Using Cloudflare CDN

Cloudflare can be used as a Content Delivery Network in front of your Platform.sh project

Requirements

  • An up-and-running Platform.sh project
  • Cloudflare CDN subscription

Set up your Cloudflare CDN

On the Cloudflare side: refer to Cloudflare's official documentation on how to get started

  • Decide on the custom domain that will be used to access your project with Cloudflare in front of it
  • In Cloudflare, point the custom domain at your project's target URL with a CNAME record
    • Find your project's target URL value
      • Via the Web Console
        • Navigate to your project
        • Click Settings
        • Under Project settings, click Domains
      • Via the CLI
        • platform environment:info edge_hostname
  • Add the domain to Platform.sh
    • Via the Web Console
      • Navigate to your project
      • Click Settings
      • Under Project settings, click Domains
      • Click the "Add" button
    • Via the CLI
      • platform domain:add YOUR_DOMAIN
  • Visit the custom domain in your browser to verify that it is all set up correctly. If the record is proxied through Cloudflare, a public DNS lookup of the domain returns Cloudflare's IP addresses rather than the CNAME target; that is expected.

Handling apex domains

A CNAME record can't be placed at the apex of a zone, because it can't coexist with the SOA and NS records that live there. To work around this, Cloudflare offers CNAME flattening: you enter a CNAME at the apex and Cloudflare answers queries with the resolved A/AAAA records instead.

Tips

Avoid double caching

Cloudflare and the Platform.sh router each have their own HTTP cache. Stacking the two means a purge in one layer never reaches the other, which leaves stale content that can't be cleared. Use one cache or the other, not both.

For routes where Cloudflare is used, disable the Platform.sh router's HTTP cache using the following configuration:

.platform/routes.yaml
https://{default}/:
    type: upstream
    ...
    cache:
        enabled: false
 

Ownership verification

To allow Let's Encrypt TLS certificate provisioning to work for your domain, ensure that

If you don't follow those requirements, you get an error message similar to:

  W: Failed to verify the challenge at the gateway for the domain 'www.example.com'
  E: Error validating domain www.example.com: Couldn't complete challenge [HTTP01: The client lacks sufficient authorization]

The challenge type named in the error is HTTP-01: Let's Encrypt fetches http://www.example.com/.well-known/acme-challenge/<token>, so that path must reach the Platform.sh router through Cloudflare without being blocked or served from a cache.


Protect your site from on-path attacks

An on-path attack occurs when an attacker intercepts or modifies the communication between a client and a server. This can lead to sensitive data leaks. To prevent such attacks, make sure all communication with your site is encrypted through HTTPS and can't be downgraded to HTTP.

To do so, set Cloudflare's SSL/TLS encryption mode to Full (strict). Communication between a client and Cloudflare, and between Cloudflare and your Platform.sh server, is then encrypted through HTTPS on both hops. In addition, Cloudflare checks that your Platform.sh server's TLS certificate was issued by a trusted certificate authority and matches the hostname, so Cloudflare is confirmed to be talking to your Platform.sh server and not to an impostor in the path. The weaker modes (Flexible, or Full without strict) leave the Cloudflare-to-origin hop unencrypted or unauthenticated, which is exactly the gap an on-path attacker needs.

For enhanced security, make sure your HTTPS connections can't be downgraded to HTTP. To do so, in your Cloudflare account, enable HTTP Strict Transport Security (HSTS). Once a browser has seen the Strict-Transport-Security header over HTTPS, it refuses plain HTTP to the domain for the max-age period, so enable it only after HTTPS already works for every hostname the policy covers.
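The following script is an added example written for this article; it is not part of the original page and not Platform.sh or Cloudflare tooling. It checks a site's response headers for the two problems described above: double caching (the "Avoid double caching" tip) and HTTPS that is not pinned by HSTS. It assumes the header names CF-Cache-Status (Cloudflare's cache result) and X-Platform-Cache (the Platform.sh router's cache result, HIT, MISS or BYPASS), and the sample responses inside it are constructed, not captured from a real site.

```shell
#!/bin/sh
# Added example, not from the Platform.sh page or Platform.sh's own tooling.
# Inspects HTTP response headers from a Cloudflare-fronted Platform.sh site for
# double caching (both Cloudflare and the Platform.sh router caching the same
# route) and for a missing HSTS policy.
# Assumed header names: CF-Cache-Status (Cloudflare) and X-Platform-Cache
# (Platform.sh router: HIT, MISS or BYPASS).

# header_value HEADERS NAME -> prints NAME's value (case-insensitive), empty if absent
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v name="$2" '
        BEGIN { name = tolower(name) }
        {
            i = index($0, ":")
            if (i > 0 && tolower(substr($0, 1, i - 1)) == name) {
                v = substr($0, i + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v
                exit
            }
        }'
}

# check_double_cache HEADERS -> 0 if at most one layer caches the response, 1 if both do.
# Cloudflare reports HIT/MISS/EXPIRED/STALE/REVALIDATED/UPDATING when it caches a URL;
# DYNAMIC, BYPASS or no header means it does not. The Platform.sh router reports
# HIT or MISS while its cache is enabled for the route and BYPASS when disabled.
check_double_cache() {
    cf=$(header_value "$1" CF-Cache-Status | tr 'a-z' 'A-Z')
    psh=$(header_value "$1" X-Platform-Cache | tr 'a-z' 'A-Z')
    cf_caching=0; psh_caching=0
    case "$cf" in HIT|MISS|EXPIRED|STALE|REVALIDATED|UPDATING) cf_caching=1 ;; esac
    case "$psh" in HIT|MISS) psh_caching=1 ;; esac
    if [ "$cf_caching" = 1 ] && [ "$psh_caching" = 1 ]; then
        echo "double caching: CF-Cache-Status=$cf, X-Platform-Cache=$psh"
        return 1
    fi
    echo "cache layering ok: CF-Cache-Status=${cf:-none}, X-Platform-Cache=${psh:-none}"
    return 0
}

# check_hsts HEADERS -> 0 if a Strict-Transport-Security header with a non-zero
# max-age is present, 1 otherwise (max-age=0 tells browsers to forget the policy).
check_hsts() {
    sts=$(header_value "$1" Strict-Transport-Security)
    case "$sts" in
        *max-age=[1-9]*) echo "HSTS ok: $sts"; return 0 ;;
    esac
    echo "HSTS missing or disabled: '${sts:-no header}'"
    return 1
}

# check_live URL -> GET the URL, keep only the headers, run both checks (needs curl and network).
# A GET rather than HEAD is used because caches may treat HEAD differently.
check_live() {
    h=$(curl -sS -o /dev/null -D - "$1") || return 2
    check_double_cache "$h"; a=$?
    check_hsts "$h"; b=$?
    return $((a + b))
}

# Constructed sample responses (not captured from a real site).
# Both layers cache the route and there is no HSTS: the situation the tips warn about.
DOUBLE_CACHED='HTTP/2 200
content-type: text/html; charset=UTF-8
x-platform-cache: HIT
cf-cache-status: HIT
server: cloudflare'

# The same route after cache.enabled: false in routes.yaml and HSTS enabled in Cloudflare.
HARDENED='HTTP/2 200
content-type: text/html; charset=UTF-8
x-platform-cache: BYPASS
cf-cache-status: HIT
strict-transport-security: max-age=31536000; includeSubDomains
server: cloudflare'

echo "--- double-cached, no HSTS ---"
check_double_cache "$DOUBLE_CACHED" || echo "  -> set cache.enabled: false on this route in .platform/routes.yaml"
check_hsts "$DOUBLE_CACHED" || echo "  -> enable HSTS in Cloudflare once HTTPS works for every covered hostname"
echo "--- hardened ---"
check_double_cache "$HARDENED"
check_hsts "$HARDENED"
# Against a live site: check_live https://www.example.com/
```

Run it against a real deployment with check_live; a non-zero exit from check_double_cache means the route still has the Platform.sh router cache enabled behind Cloudflare, and a non-zero exit from check_hsts means the HSTS setting has not taken effect on that hostname yet.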

Further references
