Cloudflare SSL for Mapped Domain in Multisite Network (WordPress.org Support forum, Networking WordPress)

  • I just created a new site in a subdomain multisite network (i.e. site1.domain.com) and mapped my top-level domain (i.e. toplevel.com) to the new network site, since I don’t want to be using the network-provided domain (site1.domain.com). I have Cloudflare SSL for my top-level domain and DigitalOcean hosting with a RunCloud web server. What is the optimal setup so that my mapped domain (toplevel.com) has SSL working properly?

    So far in my Cloudflare dashboard, I changed the DNS A record to point to the IP address of my web server and have a CNAME for www that points to toplevel.com.

    Is this the right way to do it to have SSL?

    In doing an SSL and DNS check, toplevel.com shows SSL active, but it is resolving to my Cloudflare IP address, NOT my web server IP address. Is this just a matter of waiting for propagation to happen?

    Help please, thank you!

Viewing 3 replies - 1 through 3 (of 3 total)
  • For all practical purposes, consider Cloudflare to be the public-facing web server of your domain. This is the same thing as having a load balancer, HAProxy, or a reverse proxy. So DNS is done propagating if the client in question sees the website via Cloudflare.

    Let Cloudflare deal with the SSL.

    If you want to do so, then you may spend the extra money, time, and/or effort to secure your origin server too, and you should if there’s any sensitive data running there.

    On the off chance Cloudflare can’t reach your site, they may offer to put the connection through to your origin host (I think there’s an option for that), and if you don’t have SSL between the origin and the Cloudflare server then you’re not exchanging data via SSL. Not what you want at that point.

    I’m sure others will chime in with other thoughts, but that’s the way I handle things here. There are other considerations, too, such as Google’s preferences for sites running https and contractual considerations for your payment gateway on a storefront system. HIPAA expectations are another consideration.

    It’s up to you to secure your data connections if and when they may become exposed per your own preferences or ‘best practices’.

    Cloudflare calls their service a CDN, which it is, but it also acts more like a proxy box than a typical image or file CDN. Splitting hairs when it comes down to it, but thinking “proxy” helps to picture the system better, in my opinion.

    @jnashhawkins Thanks for the reply! I hear you loud and clear. The multisite network is fully secured on the main domain and subdomains (wildcard SSL using Let’s Encrypt), but that unfortunately doesn’t cover mapped domains such as mine, so that is why I am trying to configure my own SSL on my domain.

    A few hours ago, I changed my DNS settings in Cloudflare to point to the DigitalOcean (multisite host) IP address, but the site is loading a “cannot connect to server” error, and when I run a DNS/SSL check, it spits out the Cloudflare IP, not the DigitalOcean IP. Maybe it hasn’t propagated?

    Here’s the flow as I am looking at this; maybe someone can chime in and tell me how stupid I am.

    1. Top-level domain registrar points to Cloudflare nameservers
    2. Cloudflare A record points to the DigitalOcean IP address (on the RunCloud server)
    3. RunCloud server points to the WordPress multisite
    4. WordPress multisite domain mapping points to my top-level domain

    • This reply was modified 3 months, 2 weeks ago by  ehong33234.

    Oh, I misunderstood the bit about Cloudflare, but on the World Wide Wait the IP will be a Cloudflare IP address for the domain.

    Inside Cloudflare, looking toward your origin server will show your origin server, but the public won’t see that origin server’s IP address.

    “So far in my Cloudflare dashboard, I changed the DNS A record to point to the IP address of my web server and have a CNAME for www that points to toplevel.com.”

    That sounds right to me. Cloudflare’s proxy hides your origin server’s IP address. So don’t expect to see that DigitalOcean IP there.

    If you plug the DigitalOcean IP address into your browser bar, you should see their server answer with some kind of a message.

    Since reading your second post, I wonder if maybe you should try making sure your server is actually answering Cloudflare, though. If you go back to Cloudflare’s dashboard for that domain, try clicking the little orange cloud so it turns gray, to disable the proxy side of Cloudflare. That will expose your DigitalOcean server’s IP and let your domain work from the multisite, if it will.

    It’s possible you’ll need to tell the DigitalOcean web server about the domain name and where to send it on that server. DigitalOcean can help you with that if needed.

    One other caveat is that the browser and machine you have been using through all this may have cached the older DNS info, and the browser might get very confused. When I troubleshoot problems like this, I usually work from two different machines in-house. And there have been times when I’ve gone to the next town over to use a Wi-Fi hotspot there to keep the confusion down.
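The distinction drawn in the reply above (with the orange cloud on, public DNS answers with a Cloudflare address and the origin is only visible from Cloudflare's side; with the cloud gray, the origin IP is public and the Cloudflare SSL hop is no longer in the path) can be checked mechanically rather than by eyeballing a DNS checker. The following Python is an added example, not code from the thread, from Cloudflare or from RunCloud. It classifies the addresses a public resolver returns against Cloudflare's published IPv4 ranges, and builds a curl command that sends the mapped hostname straight to the origin with `--resolve`, bypassing public DNS and any stale local cache. The hostnames and addresses in the sample run are constructed (documentation ranges), and the range list is assumed to be a current copy of Cloudflare's published list, which should be refreshed from the URL in the comment before being relied on.

```python
import ipaddress
import subprocess
import sys

# Cloudflare's published IPv4 prefixes (https://www.cloudflare.com/ips-v4).
# Assumption: this copy is current; refresh it from that URL before trusting it.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
_CF_NETS = [ipaddress.ip_network(n) for n in CLOUDFLARE_IPV4]


def is_cloudflare_ip(ip: str) -> bool:
    """True if the address falls inside one of Cloudflare's published prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _CF_NETS)


def diagnose(resolved_ips, origin_ip: str) -> str:
    """Classify what public DNS is currently returning for the mapped hostname.

    resolved_ips: the A records a public resolver handed back (strings).
    origin_ip:    the real web server address (here, the DigitalOcean droplet).
    """
    origin = ipaddress.ip_address(origin_ip)
    seen = [ipaddress.ip_address(ip) for ip in resolved_ips]
    if not seen:
        return "no-answer"  # record missing at Cloudflare, or name not delegated yet
    cf_hits = [a for a in seen if is_cloudflare_ip(str(a))]
    if len(cf_hits) == len(seen):
        return "proxied"  # orange cloud: expected; the origin IP is not meant to appear here
    if all(a == origin for a in seen):
        return "dns-only"  # gray cloud: origin is exposed, Cloudflare SSL is out of the path
    if cf_hits:
        return "mixed"  # some resolvers still serve old answers; wait, or flush local cache
    return "stale-or-wrong-record"  # neither Cloudflare nor origin: old cache or a typo'd A record


def origin_probe_command(hostname: str, origin_ip: str) -> list:
    """curl invocation that pins hostname:443 to the origin address.

    This sends the right SNI and Host header for the mapped domain without going
    through public DNS or Cloudflare, so it tells you whether the origin vhost
    answers for that name. Certificate validation stays on: if the origin serves
    a Cloudflare Origin CA certificate (not trusted by public clients), add
    --cacert with the Origin CA root instead of disabling verification.
    """
    return [
        "curl", "-sS", "-o", "/dev/null", "-w", "%{http_code}",
        "--resolve", f"{hostname}:443:{origin_ip}", f"https://{hostname}/",
    ]


def main() -> None:
    # Constructed sample data: documentation addresses standing in for the thread's hosts.
    origin = "203.0.113.10"
    scenarios = {
        "orange cloud, propagated": ["104.16.1.2", "104.16.1.3"],
        "gray cloud, propagated": ["203.0.113.10"],
        "mid-propagation": ["104.16.1.2", "198.51.100.7"],
        "old record still cached": ["198.51.100.7"],
    }
    for label, answers in scenarios.items():
        print(f"{label:28s} -> {diagnose(answers, origin)}")
    cmd = origin_probe_command("toplevel.com", origin)
    print("origin probe:", " ".join(cmd))
    if "--run" in sys.argv:  # only reaches the network when explicitly asked
        print("origin HTTP status:", subprocess.run(cmd, capture_output=True, text=True).stdout)


if __name__ == "__main__":
    main()
```

Run it as-is to see the four classifications and the probe command; run it with `--run` (after replacing the constructed addresses with yours) to actually hit the origin. A `proxied` result with a working site is the normal end state; `dns-only` is the gray-cloud troubleshooting state the reply suggests, and while in it the origin must present a certificate the browser trusts for the mapped name, since nothing in front of it is terminating TLS.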
