3

We currently have a self-hosted solution that allows our customers to add CNAMEs to access their content through their own domains.

We're moving the entire stack to Google Cloud, with the main product residing on a Firebase Hosting deployment, with serverless functions, storage and Firestore databases.

I am aware that we can manually and programmatically add CNAMEs to our Firebase Hosting account, but there is a hard limit of 20 on Firebase.

My question: does GCP offer a solution where we can programmatically add CNAMEs, generate a self-signed certificate, and point them via a proxy to our Firebase Hosting URL, while retaining the originating CNAME but serving our Firebase content? Or are there recommended approaches for this stack?

Things we don't want to do:

  • Have multiple Firebase deployments with 20 domains each
  • Add any hosted solutions (compute engine etc) as an intermediary
  • Move away from Firebase

We have reached out to the Firebase team but were recommended point 1 above (split them between multiple deployments), as they had no visibility into other GCP products.

DavidP
    The best place to ask what solutions GCP offer would be at GCP support. – Jenny D Jul 19 '19 at 08:41
  • Thanks Jenny, GCP support points us to Firebase, Firebase points us to GCP. ¯\_(ツ)_/¯ – DavidP Jul 19 '19 at 08:45
  • 3
    I don't see how anyone other than GCP/Firebase can know what solutions GCP/Firebase are offering. – Jenny D Jul 19 '19 at 08:47
  • 2
    Host your own authoritative DNS and add anything you want. – Overmind Jul 19 '19 at 09:21
  • Hi Overmind, CNAMEs not added to Firebase Hosting do not resolve. We cannot simply add a CNAME and point it to our Firebase Hosting. Or am I missing your suggestion? – DavidP Jul 19 '19 at 09:27
  • 1
    @Overmind - your comment is incorrect. Firebase custom domains must be configured. Anything else will fail. The reason is that most GCP services are fronted by GFE/Load Balancer which uses the HTTP Host header to direct traffic. Unconfigured host names are considered invalid. – John Hanley Jul 20 '19 at 01:07
  • I have been experimenting with GCP since I asked yesterday and came up with a workable solution: 1. Deploy our site code to a Cloud Run container 2. Change our Firebase rewrite config to point to the Cloud Run container, and not the serverless function it currently points to 3. Programmatically map new domains and CNAMEs using the Cloud Run API for domain mappings. We cannot find any hard limits on domain mappings within the Cloud Run documentation, as you are able to point multiple domains to a single service. Any areas of concern with an approach like this? – DavidP Jul 20 '19 at 08:18
  • Cloud Run is in beta. I am not aware of a published metric for the number of custom domains that you can configure. However, I expect that Cloud Run will have the same limits that Firebase does when the service reaches GA. The reason is that neither Firebase nor Cloud Run manage the custom domains. This is performed by the GFE/Load Balancer which is implemented globally for many Google Cloud services. I have started a deep dive article series on my website covering Cloud Run. In my first article, I discuss the Cloud Run components including GFE. https://www.jhanley.com – John Hanley Jul 20 '19 at 08:50
  • I have indeed found your articles and will def read a little deeper. Many thanks for your inputs. – DavidP Jul 20 '19 at 10:20
  • This is a specific feature of a specific service. There's not much you can do about its limitations. As I said, if you want to do what you want you should have a completely different approach and not use a service that has such limitations. – Overmind Jul 22 '19 at 05:57
  • @Overmind My question is not regarding skirting Firebase limits, but what *other* GCP tool we can use to accomplish this. Apologies if not clear. – DavidP Jul 22 '19 at 10:02
  • Yes, but product recommendations are unfortunately off-topic; why not simply ask some cloud service providers for a solution? – Overmind Jul 22 '19 at 10:33

1 Answer

2

The answer to your question is not how many hostnames Firebase can support, but how many hostnames SSL can support.

The SSL certificate recommendation is that no more than 20 entries be placed in the SAN field of an SSL certificate. This is called the SSL certificate minting limit. Some SSL certificates do support up to 100*, but Firebase supports 20. The more entries, the more overhead to process each connection. Each time you add a new domain to the certificate, all of the existing domains have to be reverified, as a new certificate is issued.

Note: I am not including wildcards (*.example.com).

*Note: RFC 5280 does not specify a maximum for SubjectAltNames. Microsoft imposes a maximum size of an encoded extension to be 4KB (link).

John Hanley
  • 2
    Thanks John, as mentioned in my original post, we're aware of the hard limit, but your explanation makes it clear *why* there is a limit. – DavidP Jul 20 '19 at 08:17
  • Can you provide a citation as to the "technical limit" of 100 subjectAltName entries in a single TLS certificate? – womble Aug 02 '19 at 01:14
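As an added example (not part of the answer above, nor code from Firebase or GCP), the following Python hand-encodes an X.509 SubjectAltName extension in DER using only the rules from RFC 5280 section 4.2.1.6 and X.690, so the size cost of each dNSName entry can be measured directly, and it checks how many entries fit under the 4 KB encoded-extension cap the answer attributes to Microsoft. The `tenantNNN.example.com` hostnames are constructed sample data; no third-party library is needed.

```python
"""Hand-encode an X.509 SubjectAltName extension (RFC 5280 4.2.1.6) in DER
to measure how its size grows with the number of dNSName entries.

Only the X.690 tag/length/value rules are implemented, and only the dNSName
form of GeneralName is supported. This is an illustrative example, not code
from Firebase, GCP or the answer above.
"""
from typing import Callable, List, Sequence

# OID 2.5.29.17 (id-ce-subjectAltName) as DER content octets.
SAN_OID_CONTENT = bytes([0x55, 0x1D, 0x11])


def der_length(n: int) -> bytes:
    """X.690 length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value triple."""
    return bytes([tag]) + der_length(len(content)) + content


def encode_dns_name(name: str) -> bytes:
    """GeneralName CHOICE dNSName: [2] IMPLICIT IA5String, tag byte 0x82."""
    return der_tlv(0x82, name.encode("ascii"))


def encode_general_names(names: Sequence[str]) -> bytes:
    """GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName."""
    if not names:
        raise ValueError("SubjectAltName needs at least one entry")
    return der_tlv(0x30, b"".join(encode_dns_name(n) for n in names))


def encode_san_extension(names: Sequence[str], critical: bool = False) -> bytes:
    """Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue OCTET STRING }."""
    oid = der_tlv(0x06, SAN_OID_CONTENT)
    crit = der_tlv(0x01, b"\xff") if critical else b""  # DER omits DEFAULT values
    value = der_tlv(0x04, encode_general_names(names))
    return der_tlv(0x30, oid + crit + value)


def _read_tlv(buf: bytes, pos: int):
    """Parse one TLV at pos; return (tag, content, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_san_extension(ext: bytes) -> List[str]:
    """Round-trip check: pull the dNSName entries back out of an encoded extension."""
    tag, body, _ = _read_tlv(ext, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    pos, value = 0, None
    while pos < len(body):  # extnID, optional critical flag, extnValue
        t, content, pos = _read_tlv(body, pos)
        if t == 0x04:
            value = content
    if value is None:
        raise ValueError("no extnValue")
    _, general_names, _ = _read_tlv(value, 0)
    names, pos = [], 0
    while pos < len(general_names):
        t, content, pos = _read_tlv(general_names, pos)
        if t == 0x82:  # other GeneralName forms (IP, URI, ...) are skipped
            names.append(content.decode("ascii"))
    return names


def max_names_within(limit_bytes: int, name_for: Callable[[int], str]) -> int:
    """Largest N such that the extension holding name_for(0..N-1) fits in limit_bytes."""
    n = 0
    while len(encode_san_extension([name_for(i) for i in range(n + 1)])) <= limit_bytes:
        n += 1
    return n


def tenant_name(i: int) -> str:
    """Constructed sample hostname, always 21 characters long (tenant000.example.com)."""
    return f"tenant{i:03d}.example.com"


if __name__ == "__main__":
    for count in (1, 20, 100):
        size = len(encode_san_extension([tenant_name(i) for i in range(count)]))
        print(f"{count:3d} dNSName entries -> {size:5d} bytes of extension")
    # 4096 bytes is the encoded-extension cap the answer attributes to Microsoft.
    print("entries that fit in 4096 bytes:", max_names_within(4096, tenant_name))
```

Each dNSName costs its own length plus two bytes of tag and length, so a cap on the encoded extension size such as 4 KB translates to well over a hundred names of this length, and RFC 5280 itself sets no count. A lower per-certificate figure, such as the 20 the answer cites for Firebase, is therefore a policy of the issuer or platform rather than a property of the DER encoding; the platform's published limit is still the one that applies when you plan how many custom domains a single deployment can carry.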