
Understanding a managed CNAME setup

In a managed CNAME setup, you get an Acquia-managed domain that acts as the DNS target for your hostnames. This domain takes the form [codebase].acquiaedge.net, where [codebase] is the name of the codebase for the application protected by Acquia Edge. Any hostname specified as the fully qualified domain name for a domain served by your application can be pointed at this target.

Note

Managed CNAME setups are available only to new customers who started with Acquia Edge after January 1, 2021. To reference setups for pre-existing deployments, see Getting started with Acquia Edge Powered by Cloudflare.

Benefits of a managed CNAME setup

  • Proxy of “bare”/apex domains: DNS RFCs prohibit a CNAME at the zone apex. Managed CNAME setups provide a dedicated IP pair that you can use to protect your bare domains. To retrieve these addresses, run a DNS (A record) query against the [codebase].acquiaedge.net domain that Acquia supplied for your application.

  • Simplified support for “vanity” domains and redirects: You can manage any hostnames for your application in a single configuration, even if they do not share a parent in the DNS namespace.

DNS settings with a managed CNAME setup

The DNS tab is not used to manage any hostnames that you can use with Acquia Edge. You will see several Acquia-defined records resolving to your application.

Note

Do not modify any records defined on the DNS tab unless the elastic IP addresses for your application change.

Adding custom hostnames

Custom hostnames are third-party hostnames that CNAME to your domain to receive performance and security benefits of Acquia Edge powered by Cloudflare.

  1. Confirm that the Fallback Origin status on SSL/TLS - Custom Hostnames is ACTIVE so that the system starts populating custom hostnames into your Cloudflare account.

    Fallback Origin acts as the default origin server for your hostnames, such as fallback.yoursite.acquiaedge.net. Fallback Origin is a proxied DNS record in your zone.

    Important

    If Fallback Origin is not set, contact your Account Manager or Acquia Support to have it set.

  2. Click Add Custom Hostname.

    The system displays the Add Custom Hostname section.

  3. In Custom Hostname, enter the domain for which you are creating the custom hostname.

  4. In Minimum TLS version, select TLS 1.2.

    Note

    The minimum TLS version is defined based on the hostname.

  5. In Certificate type, select Provided by Cloudflare.

    You can also use a custom certificate by selecting Custom certificate. Your custom certificate does not auto-renew, so you are responsible for managing it. Acquia Edge accepts only the following types of publicly trusted certificates:

    • SHA256WithRSA

    • SHA1WithRSA

    • ECDSAWithSHA256

    If you attempt to upload a self-signed certificate or a certificate of another type, it is rejected. Note that publicly trusted CAs no longer issue SHA1WithRSA certificates and browsers reject them, so in practice use SHA256WithRSA or ECDSAWithSHA256.

  6. In SSL certificate authority, select Google Trust Services or Let’s Encrypt.

    Acquia recommends using Google Trust Services or Let’s Encrypt instead of DigiCert. These certificates are valid for up to 90 days, but they can be auto-renewed. For information about configuring them to auto-renew, see Setting your SSL Certificates to Auto-Renew.

  7. In Certificate validation method, select TXT Validation.

    Acquia recommends selecting TXT Validation for the initial setup. However, you can also select HTML Validation.

  8. Select the Enable wildcard checkbox.

    Acquia does not recommend wildcard certificates because they cannot be renewed automatically. Google Trust Services and Let’s Encrypt certificates match only the hostnames that you have entered.

  9. In Custom origin server, select Default origin server.

    Acquia recommends selecting Default origin server because, in most cases, your pair of Acquia dedicated load balancers is shared across your Acquia hosting environments. However, you can also select Custom origin server and specify its value.

  10. Click Add Custom Hostname.

Pre-validating certificates

If you use the TXT validation method, your certificates are issued before you modify DNS for any hostnames.

Acquia does not recommend email validation unless you are publicly listed in WHOIS as an administrator or webmaster for your domains.

After you create the custom hostname with TXT validation, Cloudflare generates two TXT records that must be added to your Authoritative DNS configuration.

  1. Add the TXT records through your Authoritative DNS provider.

  2. Verify that the Certificate status and Hostname status columns on the Custom Hostnames page display the status as Active.

Tip

Set the TTL on your DNS records as low as 5 minutes so that this change propagates faster. Cloudflare's validation of your TXT records can take longer depending on how recently they were created.

Note

The Edge Certificates section of the SSL/TLS tab is not used to view or manage any certificates for your domain in a managed CNAME setup.

Launching a domain with Cloudflare for SaaS

Prior to launch, Acquia recommends testing all DNS and SSL configurations.

To launch a domain using Cloudflare for SaaS (Managed CNAME for Acquia Edge), complete the following steps:

  1. Plan your CNAME records for launch.

    In this step, you do not update your DNS, but instead confirm that you have the correct CNAME records for your DNS update on your scheduled launch date.

    1. For each hostname, create a record in your authoritative DNS that resolves to the acquiaedge.net domain for your application.

      For example, for the hostname www.example.com with the codebase mysite:

      Type: CNAME
      Name: www.example.com
      Target: mysite.acquiaedge.net
      
    2. For any bare domains, create A records resolving to the IP addresses returned by a DNS lookup against the [codebase].acquiaedge.net domain for your application.

      Type: A
      Name: example.com
      Target: 192.0.0.1
      
  2. Sign in to your DNS provider.

  3. Add the planned records for your desired domain to your authoritative DNS provider.

  4. Verify that traffic is going through Acquia Edge.
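To check the planned record set before the DNS update and to verify it afterwards, here is an added example in Python (not Acquia's or Cloudflare's own tooling): it plans a CNAME for each subdomain and A records for the apex copied from the edge domain's answer, then compares live DNS with that plan. The resolver is injected and stubbed with constructed answers; the codebase name mysite, the zone example.com and the 192.0.2.x addresses are assumptions, not values from Acquia.

```python
from typing import Callable, Dict, List

# resolve(name, rrtype) -> record data; injected so the checks run offline here.
Resolver = Callable[[str, str], List[str]]

def is_apex(hostname: str, zone: str) -> bool:
    """A bare/apex domain is the zone itself; DNS forbids a CNAME there."""
    return hostname.rstrip(".").lower() == zone.rstrip(".").lower()

def plan_records(codebase: str, zone: str, hostnames: List[str],
                 resolve: Resolver) -> Dict[str, dict]:
    """Record each hostname needs: a CNAME to the edge domain, or, for the
    apex, A records copied from the edge domain's current answer."""
    target = f"{codebase}.acquiaedge.net"
    plan = {}
    for host in hostnames:
        if is_apex(host, zone):
            ips = sorted(resolve(target, "A"))
            if not ips:
                raise ValueError(f"no A records for {target}; cannot plan apex")
            plan[host] = {"type": "A", "data": ips}
        else:
            plan[host] = {"type": "CNAME", "data": [target]}
    return plan

def verify_records(plan: Dict[str, dict], resolve: Resolver) -> Dict[str, bool]:
    """Compare live DNS with the plan; a host passes only when the answer is
    exactly the planned data, so a stale or partial apex A set fails."""
    results = {}
    for host, want in plan.items():
        got = sorted(r.rstrip(".").lower() for r in resolve(host, want["type"]))
        results[host] = got == sorted(d.lower() for d in want["data"])
    return results

# Constructed answers standing in for a live resolver (TEST-NET addresses,
# not Acquia's). example.com deliberately carries only one of the two edge IPs.
SAMPLE_DNS = {
    ("mysite.acquiaedge.net", "A"): ["192.0.2.10", "192.0.2.11"],
    ("www.example.com", "CNAME"): ["mysite.acquiaedge.net."],
    ("example.com", "A"): ["192.0.2.10"],
}

def sample_resolve(name: str, rrtype: str) -> List[str]:
    return SAMPLE_DNS.get((name.rstrip(".").lower(), rrtype), [])

if __name__ == "__main__":
    plan = plan_records("mysite", "example.com",
                        ["example.com", "www.example.com"], sample_resolve)
    for host, ok in verify_records(plan, sample_resolve).items():
        print(f"{host}: {'OK' if ok else 'MISMATCH'} (expected {plan[host]})")
```

For a real launch, replace sample_resolve with a function that queries your authoritative DNS (for example via dnspython or by parsing dig output) and run it once after adding the planned records.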

Setting your SSL Certificates to Auto-Renew

After activating your hostnames, ensure that your Let’s Encrypt or Google Trust Services certificates auto-renew. To do this, change the validation method from TXT to HTTP after activation. Wildcard certificates cannot be set to auto-renew, because HTTP validation is not possible with wildcard certificates.

Note

Make sure the domain is pointing to Cloudflare. Usually it has the CNAME record attached, or it points to a Cloudflare IP address.

  1. Select an activated Custom Hostname and click Edit.

  2. Change the Certificate validation method to HTTP Validation.

  3. Click Save.