HTTPS URL Redirect using Fastly's host rewriting

I help with IT for a local group. They have a simple static website which (for legacy reasons) is running on Google Sites.

However, the custom domain feature of Google Sites only allows you to use a subdomain, like www.domain.com, rather than a “naked domain” (also known as @ or the “apex record”).

Okay, fine. Now the first problem: anyone coming from a search engine will get sent to the right site, https://www.domain.com, but someone typing the address, domain.com, into their search bar will get a “This site can’t be reached” error.

No worries, in the domain registrar’s DNS settings we’ll add a URL Redirect, from @.domain to www.domain.

That works some of the time, but causes a heisenbug. See, if the user’s browser first tries https://domain.com, as modern browsers are wont to do, it will not find anything there, because the domain registrar doesn’t attempt to process the redirect for HTTPS traffic.

Note: a possible alternative to all this mess:

There are two brand-new DNS record types, SVCB and HTTPS, the latter of which allows the apex domain to be redirected when used in Alias mode. Namecheap didn’t support these record types as of this date, and browser support is somewhat limited.

A solution would be some service that offers the browser an SSL Cert for the apex domain, and then does the URL forward. I recently had this problem on another personal site that’s hosted with Apache2, and this technique worked great.

This is a feature that some domain registrars (specifically EasyDNS) support, but this domain wasn’t hosted on one of them.

Many recommendations online suggested using Cloudflare to make the redirect. This is a pretty reasonable solution, and I started setting it up - until the point where Cloudflare nonchalantly asked me to change the domain’s nameservers from the domain registrar’s to their own.

Some sophistry

So this is just how Cloudflare works. It’s a proxy, it’s a CDN, it’s a sorta kind of MITM. There’s nothing wrong with this - but it gives me the heebie-jeebies.

The web has a lasting undercurrent of this lovely peer-to-peer decentralized nature. I’m okay with pointing an A record at someone to get a redirect, but there’s something in the way CF takes ownership of your DNS that seems like something Cory Doctorow would get grumpy at me for.

Fastly

I made a new account under Fastly’s trial tier and added the apex domain to it (and put their A record IPs in the registrar’s DNS settings), and got them to create a certificate for it. Then I created a Service under that domain entry, with the Host: field set to www.domain.com.

Fastly has a feature they call “apex redirect” which sounded promising, but I wasn’t able to figure out how to get it to do what I needed.

No matter though, because what I really needed was their Override Host setting.

Now everything works seamlessly.
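
A check for the HTTP-works, HTTPS-fails split described earlier, as an added example (not code from the original post): it probes the apex over both schemes without following redirects, with normal certificate verification, and classifies each answer. The function names and the sample results are assumptions constructed for illustration; domain.com is the post's own placeholder.

```python
import http.client
import ssl
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
OK = {"redirects-to-www", "upgrades-to-https", "served-directly"}

def probe(scheme, host, timeout=5):
    """One GET for /, redirects not followed: (status, Location) or ("error", reason)."""
    if scheme == "https":
        # Default context verifies the chain and hostname, as a browser would.
        conn = http.client.HTTPSConnection(host, timeout=timeout,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    except (OSError, http.client.HTTPException) as exc:  # TLS errors are OSError
        return "error", type(exc).__name__
    finally:
        conn.close()

def classify(scheme, result, apex, www):
    status, location = result
    if status == "error":
        return "unreachable"
    if status in REDIRECTS and location:
        target = urlsplit(location)
        if target.scheme == "https" and target.hostname == www:
            return "redirects-to-www"
        if scheme == "http" and target.scheme == "https" and target.hostname == apex:
            return "upgrades-to-https"
        return "redirects-elsewhere"  # includes a downgrade to http://
    return "served-directly" if status == 200 else "unexpected"

def audit(apex, www, probe_fn=probe):
    """Return (verdicts, split); split is True when HTTP works but HTTPS does not."""
    verdicts = {s: classify(s, probe_fn(s, apex), apex, www) for s in ("http", "https")}
    return verdicts, verdicts["http"] in OK and verdicts["https"] not in OK

# Constructed probe results, not captured from a real site.
REGISTRAR_FORWARD = {"http": (301, "https://www.domain.com/"),
                     "https": ("error", "ConnectionRefusedError")}
TLS_FRONTED = {"http": (301, "https://domain.com/"),
               "https": (301, "https://www.domain.com/")}

if __name__ == "__main__":
    for name, sample in (("registrar forward", REGISTRAR_FORWARD), ("TLS fronted", TLS_FRONTED)):
        print(name, audit("domain.com", "www.domain.com", lambda s, h: sample[s]))
```

Calling `audit("domain.com", "www.domain.com")` without a `probe_fn` performs the live requests instead of using the constructed samples.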