Using CloudFlare for CNAME Access on Alibaba Cloud

Normally, Cloudflare does not support CNAME access. When using Cloudflare, I always thought I had to switch the domain's nameservers to Cloudflare's in order to use it properly. However, Cloudflare does offer a way to do this through Cloudflare for SaaS (Software-as-a-Service). I spent 3 hours tinkering with it because some of the information I found online was wrong. For example, in Alibaba Cloud DNS, once you set a TXT record for websocket.ruteraliyun.com you can no longer set a CNAME record for websocket.ruteraliyun.com (a CNAME cannot coexist with any other record at the same name). This really messed things up. So this time I will write up how to proxy an Alibaba Cloud domain through Cloudflare without changing its DNS. (English version translated by GPT-3.5.)

Introduction

There are actually many CDN providers in China, but most of them are paid services. As a poor dog, I can only rely on free options like Baidu Yun Acceleration or 360 Yun Accelerator (they may require real-name registration). Unfortunately, Baidu Yun Acceleration supports HTTPS but not WebSockets, while 360 Yun Accelerator seems to support WebSockets but not HTTPS, which is quite outdated, to be honest. So I have to turn to a well-known overseas company, Cloudflare CDN (even though they had an outage three weeks ago).

Prerequisites

The goal this time is to use Alibaba Cloud's DNS resolution service to point at Cloudflare via CNAME and proxy my WebSocket service deployed on Alibaba Cloud (yes, I know, I went abroad and then came back…). There are only three things you need to prepare:

1. A server with port 80 open.
2. An Alibaba Cloud domain name using Alibaba Cloud's DNS.
3. A domain name in Cloudflare (it can be any domain name, but it must use Cloudflare's DNS resolution).

Reference article: CloudFlare Official Free CNAME Access Tutorial

Scenario

Let’s say I have the following requirements (some content is modified or hidden):

The domain name ruteraliyun.com is resolved using Alibaba Cloud’s domain name resolution service, and the DNS server status in Alibaba Cloud DNS shows [Normal].

Alibaba Cloud - Domain Name Resolution

Then, rutercloudflare.com is the site I added in CloudFlare, like this:

CloudFlare - Domain Name List

Now, I want a subdomain websocket.ruteraliyun.com where the server is located in Alibaba Cloud, and let’s assume the IP address is 122.11.22.33. I want to use Cloudflare as a CDN for this server and I don’t want to add the entire ruteraliyun.com to Cloudflare.

Step 1: Enable CloudFlare’s SaaS service

Note that Cloudflare’s SaaS service is not free, but it provides 100 custom domains for free users, which should be enough for most regular users. The billing rules are as follows: CloudFlare Products & Plans - cloudflare.com

CloudFlare Product & Plan Pricing

So, the first step is to enable CloudFlare’s SaaS service. To activate the service, you need to provide a credit card. If you are concerned about being charged, you can use a virtual card (I used a real card). Since I have already enabled it, I will use someone else’s screenshot as a reference 【Source】.

Image from luotianyi.vc - Step 2: Configure Access

After enabling the service, you will see a page like this:

Interface after enabling the service

Step 2: Add the source server IP to CloudFlare

Here, I will use the name back-to-aliyun to make it easier to understand, and use an A record to point to my Alibaba Cloud source server IP, which is 122.11.22.33.

Configure CloudFlare DNS

Step 3: Add a host

Go back to the left tab in CloudFlare, under SSL/TLS - Custom Hostnames, which is the place where you entered your credit card information earlier. Add a custom hostname, in this case, add websocket.ruteraliyun.com as we mentioned earlier.

Add a custom hostname

Then, add the domain name you want to proxy; in this case, add websocket.ruteraliyun.com. Keep the minimum TLS version at its default; you don't have to match mine.

The most important part is the certificate verification method: do not use TXT verification here. If you have a business email for this domain name, choose email verification; otherwise, choose HTTP verification. If you use TXT verification, you will receive an error like this (I fell into this pit myself), because Alibaba Cloud DNS will not let the TXT record and the later CNAME record coexist at the same name.

Error if TXT verification is used

I used HTTP verification, which means Cloudflare will fetch http://websocket.ruteraliyun.com/.well-known/pki-validation/*******.txt over plain HTTP on port 80 and check that the server returns exactly the content Cloudflare expects. So we first need to resolve the domain name to the source server, which is 122.11.22.33 as mentioned earlier. You can upload the txt file to that path on the server, or have Nginx or any other web server return the expected content for that path. Finally, open http://websocket.ruteraliyun.com/.well-known/pki-validation/*******.txt in a browser and check that the content is displayed, like this:

URL access
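If you would rather not expose a general-purpose web server on port 80 just for this check, the following minimal responder does only what the HTTP verification step needs. It is an added example, not code from the article or from Cloudflare: it answers requests for /.well-known/pki-validation/<token>.txt from one directory and returns 404 for everything else, with the token name validated by a strict pattern and the resolved path checked to stay inside that directory, so a stray request cannot read other files on the origin. The default directory name pki-validation and the command-line handling are assumptions of this example.

```python
"""Minimal origin-side responder for Cloudflare for SaaS HTTP certificate
validation (added example, not the article's own code). Cloudflare fetches
http://<hostname>/.well-known/pki-validation/<token>.txt on port 80 and
expects the exact body shown in the Custom Hostnames panel. This server
answers only that one path prefix, so running it on the origin does not
expose the rest of the filesystem."""

import pathlib
import re
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

# Directory holding the <token>.txt files copied from the Cloudflare panel.
# Constructed default for this example; pass your own directory on the CLI.
VALIDATION_DIR = pathlib.Path("pki-validation")

# Only a single label of URL-safe characters ending in .txt is accepted, which
# rejects "..", "/", "%2f" and similar before any filesystem access happens.
_TOKEN_RE = re.compile(r"^/\.well-known/pki-validation/([A-Za-z0-9_-]+\.txt)$")


def resolve_validation_path(url_path: str, base_dir: pathlib.Path):
    """Map a request path to a file under base_dir, or return None when the
    path is not a well-formed validation URL or the file does not exist.
    The resolved path must still have base_dir as its parent, which is a
    second line of defence against traversal and symlink tricks."""
    match = _TOKEN_RE.match(url_path.split("?", 1)[0])
    if not match:
        return None
    base = base_dir.resolve()
    candidate = (base / match.group(1)).resolve()
    if candidate.parent != base or not candidate.is_file():
        return None
    return candidate


class ValidationHandler(BaseHTTPRequestHandler):
    base_dir = VALIDATION_DIR

    def do_GET(self):
        path = resolve_validation_path(self.path, self.base_dir)
        if path is None:
            self.send_error(404)
            return
        body = path.read_bytes()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # Log every probe so the Cloudflare fetch can be seen arriving.
        sys.stderr.write("%s %s\n" % (self.client_address[0], fmt % args))


def serve(base_dir: pathlib.Path, port: int = 80):
    """Serve validation files from base_dir until interrupted."""
    ValidationHandler.base_dir = base_dir
    HTTPServer(("0.0.0.0", port), ValidationHandler).serve_forever()


if __name__ == "__main__":
    # Usage: python validation_server.py [directory] [port]
    directory = pathlib.Path(sys.argv[1]) if len(sys.argv) > 1 else VALIDATION_DIR
    serve(directory, int(sys.argv[2]) if len(sys.argv) > 2 else 80)
```

Put the token file from the Custom Hostnames panel into the directory, start the server as root (or with the capability to bind port 80) on the origin, and click Refresh in the panel; the request from Cloudflare shows up on stderr. Once the hostname is verified, stop the server: nothing else should be listening on port 80 unless you intend it to.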

After setting it up, your Alibaba Cloud resolution page should look like this:

Resolution after setting up

Step 4: Set up SaaS fallback origin

If everything went well, CloudFlare will display the following content when you click Refresh:

Still missing hostname

The reason is that the fallback origin has not been set up yet. Remember we added a resolution in CloudFlare’s DNS earlier? It is resolved to the source server IP 122.11.22.33, and the resolution is named back-to-aliyun. In this step, fill in back-to-aliyun.rutercloudflare.com as the fallback origin:

Set up the fallback origin

After adding it, wait for a moment and refresh the page. You will see that everything is now valid:

All valid

At this point, the CloudFlare configuration is complete. Let’s go back to Alibaba Cloud.

Final Step: Use CNAME Resolution in Alibaba Cloud

We're almost there. The final step is to change the A record for the source server that we set up in Alibaba Cloud to a CNAME record, pointing at the fallback origin address mentioned earlier, back-to-aliyun.rutercloudflare.com.

Modify Alibaba Cloud resolution to CNAME

Click OK and wait up to 10 minutes before accessing the address again. You don't have to worry about the certificate Cloudflare presents for HTTPS; they take care of that. You only need to maintain your own domain name, such as websocket.ruteraliyun.com.

If a 526 error occurs, troubleshoot it yourself

Certificate error

If you encounter a 526 error, you can troubleshoot it according to the prompt above. If the source server only serves plain HTTP on port 80, set SSL/TLS - Overview to "Flexible"; note that in this mode the hop from Cloudflare to your origin is unencrypted HTTP, so only the browser-to-Cloudflare leg is protected. If the source server uses a self-signed certificate, set it to "Full", which encrypts that hop but does not validate the origin certificate. If the source server uses a trusted certificate, set it to "Strict" (shown as "Full (strict)" in the Cloudflare UI), which both encrypts and validates it.

Brief description of SSL/TLS settings