DNS Proxy for multi-level CNAME
I'm looking into using the Cloudflare WAF in front of a web application where my DNS is already hosted authoritatively as part of an account on the free tier in Cloudflare. I can't figure out from the documentation if what I'm trying to do is supported.
There are two scenarios (based on DNS records):

1. staff.env.mydomain.com (CNAME) -> resourceName.mydomain.com (A)

2. staff.prod.externaldomain.com (CNAME - not in Cloudflare) -> prod.mydomain.com (CNAME) -> resourceName.mydomain.com
In testing scenario #1, I enable the "Proxied" feature on the resourceName.mydomain.com (A) record; however, I don't see traffic in Cloudflare Analytics, and my test IP block rule doesn't fire.

Is this a supported configuration?
If I set staff.env.mydomain.com (CNAME) to "Proxied" directly, then I get a warning about "Advanced Certificate Manager" being necessary, which I haven't got to testing yet; and this wouldn't be possible in my scenario #2, where the actual hostname is external to me as it is.

My hope was to enable Proxied on my resource A record and get at least some of the features of the WAF working.
> staff.env.mydomain.com (CNAME) -> resourceName.mydomain.com (A)

Need Adv Cert to cover subdomains that deep; wildcard universals only cover the first level. You could do *.env.mydomain.com or directly staff.env.mydomain.com.
> staff.prod.externaldomain.com (CNAME - not in Cloudflare) -> prod.mydomain.com (CNAME) -> resourceName.mydomain.com

Need CF for SaaS (SSL/TLS -> Custom Hostnames; the first 100 are free, then it's $0.10 per custom hostname over the 100 you get for free): https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/
> In testing scenario #1, I enable the "Proxied" feature on the resourceName.mydomain.com (A) record; however, I don't see traffic in Cloudflare Analytics, and my test IP block rule doesn't fire. Is this a supported configuration?

Sounds like DNS cache.
> If I set staff.env.mydomain.com (CNAME) to "Proxied" directly, then I get a warning about "Advanced Certificate Manager" being necessary, which I haven't got to testing yet; and this wouldn't be possible in my scenario #2, where the actual hostname is external to me as it is.

CF for SaaS takes care of issuing the external certificate. Adv. certs take care of the internal cert. One big disclaimer though: resourceName.mydomain.com will see the original hostnames of staff.env.mydomain.com and staff.prod.externaldomain.com and needs to be able to handle traffic for those hostnames.

Additionally, if this was a Pages Project or R2 Custom Domain, CF for SaaS is already used internally, so you can't layer it twice.
You could also just do staff-env.mydomain.com instead of staff.env.mydomain.com and not need to pay for Adv Cert Manager. When you're pointing CNAMEs in the same account, CF cheats and jumps to the target of the destination record since it knows it. You can't point external domain CNAMEs to CF accounts without CF for SaaS/Custom Hostnames.
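A small model of the resolution behaviour described in this thread, added here as an illustration (it is not Cloudflare's code and not either poster's): it walks the records of both scenarios under the rule that only a record's own proxy flag puts a hostname behind the edge, and that a DNS-only CNAME to an in-account target is resolved through to the origin, so the WAF never sees that traffic. The addresses, the zone table and the `with_proxy`/`waf_sees_request` helpers are constructed assumptions.

```python
# Constructed example; not Cloudflare code. Proxy semantics are a simplified model of what
# the thread describes: only the queried record's own proxy flag yields an edge address,
# and a DNS-only CNAME to an in-account target is resolved through to the origin.
EDGE_IP = "198.51.100.1"            # stand-in for a Cloudflare anycast address (assumed)
ORIGIN_IP = "203.0.113.10"          # stand-in for the real origin (assumed)

# Account zone: name -> (type, target, proxied); the thread's records with hypothetical flags
ZONE = {
    "resourcename.mydomain.com": ("A", ORIGIN_IP, True),    # the record the OP proxied
    "staff.env.mydomain.com": ("CNAME", "resourcename.mydomain.com", False),
    "prod.mydomain.com": ("CNAME", "resourcename.mydomain.com", False),
}
# Records hosted outside Cloudflare: name -> CNAME target (scenario #2)
EXTERNAL = {"staff.prod.externaldomain.com": "prod.mydomain.com"}


def origin_of(name, zone):
    """Follow in-account CNAMEs, ignoring proxy flags, until an A record is reached."""
    rtype, target, _ = zone[name]
    return target if rtype == "A" else origin_of(target, zone)


def resolve(name, zone=ZONE, external=EXTERNAL):
    """Address a public resolver ends up with for `name`, and whether it is an edge address."""
    name = name.lower()
    if name in external:                      # external CNAME: the resolver follows it into CF
        return resolve(external[name], zone, external)
    rtype, target, proxied = zone[name]
    if proxied:                               # the queried record itself is proxied
        return EDGE_IP, True
    # DNS-only record: CF "jumps to the target" and hands out the origin address,
    # so clients bypass the edge even though the target record is proxied.
    return origin_of(name, zone), False


def waf_sees_request(host, zone=ZONE, external=EXTERNAL, custom_hostnames=()):
    """The WAF can only act when the client reaches the edge AND the edge serves that Host.
    An external hostname is served only when registered as a CF for SaaS custom hostname."""
    _, via_edge = resolve(host, zone, external)
    served = host.lower() in zone or host.lower() in custom_hostnames
    return via_edge and served


def with_proxy(zone, name, proxied=True):
    """Copy of `zone` with the proxy flag of `name` changed (what the OP could try next)."""
    rtype, target, _ = zone[name]
    return {**zone, name: (rtype, target, proxied)}
```

Running `resolve("staff.env.mydomain.com")` reproduces the OP's test: the answer is the origin address, which is why Analytics stays empty and the IP block rule never fires; proxying the CNAME itself (or, for scenario #2, adding the external name as a custom hostname) is what moves the request onto the edge.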
Thanks for the response, Chaika, I appreciate it. From your response, the scenario #1 test I gave with the Proxied "resource A record" should work (?), but it definitely doesn't, and it isn't a DNS cache issue.
I've read up on the docs of Cloudflare for SaaS, but it sounds like the limitations of a single "Fallback origin" will be too restrictive unless I look at an Enterprise plan; this is because the scenario is for multiple different types of staff.prod.externaldomain.com which need to be routed to different origins. This is why I was questioning the use of Partial CNAME configuration instead.

Hello!
I am having the same trouble with Cloudflare.
I created a list of blocked IPs; I can't block test IPs outside of our environment.