
My team and I are creating a service that, when a user requests it, creates a new server instance on the fly, with a different IP for each new instance. The issue is that I'm connecting from a client via WebSockets to that newly created server, but I need it to be SSL certified, so I can't use just the IP.

So, what I'm thinking is to create a subdomain for each one of these server instances. The only issue here is that I need the subdomain to be available super quickly, and I don't know if I can trust the DNS propagation times for this.

Is there any solution to this? Like having my own routing server that has a wildcard subdomain and then routes the traffic based on that? I think I can't use Apache or those kinds of solutions because it's not only HTTP/S traffic that I'm handling.

3 Answers

Probably you know the IP address range in advance? You could create some `xxxxxx.dyn.example.com. IN A` pattern for the network in advance. That enables you to use a `*.dyn.example.com` wildcard certificate for them all without any issues caused by DNS caching.

Esa Jokinen

I've ended up using a reverse proxy. In this case Traefik was exactly what I needed.

I did a simple API that modifies the configuration file, and it has some good features like requesting SSL certificates on configuration.

Below is the configuration I ended up using in case someone needs something similar.

# Traefik will not verify the TLS certificate presented by the backend servers
# (the instances use plain IPs, so there is no hostname to verify against).
InsecureSkipVerify = true
defaultEntryPoints = ["https"]

[entryPoints]
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

# Let's Encrypt (ACME) certificates requested on demand via DNS challenge
[acme]
dnsProvider = "dnsprovider"
email = "lets@encypt.account"
storage = "acme.json"
entryPoint = "https"
acmeLogging = true
delayDontCheckDNS = 0
onHostRule = true

# One frontend/backend pair per instance; the API appends these as instances are created
[frontends]
  [frontends.frontend0]
  backend = "backend0"
    [frontends.frontend0.routes.main]
    rule = "Host:din0.instance.mydomain.com"
[backends]
  [backends.backend0]
    [backends.backend0.servers.server1]
    url = "wss://165.227.200.126"

DNS propagation time is not a real thing (in most scenarios)

Depending on how much control you have over the environment:

  • IP-addresses for your server instances usually will be assigned from certain reserved ip-ranges.
    Simply populate your forward (and ideally also the reverse) DNS zones with some correspondingly predictable boilerplate hostnames for every ip-address in those ranges:
    ip-10-9-8-7.instances.example.com. IN A 10.9.8.7
    and include a wildcard certificate for *.instances.example.com. in the instance template as the server certificate.

  • When you really don't know the IP address beforehand and can't pre-create the records, then you'll be dependent on how responsive your master DNS server is in starting to respond for newly created records and how fast your authoritative name servers replicate a newly created record to each other. That is the only propagation delay that matters; it really depends on the DNS implementation but can be near instantaneous. (Note: it can also be a manual change process and take days...)
    Regardless of those extremes, when that is not fast enough in your situation: you can additionally still pair the newly assigned IP address with a boilerplate hostname in /etc/hosts ...

HBruijn
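The pre-populated zone approach from the first and third answers, as an added example that is not part of any answer above: it generates the predictable forward (A) and reverse (PTR) records for a whole address range, maps between an IP and its boilerplate hostname, and checks that such a hostname is actually covered by the wildcard certificate (a wildcard covers exactly one left-most label). The zone name `instances.example.com` and the `ip-a-b-c-d` naming scheme are taken from HBruijn's answer; everything else is assumed.

```python
import ipaddress

ZONE = "instances.example.com"  # zone name taken from the answer above


def hostname_for(ip: str, zone: str = ZONE) -> str:
    """Boilerplate hostname for an address: 10.9.8.7 -> ip-10-9-8-7.instances.example.com."""
    addr = ipaddress.IPv4Address(ip)
    return f"ip-{str(addr).replace('.', '-')}.{zone}"


def ip_for(hostname: str, zone: str = ZONE) -> str:
    """Inverse of hostname_for(); raises ValueError if the name is not in the expected shape."""
    suffix = f".{zone}"
    if not (hostname.startswith("ip-") and hostname.endswith(suffix)):
        raise ValueError(f"not a boilerplate instance hostname: {hostname}")
    label = hostname[len("ip-"):-len(suffix)]
    return str(ipaddress.IPv4Address(label.replace("-", ".")))


def zone_records(cidr: str, zone: str = ZONE):
    """Yield (forward, reverse) zone-file lines for every usable host address in the range."""
    net = ipaddress.IPv4Network(cidr)
    for addr in net.hosts():
        name = hostname_for(str(addr), zone)
        forward = f"{name}. IN A {addr}"
        reverse = f"{addr.reverse_pointer}. IN PTR {name}."
        yield forward, reverse


def wildcard_matches(cert_name: str, hostname: str) -> bool:
    """Does a certificate name cover hostname? '*' matches exactly one left-most label (RFC 6125),
    so '*.instances.example.com' covers 'ip-10-9-8-7.instances.example.com' but not
    'a.b.instances.example.com' or the bare zone apex."""
    cert_labels = cert_name.lower().split(".")
    host_labels = hostname.lower().split(".")
    if cert_labels[0] != "*":
        return cert_labels == host_labels
    return len(cert_labels) == len(host_labels) and cert_labels[1:] == host_labels[1:]


if __name__ == "__main__":
    # Constructed sample range: print the records an operator would paste into the zone files
    for fwd, rev in zone_records("10.9.8.0/29"):
        print(fwd)
        print(rev)
    print(wildcard_matches("*." + ZONE, hostname_for("10.9.8.7")))
```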