chore: extend Custom Hostname documentation to advise customers to di…

…sable proxing their CNAME record (#1597) * chore: add note to disable proxying for CNAME records * chore: fix escaping * chore: format * chore: fix note
ory · Nov 6, 2023 · 70f74f0 · 70f74f0
1 parent 14b08a4
commit 70f74f0
Showing 1 changed file with 40 additions and 0 deletions.
diff --git a/docs/guides/custom-domains.mdx b/docs/guides/custom-domains.mdx
@@ -90,6 +90,14 @@ settings.
 
 ## Setting up a CNAME record
 
+:::note
+
+If your DNS provider/registrar automatically activates a proxy on the CNAME record, it can keep the custom domain in a pending
+state. Please make sure to deactivate proxying on the CNAME record. We use a tailored Cloudflare configuration on our side, to
+ensure requests to the custom hostname are fully protected.
+
+:::
+
 If you're with any of these registrars, you can use their respective guide on how to add a CNAME record:
 
 - [GoDaddy](https://www.godaddy.com/help/add-a-cname-record-19236)
@@ -107,6 +115,38 @@ requires you to specify 3 values:
 3. The value, which is provided by us. Check the value provided in the form (detailed in the first step of this article) to know
    what this should be for your project.
 
+If your Custom Hostname remains in `pending` or `error` state, you can check your configuration using a command line tool like
+`dig`, which outputs how the DNS query is resolved:
+
+```
+❯ dig auth.foobar.com
+
+; <<>> DiG 9.10.6 <<>> auth.foobar.com
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7283
+;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 512
+;; QUESTION SECTION:
+;auth.foobar.com.             IN      A
+
+;; ANSWER SECTION:
+auth.foobar.com.      300     IN      CNAME   <your-project-slug>.projects.oryapis.com.
+<your-project-slug>.projects.oryapis.com. 300 IN A 104.18.12.126
+<your-project-slug>.projects.oryapis.com. 300 IN A 104.18.13.126
+
+;; Query time: 28 msec
+;; SERVER: 8.8.8.8#53(8.8.8.8)
+;; WHEN: Tue Oct 31 11:47:22 CET 2023
+;; MSG SIZE  rcvd: 135
+```
+
+If the ANSWER SECTION lists an IP address instead of the generic Ory network URL `<your-project-slug>.projects.oryapis.com`, it
+indicates you did not deactivate proxying. Check the configuration of your CNAME record in your DNS Provider/registrar and disable
+proxying.
+
 ## Automated emails
 
 The Ory Network sends emails for certain actions a user can take, for example