Skip to content

feat(nginx): Support routing-only hostnames with externally-terminated TLS #166

Description

@nfebe

A hostname fronted by an external proxy cannot reach the deployment behind it. Example: a Cloudflare app at dashboard.app.com proxies dashboard.app.com/api/... to a FlatRun deployment served on api.app.com. The proxied request arrives with Host: dashboard.app.com, which matches no generated server_name, so it falls to the unknown-domain catch-all and never routes to the deployment. Adding dashboard.app.com as a domain alias does route it by Host, but aliases are also pushed into certificate issuance (internal/ssl/manager.go:447), which fails because the hostname's DNS points at the external proxy, not FlatRun. There is no way to accept a hostname for routing while its TLS is terminated upstream.

Constraint: certificates are issued one hostname per lineage, so a routing-only hostname cannot borrow the primary domain's certificate. It must be excluded from issuance and rely on the connection's SNI (the primary domain) or the upstream proxy's TLS.

Checklist

  • Add an opt-in "routing only, TLS terminated upstream" marker on a domain or its alias.
  • Emit the hostname into server_name so requests route to the deployment.
  • Exclude marked hostnames from certificate issuance and renewal.
  • Confirm marked hostnames are treated as known by the security/traffic layer, so their traffic is not counted as unknown-domain or used to auto-block the source IP.
  • Surface the toggle in the deployment domains UI.

Related

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions