From 70f74f0a5354af3d35b7aaa2d0d54d86663af9a1 Mon Sep 17 00:00:00 2001 From: Andreas Bucksteeg Date: Mon, 6 Nov 2023 17:46:34 +0100 Subject: [PATCH] chore: extend Custom Hostname documentation to advise customers to disable proxing their CNAME record (#1597) * chore: add note to disable proxying for CNAME records * chore: fix escaping * chore: format * chore: fix note --- docs/guides/custom-domains.mdx | 40 ++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/docs/guides/custom-domains.mdx b/docs/guides/custom-domains.mdx index 5bb08c323..1f669b88e 100644 --- a/docs/guides/custom-domains.mdx +++ b/docs/guides/custom-domains.mdx @@ -90,6 +90,14 @@ settings. ## Setting up a CNAME record +:::note + +If your DNS provider/registrar automatically activates a proxy on the CNAME record, it can keep the custom domain in a pending +state. Please make sure to deactivate proxying on the CNAME record. We use a tailored Cloudflare configuration on our side, to +ensure requests to the custom hostname are fully protected. + +::: + If you're with any of these registrars, you can use their respective guide on how to add a CNAME record: - [GoDaddy](https://www.godaddy.com/help/add-a-cname-record-19236) 
@@ -107,6 +115,38 @@ requires you to specify 3 values: 3. The value, which is provided by us. Check the value provided in the form (detailed in the first step of this article) to know what this should be for your project. +If your Custom Hostname remains in `pending` or `error` state, you can check your configuration using a command line tool like +`dig`, which outputs how the DNS query is resolved: + +``` +❯ dig auth.foobar.com + +; <<>> DiG 9.10.6 <<>> auth.foobar.com +;; global options: +cmd +;; Got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7283 +;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 + +;; OPT PSEUDOSECTION: +; EDNS: version: 0, flags:; udp: 512 +;; QUESTION SECTION: +;auth.foobar.com. IN A + +;; ANSWER SECTION: +auth.foobar.com. 300 IN CNAME .projects.oryapis.com. +.projects.oryapis.com. 300 IN A 104.18.12.126 +.projects.oryapis.com. 300 IN A 104.18.13.126 + +;; Query time: 28 msec +;; SERVER: 8.8.8.8#53(8.8.8.8) +;; WHEN: Tue Oct 31 11:47:22 CET 2023 +;; MSG SIZE rcvd: 135 +``` + +If the ANSWER SECTION lists an IP address instead of the generic Ory network URL `.projects.oryapis.com`, it +indicates you did not deactivate proxying. Check the configuration of your CNAME record in your DNS Provider/registrar and disable +proxying. + ## Automated emails The Ory Network sends emails for certain actions a user can take, for example
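Review bot: In the `:::note` added under "Setting up a CNAME record" (first hunk), the last sentence, "We use a tailored Cloudflare configuration on our side, to ensure requests to the custom hostname are fully protected", reassures but gives no reason. A reader who turned the proxy on deliberately still does not know why it has to be off. Add one clause saying what a customer-side proxy interferes with, and replace "fully protected" with what is actually provided. The note names only the pending state, while the troubleshooting paragraph in the second hunk covers `pending` or `error`; the two should agree. Style: drop the comma before "to ensure", and settle on one casing of "DNS provider/registrar" (the second hunk writes "DNS Provider/registrar").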
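Review bot: In the closing paragraph of the `dig` hunk (second hunk), the test "lists an IP address instead of the generic Ory network URL" does not separate the failing case from the sample output directly above it, whose ANSWER SECTION also lists two A records (104.18.12.126 and 104.18.13.126) after the CNAME line. If the intended check is the record type of the first answer, say so: the custom hostname should answer with a `CNAME` record pointing at the Ory hostname, and A records returned directly for `auth.foobar.com` with no CNAME line mean proxying is still enabled. The CNAME target in the sample starts with a bare dot (`.projects.oryapis.com.`), which reads like a placeholder lost in escaping; put a visible placeholder in front of it so readers know what to compare against. Smaller points: `.projects.oryapis.com` is a hostname, not a URL, and the code fence has no language tag.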