Gimli

Reputation: 488

Creating Domain Mapping on GCP CloudRun with domain managed by Cloudflare

I was wondering if anyone has any experience with creating a mapped domain within GCP's Cloud Run on a domain that is managed by Cloudflare.

When I do so, I end up getting a 525 (SSL Handshake Failed). With limited visibility as to what is happening on GCP's side, I can't really debug what the issue is.

Any tips or pointers would be greatly appreciated 🙏

Upvotes: 2

Views: 1719

Answers (2)

Andre Miras

Reputation: 3840

I got it working by disabling Cloudflare security, HTTPS rewrites and browser integrity checks for the ACME challenge as described in their community forum. The latter is because otherwise Google is getting blocked by Cloudflare (this can be verified in your security events).

If it helps, this is the Terraform setup I'm using:

## Variables

variable "domain_suffix" {
  type        = string
  description = "The domain suffix used by all subdomains."
  default     = "example.com"
}

variable "domain_prefix" {
  type        = string
  description = "The subdomain prefix."
  default     = "sub"
}

variable "cloud_run_location" {
  type        = string
  description = "The location of the Cloud Run services."
  default     = "us-central1"
}

variable "cloudflare_zone_id" {
  type        = string
  description = "Zone ID of the Cloudflare zone that holds domain_suffix."
}

variable "project" {
  type        = string
  description = "The GCP project ID, used as the namespace of the domain mapping."
}

locals {
  # Variables must be referenced through the var. prefix inside interpolation.
  full_domain = "${var.domain_prefix}.${var.domain_suffix}"
}


## Cloudflare resources

resource "cloudflare_record" "subdomain" {
  zone_id = var.cloudflare_zone_id
  name    = var.domain_prefix
  value   = "ghs.googlehosted.com"
  type    = "CNAME"
  proxied = true
}

# Disable security and browser integrity checks for the ACME challenge as GCP needs it for custom domain mapping
resource "cloudflare_page_rule" "acme_challenge_bypass" {
  zone_id = var.cloudflare_zone_id
  target  = "${local.full_domain}/.well-known/acme-challenge/*"
  actions {
    automatic_https_rewrites = "off"
    browser_check            = "off"
    cache_level              = "bypass"
    security_level           = "essentially_off"
  }
}


## Cloud Run resources

resource "google_cloud_run_v2_service" "default" {
  name     = "cloudrun-service"
  location = var.cloud_run_location
  template {
    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
}

resource "google_cloud_run_domain_mapping" "default" {
  location = var.cloud_run_location
  name     = local.full_domain
  metadata {
    namespace = var.project
  }
  spec {
    route_name = google_cloud_run_v2_service.default.name
  }
}

With this setup all my domains get verified and working within 20 minutes.

Upvotes: 1
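The page rule above deliberately switches off Cloudflare's protections, so two things are worth confirming before and after applying it: that the target pattern covers only the ACME challenge path (not the whole host), and that the zone's security events no longer show blocked or challenged requests to that path. The following Python is an added, offline example written for this answer; it is not part of the answer's Terraform or of any Cloudflare or Google tooling. The wildcard semantics of page-rule targets are modelled as "`*` matches any run of characters, compared against the URL without scheme"; the event records are constructed, and their field names (`clientRequestPath`, `action`, `source`, ...) and action labels are assumptions about the shape of a firewall-event export, not a documented contract.

```python
"""Offline sanity checks for a Cloudflare-fronted Cloud Run domain mapping.

1. Is the page-rule bypass scoped to the ACME challenge path only?
2. Do the (constructed) security events show Cloudflare stopping ACME requests?
"""
import re

ACME_PREFIX = "/.well-known/acme-challenge/"

# Actions taken to mean Cloudflare stopped or challenged the request (assumed labels).
BLOCKING_ACTIONS = {"block", "challenge", "jschallenge", "managed_challenge"}


def page_rule_matches(target: str, host: str, path: str) -> bool:
    """Return True if a Cloudflare page-rule target applies to host + path.

    The target is compared against the URL without scheme; '*' is treated as the
    only wildcard and matches any run of characters. Comparison is done
    case-insensitively (assumption).
    """
    pattern = "".join(".*" if ch == "*" else re.escape(ch) for ch in target.lower())
    return re.fullmatch(pattern, (host + path).lower()) is not None


def bypass_scope(target: str, host: str, probe_paths):
    """Split probe paths into those the bypass covers and those still protected.

    An overly broad target such as 'sub.example.com/*' shows up here because
    paths like /admin land in the covered list.
    """
    covered = [p for p in probe_paths if page_rule_matches(target, host, p)]
    not_covered = [p for p in probe_paths if p not in covered]
    return covered, not_covered


def blocked_acme_requests(events):
    """Return events where Cloudflare blocked or challenged an ACME challenge fetch."""
    return [
        e for e in events
        if e.get("clientRequestPath", "").startswith(ACME_PREFIX)
        and e.get("action") in BLOCKING_ACTIONS
    ]


# Constructed sample events: one challenged ACME fetch (before the page rule),
# one allowed ACME fetch (after it), and one unrelated block that must be ignored.
SAMPLE_EVENTS = [
    {"datetime": "2023-05-01T10:00:00Z", "clientRequestHTTPHost": "sub.example.com",
     "clientRequestPath": "/.well-known/acme-challenge/abc123",
     "action": "managed_challenge", "source": "securitylevel"},
    {"datetime": "2023-05-01T10:20:00Z", "clientRequestHTTPHost": "sub.example.com",
     "clientRequestPath": "/.well-known/acme-challenge/abc123",
     "action": "allow", "source": "pagerule"},
    {"datetime": "2023-05-01T10:21:00Z", "clientRequestHTTPHost": "sub.example.com",
     "clientRequestPath": "/wp-login.php", "action": "block", "source": "waf"},
]

# Paths to probe: the ACME path itself plus paths that must stay protected.
PROBE_PATHS = [
    "/.well-known/acme-challenge/abc123",
    "/.well-known/acme-challenge/",
    "/admin",
    "/api/v1/users",
]

if __name__ == "__main__":
    narrow = "sub.example.com/.well-known/acme-challenge/*"
    broad = "sub.example.com/*"
    for target in (narrow, broad):
        covered, protected = bypass_scope(target, "sub.example.com", PROBE_PATHS)
        print(f"{target}\n  bypassed: {covered}\n  still protected: {protected}")
    for e in blocked_acme_requests(SAMPLE_EVENTS):
        print("ACME request stopped:", e["datetime"], e["action"], e["source"])
```

Running the script with the narrow target lists only the two ACME paths as bypassed; with the broad target `/admin` and `/api/v1/users` join them, which is the misconfiguration to avoid. The event scan reports the single `managed_challenge` record, matching the blocked-by-Cloudflare symptom the answer describes as visible in the security events.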

Gimli

Reputation: 488

Found my answer here, turns out Cloudflare isn't currently supported by Cloud Run: https://github.com/ahmetb/cloud-run-faq#how-can-i-configure-cdn-for-cloud-run-services

Upvotes: 1
