When using a CDN (Content Delivery Network) with wildcard domains, the SSL/TLS termination happens at the CDN level rather than on your Blossom servers. This guide explains how to configure wildcard domains when using popular CDNs.

Note: If you want to handle SSL termination directly on your Blossom servers instead of using a CDN, see our guide on Direct Wildcard Domains.

Overview

With CDN-based SSL termination:

  • Your CDN handles the SSL certificate for *.example.com
  • Traffic between users and the CDN is encrypted
  • Traffic between the CDN and your Blossom servers is either unencrypted or encrypted with a self-signed certificate, depending on the SSL mode you select in Blossom (see SSL Modes Explained below)

CDN Provider Configuration

Cloudflare

  1. Add your domain to Cloudflare
  2. Create a wildcard DNS record (*.example.com) pointing to your Blossom load balancer
  3. In Blossom, configure the domain with:
    • Mode: HTTP Only for Flexible SSL
    • Mode: Self-signed SSL for Full SSL

AWS CloudFront

  1. Request a wildcard certificate in AWS Certificate Manager
  2. Create a CloudFront distribution
  3. Configure the wildcard domain as an alternate domain name
  4. Point the distribution to your Blossom load balancer
  5. In Blossom, configure the domain with:
    • Mode: HTTP Only (CloudFront doesn’t support self-signed certificates)

Note: With CloudFront, even though we configure HTTP Only mode in Blossom, the traffic is still encrypted. Here’s how it works:

  • Your origin (e.g., origin.example.com) can use HTTPS
  • Your CloudFront distribution handles *.example.com and www.example.com
  • CloudFront passes the Host header through to your origin
  • The traffic between CloudFront and your origin remains encrypted via https://origin.example.com

Akamai

  1. Configure your wildcard certificate in Akamai
  2. Create a property for your domain
  3. Configure origin settings to point to your Blossom load balancer
  4. In Blossom, configure the domain with:
    • Mode: Self-signed SSL or HTTP Only depending on your Akamai configuration

SSL Modes Explained

HTTP Only Mode

  • Use when your CDN doesn’t support self-signed certificates
  • Traffic between CDN and Blossom is unencrypted
  • Example: CloudFront, Cloudflare Flexible SSL

Self-signed SSL Mode

  • Use when your CDN supports self-signed certificates for origin
  • Provides end-to-end encryption
  • Example: Cloudflare Full SSL, Akamai with custom certificates

Important Notes

  • The CDN handles the public SSL certificate for your wildcard domain
  • Your CDN’s DNS must be properly configured to point to your Blossom load balancer
  • Certificate renewal is handled by your CDN, not by Blossom

Troubleshooting

If you encounter issues:

  1. Verify your CDN’s DNS configuration
  2. Check your CDN’s SSL/TLS configuration
  3. Confirm the correct SSL mode is selected in Blossom
  4. See our Caddy debugging guide for origin connection issues
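The following script is an added example and is not part of Blossom or any of the CDN providers' tooling. It demonstrates two of the checks above in working code: whether a CDN-issued wildcard certificate actually covers a given hostname (troubleshooting step 2, "check your CDN's SSL/TLS configuration"), and, on the origin side, whether a Host header passed through by the CDN (as described in the CloudFront note) matches the wildcard you configured. The function names, the constructed SAN list and the `*.example.com` / `origin.example.com` names are assumptions for illustration; the matching rule implemented is the standard one browsers apply (RFC 6125: a wildcard is honoured only as the entire leftmost label and matches exactly one label). The optional live probe uses only the Python standard library and needs network access, so it runs only when a hostname is given on the command line.

```python
"""Added example (not Blossom's own code): wildcard-certificate coverage checks.

  hostname_matches(pattern, host)  - does a SAN such as "*.example.com" cover host?
  cert_covers(sans, host)          - which SAN entry, if any, covers host
  host_header_allowed(hdr, allowed)- origin-side check on a passed-through Host header
  check_live_cert(host, port)      - TLS probe of a CDN edge; needs network access
"""
import socket
import ssl
import sys
from typing import List, Optional


def hostname_matches(pattern: str, host: str) -> bool:
    """Return True if certificate name `pattern` covers `host` (case-insensitive).

    A wildcard counts only when it is the whole leftmost label ("*.example.com").
    It stands for exactly one label, so "*.example.com" covers "app.example.com"
    but neither the apex "example.com" nor "a.b.example.com".  Partial wildcards
    such as "f*.example.com" are treated as literal names (the conservative choice).
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Exactly one label is substituted for the wildcard: label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    # Refuse wildcards that would cover a whole public suffix, e.g. "*.com".
    if len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def cert_covers(sans: List[str], host: str) -> Optional[str]:
    """Return the SAN entry that covers `host`, or None when none does."""
    for name in sans:
        if hostname_matches(name, host):
            return name
    return None


def host_header_allowed(host_header: str, allowed_patterns: List[str]) -> bool:
    """Origin-side check: should a request carrying this Host header be served?

    The CDN forwards the client's Host header to the origin, so the origin can
    limit itself to names matching the configured wildcard(s).
    """
    # Drop a trailing ":port" (one colon only, so IPv6 literals are left alone).
    bare = host_header.rsplit(":", 1)[0] if host_header.count(":") == 1 else host_header
    return cert_covers(allowed_patterns, bare) is not None


def check_live_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to host:port with SNI = host and report which SAN covers it.

    Hostname checking is done by cert_covers() rather than by the ssl module so
    the result says *why* validation would fail; chain verification stays on.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name check is reported explicitly below
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {"host": host, "sans": sans, "covered_by": cert_covers(sans, host)}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python wildcard_check.py app.example.com  (network access required)
        print(check_live_cert(sys.argv[1]))
    else:
        # Constructed sample SAN list, as a CDN-issued wildcard certificate might carry.
        sample_sans = ["*.example.com", "example.com"]
        for h in ["app.example.com", "example.com", "a.b.example.com", "example.org"]:
            print(f"{h:20s} covered by: {cert_covers(sample_sans, h)}")
```

Run without arguments to see the offline cases: the apex is covered only because the sample certificate lists it explicitly, and the two-level name and the foreign domain are not covered at all. Run with a hostname to probe the CDN edge directly; a `covered_by` of `None` means the certificate the CDN is presenting for that name does not include the wildcard, which is the usual cause of a browser certificate error after the DNS record is already correct.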