Cloudflare can be used as a Content Delivery Network (CDN) in front of your Platform.sh project.
Requirements
- An up-and-running Platform.sh project
- A Cloudflare CDN subscription
Set up your Cloudflare CDN
On the Cloudflare side, refer to the Cloudflare official documentation on how to get started.
- Decide on the custom domain that will be used to access your project with Cloudflare in front of it.
- In Cloudflare, have the custom domain point to your project's target URL with a CNAME record. To find your project's target URL value:
  - Via the Web Console:
    - Navigate to your project
    - Click Settings
    - Under Project settings, click Domains
  - Via the CLI:
    platform environment:info edge_hostname
- Add the domain to Platform.sh:
  - Via the Web Console:
    - Navigate to your project
    - Click Settings
    - Under Project settings, click Domains
    - Click the "Add" button
  - Via the CLI:
    platform domain:add YOUR_DOMAIN
- Visit the custom domain in your browser to verify that it is all set up correctly.
Handling apex domains
Since a CNAME record can't be set on an apex domain (such as example.com, as opposed to www.example.com), Cloudflare offers CNAME flattening, which answers queries for the apex with the A/AAAA records of the CNAME target.
Tips
Avoid double-caching
To avoid stale content that can't be cleared, don't cache the same responses both at Cloudflare and in the Platform.sh router's HTTP cache.
For routes where Cloudflare is used, disable the Platform.sh HTTP cache using the following configuration:
.platform/routes.yaml
```yaml
https://{default}/:
    type: upstream
    ...
    cache:
        enabled: false
```
Ownership verification
To let Platform.sh's Let's Encrypt TLS certificate provisioning work for your domain, ensure that:
- The domains point to your CDN
- The _acme-challenge. subdomain, as in _acme-challenge.example.com, points to your CDN
- The /.well-known/ route, as in https://www.example.com/.well-known/, is accessible with no redirects
If you don't follow those requirements, you get an error message similar to:
W: Failed to verify the challenge at the gateway for the domain 'www.example.com'
E: Error validating domain www.example.com: Couldn't complete challenge [HTTP01: The client lacks sufficient authorization]
Protect your site from on-path attacks
An on-path attack occurs when an attacker intercepts or modifies the communication between a client and a server, which can leak sensitive data. To prevent such attacks, make sure all communication with your site is encrypted through HTTPS and can't be downgraded to HTTP.
To do so, enable Cloudflare's Full (strict) SSL/TLS encryption mode. Any communication between a client and Cloudflare, and between Cloudflare and your Platform.sh server, is then encrypted through HTTPS. In addition, Cloudflare checks that your Platform.sh server's TLS certificate was issued by a trusted certificate authority, which confirms that Cloudflare is truly communicating with your Platform.sh server rather than with an intermediary. Weaker modes such as Flexible encrypt only the client-to-Cloudflare leg and leave the Cloudflare-to-origin leg in plaintext.
For enhanced security, make sure your HTTPS connections can't be downgraded to HTTP. To do so, in your Cloudflare account, enable HTTP Strict Transport Security (HSTS).
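The following preflight script is an added example, not code from the Platform.sh or Cloudflare documentation. It checks the requirements from the Ownership verification section (the domain and its _acme-challenge. subdomain both resolve, and /.well-known/ answers without a redirect) together with the two protections from this section (plain HTTP is redirected to HTTPS, and HTTPS responses carry an HSTS header). The hostname www.example.com, the TEST-NET addresses, and the rule that the _acme-challenge. name should resolve to the same addresses as the domain are assumptions made for the example; the DNS resolver and HTTP fetcher are injectable so the checks can be exercised against constructed answers without network access.

```python
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass
class Response:
    """Minimal view of an HTTP response: status code plus lower-cased headers."""
    status: int          # 0 means the request never got an HTTP answer
    headers: dict


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise HTTPError on 3xx instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, timeout=10):
    """HEAD a URL without following redirects; every HTTP status becomes a Response."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return Response(resp.status, {k.lower(): v for k, v in resp.headers.items()})
    except urllib.error.HTTPError as err:       # 3xx, 4xx and 5xx all land here
        return Response(err.code, {k.lower(): v for k, v in err.headers.items()})
    except urllib.error.URLError:               # DNS failure, refused connection, TLS error
        return Response(0, {})


def live_resolve(host):
    """Return the sorted set of addresses a hostname resolves to ([] if it doesn't)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def preflight(domain, resolve=live_resolve, fetch=live_fetch):
    """Return a list of problems; an empty list means every check passed."""
    problems = []

    # 1. The domain and its _acme-challenge. subdomain must both point at the CDN.
    main_addrs = resolve(domain)
    acme_addrs = resolve(f"_acme-challenge.{domain}")
    if not main_addrs:
        problems.append(f"{domain} does not resolve")
    if not acme_addrs:
        problems.append(f"_acme-challenge.{domain} does not resolve")
    elif main_addrs and set(acme_addrs) != set(main_addrs):
        # Heuristic (assumption): two names proxied by the same Cloudflare zone normally
        # resolve to the same edge addresses, so a mismatch suggests the ACME record
        # bypasses the CDN or points somewhere else.
        problems.append(
            f"_acme-challenge.{domain} resolves to {acme_addrs} but {domain} to {main_addrs}"
        )

    # 2. /.well-known/ must answer directly; a 404 from the app is fine, a redirect is not.
    well_known = fetch(f"https://{domain}/.well-known/")
    if well_known.status == 0:
        problems.append(f"https://{domain}/.well-known/ could not be reached")
    elif 300 <= well_known.status < 400:
        problems.append(
            f"https://{domain}/.well-known/ redirects (HTTP {well_known.status}) "
            f"to {well_known.headers.get('location', '?')}"
        )

    # 3. Plain HTTP must be upgraded to HTTPS, never served as-is.
    plain = fetch(f"http://{domain}/")
    location = plain.headers.get("location", "")
    if not (300 <= plain.status < 400 and location.startswith("https://")):
        problems.append(f"http://{domain}/ is not redirected to https:// (HTTP {plain.status})")

    # 4. HTTPS responses must pin the browser to HTTPS with HSTS.
    secure = fetch(f"https://{domain}/")
    if secure.status == 0:
        problems.append(f"https://{domain}/ could not be reached")
    elif not secure.headers.get("strict-transport-security"):
        problems.append(f"https://{domain}/ sends no Strict-Transport-Security header")

    return problems


if __name__ == "__main__":
    import sys
    for issue in preflight(sys.argv[1]) or ["all checks passed"]:
        print(issue)
```

Run it as `python3 preflight.py www.example.com` against a live domain; each line of output maps to one of the requirements above, so an empty report (all checks passed) means the Let's Encrypt challenge has a clear path and the downgrade protections are in place. The HEAD request to /.well-known/ may legitimately get a 404 from your application; only a 3xx answer is reported, because that is what breaks the HTTP-01 challenge.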
Further references
- Content delivery networks (CDNs): for more information regarding CDN setups