Hacker News
by cx201 1536 days ago
Looks really polished and I love the minimalist design.

One thing I've been wondering that a lot of web platforms offer: how do you allow users to bring their custom domain with TLS? What's the tech behind that and how does the process work?

4 comments

That was one of the hard things to figure out how to do in a simple way on mataroa. Just using Let's Encrypt directly was the first iteration. Now mataroa is using a combination of:

- Let's Encrypt with a wildcard certificate for mataroa.blog and all *.mataroa.blog domains

- Caddy's automated certificates for all user custom domains

You can see a few more details about this setup in the server playbook doc [1] and the Caddyfile [2]

[1]: https://github.com/sirodoht/mataroa/blob/master/docs/server-...

[2]: https://github.com/sirodoht/mataroa/blob/master/Caddyfile
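A minimal Caddy v2 configuration sketching the two-tier setup described above (one wildcard certificate for the base domain, on-demand certificates for each user's custom domain). This is an added illustration, not mataroa's own Caddyfile; the certificate paths, the backend port 8000 and the `/api/domain-check` endpoint are assumptions. The `ask` endpoint is the important part: Caddy only requests a certificate for a hostname if that URL answers 200, so a stranger who points their DNS at the server cannot trigger issuance (and burn Let's Encrypt rate limits) for domains no user has registered.

```caddyfile
{
	# Global: before issuing an on-demand certificate, Caddy calls
	# this URL with ?domain=<hostname>. Return 200 only for domains
	# that a registered user has actually claimed in the app.
	on_demand_tls {
		ask http://localhost:8000/api/domain-check
	}
	email admin@mataroa.blog
}

# Base domain and every user subdomain: served with one wildcard
# certificate obtained separately (e.g. via the DNS challenge), so
# Caddy does not issue per-subdomain certs here. Paths are assumed.
mataroa.blog, *.mataroa.blog {
	tls /etc/letsencrypt/live/mataroa.blog/fullchain.pem /etc/letsencrypt/live/mataroa.blog/privkey.pem
	reverse_proxy localhost:8000
}

# Catch-all for user custom domains (e.g. blog.example.org with a
# CNAME/A record pointing here). The certificate is obtained on the
# first TLS handshake for that hostname, gated by the ask endpoint.
https:// {
	tls {
		on_demand
	}
	reverse_proxy localhost:8000
}
```

The application side of `/api/domain-check` should read the `domain` query parameter, look it up against the domains users have saved (and ideally verified via a DNS record), and answer 200 or 404; nothing else needs to change in the proxy when a user adds a domain.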

You can do this a variety of ways, most of which boil down to automating a reverse proxy server and generating acme certs. My favorite is Caddy server if you want to build and manage it yourself.

Things get trickier if you want to handle this well for globally distributed servers, since you'll need to have a cluster of reverse proxies near or colocated to your app servers. That needs an anycast IP address to handle A records for apex domains, and usually you want them coordinating to share certs, cache, etc. efficiently. In that situation I'd recommend reaching for a paid service, since there can be a lot to build and maintain.

Source: I built approximated.app, which is a service that does all of that for you.

Whatever terminates the connection (e.g. nginx, haproxy, apache) needs to be configured for each supported domain. As a platform this would mean having code to modify and reload the config and put certs in place on behalf of users.

Just letsencrypt, I guess.