ArylLabsArylLabs/Docs
DocsPage

Custom Domains & SSL Architecture

Learn how ArylHive securely manages unmetered Custom Domains using Cloudflare Custom Hostnames (SSL for SaaS) and dynamic routing logic at the Edge.

1. SSL for SaaS Provisioning Lifecycle

To provide seamless wildcard support and zero-configuration SSL certificates, ArylHive utilizes Cloudflare's Enterprise SSL for SaaS endpoint architecture. Users simply add a domain, point a CNAME, and everything else is completely automated down to certificate renewals.

sequenceDiagram participant User participant Worker as CF Worker API participant CFAPI as Cloudflare SaaS API participant DNS as Domain Registrar User->>Worker: Add Domain (example.com) Worker->>CFAPI: POST /custom_hostnames CFAPI-->>Worker: Fallback Origin & Verification TXT Worker-->>User: Please add CNAME to cname.aryl.app User->>DNS: Add CNAME Record loop Automated Verification CFAPI->>DNS: Poll DNS for CNAME match end CFAPI->>CFAPI: Automatically Issue Let's Encrypt / Google SSL CFAPI-->>User: Traffic active via TLS 1.3 Strict

2. Edge Router Resolution Logic

When a user connects to a custom domain (e.g., https://my-blog.com), the Edge Controller needs to understand which internal project it belongs to.

  • The Edge Controller reads the Host header of the incoming request.
  • Instead of the standard subdomain project.aryl.app, the script identifies it as an alien custom domain.
  • It queries the Turso DB projects table by attempting to match the custom_domain column instead of the subdomain column.
  • Once the project is resolved, the deployment logic resumes normally.
flowchart TD Req[Incoming Edge Request] Parse{Parse Host Header} Parse -- "*.aryl.app" --> SubCheck[Resolve by Subdomain] Parse -- "Custom Apex/Subdomain" --> DomainCheck[Resolve by Custom Domain] SubCheck --> Turso[(Turso Fast Query)] DomainCheck --> Turso Turso --> CacheLogic[Edge Routing & Zip Extraction Pipeline]

3. Domain Ownership Verification

To protect against domain hijacking, users who want to connect Apex domains (example.com) must verify their ownership via a generated TXT record. Subdomains (docs.example.com) utilize CNAME chaining to automatically pass ownership verification since pointing the CNAME intrinsically proves DNS control.

4. Advanced: Wildcard Propagation

The platform fallback endpoints (*.aryl.app and *.aryl.cloud) utilize wildcard DNS and wildcard Universal SSL. This means that a user instantly gets HTTPS coverage the exact millisecond they create a new project—there is no waiting for SSL propagation on default hostnames.

Next: Learn about Environment Variables →