Our SaaS is in AWS, with a load balancer whose DNS changes in relation to the availability zone, so it works perfectly for CNAMEs, but not for A records (IP).
Is there a service out there that massively redirects naked domains to their www version, and handles TLS certificates, too?
We have no problem with domains with NS in AWS or Cloudflare, of course, due to their ability to set a naked domain to a DNS, but many of our customers do not have their NS there.
Or is there some proxy that automatically handles it (and automatically creates and renews TLS certificates)? We know HAProxy, but certificates need a restart of it. Traefik could work, too, but the free version has limitations on certificate storage.
The request is for a (reliable/redundant/HA) service that provides an IP to which our customers will set their naked domain (A record); then any web HTTP or HTTPS call to that domain will be redirected to the www version of that domain.
1. Major services use CNAMEs or otherwise 'special' DNS records for the APEX record. But sometimes they offer the ability to just add IPs to an A record, like Cloudflare does.
2. You may need to add domain verification and/or SSL verification TXT records, which means more interactions with your clients. Azure Front Door even requires renewal of the APEX TXT record for SSL cert renewal (but not subdomains). Looks like ACM does the same (https://docs.aws.amazon.com/acm/latest/userguide/renew-publi...), but I haven't used it.
At least for Azure and AWS, I think you're going to run into some frustrations over time if you don't control the DNS zone. Based on the docs, Cloudflare Universal SSL may be different, if you can pair it with one of their gateway products.
Or you can wait for RFC 9460.
Nginx example: https://stackoverflow.com/a/11733363
I might be misunderstanding you; something about the way you wrote your question is really hard to follow.
In AWS you could front with a load balancer with ACM certificates and then send that traffic to an nginx proxy fleet where you can do whatever you need to do. You could even put AWS Global Accelerator in front of those AWS load balancers if you want to be able to give your customers just a couple of IP addresses globally.