
CDN Wildcard Domains


When using a CDN (Content Delivery Network) with wildcard domains, the SSL/TLS termination happens at the CDN level rather than on your Blossom servers. This guide explains how to configure wildcard domains when using popular CDNs.

Note: If you want to handle wildcard SSL termination directly on your Blossom servers instead of using a CDN, see our guide on Direct Wildcard Domains.

Overview

With CDN-based SSL termination:

  • Your CDN handles the SSL certificate for *.example.com
  • Traffic between users and the CDN is encrypted
  • Traffic between the CDN and your Blossom servers uses either a self-signed certificate or plain HTTP; Blossom serves only the configured wildcard domains

CDN Provider Configuration

Cloudflare

For basic Cloudflare setup instructions, see our Cloudflare Setup Guide.

  1. Add your domain to Cloudflare
  2. Create a wildcard DNS record (*.example.com) pointing to your Blossom load balancer
  3. In Blossom, configure the domain with:
    • Mode: HTTP Only when Cloudflare is set to Flexible SSL
    • Mode: Self-signed SSL when Cloudflare is set to Full SSL

AWS CloudFront

For basic CloudFront setup instructions, see our CloudFront Setup Guide.

  1. Request a wildcard certificate in AWS Certificate Manager
  2. Create a CloudFront distribution
  3. Configure the wildcard domain as an alternate domain name
  4. Point the distribution to your Blossom load balancer
  5. In Blossom, configure the domain with:
    • Mode: HTTP Only (CloudFront doesn’t support self-signed certificates)

Note: With CloudFront, even though we configure HTTP Only mode in Blossom, the traffic is still encrypted. Here’s how it works:

  • Your origin (e.g., origin.example.com) can use HTTPS
  • Your CloudFront distribution handles *.example.com and www.example.com
  • CloudFront passes the Host header through to your origin
  • The traffic between CloudFront and your origin remains encrypted via https://origin.example.com

Akamai

  1. Configure your wildcard certificate in Akamai
  2. Create a property for your domain
  3. Configure origin settings to point to your Blossom load balancer
  4. In Blossom, configure the domain with:
    • Mode: Self-signed SSL or HTTP Only depending on your Akamai configuration

SSL Modes Explained

HTTP Only Mode

  • Use when your CDN doesn’t support self-signed certificates
  • Traffic between CDN and Blossom is unencrypted
  • Example: CloudFront, Cloudflare Flexible SSL

Self-signed SSL Mode

  • Use when your CDN supports self-signed certificates for origin
  • Provides end-to-end encryption
  • Example: Cloudflare Full SSL, Akamai with custom certificates

Important Notes

  • The CDN handles the public SSL certificate for your wildcard domain
  • Your CDN’s DNS must be properly configured to point to your Blossom load balancer
  • Certificate renewal is handled by your CDN, not by Blossom

Troubleshooting

If you encounter issues:

  1. Verify your CDN’s DNS configuration
  2. Check your CDN’s SSL/TLS configuration
  3. Confirm the correct SSL mode is selected in Blossom
  4. See our Caddy debugging guide for origin connection issues
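An added check for step 2 above (example code, not part of the Blossom documentation or product): it connects to the CDN edge with SNI, verifies the chain, reads the certificate the CDN presents, and reports which of your expected hostnames that certificate covers under the usual wildcard rules, which catches the common gap that *.example.com covers app.example.com but not the apex or a nested subdomain. The hostnames app.example.com and example.com are placeholders.

```python
import socket
import ssl
import sys


def wildcard_covers(san_name: str, host: str) -> bool:
    """Return True if one certificate DNS name covers `host`.
    Browser rules apply: '*' must be the whole leftmost label and matches
    exactly one label, so '*.example.com' covers 'app.example.com' but
    not the apex 'example.com' or the nested 'a.b.example.com'."""
    san_name, host = san_name.lower().rstrip("."), host.lower().rstrip(".")
    if not san_name.startswith("*."):
        return san_name == host          # '*example.com' style is rejected
    suffix = san_name[1:]                # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]      # "app" for app.example.com
    return bool(leftmost) and "." not in leftmost


def cert_covers(san_names, host: str) -> bool:
    """True if any SAN entry in the certificate covers `host`."""
    return any(wildcard_covers(n, host) for n in san_names)


def coverage_report(san_names, hosts) -> dict:
    """Map each expected hostname to whether the certificate covers it."""
    return {h: cert_covers(san_names, h) for h in hosts}


def fetch_san_names(host: str, port: int = 443) -> list:
    """Connect to `host` with SNI, verify the chain against the system trust
    store, and return the DNS names in the presented certificate. Hostname
    matching is disabled so a mismatched edge certificate is still reported."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


if __name__ == "__main__":
    # Placeholder hostnames; pass your own as arguments.
    hosts = sys.argv[1:] or ["app.example.com", "example.com"]
    names = fetch_san_names(hosts[0])
    print("certificate names presented by the edge:", names)
    for h, ok in coverage_report(names, hosts).items():
        print(f"{h}: {'covered' if ok else 'NOT covered'}")
```

Run it with every hostname you expect the CDN to serve; any hostname reported as not covered needs its own SAN entry or a second certificate on the CDN side.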