Architecture Overview

Watchman Tower uses Cloudflare for SaaS to provide secure, scalable custom domain hosting. This enterprise-grade infrastructure powers millions of custom domains across the web. Here’s what happens behind the scenes when you add a custom domain:
1. Domain Registration: You add your domain (e.g., status.mycompany.com) in the Watchman Tower dashboard. This creates a custom hostname in Cloudflare.
2. DNS Configuration: You create a CNAME record pointing your domain to status.watchmantower.com. Resolvers follow that CNAME to Cloudflare's edge, so requests for your domain arrive at Cloudflare.
3. SSL Provisioning: Cloudflare requests a certificate for your domain from Let's Encrypt, completes the HTTP validation on your behalf, and installs the issued certificate at its edge.
4. Traffic Routing: Once active, all requests to your custom domain are routed through Cloudflare's global network to your status page.

Cloudflare for SaaS

What is Cloudflare for SaaS?

Cloudflare for SaaS is an enterprise service that allows platforms like Watchman Tower to offer custom domains to users without requiring each user to set up their own Cloudflare account. Benefits:
  • Zero Configuration: users don't need Cloudflare accounts or complex SSL setup
  • Instant SSL: automatic certificate provisioning in minutes, not days
  • Global CDN: fast page loads from 300+ cities worldwide
  • DDoS Protection: built-in security against attacks and abuse

How Custom Hostnames Work

A custom hostname is Cloudflare’s term for your custom domain registered in their system. Here’s the lifecycle:
1. Hostname Created → pending
2. DNS Verified → pending_validation
3. SSL Certificate Issued → active
4. Traffic Routed → active
Each hostname has a status that Watchman Tower monitors and displays in your dashboard.

DNS Resolution Flow

When someone visits your custom domain, here's the complete DNS resolution flow:
1. DNS Query: the user's browser asks its resolver, "What's the IP address for status.mycompany.com?"
2. CNAME Lookup: the resolver finds your CNAME record pointing to status.watchmantower.com
3. Cloudflare Resolution: the resolver follows the CNAME to status.watchmantower.com, which resolves to Cloudflare's edge network (a Cloudflare anycast IP)
4. Edge Routing: the browser connects to that IP and presents status.mycompany.com in the TLS SNI and the Host header; Cloudflare's edge matches that name to your custom hostname and routes the request to Watchman Tower
5. Status Page Delivered: your branded status page is served over HTTPS
Visual Example:
  User Request:           https://status.mycompany.com
  DNS Query:              status.mycompany.com
  CNAME Record:           status.watchmantower.com
  Cloudflare Edge:        104.18.x.x (Cloudflare IP)
  Custom Hostname Match:  status.mycompany.com → Watchman Tower
  Status Page Response:   served over HTTPS

SSL Certificate Validation

HTTP Validation Process

Cloudflare uses HTTP validation (the ACME HTTP-01 challenge) to prove control of the domain before Let's Encrypt will issue a certificate for it.
1. Challenge Created: when you add a domain, Cloudflare requests a certificate from Let's Encrypt, which answers with a challenge containing a unique token
2. DNS Propagation: your CNAME must be correctly configured and propagated so that Let's Encrypt's request for the validation URL reaches Cloudflare
3. Validation Request: Let's Encrypt makes a plain HTTP request (port 80) to:
   http://status.mycompany.com/.well-known/acme-challenge/{token}
4. Cloudflare Response: Cloudflare serves the key authorization for that token (the token bound to Cloudflare's ACME account key), which proves control of the domain
5. Certificate Issued: Let's Encrypt issues the certificate, and Cloudflare installs it at its edge (typically within 1-5 minutes)
Important: HTTP validation requires your CNAME to be correctly configured before SSL can be issued. If DNS is incorrect, the validation request never reaches Cloudflare, validation fails, and your domain remains in pending status. If your domain publishes CAA records, they must permit letsencrypt.org to issue, or issuance fails even though the CNAME is correct.
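The exchange in steps 1-5, modelled on both sides so it can be run offline. This is an added example, not Cloudflare's or Let's Encrypt's code: the CA picks the token, the responder (Cloudflare, acting for your hostname) serves token + "." + base64url(SHA-256(JWK thumbprint of its ACME account key)) at the challenge URL (RFC 8555 section 8.1, RFC 7638), and the CA fetches and compares. The account JWK is a constructed toy value, not real key material, and the `fetch` callable stands in for the CA's HTTP request.

```python
"""ACME HTTP-01 validation, both sides, runnable offline (added example)."""
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Required public members per key type (RFC 7638 section 3.2); nothing else is hashed.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the required members, keys sorted, no whitespace."""
    canonical = json.dumps({k: jwk[k] for k in REQUIRED_MEMBERS[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The exact body that must be served at the challenge URL (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


# --- CA side (Let's Encrypt) ------------------------------------------------
def new_challenge(hostname: str) -> dict:
    """The CA picks the token, so a stale or attacker-chosen page cannot satisfy a new challenge."""
    token = b64url(secrets.token_bytes(32))
    return {"type": "http-01", "token": token,
            "url": f"http://{hostname}/.well-known/acme-challenge/{token}"}


def ca_validate(challenge: dict, account_jwk: dict, fetch) -> bool:
    """fetch(url) returns the response body, or None when the request failed
    (for example because the hostname's DNS does not lead to the responder)."""
    body = fetch(challenge["url"])
    if body is None:
        return False
    expected = key_authorization(challenge["token"], account_jwk)
    # Bind the answer to the key that placed the order: someone who can answer on
    # port 80 but does not hold that account key produces a different thumbprint.
    return secrets.compare_digest(body.strip(), expected)


# --- Responder side (what Cloudflare's edge does for your hostname) ----------
class ChallengeResponder:
    def __init__(self, account_jwk: dict):
        self.account_jwk = account_jwk
        self.pending = {}  # token -> key authorization currently served

    def provision(self, challenge: dict) -> None:
        self.pending[challenge["token"]] = key_authorization(challenge["token"], self.account_jwk)

    def handle(self, url: str):
        """Serve GET /.well-known/acme-challenge/<token>; None models a 404."""
        return self.pending.get(url.rsplit("/", 1)[-1])


# Constructed toy account key: the member values are placeholders, not key material.
TOY_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "toy-modulus-not-a-real-key"}


def run_exchange(hostname: str = "status.mycompany.com") -> tuple:
    """Outcomes for one challenge: (correct setup, CNAME broken, impostor answering)."""
    challenge = new_challenge(hostname)
    cloudflare = ChallengeResponder(TOY_ACCOUNT_JWK)
    cloudflare.provision(challenge)
    valid_setup = ca_validate(challenge, TOY_ACCOUNT_JWK, cloudflare.handle)
    # Wrong CNAME: the CA's request never reaches Cloudflare, so nothing answers.
    dns_broken = ca_validate(challenge, TOY_ACCOUNT_JWK, lambda url: None)
    # Impostor: answers on port 80 with its own account key; the thumbprint does not match.
    impostor = ChallengeResponder({"kty": "RSA", "e": "AQAB", "n": "someone-elses-key"})
    impostor.provision(challenge)
    impostor_ok = ca_validate(challenge, TOY_ACCOUNT_JWK, impostor.handle)
    return valid_setup, dns_broken, impostor_ok


if __name__ == "__main__":
    print(run_exchange())  # (True, False, False)
```

The second outcome is the failure mode the "Important" note describes: nothing that Cloudflare does can fix a request that never reaches it. A real CA also validates from several vantage points and follows redirects, and the real ACME client signs its challenge-response request with the same account key, which this model leaves out.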

Certificate Details

  • Issued by: Let's Encrypt (via Cloudflare)
  • Type: Domain Validated (DV)
  • Validity: 90 days
  • Renewal: Automatic (happens ~30 days before expiration)
  • Encryption: TLS 1.2+ with modern cipher suites
You never have to manually renew or manage certificates; Cloudflare handles everything automatically.

Status Transitions

Understanding hostname statuses helps you track setup progress:
Status              What It Means                                  Next Step
pending             Domain added, waiting for DNS configuration    Create CNAME record
pending_validation  DNS verified, SSL validation in progress       Wait 1-5 minutes
active              SSL issued, domain fully operational           ✅ Ready to use
failed              Validation failed due to DNS error             Check CNAME configuration
Watchman Tower normalizes these statuses for clarity:
  • active → Working
  • pending → SSL Being Issued
  • failed → Configuration Error

Traffic Flow (Active Domain)

Once your domain is active, here’s how traffic flows:
User Browser

HTTPS Request: https://status.mycompany.com

Cloudflare Edge (nearest to user)
     ├─ SSL Termination
     ├─ DDoS Protection
     ├─ Firewall Rules
     └─ Cache Check

Watchman Tower Origin
     └─ Generates Status Page

Cloudflare Edge
     ├─ Applies Response Headers
     └─ Caches Static Assets

User Browser (HTTPS Response)
Performance Benefits:
  • Cached Assets: Static files served from edge without hitting origin
  • Low Latency: User connects to nearest Cloudflare location
  • HTTP/2 & HTTP/3: Modern protocols for faster page loads
  • Always Online: Cloudflare serves cached version if origin is unreachable

CNAME Flattening

Some DNS providers (Cloudflare among them) offer CNAME flattening, which lets a CNAME-style record work at the root (apex) of a domain. However:
Even where CNAME flattening is available, Watchman Tower requires you to use a subdomain, not the root domain. This is because:
  1. A plain CNAME on a subdomain behaves identically across all DNS providers
  2. A CNAME at the zone apex is not allowed by the DNS RFCs (RFC 1034): a CNAME cannot coexist with other records at the same name, and the apex must carry SOA and NS records, so an apex CNAME would also displace your MX and TXT records
  3. Cloudflare for SaaS expects subdomain hostnames for optimal routing
Always use status.yourdomain.com, not yourdomain.com.

Why Not Use A Records?

You might wonder: "Can I use an A record instead of CNAME?" Short answer: No. Why:
  • Cloudflare's edge IP addresses are not guaranteed to stay the same; they can change for load balancing and DDoS mitigation
  • A CNAME follows those changes automatically, because the address is looked up through status.watchmantower.com at query time
  • An A record pins a fixed IP and will break when Cloudflare changes it
  • Cloudflare for SaaS identifies your hostname at the edge by the name the browser presents (TLS SNI and the Host header), and the CNAME to status.watchmantower.com is the supported way to bring that traffic onto Cloudflare's edge for this service
Always use CNAME records as specified. A records or other DNS record types will not work with Watchman Tower custom domains.

Cloudflare Proxy Status

If you’re using Cloudflare as your DNS provider, you’ll see a cloud icon next to each DNS record:
  • Gray Cloud (DNS only) ✅ - Required for custom domains
  • Orange Cloud (Proxied) ❌ - Will break custom domain setup

Why DNS Only?

When the Cloudflare proxy is enabled (orange cloud) on the CNAME, requests are terminated by your own Cloudflare zone, which serves its own certificate and then forwards to status.watchmantower.com, instead of reaching the custom hostname that Cloudflare for SaaS expects to match directly. Result: SSL errors, connection failures, or endless redirects. Solution: set the CNAME to DNS only (gray cloud).
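The DNS rules spread across DNS Configuration, DNS Resolution Flow, CNAME Flattening, Why Not Use A Records? and Cloudflare Proxy Status, collected into one pre-flight check. This is an added example, not Watchman Tower's or Cloudflare's tooling. It parses the answer lines that `dig +noall +answer <name> <type>` prints, verifies that the hostname is a subdomain (not the zone apex) carrying exactly one CNAME to status.watchmantower.com with no A/AAAA records in its place, and follows the CNAME chain to confirm it ends on a Cloudflare edge address. A name that answers with Cloudflare addresses and no CNAME at all is the signature of a proxied (orange cloud) record in your own Cloudflare zone, so the script reports that case separately. The dig output and addresses are constructed; the Cloudflare ranges are a subset of the published list.

```python
"""Pre-flight check for a Watchman Tower custom-domain CNAME (added example)."""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass

EXPECTED_TARGET = "status.watchmantower.com"

# Subset of Cloudflare's published ranges (https://www.cloudflare.com/ips);
# load the full, current list in real use.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15", "198.41.128.0/17",
    "2606:4700::/32", "2a06:98c0::/29")]


@dataclass(frozen=True)
class DnsRecord:
    name: str   # owner name, lower-case, no trailing dot
    rtype: str  # A, AAAA, CNAME, ...
    data: str   # rdata as dig prints it


_DIG_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.+)$")


def norm(name: str) -> str:
    """Canonical form for comparing DNS names: lower-case, no trailing dot."""
    return name.rstrip(".").lower()


def parse_dig_answer(text: str) -> list[DnsRecord]:
    """Parse lines like 'status.mycompany.com. 300 IN CNAME status.watchmantower.com.'"""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # blank lines and dig comments
            continue
        m = _DIG_LINE.match(line)
        if m:
            records.append(DnsRecord(norm(m.group(1)), m.group(2).upper(), m.group(3).strip()))
    return records


def is_cloudflare(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in CLOUDFLARE_NETS)   # version mismatch is simply False


def resolve_chain(name: str, records: list[DnsRecord], limit: int = 8) -> list[str]:
    """Follow CNAMEs from `name` through the parsed records; return the final A/AAAA addresses."""
    here = norm(name)
    for _ in range(limit):
        cname = next((r for r in records if r.name == here and r.rtype == "CNAME"), None)
        if cname is None:
            return [r.data for r in records if r.name == here and r.rtype in ("A", "AAAA")]
        here = norm(cname.data)
    return []   # loop or over-long chain: treat as unresolved


def check_custom_domain(hostname: str, zone: str, records: list[DnsRecord]) -> list[str]:
    """Return the problems found; an empty list means the records match this page's requirements."""
    problems = []
    host, zone = norm(hostname), norm(zone)
    if host == zone or not host.endswith("." + zone):
        problems.append(f"{host} is the zone apex or outside {zone}; use a subdomain such as status.{zone}")
    own = [r for r in records if r.name == host]
    cnames = [r for r in own if r.rtype == "CNAME"]
    addrs = [r.data for r in own if r.rtype in ("A", "AAAA")]
    if not cnames:
        if addrs and all(is_cloudflare(a) for a in addrs):
            problems.append(f"{host} resolves straight to Cloudflare addresses with no CNAME; if the record "
                            "is in your own Cloudflare zone it is proxied (orange cloud): set it to DNS only")
        elif addrs:
            problems.append(f"{host} has A/AAAA records instead of a CNAME; replace them with CNAME {EXPECTED_TARGET}")
        else:
            problems.append(f"no CNAME record found for {host}; create one pointing to {EXPECTED_TARGET}")
        return problems
    if len(cnames) > 1:
        problems.append(f"{host} has {len(cnames)} CNAME records; a name may carry only one")
    if addrs:
        problems.append(f"{host} has A/AAAA records next to its CNAME; a CNAME must be the only record at its name (RFC 1034)")
    target = norm(cnames[0].data)
    if target != EXPECTED_TARGET:
        problems.append(f"CNAME points to {target}, expected {EXPECTED_TARGET}")
    final = resolve_chain(host, records)
    if final and not all(is_cloudflare(a) for a in final):
        problems.append(f"CNAME chain ends on non-Cloudflare address(es) {', '.join(final)}; "
                        "the target should resolve to Cloudflare's edge")
    return problems


# Constructed dig output: a correct setup, an apex A record, and a record proxied
# through the owner's own Cloudflare zone (addresses are made up for the example).
GOOD_DIG = """\
status.mycompany.com.      300  IN  CNAME  status.watchmantower.com.
status.watchmantower.com.  300  IN  A      104.18.0.10
status.watchmantower.com.  300  IN  A      104.18.1.10
"""
APEX_A_DIG = "mycompany.com.  300  IN  A  203.0.113.7\n"
PROXIED_DIG = """\
status.mycompany.com.      300  IN  A  104.18.5.20
status.mycompany.com.      300  IN  A  104.18.6.20
"""

if __name__ == "__main__":
    for host, text in (("status.mycompany.com", GOOD_DIG), ("mycompany.com", APEX_A_DIG),
                       ("status.mycompany.com", PROXIED_DIG)):
        print(host, check_custom_domain(host, "mycompany.com", parse_dig_answer(text)) or "OK")
```

To run it against a real zone, concatenate the output of `dig +noall +answer status.mycompany.com CNAME` and `dig +noall +answer status.watchmantower.com A` and pass the text to `parse_dig_answer`; query a public resolver rather than your own authoritative server so you see what Let's Encrypt and visitors will see after propagation.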

Security Features

Custom domains inherit Cloudflare's enterprise security:
  • Attack mitigation: automatic mitigation of Layer 3, 4, and 7 attacks without configuration
  • Exploit protection: protection against common web exploits and OWASP Top 10 vulnerabilities
  • Abuse prevention: prevents abuse and ensures fair usage across all status pages
  • Protocol policy: only modern, secure protocols allowed; no legacy SSL or TLS 1.0/1.1
  • Security headers: security best practices applied automatically in HTTP response headers

System Architecture

Here’s how Watchman Tower integrates with Cloudflare:
┌─────────────────────┐
│  Watchman Tower     │
│  Dashboard          │
└──────────┬──────────┘

           │ API Request

┌─────────────────────┐
│  Watchman Tower     │
│  Backend API        │
└──────────┬──────────┘

           │ Create Custom Hostname

┌─────────────────────┐
│  Cloudflare API     │
│  (SaaS Provider)    │
└──────────┬──────────┘

           │ Hostname Registered

┌─────────────────────┐
│  Let's Encrypt      │
│  (SSL Authority)    │
└──────────┬──────────┘

           │ Certificate Issued

┌─────────────────────┐
│  Cloudflare Edge    │
│  (300+ Locations)   │
└──────────┬──────────┘

           │ Status Page Delivered

    [User Browser]

API Integration

Watchman Tower monitors your custom domain status continuously:
  • Polling Interval: Every 60 seconds
  • Status Updates: Reflected in the dashboard at the next poll
  • Notifications: Optional email alerts on status changes
  • Automatic Retries: Failed validations retried automatically
You don’t need to manually check Cloudflare—Watchman Tower handles all monitoring and updates your dashboard status badge automatically.

What Happens During Deletion

When you delete a custom domain:
1. Hostname Removed: the Cloudflare custom hostname is deleted from their system
2. SSL Certificate Revoked: the SSL certificate for your domain is revoked (no longer valid)
3. Traffic Stops: your domain no longer routes to Watchman Tower
4. DNS Cleanup: you should remove the CNAME record from your DNS. This is optional but strongly recommended: a CNAME left pointing at a service you no longer use is a dangling record, and dangling records are how subdomain takeovers happen if the target name can later be claimed by someone else
Note: Deletion is immediate and cannot be undone. You can re-add the same domain later if needed.

Next Steps