From f32d343260158916d74d6cb387fccb8dd9c233d3 Mon Sep 17 00:00:00 2001
From: dazzling-no-more <278675588+dazzling-no-more@users.noreply.github.com>
Date: Wed, 29 Apr 2026 17:28:49 +0400
Subject: [PATCH] docs(fronting-groups): add netlify (CloudFront) example

---
 config.fronting-groups.example.json | 9 +++++++++
 docs/fronting-groups.md             | 6 ++++--
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/config.fronting-groups.example.json b/config.fronting-groups.example.json
index 11e14f8..27b2cdc 100644
--- a/config.fronting-groups.example.json
+++ b/config.fronting-groups.example.json
@@ -37,6 +37,15 @@
         "pypi.org",
         "fastly.com"
       ]
+    },
+    {
+      "name": "netlify",
+      "ip": "35.157.26.135",
+      "sni": "letsencrypt.org",
+      "domains": [
+        "netlify.app",
+        "netlify.com"
+      ]
     }
   ]
 }
diff --git a/docs/fronting-groups.md b/docs/fronting-groups.md
index 772ee5a..ac57c23 100644
--- a/docs/fronting-groups.md
+++ b/docs/fronting-groups.md
@@ -13,7 +13,8 @@ The same trick works on any multi-tenant CDN edge that:
 2. dispatches to the right backend by inner HTTP `Host`, and
 3. presents a TLS cert whose name matches the SNI you choose.
 
-Vercel and Fastly fit the bill. Pick a benign-looking domain hosted on
+Vercel, Fastly, and AWS CloudFront (which is what Netlify-hosted sites
+sit behind) all fit the bill. Pick a benign-looking domain hosted on
 the same edge, use it as the SNI, and you can route many other domains
 on that edge through the same tunnel without burning Apps Script quota.
 
@@ -51,7 +52,8 @@ the recipe is:
 
 1. Pick the target edge (Vercel, Fastly, …).
 2. Find a neutral, never-blocked domain hosted there. Vercel: `react.dev`,
-   `nextjs.org`. Fastly: `www.python.org`, `pypi.org`.
+   `nextjs.org`. Fastly: `www.python.org`, `pypi.org`. AWS CloudFront
+   (where Netlify lives): `letsencrypt.org`, `aws.amazon.com`.
 3. Resolve that domain (`dig +short react.dev A`) — pick one IP, drop it in
    `ip`.
 4. List the domains you actually want to reach via this edge in
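Review bot: The pinned `"ip": "35.157.26.135"` in the new netlify entry appears to sit in an AWS EC2 address range rather than in CloudFront's published prefixes, so before shipping an example that users will copy verbatim I would confirm which edge actually answers there; if it is Netlify's own edge network rather than CloudFront, the CloudFront framing added to docs/fronting-groups.md (and the `aws.amazon.com` decoy suggested there, which would live on a different edge) points people at the wrong network and the SNI/domain pairing will not dispatch. A single unicast IP is also brittle for a multi-tenant edge — the address can be retired or recycled to another tenant — and nothing in the example records when it was resolved, so the only thing keeping a later owner of that address out of the tunnel is the client strictly verifying the served certificate against the `letsencrypt.org` SNI. Since strict JSON has no comments, I would state in docs/fronting-groups.md that `ip` is a point-in-time snapshot to be re-resolved (`dig +short letsencrypt.org A`) and that the tunnel must refuse a certificate that does not match `sni`. I would also check whether `"netlify.app"` is matched as a suffix, since real sites live at `<name>.netlify.app`; an exact-match rule would make the entry reach nothing.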