by erinmez on 8/14/23, 1:42 PM with 6 comments
I'm coming from GCP and need to look into AWS ALB's certificate support to terminate the traffic of customer domains. I asked AWS support; the hard limit is at 100 certificates per ALB unfortunately. So that would mean I would need to provision/unprovision/bin-pack ALBs and certificates myself, I guess.
Do you know of another approach on AWS that one could take?
On Google Cloud one can have up to a million certs per load balancer via their "Certificate Manager" (I haven't tried :-)
Best Tanju
by Alacart on 8/15/23, 4:44 PM
Cloudflare SSL for SaaS is also another option, though (and I'm biased here) there's quite a bit locked behind their enterprise plan, which jumps the cost up significantly. We have an article describing the differences here: https://approximated.app/approximated-cloudflare-comparison (Obviously biased towards us, but also backed up by links to their docs for each point)
Finally, you can build and self-host your own service to do this if you want. I'd recommend https://caddyserver.com for it if you'd like to go that route. It will handle a lot for you, and is very well designed - we use a customised version of it under the hood. That said, it's still something you'll need to host, sort out dynamic config updates, and monitor. Custom domains, especially securing them, can have a lot of unexpected issues crop up at random times.
Caddy will do a lot to try and deal with those, but if you're doing this for very long or at any kind of scale, you'll run into some pretty obscure issues that are usually caused by external factors (like a CA suddenly revoking a bunch of certs, or changing the way certs can be verified). It can be stressful trying to figure those out while your custom domains are down, and they're usually hard to predict. A paid service will almost certainly be cheaper, easier, and much more reliable unless you dedicate engineers to maintaining it. For instance, Approximated starts at $10/month, or about the price of the VM/VPS you'd host Caddy on anyways. If you're going to be scaling up, we also give automatic volume discounts for every 1,000 custom domains.
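A minimal hardened starting point for the self-hosted Caddy route discussed above, as an added example and not the commenter's or the Caddy project's own configuration: on-demand TLS obtains a certificate the first time a customer hostname is requested, and the `ask` endpoint (URL and backend address here are placeholders) limits issuance to domains your control plane actually knows about, so a stranger pointing DNS at your load balancer cannot consume your CA rate limits.

```caddyfile
{
    # Contact address the CA (Let's Encrypt by default) may use.
    # Placeholder value.
    email ops@example.com

    # Global on-demand TLS policy. Without an "ask" endpoint, any
    # hostname that resolves to this server could trigger issuance.
    on_demand_tls {
        # Caddy requests this URL with ?domain=<hostname> before
        # asking the CA for a certificate. HTTP 200 means "issue";
        # any other status refuses. Placeholder URL.
        ask https://control-plane.internal/api/domains/check
    }
}

# Catch-all HTTPS site: every customer domain terminates here.
https:// {
    tls {
        on_demand
    }

    # Caddy forwards the original Host header unchanged, so the
    # application can map the customer hostname to a tenant.
    # Placeholder backend address.
    reverse_proxy app-backend:8080
}
```

The `ask` endpoint should answer from your own registry of onboarded domains rather than from DNS, since a domain that merely resolves to your address is exactly the case you want to refuse.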
by ac2u on 8/14/23, 1:57 PM
Otherwise, I've played around with OpenResty for doing this on top of nginx with on-the-fly Let's Encrypt certs. This isn't my post, but it's the same thing.
https://medium.com/@vibhoragrawal/how-to-setup-ssl-on-the-fl...
Of course now you have to own your own ops for your load balancers, but you could always scale up the nginx instances and put them behind an NLB instead of an ALB.
by jgrahamc on 8/14/23, 1:51 PM