multi-tenant-architecture
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseMulti-Tenant Platform Architecture (Cloudflare · Vercel)
多租户平台架构(Cloudflare · Vercel)
Workflow (order matters)
工作流程(顺序至关重要)
- Choose platform
- Cloudflare: Workers for Platforms + dispatch namespaces for per-tenant code isolation; best when tenants run untrusted code or you need edge-first compute with D1/KV/DO primitives.
- Vercel: Next.js App Router + Middleware for shared-app multi-tenancy; best when tenants share one codebase and you need ISR, React Server Components, and managed deployment.
- Pick one; do not mix hosting. The remaining steps apply to both with platform-specific guidance in reference files.
- After choosing, load only the references for that platform unless you are explicitly comparing Cloudflare vs Vercel.
- Choose domain strategy
- Use a dedicated tenant domain (separate from the brand domain) for all subdomains/custom hostnames. Reputation does not isolate; a phishing site on damages the whole domain.
random.acme.com - Register a separate TLD for tenant workloads (e.g. for tenants,
acme.appfor brand).acme.com - Consider PSL for browser cookie isolation; it does not protect reputation. See psl.md.
- Start PSL submission early; review can take weeks.
- Choose tenant identification strategy
- Subdomain-based: . Requires wildcard DNS. Simplest for many tenants.
tenant.yourdomain.com - Custom domain: Tenant brings own domain, CNAMEs to your platform. Best for serious/paying tenants.
- Path-based: . No DNS/SSL per tenant, but limits branding and complicates cookie isolation.
yourdomain.com/tenant-slug - Pick one primary strategy; offer custom domain as an upgrade path.
- Define isolation model
- Cloudflare: Prefer per-tenant Workers for untrusted code (Workers for Platforms dispatch namespaces). Avoid shared-tenant branching unless you fully control code and data.
- Vercel: Single shared Next.js app with scoping. Middleware resolves tenant from hostname; all data queries include tenant context. Use Postgres RLS for defence-in-depth.
tenant_id
- Route traffic deterministically
- Cloudflare: Platform Worker owns routing; hostname -> tenant id -> dispatch namespace -> tenant Worker. 404 when no mapping exists.
- Vercel: Next.js Middleware extracts hostname, rewrites URL to dynamic segment. Edge Config for sub-millisecond tenant lookups. 404 when no mapping exists.
/domains/[domain] - Tenants never control routing or see each other on either platform.
- Pass tenant context through the stack
- Cloudflare: Platform Worker resolves tenant and injects headers or bindings before dispatching to tenant Worker.
- Vercel: Middleware sets ,
x-tenant-id,x-tenant-slugon forwarded request headers. Server Components read viax-tenant-plan; API routes read from request headers.headers() - Middleware/platform Worker is the single authority; never trust client-supplied tenant identity.
- Bind only what is needed
- Cloudflare: Least-privilege bindings per tenant (DB/storage/limited platform API), no shared global state. Treat new bindings as explicit changes; redeploy to grant access.
- Vercel: Edge Config for tenant config (domain mappings, feature flags, plan info). Vercel SDK () for domain management. Database connection scoped by
@vercel/sdkor database-per-tenant (Neon).tenant_id
- Support custom domains
- Provide DNS target, verify ownership, store mapping, and route by hostname.
- Cloudflare: Cloudflare for SaaS custom hostnames + managed certs. See cloudflare-platform.md.
- Vercel: Vercel Domains API via for programmatic domain CRUD + automatic Let's Encrypt SSL. Wildcard subdomains require Vercel nameservers. See vercel-domains.md.
@vercel/sdk - Custom domains shift reputation to the tenant and create natural user segments (casual on platform domain, serious on own domain).
- Serve per-tenant static files
- ,
robots.txt,sitemap.xmlmust vary by tenant; do not serve fromllms.txt./public - Cloudflare: Generate per-tenant responses in the tenant Worker.
- Vercel: Use route handlers per domain segment. See vercel-platform.md.
- Surface limits as plans
- Map platform limits to pricing tiers; expose in API + UI.
- Do not run long jobs in requests; use queues/workflows.
- See limits-and-quotas.md for limits snapshots and source links.
- Re-check limits in official docs before final architecture or pricing decisions.
- Make the API the product
- Everything works over HTTP; UI is for ops/incident/billing.
- Platform logic stays in the routing layer (dispatch Worker or Middleware); tenant content serves requests.
- If it only works in the UI, the platform is leaking.
- Extend without breaking boundaries
- Add queues/workflows/containers as optional modes.
- Keep routing explicit and isolation intact.
- 选择平台
- Cloudflare:使用Workers for Platforms + 调度命名空间(dispatch namespaces)实现租户级代码隔离;最适合租户运行不可信代码,或需要基于边缘的计算并使用D1/KV/DO原语的场景。
- Vercel:采用Next.js App Router + Middleware实现共享应用多租户模式;最适合租户共享单一代码库,且需要ISR、React Server Components和托管部署的场景。
- 二选一,不要混合托管。后续步骤适用于两者,参考文件中会提供平台特定的指导。
- 选定平台后,仅加载该平台的参考文件,除非你明确要对比Cloudflare和Vercel。
- 选择域名策略
- 为所有子域名/自定义主机名使用独立的租户域名(与品牌域名分离)。域名信誉无法隔离;上的钓鱼网站会损害整个域名的信誉。
random.acme.com - 为租户工作负载注册独立的顶级域名(TLD),例如用于租户,
acme.app用于品牌官网。acme.com - 考虑使用公共后缀列表(PSL)实现浏览器Cookie隔离,但它无法保护域名信誉。详见psl.md。
- 尽早提交PSL申请;审核可能需要数周时间。
- 选择租户识别策略
- 基于子域名:。通配符DNS是必需的。适用于大量租户的最简单方案。
tenant.yourdomain.com - 自定义域名:租户自带域名,通过CNAME指向你的平台。最适合付费/核心租户。
- 基于路径:。无需为每个租户配置DNS/SSL,但会限制品牌化并增加Cookie隔离的复杂度。
yourdomain.com/tenant-slug - 选择一种主要策略,将自定义域名作为升级选项提供。
- 定义隔离模型
- Cloudflare:对于不可信代码,优先使用租户级Workers(Workers for Platforms调度命名空间)。除非你完全控制代码和数据,否则避免共享租户分支。
- Vercel:单一共享Next.js应用,通过进行范围限定。Middleware从主机名解析租户信息;所有数据查询都包含租户上下文。使用Postgres RLS(行级安全)实现纵深防御。
tenant_id
- 确定性路由流量
- Cloudflare:平台Worker负责路由;主机名 -> 租户ID -> 调度命名空间 -> 租户Worker。无映射时返回404。
- Vercel:Next.js Middleware提取主机名,将URL重写为动态路径段。使用Edge Config实现亚毫秒级租户查询。无映射时返回404。
/domains/[domain] - 在两个平台上,租户都无法控制路由,也无法看到其他租户的存在。
- 在技术栈中传递租户上下文
- Cloudflare:平台Worker解析租户信息,在调度到租户Worker之前注入请求头或绑定信息。
- Vercel:Middleware在转发请求头中设置、
x-tenant-id、x-tenant-slug。服务端组件通过x-tenant-plan读取;API路由从请求头读取。headers() - 仅信任Middleware/平台Worker作为租户身份的唯一权威;绝不信任客户端提供的租户身份。
- 仅绑定必要资源
- Cloudflare:为每个租户配置最小权限绑定(数据库/存储/受限平台API),无共享全局状态。将新绑定视为显式变更;需重新部署以授予访问权限。
- Vercel:使用Edge Config存储租户配置(域名映射、功能标志、方案信息)。使用Vercel SDK()进行域名管理。数据库连接通过
@vercel/sdk进行范围限定,或为每个租户单独配置数据库(如Neon)。tenant_id
- 支持自定义域名
- 提供DNS目标、验证所有权、存储映射关系,并按主机名路由。
- Cloudflare:使用Cloudflare for SaaS自定义主机名 + 托管证书。详见cloudflare-platform.md。
- Vercel:通过调用Vercel Domains API实现程序化域名增删改查 + 自动Let's Encrypt SSL。通配符子域名需要使用Vercel域名服务器。详见vercel-domains.md。
@vercel/sdk - 自定义域名将信誉风险转移给租户,并自然划分用户群体(普通租户使用平台域名,核心租户使用自有域名)。
- 提供租户级静态文件
- 、
robots.txt、sitemap.xml必须按租户动态生成;不要从llms.txt目录直接提供。/public - Cloudflare:在租户Worker中生成租户专属响应。
- Vercel:按域名路径段使用路由处理器。详见vercel-platform.md。
- 将限制与方案关联
- 将平台限制映射到定价层级;在API和UI中同步展示。
- 不要在请求中运行长时间任务;使用队列/工作流处理。
- 详见limits-and-quotas.md中的限制快照和官方链接。
- 在最终确定架构或定价决策前,务必重新核对官方文档中的限制信息。
- 以API为核心构建产品
- 所有功能均通过HTTP API实现;UI仅用于运维/事件处理/计费管理。
- 平台逻辑保留在路由层(调度Worker或Middleware);租户内容负责处理请求。
- 如果某项功能仅能在UI中使用,说明平台设计存在疏漏。
- 扩展时不打破边界
- 可添加队列/工作流/容器作为可选模式。
- 保持路由规则明确,隔离机制完整。
Deliverables
交付物
- Platform choice rationale: Cloudflare vs Vercel with justification
- Tenant identification strategy: subdomain, custom domain, or path-based
- Domain map: brand vs tenant domain, PSL plan, custom domain flow
- Isolation plan: per-tenant Workers or shared-app with tenant scoping
- Routing plan: hostname lookup, dispatch/rewrite logic, fallback behavior
- Tenant context flow: how tenant identity propagates through middleware/headers/DB
- Binding/config matrix: per-tenant capabilities and data access
- Limits-to-pricing map: CPU/memory/request/domain budgets per tier
- API surface + ops UI scope
- 平台选择依据:Cloudflare与Vercel的对比及选型理由
- 租户识别策略:子域名、自定义域名或基于路径的方案
- 域名映射:品牌域名与租户域名的区分、PSL方案、自定义域名流程
- 隔离方案:租户级Workers(Cloudflare)或共享应用+RLS(Vercel)
- 路由方案:主机名查询、调度/重写逻辑、 fallback行为
- 租户上下文流转:租户身份如何通过Middleware/请求头/数据库传递
- 绑定/配置矩阵:租户级能力与数据访问权限
- 限制与定价映射:各层级的CPU/内存/请求/域名配额
- API接口范围 + 运维UI功能边界
References to load
需加载的参考文件
- Always load PSL submission and cookie isolation guidance: psl.md
- If platform is Cloudflare, load platform primitives and routing: cloudflare-platform.md
- If platform is Vercel, load platform primitives and routing: vercel-platform.md
- If platform is Vercel, load domain management and SSL: vercel-domains.md
- Load platform limits and plan mapping last: limits-and-quotas.md
- 始终加载PSL提交与Cookie隔离指导:psl.md
- 若选择Cloudflare平台,加载平台原语与路由规则:cloudflare-platform.md
- 若选择Vercel平台,加载平台原语与路由规则:vercel-platform.md
- 若选择Vercel平台,加载域名管理与SSL配置:vercel-domains.md
- 最后加载平台限制与方案映射:limits-and-quotas.md
Pre-commit checklist
提交前检查清单
- Platform chosen with clear rationale documented
- Tenant workloads off the brand domain; PSL decision + timeline set
- Tenant identification strategy chosen; custom domain upgrade path defined
- Isolation model defined: per-tenant Workers (Cloudflare) or shared-app + RLS (Vercel)
- Routing authoritative and tenant-blind; dispatch or middleware handles all traffic
- Tenant context flows through middleware/platform Worker only; no client-supplied identity trusted
- Custom domain onboarding defined with DNS target, verification, and cert provisioning
- Per-tenant static files (robots.txt, sitemap.xml) served dynamically
- Limits tied to billing; API parity with UI
- Limits snapshot refreshed from official docs and dated in planning notes
- 已选择平台并记录明确的选型理由
- 租户工作负载已与品牌域名分离;已确定PSL决策及时间线
- 已选择租户识别策略;已定义自定义域名升级路径
- 已定义隔离模型:租户级Workers(Cloudflare)或共享应用+RLS(Vercel)
- 路由规则权威且对租户透明;所有流量由调度器或Middleware处理
- 租户上下文仅通过Middleware/平台Worker流转;绝不信任客户端提供的身份信息
- 已定义自定义域名入驻流程,包括DNS目标、验证和证书颁发
- 租户级静态文件(robots.txt、sitemap.xml)已实现动态提供
- 限制规则与计费绑定;API与UI功能保持一致
- 已从官方文档刷新限制快照,并在规划笔记中标记日期