A possible solution to custom domains


#1

I know white label custom domains have been removed in version 7 and I’m really disappointed that happened. I’ve been working on different solutions to the problem myself but one viable solution is a static HTML file deployed on the server which then makes AJAX calls to Surreal CMS.

I discovered this when checking out Forestry. Forestry is more aimed at those who want to use Static Site Generators. It doesn’t have amazing inline editing like Surreal CMS.

I think Cory could decouple the admin area and create a HTML file that makes AJAX calls to the Surreal CMS server. The file could be deployed easily via FTP.

This solution solves the whole problem of custom domains and SSL since the file is deployed onto the user’s web hosting and the user is responsible for obtaining an SSL certificate.

The documentation for this feature in Forestry.

I hope a solution can be found soon.


#2

To clarify, custom domains were a side effect of CNAMES + not requiring SSL. Custom domains have never worked over SSL in Surreal :slight_smile:


I would love to offload the SSL problem, but this approach puts the admin on a different domain, which will break authentication and XHR requests. (Currently, the backend is proxied through the /api subdirectory, so XHR requests are always on the same domain.)

Auth cookies are HTTP/secure/sameSite, which is the most secure way to store auth credentials in a browser.

  • HTTP cookies aren’t accessible to JavaScript, so they can’t be exposed via XSS exploits
  • secure cookies require HTTPS so they aren’t vulnerable to MITM attacks
  • sameSite cookies will not be passed with cross-site requests, so they won’t be leaked to other origins (preventing CSRF attacks)

So to do something like this, I’d need to remove the /api subdirectory proxy (which would put the backend on a different domain) and soften cookie restrictions (dangerous for auth) OR rework authentication entirely — the latter isn’t something I really want to do at the moment.

Perhaps there’s a solution with ALIAS records, which many DNS providers are offering now.
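
Added example, not part of the post above and not Surreal CMS code: a simplified model of the cookie rules just listed, showing why the same-domain /api proxy keeps the auth cookie flowing while a static admin page on a customer domain would not. The cookie name `session`, the `/api/pages` path and the two-label "site" rule are assumptions made for illustration; the host names are the ones used in this thread.

```javascript
// Simplified model of browser cookie attachment (added illustration).
// Assumption: "site" = scheme + last two host labels; real browsers use the
// Public Suffix List. The cookie name and /api/pages path are made up.
const site = (u) => {
  const { protocol, hostname } = new URL(u);
  return protocol + "//" + hostname.split(".").slice(-2).join(".");
};

// Is `cookie` attached to a request for `url` issued by the page at
// `initiator`? topLevelNav is true for link clicks, false for XHR/fetch.
function cookieSent(cookie, { url, initiator, method = "GET", topLevelNav = false }) {
  const target = new URL(url);
  if (target.hostname !== cookie.host) return false;               // host-only cookie
  if (cookie.secure && target.protocol !== "https:") return false; // Secure
  if (site(url) === site(initiator)) return true;                  // same-site request
  switch (cookie.sameSite || "Lax") {       // assumption: unset is treated as Lax
    case "Strict": return false;
    case "Lax": return topLevelNav && method === "GET";
    case "None": return cookie.secure;      // None is only honoured with Secure
    default: return false;
  }
}

// HttpOnly cookies never show up in document.cookie.
const visibleToScript = (cookie) => !cookie.httpOnly;

const auth = { name: "session", host: "you.clientcms.com",
               secure: true, httpOnly: true, sameSite: "Strict" };

const api = "https://you.clientcms.com/api/pages";
const scenarios = {
  proxied: { url: api, initiator: "https://you.clientcms.com/", method: "POST" },
  staticAdmin: { url: api, initiator: "https://whitelabel-cms.example.com/admin.html", method: "POST" },
  plainHttp: { url: "http://you.clientcms.com/api/pages", initiator: "http://you.clientcms.com/" },
};

for (const [name, req] of Object.entries(scenarios)) {
  console.log(name.padEnd(12), "cookie sent:", cookieSent(auth, req));
}
// The "soften cookie restrictions" option: the cookie now rides on cross-site requests.
console.log("staticAdmin with SameSite=None:",
  cookieSent({ ...auth, sameSite: "None" }, scenarios.staticAdmin));
```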


#3

Thanks Cory. ALIAS records sound promising. I’ll need to look into them.


#4

To clarify, is this currently possible using ALIAS records? A custom domain is a deal breaker for moving more sites to Surreal at least for us. We love Surreal, but the custom domain is a feature I don’t think we are willing to go without.


#5

I have a solution to custom domains but I’m not sure if I should share it just yet as I don’t want to see native support pushed back because of a workaround.

If you’re really desperate, I can possibly share but I want to see if ALIAS records will work first.


#6

Keep in mind you can still use you.clientcms.com. This experience has been more polished than in the past with edit-content.com.

Now, unless a valid subdomain is specified, clientcms.com shows a 404 Not Found page. The only way a client will be able to log in is by going to your custom URL, where they will see your branding.

If you don’t want to share it publicly, send me a PM or an email. I’m open to alternative options.


#7

I have it set up right now working on a subdomain on my website. My solution will work regardless of the plan the user is on. I can send you a link to it set up.

I’m happy with publishing a tutorial… I’d like to see if the ALIAS record would work though but I don’t see that happening as I think an ALIAS record is much like a CNAME record and will still have the SSL problem. Don’t ALIAS records only work on the root domain anyway?


#8

Not all hosts offer ALIAS records, so you’d need to have a DNS provider that does. On top of that, I believe it would be up to the user to provide their own certificate.

It could work, but an ideal solution would be “Enter your domain” and we handle the SSL side of things. The user would just need to create a basic A record.


#9

Yes, that would work since you would be obtaining the certificate for whitelabel-cms.example.com instead of both whitelabel-cms.clientcms.com and whitelabel-cms.example.com.