

    That brings up another problem though - how do you get a custom domain to route to the nearest caddy server?

    Normally you'd have to pick one. So you'll need an Anycast IP address. These can be hard to come by (setting up an Anycast network yourself is a large, corporate sized endeavor), but some services like fly.io will offer them.

    Then you'll want to configure your caddy cluster to share SSL state between them so that they can all use the same certs for the same domains. That's not a hard requirement, but you can run into a variety of issues if you don't.

    From there you can add things like edge caching, ddos protection, etc. if you want to, though none of them are a trivial task and can be quite a bit of effort to get right.

    I liked your solution of pointing the reverse proxy at cloudflare, that's a nice and pragmatic decision to this last bit.

    For anyone who wants any advice on building this yourself, feel free to ping me!

    And if you want this but don't want to build it then I've also built an API service, approximated.app, to do all of this for you at $15/month per region with unlimited custom domains.

  3. 2

    Nice writeup. I typically use Cloudflare for this but will be looking into Caddy for sure.

  4. 2

    Thanks for the writeup. It's especially useful because this can form the basis of a GDPR-compliant solution.

  5. 2

    Hello all, one of the challenges SaaS developers can face is figuring out how to provision SSL for their customers with custom domains (provided this is a feature in your SaaS app).

    At Saax, we explored different available options, but none met our criteria. After developing our own custom solution, we would like to share it with all SaaS developers.

    Let us know your thoughts below.

  6. 1

    In case anyone is looking for this article, which is currently not resolving, it's on wayback machine:

    https://web.archive.org/web/20211207154130/https://saax.io/how-we-provision-ssl-to-our-saas-customers-with-custom-domains/

  7. 1

    This was one of the biggest tech hurdles we had on our first project, and we didn't want to be paying the money Cloudflare were asking at the time. There are more and more providers allowing SSL-secured custom domains now, and at more reasonable costs.

    At the time we had no option other than to roll our own using Caddyserver. Custom domains are now pointed to our SSL platform, and it in turn generates and manages the SSLs for all domains pointed to it as long as it's an "allowed" domain; the traffic is then proxied to the correct endpoint (i.e. the SaaS platform) automatically.

    Works well and runs on a very modest Linode.

    We're thinking of opening it up for free to smaller SaaS platforms if anyone is interested.
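The "allowed domain" gate described in the comment above, and the shared certificate state the multi-region Caddy comment earlier in the thread asks for, as an added example (this is not the commenter's code, nor Caddy's, and the domains, ports, paths and storage root are assumptions): Caddy's on-demand TLS calls an `ask` URL with `?domain=<host>` before it requests a certificate, and only a 2xx answer lets issuance proceed. That gate is what stops anyone who points a hostname at your proxy from triggering certificate requests and exhausting your Let's Encrypt rate limits, so the endpoint must say "no" to anything not registered by a customer, to malformed names and wildcards, and to names inside your own zone.

```go
package main

// Added example, not code from the post or from Caddy: the "ask" endpoint that
// Caddy's on-demand TLS consults before requesting a certificate, plus the
// Caddyfile it pairs with. Domains, ports, paths and the storage root are
// assumptions made for this example.

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Assumed Caddyfile. Caddy sends GET /ask?domain=<host> and requests a
// certificate only on a 2xx answer; `storage` is a mount shared by every proxy
// node so all nodes serve the same certificates, renewed ones included.
const caddyfile = `{
	on_demand_tls {
		ask http://127.0.0.1:5555/ask
	}
	storage file_system {
		root /mnt/caddy-shared
	}
}
https:// {
	tls {
		on_demand
	}
	reverse_proxy app.internal:8080
}
`

// DomainRegistry maps registered custom domains to customer ids. base is our
// own zone, which on-demand issuance must never cover. In-memory for the
// demo; a real ask endpoint reads the customer database.
type DomainRegistry struct {
	base    string
	allowed map[string]string
}

func NewDomainRegistry(base string) *DomainRegistry {
	return &DomainRegistry{base: strings.ToLower(base), allowed: map[string]string{}}
}

// normalizeHostname lowercases, strips a trailing dot and accepts only plain
// LDH hostnames: no wildcards, no IP literals, no empty or oversized labels.
func normalizeHostname(h string) (string, error) {
	h = strings.TrimSuffix(strings.ToLower(strings.TrimSpace(h)), ".")
	if h == "" || len(h) > 253 || !strings.Contains(h, ".") || net.ParseIP(h) != nil {
		return "", fmt.Errorf("not a certifiable hostname: %q", h)
	}
	notLDH := func(c rune) bool { return !(c >= 'a' && c <= 'z' || c >= '0' && c <= '9' || c == '-') }
	for _, l := range strings.Split(h, ".") {
		if l == "" || len(l) > 63 || l[0] == '-' || l[len(l)-1] == '-' || strings.IndexFunc(l, notLDH) >= 0 {
			return "", fmt.Errorf("bad label %q in %q", l, h)
		}
	}
	return h, nil
}

// Add registers a customer domain, refusing names inside our own zone so a
// tenant cannot claim e.g. api.<base>.
func (r *DomainRegistry) Add(domain, customer string) error {
	d, err := normalizeHostname(domain)
	if err != nil {
		return err
	}
	if d == r.base || strings.HasSuffix(d, "."+r.base) {
		return fmt.Errorf("%s is inside our own zone %s", d, r.base)
	}
	r.allowed[d] = customer
	return nil
}

// Allowed is the decision Caddy asks for: unknown or malformed names get "no".
func (r *DomainRegistry) Allowed(domain string) bool {
	d, err := normalizeHostname(domain)
	if err != nil {
		return false
	}
	_, ok := r.allowed[d]
	return ok
}

// AskHandler answers Caddy with 200 (issue) or 403 (refuse).
func (r *DomainRegistry) AskHandler(w http.ResponseWriter, req *http.Request) {
	if !r.Allowed(req.URL.Query().Get("domain")) {
		http.Error(w, "domain not registered", http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK)
}

func main() {
	reg := NewDomainRegistry("mysaax.com")
	_ = reg.Add("Shop.Customer-One.com.", "cust_1")
	for _, d := range []string{"shop.customer-one.com", "evil.example", "*.customer-one.com", "api.mysaax.com"} {
		fmt.Printf("%-22s allowed=%v\n", d, reg.Allowed(d))
	}
	// Serve it only on loopback or a private network, never publicly:
	// http.ListenAndServe("127.0.0.1:5555", http.HandlerFunc(reg.AskHandler))
}
```

Two practical notes: keep the `ask` listener off the public internet, since anyone who can reach it and get a 200 can make your proxy request certificates; and when you run several Caddy nodes, point them all at the same `storage` so a certificate renewed by one node is picked up by the others instead of each node racing to issue its own.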

  8. 1

    Thank you for sharing this, a great help for us to set up custom domains for people who open a shop at https://tradly.app.
    I checked your website in Safari on mobile; your dashboard images look crunched, maybe you want to optimise them.
    Nevertheless, it looks like an alternative to Ghost.

    1. 1

      Glad to know it could help.

      Can you please send a screenshot of how it looks on your phone, if possible?

  9. 1

    Great read, I do also use caddy as a reverse proxy to enable ssl certs for a saas with a few thousand custom domains. It’s working pretty great, but for some reason sometimes a cert that has been renewed upon expiry won’t be available directly.

    For now I have a dirty daily restart of the caddy service to overcome this.

    Have you experienced the same issues?

    1. 1

      Hey, I built approximated.app and use caddy a lot, I might be able to help.

      It depends on what you mean by available directly, but I can think of a few potential causes:

      • It's hitting a Let's Encrypt rate limit, and Caddy is intentionally throttling to keep you from being blocked for a bit by them (I think it's a week-long block with LE if you go over).
      • There were some conditions where the ssl cert status would sort of get stuck in older versions, if you were near the default limits for storing them in memory. Matt Holt had a screencast where he fixed that issue, but a restart would fix it then.
      • If you're using a different storage mechanism than the default filesystem, they sometimes have bugs of their own that might cause something like this

      Honestly Caddy is so fast to startup that restarting now and then is a pretty reasonable solution in the meantime.

    2. 1

      No, I haven't had that issue yet. Might be helpful to contact the guys at Caddy via the community forum, and it might just be a matter of upgrading to the latest version.

  10. 1

    I just tried using approximated.app by @CarterBryden for custom domains in my application, and it works like magic! Definitely the simplest solution I've found.

    1. 1

      @WilsonSquared Have you tried contacting their support? I sent them a message on December 10th and have followed up several times (including sending an email), but I've got no response so far. While I really want to use approximated.app, I find the lack of support very concerning.

      Also tagging @Carter for visibility.

      1. 1

        @timusk, you're right and it's really not okay for a response to take that long. I'm really sorry that you had to ping me on here to get noticed and sorted out.

        I've sent you an email response now with some API updates based on your questions. I've also added extra trial time to your account to hopefully give you a better chance to try things out. If there's anything else I can do to make that up to you, please just let me know.

        -----

        For the sake of transparency on Indie Hackers, it's been a bad month for support requests here: a support tool connection to G Suite stopped working and was silently neither receiving nor sending emails.

        Apparently G Suite will occasionally disallow an external "send as" connection out of the blue if it feels like something is unusual. I'd gotten a "someone tried to access your account and was denied" message, but that was it. There was no info that it was specifically for that connection. By the time I discovered it, I had a large backlog to get through. My apologies to anyone who's been kept waiting.

      2. 1

        That's odd. I managed to get a response from them within a few hours.

  11. 1

    Very interesting, thanks!
    What is the cost of running the proxy server per month, and what scale should it support?

    I personally run everything as Cloudflare Workers, so I was glad when they came out with their SaaS offering. $2 per domain is not cheap, but I can move that cost to the customers as an add-on.

    1. 1

      Yes, you can shift the cost to your users, but that might affect your margin, or drive you to increase costs compared to your competitors.

      It currently costs us around $20/month to maintain the proxy (the cost of 10 users)

      1. 1

        The question is, do you get the same level of scale with one server?
        I'm using Cloudflare Workers, which provides awesome performance due to the fact that it runs on the edge close to the client and it autoscales.
        With this proxy server I have to run all my traffic via one location, and it doesn't autoscale. It also makes me dependent on 2 different providers, so uptime can suffer.
        So for me this is not the best option.
        Not saying that it's a bad solution; I guess that it depends what you are optimizing for.

        1. 1

          Yeah, I agree. This solution might not be the best for all use cases.

          We would have to vertically scale up to handle more traffic. This works well for us at the moment, and the app has been developed with performance in mind: smart caching at the front-end and backend, response compression, etc.

    2. 1

      The cost of the proxy server is highly dependent on the incoming traffic. You can easily start with a low-cost VM ($10/month) and scale up as required. Since the server is only running Caddy (which is lightweight), it shouldn't consume many resources.

      There is a track record of a Caddy instance handling hundreds of thousands of SSLs.

    3. 1

      Hey Dan,
      Would like to know more about how you did it with Cloudflare Workers; any link to share?

      1. 2

        @Jkbaseer I still haven't developed the custom domain feature.
        I meant that I run everything else on Cloudflare, and when I get to this feature I will most likely use them as well for this.
        Feel free to follow me here or follow the Typefully product here, and I'll update once I try it.

        1. 1

          Cloudflare has its own product for this - SSL for SaaS providers. I highly doubt that there's a way to handle this through Cloudflare Workers. If you're able to figure out a way, it'd be super!

          1. 1

            This is how I intend to do it.
            I run other things on Workers. This will be on CF for SaaS.

            1. 1

              Is CF for SaaS available now? Any idea what the price is?

              1. 1

                Yes, it was recently announced GA

                It costs $2 per vanity domain per month.
