Platform.sh User Documentation

Set up your Cloudflare CDN


You can use a CDN to deliver your site’s content to users more quickly.

Before you begin

You need:

  • An up-and-running Platform.sh project
  • A Cloudflare CDN subscription

1. Avoid double-caching

To avoid stale content that can’t be cleared, avoid using Cloudflare with HTTP caching.

For routes where Cloudflare is used, disable HTTP caching using the following configuration:

.platform/routes.yaml
https://{default}/:
    type: upstream
    ...
    cache:
        enabled: false

2. Set up your Cloudflare CDN

To properly configure your Cloudflare CDN, see the Cloudflare official documentation on how to get started. Then set up a custom domain. To get the DNS challenge to succeed, have your CDN point to your project’s target URL.

3. Handle apex domains

To start routing client traffic through Cloudflare, you need to create CNAME records for your domain names through your DNS provider.

But CNAME records can’t be set on apex domains. As a workaround, Cloudflare offers CNAME flattening.

4. Mitigate security risks

Like all networks exposed to the internet, your origin server may become the target of security attacks. The best way to protect your site from threats like on-path attacks, spoofing attacks, or credential stuffing is to configure mutual TLS (mTLS).

With mTLS, both parties in a connection authenticate each other through the TLS protocol. mTLS also ensures that requests can’t be sent directly to the origin server (Platform.sh). Instead, requests must transit through Cloudflare first.

If you can’t use mTLS, you can still take the following measures to protect your site from on-path attacks:

  1. Enable full strict SSL/TLS encryption.
    Any communication between a client and Cloudflare or between Cloudflare and your Platform.sh server is then encrypted through HTTPS. In addition, Cloudflare checks that your Platform.sh server’s TLS certificate was issued by a trusted certificate authority. This confirms the client is truly communicating with your Platform.sh server.

  2. Enable HTTP strict transport security (HSTS).
    This ensures that your HTTPS connections can’t be downgraded to HTTP.
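
A check for the HSTS header from measure 2 above, as an added example that is not part of the Platform.sh documentation: it parses a `Strict-Transport-Security` value following RFC 6797 and reports policies that a browser would ignore or treat as switched off. The function names, the 180-day `MIN_MAX_AGE` threshold, the `includeSubDomains` finding and the sample headers are assumptions made for this example.

```python
import re
# Assumed threshold (180 days); not a value from the page.
MIN_MAX_AGE = 15552000

def parse_hsts(value):
    """Parse per RFC 6797 section 6.1; None means browsers ignore the header."""
    directives = {}
    for part in value.split(";"):
        name, _, val = (s.strip() for s in part.lower().partition("="))
        if not name:
            continue  # empty directives such as a trailing ';' are allowed
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # directive values may be quoted strings
        if name in directives:
            return None  # each directive may appear only once
        directives[name] = val
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None  # max-age is required and must be a non-negative integer
    return directives

def check_hsts(headers):
    """Return findings for the headers of one HTTPS response; [] means OK."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["missing Strict-Transport-Security header"]
    policy = parse_hsts(values[0])  # browsers process only the first header
    if policy is None:
        return ["invalid header, ignored by browsers: %r" % values[0]]
    max_age = int(policy["max-age"])
    if max_age == 0:
        return ["max-age=0 removes the HSTS policy from browsers"]
    findings = []
    if max_age < MIN_MAX_AGE:
        findings.append("max-age %d is below %d seconds" % (max_age, MIN_MAX_AGE))
    if "includesubdomains" not in policy:
        findings.append("includeSubDomains not set")
    return findings

# Constructed sample responses, not captured from a real site.
SAMPLES = {
    "ok": [("Strict-Transport-Security", 'max-age="31536000"; includeSubDomains;')],
    "short": [("strict-transport-security", "max-age=300; includeSubDomains")],
    "disabled": [("Strict-Transport-Security", "max-age=0")],
    "duplicate": [("Strict-Transport-Security", "max-age=31536000; max-age=0")],
    "absent": [("Content-Type", "text/html")],
}
if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(name, check_hsts(headers) or "OK")
```

Feed it the headers of a response fetched over HTTPS through Cloudflare; browsers ignore the header on plain HTTP responses.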
