SSL encryption with CNAME redirect

Here is my current architecture: I have a simple site hosted in the cloud that needs to be served from my company. Thus, mysite.com has a CNAME redirect to 1234.cloud.com. I understand that the SSL certificate needs to be created for mysite.com.

Here are my questions:

a) How does the CNAME redirect work when fetching content? Does DNS resolve the cloud IP address and allow just one HTTP connection to the cloud, or is the HTTP connection sent to my server and then relayed to the cloud? Which server presents the SSL cert for mysite.com? I believe that I need to configure a local server to offer the SSL certificate because DNS alone would not suffice, but I am not sure about the architecture.

b) How can I ensure that the communication between my server and the cloud is also encrypted? Do I need to configure client/server SSL between the two servers?


Solution 1:

I think you're confusing terms a little bit. A CNAME is not a redirect per se. It's just a record type in DNS, also known as a DNS alias. The DNS protocol is ultimately about mapping names to IP addresses. The most common record type is an "A" record, which is a one-way mapping of Name to IP. The CNAME record instead is a one-way mapping of Name1 to Name2.

In your case, the CNAME record tells clients requesting the IP "mysite.com" to instead request the IP for "1234.cloud.com". So the client then requests the IP for 1234.cloud.com, gets its IP (10.10.10.10 for example) and continues connecting. This is all done on the network stack of the client. The web browser doesn't know anything about this exchange. All it knows is that the network stack says "mysite.com" maps to "10.10.10.10".

Your cloud server is the one that will host both the site and the SSL certificate (unless you have a load balancer in front of the cloud server). No servers from your company are involved except the DNS servers that are authoritative for your company's DNS zone, mysite.com.

The only way to ensure the communication is encrypted between clients and your cloud server is to disable non-HTTPS requests on the cloud server.
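To make the two points of the answer concrete (the client's resolver follows the alias chain on its own, and the browser then checks the certificate against the name the user typed, not the cloud name), here is an added example that is not part of the question or the answer above. The DNS records in it are constructed sample data embedded in the script, and the SAN matching is a deliberately minimal version of what browsers do; it resolves the chain with a hop limit so an alias loop fails cleanly instead of hanging.

```python
"""Walk a CNAME chain the way a client's resolver does, then check which
certificate name the browser will expect.  Added example, not code from the
question or the answer.  The DNS records are constructed sample data, not a
live zone."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed zone data: name -> (record type, value).  A real resolver
# fetches these over the network; here they are embedded so it runs offline.
RECORDS: Dict[str, Tuple[str, str]] = {
    "mysite.com.":     ("CNAME", "1234.cloud.com."),
    "1234.cloud.com.": ("A",     "10.10.10.10"),
    "loop-a.test.":    ("CNAME", "loop-b.test."),   # constructed alias loop
    "loop-b.test.":    ("CNAME", "loop-a.test."),
}

MAX_CNAME_HOPS = 8  # resolvers cap chain length to stop alias loops


def resolve(name: str) -> Tuple[str, List[str]]:
    """Return (ip, chain) where chain lists every name visited.

    Mirrors what the client's resolver does: each CNAME is followed until an
    A record is found.  The browser only ever sees the final IP; the
    intermediate names never reach the TLS layer."""
    chain = [name]
    for _ in range(MAX_CNAME_HOPS):
        rtype, value = RECORDS.get(name, (None, None))
        if rtype == "A":
            return str(ipaddress.ip_address(value)), chain
        if rtype == "CNAME":
            name = value
            chain.append(name)
            continue
        raise LookupError(f"no A or CNAME record for {name}")
    raise LookupError("CNAME chain too long (possible alias loop)")


def safe_resolve(name: str) -> Optional[Tuple[str, List[str]]]:
    """resolve() that reports failure as None instead of raising."""
    try:
        return resolve(name)
    except LookupError:
        return None


def expected_cert_name(typed_hostname: str) -> str:
    """The name the browser checks the certificate against is the one the
    user typed, however many CNAME hops DNS took to reach an IP."""
    return typed_hostname.rstrip(".").lower()


def cert_covers(cert_names: List[str], hostname: str) -> bool:
    """Minimal SAN matching as browsers do it: exact match, or a single
    leading wildcard label that matches exactly one label."""
    host_labels = hostname.lower().split(".")
    for san in cert_names:
        san_labels = san.lower().split(".")
        if san_labels == host_labels:
            return True
        if (san_labels[0] == "*" and len(san_labels) == len(host_labels)
                and san_labels[1:] == host_labels[1:]):
            return True
    return False


if __name__ == "__main__":
    ip, chain = resolve("mysite.com.")
    print("resolver chain:", " -> ".join(chain), "=>", ip)
    want = expected_cert_name("mysite.com")
    # A certificate issued only for the cloud hostname fails the browser check;
    # the cloud server must present one that names mysite.com.
    print(want, "covered by cloud-only cert:", cert_covers(["1234.cloud.com"], want))
    print(want, "covered by mysite.com cert:", cert_covers(["mysite.com", "www.mysite.com"], want))
    print("alias loop resolves:", safe_resolve("loop-a.test.") is not None)
```

Running it shows the chain `mysite.com. -> 1234.cloud.com. => 10.10.10.10`, that a certificate naming only `1234.cloud.com` does not cover `mysite.com` while one naming `mysite.com` does, and that the constructed loop is rejected by the hop limit. The certificate check is the reason the answer says the cloud server (or a load balancer in front of it) must hold the mysite.com certificate: nothing at the company end ever sees the TLS handshake.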