Got a shiny new domain you want to point at a site or application you have hosted somewhere on the web? If you’re anything like me, you’ll have a bunch of domains you thought sounded cool and that are lying around doing nothing. Well the good news is that you can use Fastly TLS and CDN to point the domain at your site completely for free. Follow the steps below!
What you’ll need:
- Your new domain and access to the DNS settings (these will be where you registered the domain)
That’s it!
Sign up for a free Fastly account
Jump over to fastly.com/signup – fill out your details and get signed up.
We are going to get two things from Fastly:
- A service to deliver our origin website through the CDN
- A TLS certificate to safely send traffic to the domain through Fastly
We get a few other benefits by default:
🤑 Caching – making the site fast and maybe even saving us on costs
🔐 Security – like DDoS protection out of the box
📊 Observability – showing us what’s happening with site traffic
Create a service
In your Fastly account, click Create service and choose CDN.
- Give your service a name of your choice – this is just so that you can identify it in your Fastly account.
- Enter your domain (it's easiest if you include the www – if you need to use an apex domain, like `suesmith.lol` instead of `www.suesmith.lol`, see the note at the end of this guide).
- Enter your origin – for me this is a Glitch site so it has a `.glitch.me` address.
- Try the recommended settings in their default state – if you have issues later you can always toggle them off.
Activate your service!
Create a TLS certificate
OK now we need to grab a TLS certificate. In the top menu in your Fastly account, click Security, then Manage certificates under TLS Management.
In TLS management, click Get started. If you have a TLS certificate in your account already you’ll click Secure another domain instead.
We’re going to use a Fastly-supplied certificate. Enter your domain name and click Add.
Fastly will add your domain as the Common name. With Certainly selected, click Submit.
Verify your domain
When you submit your new TLS certificate, Fastly will provide the details to verify your domain.
Click Verification options.
This is where things can get a bit unpredictable depending on your domain registrar! The instructions below should work for most providers. 🤞
Copy the ACME DNS challenge CNAME and value (hit the clipboard icon for the value). The CNAME will be `_acme-challenge` followed by your domain name, and the address to point the DNS record at will be a string of characters followed by `fastly-validations.com`.
In your domain registrar account (wherever you registered the domain), navigate to the Custom DNS settings. We’re going to add two new CNAME records, one to verify the domain for the TLS certificate, and one to route the domain traffic to Fastly.
First let’s verify the domain:
- Set the host name to the address from the TLS info that’s something like `_acme-challenge` followed by your domain name (note that for some domain management tools you only need to enter the subdomain up to `www` and they add the rest)
- Set the address (sometimes called data or content, it’ll expect an IP address) to the value you copied that includes `fastly-validations.com`
Save your new record. With any luck back in your Fastly account the domain will pass validation!
Shortly after this the certificate will be issued.
Point your domain at Fastly
OK we’re almost there! Now you just need to point your domain to Fastly. This is what will happen once your domain settings are in place:
- Someone visits the domain
- The domain points at Fastly
- Fastly finds the service with the domain in it
- Fastly sends the visitor a response based on the service config – at first it’ll be the origin host response (for me this will be the Glitch site), then later it might be cached, meaning Fastly doesn’t even need to visit the origin
🚨 Do not complete this step until you’re ready to send visitors to your domain to the origin in your Fastly service – this is the point at which your domain traffic will start moving through Fastly.
First you’ll need to grab the correct CNAME to point your domain at – in your Fastly account, navigate to (Secure > TLS Certificates >) Domains and View details for the domain. Copy the CNAME record address – it will be a single character followed by `.sni.global.fastly.net`.
🔋 To enable IPv6, add `dualstack.` to the start of your address.
Back in your domain registrar DNS settings, add another CNAME record, this time for the `www` version of your domain, pointing at e.g. `dualstack.t.sni.global.fastly.net` (adjust that single character to match your certificate). If you already have a CNAME record for `www` you'll need to replace it with the one for your Fastly service.
💡 If you have an existing CNAME record for the domain, you may want to reduce the TTL value before making a change, to speed up the process of sending your traffic through Fastly – this also helps if things go wrong and you need to make further changes.
Give it some time for your changes to propagate (at least the TTL value, which is in seconds) and you should soon see the origin site you pointed your Fastly service at when you visit the domain you registered!
Well check that out, it’s my Glitch in Bio site being served through a Fastly cache node in Manchester and at my daft domain. 🎉
🛠️ Use the terminal command `dig <your-domain.com>` to check what’s happening with the DNS while you wait for changes to propagate.
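Both CNAME records from this guide can be checked against the expected Fastly patterns straight from `dig` output. The script below is an added example, not part of the original post: the function names are hypothetical, and `www.example.com` and the validation token in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): check the two CNAME records
# this guide creates, using lines from `dig +noall +answer`.

# Classify a CNAME target against the patterns described in the guide.
classify_target() {
    t=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    t=${t%.}    # dig prints a trailing root dot
    case "$t" in
        *.fastly-validations.com)          echo validation ;;
        dualstack.?.sni.global.fastly.net) echo traffic-dualstack ;;
        ?.sni.global.fastly.net)           echo traffic-ipv4 ;;
        *)                                 echo other ;;
    esac
}

# Read dig answer lines on stdin; report name, TTL, target kind, verdict.
check_answers() {
    while read -r name ttl class type target; do
        [ "$type" = "CNAME" ] || continue
        kind=$(classify_target "$target")
        case "$name" in
            _acme-challenge.*) want=validation ;;
            *)                 want=traffic ;;
        esac
        case "$kind" in
            "$want"*) status=OK ;;
            *)        status=MISMATCH ;;
        esac
        printf '%s ttl=%s %s %s\n' "${name%.}" "$ttl" "$kind" "$status"
    done
}

# Live lookup for a www hostname (needs network access and dig).
check_domain() {
    for host in "_acme-challenge.$1" "$1"; do
        dig +noall +answer "$host" CNAME
    done | check_answers
}

# Constructed sample answers; www.example.com and the token are placeholders.
SAMPLE='_acme-challenge.www.example.com. 300 IN CNAME abc123.fastly-validations.com.
www.example.com. 3600 IN CNAME dualstack.t.sni.global.fastly.net.'

printf '%s\n' "$SAMPLE" | check_answers
```

A MISMATCH on the `www` record before cutover only means the record has not been switched to Fastly yet. The TTL in each line is the longest a resolver will keep serving that answer.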
Note on using apex domains
If you want to use the apex version of your domain (without a subdomain like `www` at the start of it, like `suesmith.lol`) with Fastly, you'll need a few extra steps – clone your CDN service to edit the configuration, then activate the new version when you're ready:
- Add the apex version of your domain in both your Fastly CDN service and your TLS certificate, carrying out the necessary verification in your DNS settings
- In your DNS settings, in addition to the CNAME record for the `www` version of your site, add A records with the Fastly IP addresses from your TLS subscription – more detail in the Fastly docs
- Optional: In your Fastly service, switch on the Redirect traffic to www subdomains setting, choosing the apex version of your domain
Your DNS provider may also be able to redirect your apex domain to the `www` version.
🛟 If you get stuck and can’t get your domain to connect up, pop over to community.fastly.com and ask for help. There will almost certainly be someone who has encountered your issue before, and otherwise your post will help future developers!
Next steps
The Fastly docs have a ton of additional info on using the CDN and TLS for your site:
👀 Check out the Observability stats for your site in your Fastly account.
🍬 If you don’t have a site or host yet but want to point your domain somewhere, grab a Glitch in Bio remix from glitch.new/links and use its `.glitch.me` address as your service origin – you can easily switch it out later if you want to point your domain somewhere else!
Top comments (4)
I love how Fastly's TLS Manager succeeds domain verification then as it is requesting the subscription it changes to fails verification and does this over and over for hours when the TXT record was added to my domain once and remains there unchanged and every server around the world on dnschecker.org/ has ZERO issues resolving it but Fastly keeps saying it can't. Seems Fastly is broken and unusable. I get that the first two domains are free, but why would anyone ever want to pay for it if that doesn't even function right? Not a good look Fastly!
A follow up, after 12 hours of trying Fastly's own certificate authority, I check the Let's Encrypt checkbox and that one instantly worked, so Fastly's certificate system just doesn't work it seems.
Hi there! Apologies for the hassle, we did have an outage last week which may have affected you. I have several of my own domains working through Fastly's own certificate authority so can assure you it does work! Since you mention a TXT record which we don't touch in this guide, can I ask if the flow you followed was the one in this post or something different? Any more detail you can provide about errors you were seeing would be great. If you're comfortable sharing your domain, the Fastly TLS team would love to look into this further for you.
Yes, I followed the flow precisely. It is good Fastly offers the Let's Encrypt option as a fallback in case Fastly's certificate system isn't working, that came in handy. Everything is working now and well at that, thanks!