Set up your Cloudflare CDN
You can use a CDN to deliver your site’s content to users more quickly. To follow this guide, you need:
- An up-and-running Platform.sh project
- A Cloudflare CDN subscription
To avoid stale content that can’t be cleared, don’t combine Cloudflare with the Platform.sh HTTP cache.
For routes where Cloudflare is used, disable HTTP caching using the following configuration:
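As an added example (not taken from the Platform.sh docs themselves), a `.platform/routes.yaml` that turns the Platform.sh HTTP cache off on the route served through Cloudflare; the application name `app` is an assumption and should match the `name` in your `.platform.app.yaml`:

```yaml
# .platform/routes.yaml (added example; "app" is an assumed application name)

# Route fronted by Cloudflare: Cloudflare does the caching, so the
# Platform.sh HTTP cache stays off and no stale copy can get stuck
# between the CDN and the origin.
"https://{default}/":
    type: upstream
    upstream: "app:http"
    cache:
        enabled: false

# Send the www host to the canonical domain so there is a single origin
# hostname for Cloudflare to point at.
"https://www.{default}/":
    type: redirect
    to: "https://{default}/"
```

After deploying, clear any content Cloudflare has already cached from the Cloudflare dashboard, since the Platform.sh side no longer holds a copy it can purge.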
To properly configure your Cloudflare CDN, see the Cloudflare official documentation on how to get started. Then set up a custom domain. To get the DNS challenge to succeed, have your CDN point to your project’s target URL.
To start routing client traffic through Cloudflare, you need to create CNAME records for your domain names through your DNS provider.
CNAME records can’t point to apex domains. As a workaround, Cloudflare offers
Like all networks exposed to the internet, your origin server may become the target of security attacks. The best way to protect your site from threats like on-path attacks, spoofing attacks, or credential stuffing is to configure mutual TLS (mTLS).
With mTLS, both parties in a connection authenticate each other through the TLS protocol. mTLS also ensures that requests can’t be sent directly to the origin server (Platform.sh): they must transit through Cloudflare first.
mTLS is only compatible with environments where you have attached domains you own, meaning:
- Your production environment
- Each preview environment where you have attached a custom domain
Therefore, mTLS is not compatible with preview environments created by a source code integration.
If you can’t use mTLS, you can still take the following measures to protect your site from on-path attacks:
- Enable full strict SSL/TLS encryption. Any communication between a client and Cloudflare, or between Cloudflare and your Platform.sh server, is then encrypted through HTTPS. In addition, Cloudflare checks that your Platform.sh server’s TLS certificate was issued by a trusted certificate authority. This confirms that the client is truly communicating with your Platform.sh server.
- Enable HTTP Strict Transport Security (HSTS). This ensures that your HTTPS connections can’t be downgraded to HTTP.