A hostname fronted by an external proxy cannot reach the deployment behind it. Example: a Cloudflare app at dashboard.app.com proxies dashboard.app.com/api/... to a FlatRun deployment served on api.app.com. The proxied request arrives with Host: dashboard.app.com, which matches no generated server_name, so it falls to the unknown-domain catch-all and never routes to the deployment. Adding dashboard.app.com as a domain alias does route it by Host, but aliases are also pushed into certificate issuance (internal/ssl/manager.go:447), which fails because the hostname's DNS points at the external proxy, not FlatRun. There is no way to accept a hostname for routing while its TLS is terminated upstream.
Constraint: certificates are issued one hostname per lineage, so a routing-only hostname cannot borrow the primary domain's certificate. It must be excluded from issuance and rely on the connection's SNI (the primary domain) or the upstream proxy's TLS.
Checklist
Related
A hostname fronted by an external proxy cannot reach the deployment behind it. Example: a Cloudflare app at
dashboard.app.comproxiesdashboard.app.com/api/...to a FlatRun deployment served onapi.app.com. The proxied request arrives withHost: dashboard.app.com, which matches no generatedserver_name, so it falls to the unknown-domain catch-all and never routes to the deployment. Addingdashboard.app.comas a domain alias does route it by Host, but aliases are also pushed into certificate issuance (internal/ssl/manager.go:447), which fails because the hostname's DNS points at the external proxy, not FlatRun. There is no way to accept a hostname for routing while its TLS is terminated upstream.Constraint: certificates are issued one hostname per lineage, so a routing-only hostname cannot borrow the primary domain's certificate. It must be excluded from issuance and rely on the connection's SNI (the primary domain) or the upstream proxy's TLS.
Checklist
server_nameso requests route to the deployment.Related