We are migrating into Vercel and want to use a rolled migration where we can point individual routes of our application to Vercel. We are also running behind an external WAF. We’ve read the proxy docs but are unclear on how to get things working when the domain itself is not pointed to Vercel.
Our current configuration is as follows:
Primary domain (domain.com) points to WAF, then forwards onto a different hosts depending on routes
domain.com/myroute points to Vercel via a hidden subdomain (vercel.hiddendomain.com). This subdomain has been added to Vercel and uses the Vercel DNS CNAME
We have to add a rule in our WAF that rewrites the host header to be that of the hidden subdomain in order for vercel to respond correctly. It fails the SSL handshake otherwise. This also causes problems with things like NextAuth
What it seems we need to do to avoid rewriting the host header is to add our primary domain to Vercel. Vercel wont verify it of course because the domain itself isn’t pointed at Vercel, only on that specific route.
Has anyone accomplished this? Or have any ideas on how to proceed?
The domain troubleshooting guide can help with most custom domain configuration issues. You might be able to use that guide to solve it before a human is available to help you. Then you can come back here and share the answer for bonus points.
You can also use v0 to narrow down the possibilities.
That domain troubleshooting guide has some tips about common SSL cert issues which can help you understand what’s needed to get the cert to work for your project.
If you need more help, please share the domain so we can help you investigate
I was able to solve this issue by temporarily pointing the domain to Vercel for verification, then pointing it back to where it was going originally. Once my domain was verified, Vercel could resolve traffic against it. However, I think it will only last for 90 days (domain verification lasts this long according to Vercel)
If anyone else comes across this issue, here is my final setup:
Verified domain.com to Vercel (required temporarily pointing the entire domain to Vercel)
Hidden subdomain also verified in Vercel
Main domain pointed back to original host
myroute points to Vercel via the hidden host
It would be helpful if there was another mechanism available in Vercel to verify domain ownership without having to point the entire domain to Vercel.
