Hello, Great Netlify Team. We have a business and we need to make sure that Netlify can support that.
We are a SaaS company that allows our customers to white-label our service. So, we may have thousands of custom domains that point to the same application, and we distinguish between them using the original URL the user hits.
So, we imagine the setup to be as follows: caddyserver (as a reverse proxy and SSL certificate manager) → Netlify. However, we have some concerns about the DDoS protection, as Netlify will now see all the traffic come from one host (caddyserver). Will Netlify block the caddyserver, or does it protect based on X-Forwarded-For rather than the connecting IP?
If Netlify blocks based on the connecting-ip, how could I whitelist the caddyserver IP address?
Hey @abdelhamid-attaby,
We can definitely support you white labeling our service as long as you’re on a Pro plan or higher. That said, we strongly recommend that you don’t proxy to us! If you proxy to us, you lose the benefit of our CDN and it will impact your end users’ site performance.
What we’d suggest instead is that you use our wildcard subdomains feature, which we can enable on a Pro account or higher. This means you could have a custom subdomain for each of your customers, i.e. customer1.yourstore.com, customer2.yourstore.com, etc. all pointing to the same underlying site. If you’re using Netlify DNS to host your DNS, we can take care of the SSL certificate for this configuration. Otherwise, you’ll need to bring your own wildcard SSL certificate.
A few caveats about this feature:
You can’t use domain aliases on a site with wildcard subdomains enabled, just the bare domain and subdomains under your primary domain. If you try to add a domain alias then it won’t work.
The primary custom domain for the site, if it is a “site.com+www.site.com” setting in our UI, must be www.site.com and NOT site.com!
Let us know if this helps or if we can answer any other questions!
Ah, and to your question about DDoS, we do not block IPs except in rare cases where there is an attack against our network, in which case we may temporarily block an IP in the course of mitigating the attack.
Thanks for your quick response. Actually, the wildcard option will not work for us because our customers need to have their own domains point to our service (not a subdomain of our domain). So, we may have to provision thousands of certificates (that is why we are putting caddyserver in place to handle this).
An option that I am thinking of is to create a website for every customer in Netlify and adjust their custom domain using the API. The problem here is in the CD stuff: if we make a change in production, we need to deploy the same copy to thousands of these websites. So, the question is, how could we deploy the same code to thousands of websites?
Another option is to add custom domains to the same website. The problem here is that Netlify can support only 50 custom domains for a single website. To handle our business, we need to create multiple websites of the same code base and manage these groups of 50 custom domains programmatically.
Hey @abdelhamid-attaby,
Ah, thanks for explaining. What an interesting use case! I think both options you describe would work for you.
Let’s start with the first option you shared. If the exact same site is being deployed to all your customers, you could just link the same repo to each site. Whenever you pushed out a change to your git provider (Github?), it would push out the change to us. You could configure this and update custom domains via API as you describe when you set up the sites. This should make certificate setup easy for you, as we automatically try to provision a cert when you change the domain.
You mentioned that you might handle certs yourself. Note that we do not have a way to bulk import custom certificates, so that could be a challenge, especially if you are grouping domains per site as you describe in option 2.
Would it be okay if I connect you with someone from our Sales team? They may have more ideas for solutions at your scale.
For the first option, we may have a challenge here with concurrent builds. Imagine we push something to the master branch; it will trigger thousands of concurrent builds. What I am thinking is to make the build in a separate CD pipeline and push that to all the websites. But I cannot see a bulk update for the websites in the Netlify API.
There are ways around that, fortunately! One is that you can selectively disable builds (also possible via API): Stop or activate builds | Netlify Docs to avoid unnecessary rebuilds.
Thanks, Fool, for this great article. However, I cannot find a way to deploy the same build to thousands of sites efficiently and concurrently. If you have any ideas, please advise.
Imagine we push to the master branch something, it will trigger thousands of concurrent builds.
And trying to show you how you could prevent that.
As far as deploying to thousands of sites, it’s going to take a while no matter how you do it:
wait for us to build them all. This will go really slowly unless you buy a custom build setup from us, since we limit Pro accounts to 3 builds at once.
Imagine we push to the master branch something, it will trigger thousands of concurrent builds.
Hello, we also have a single repo out of which we build hundreds of domains, and if you push to that repo, only the last site connected to the repo gets rebuilt, not all of them.
When we need to deploy all to fix something possibly affecting everything, we just do that using webhooks - we have a webhook for each site stored in our DB and we just hit them all. We do that really rarely.
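Hitting one stored build hook per site, as described in the post above and as asked about earlier in the thread (deploying the same build to many sites), as an added example that is not code from the thread, the poster, or Netlify. It assumes one build hook URL per site kept in your own database, the build hook endpoint shape `https://api.netlify.com/build_hooks/<id>` with constructed placeholder ids, and an injectable `post` transport so the logic runs offline; `http_post` is the real transport you would pass in production. Because anyone holding a hook URL can trigger builds, the URLs are treated as secrets and never logged in full.

```python
"""Fan out a deploy trigger to many sites with bounded concurrency and retries.

Added example (not from the thread or Netlify). Assumptions: one build hook URL
per site stored in your DB; hook ids below are constructed placeholders.
"""
from concurrent.futures import ThreadPoolExecutor
import random
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed sample; real hook ids come from the Netlify UI or API.
SAMPLE_HOOKS: Dict[str, str] = {
    "site-a": "https://api.netlify.com/build_hooks/00000000000000000000aaaa",
    "site-b": "https://api.netlify.com/build_hooks/00000000000000000000bbbb",
    "site-c": "https://api.netlify.com/build_hooks/00000000000000000000cccc",
}


def redact(url: str) -> str:
    """Keep only the endpoint and the last 4 chars of the hook id for logs/reports."""
    head, _, tail = url.rpartition("/")
    return f"{head}/...{tail[-4:]}"


def http_post(url: str, timeout: float = 10.0) -> int:
    """Real transport: empty-body POST, returns the HTTP status code."""
    req = urllib.request.Request(url, data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def trigger_all(hooks: Dict[str, str], post: Callable[[str], int],
                max_workers: int = 8, attempts: int = 3,
                sleep: Callable[[float], None] = time.sleep) -> Dict[str, Dict]:
    """POST every hook with at most `max_workers` in flight.

    Retries 429 and 5xx (and network errors) with jittered exponential backoff;
    other 4xx (e.g. a deleted or rotated hook) are reported immediately, since
    retrying them only burns the API's rate budget.
    """
    def one(site_id: str) -> Tuple[str, Dict]:
        url, delay, status = hooks[site_id], 0.5, None
        for n in range(1, attempts + 1):
            try:
                status = post(url)
            except OSError:            # DNS/TCP/TLS failure: treat as retryable
                status = None
            if status is not None and 200 <= status < 300:
                return site_id, {"ok": True, "status": status, "attempts": n}
            if status is not None and status < 500 and status != 429:
                break
            if n < attempts:
                sleep(delay + random.uniform(0, 0.25))
                delay *= 2
        return site_id, {"ok": False, "status": status, "attempts": n,
                         "hook": redact(url)}   # redacted: hook URLs are secrets

    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        return dict(pool.map(one, hooks))


def make_fake_post(script: Dict[str, List[int]]) -> Callable[[str], int]:
    """Offline transport returning scripted status codes per hook, in order."""
    def post(url: str) -> int:
        codes = script[url]
        return codes.pop(0) if len(codes) > 1 else codes[0]
    return post


def demo() -> Dict[str, Dict]:
    """Run the fan-out offline against constructed responses."""
    script = {
        SAMPLE_HOOKS["site-a"]: [200],
        SAMPLE_HOOKS["site-b"]: [429, 200],   # rate-limited once, then accepted
        SAMPLE_HOOKS["site-c"]: [404],        # hook gone: no retry
    }
    return trigger_all(SAMPLE_HOOKS, make_fake_post(script), sleep=lambda s: None)


if __name__ == "__main__":
    for site, result in demo().items():
        print(site, result)
```

`max_workers` is the knob that keeps a fleet-wide redeploy from looking like a flood from one source; the report it returns tells you which sites still need attention without ever writing a full hook URL to a log.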
We have a similar use case. We’re also a SaaS company and each client is provided with a custom subdomain under our main domain (client1.business.com, client2.business.com) pointing to the same web application. Additionally, our primary domain (business.com, www.business.com) must point to another web application.
Is it possible to create two sites with the following setup:
This part should also be possible but may depend on your DNS provider and whether it makes an exception to a wildcard CNAME record that you make. Netlify DNS does this, but if you’re using external DNS, I would double check with your provider.
Once you take care of that piece, please let us know the Netlify site name that we’ll be enabling wildcard subdomains for!