Set up your Cloudflare CDN
You can use a CDN to deliver your site’s content to users more quickly.
Before you begin
You need:
- An up-and-running Upsun project
- A Cloudflare CDN subscription
1. Avoid double-caching
To avoid stale content that can't be cleared, don't combine Cloudflare's cache with Upsun's HTTP caching.
For routes that are served through Cloudflare, disable HTTP caching with the following configuration:

```yaml
https://{default}/:
    type: upstream
    ...
    cache:
        enabled: false
```
2. Set up your Cloudflare CDN
To properly configure your Cloudflare CDN, see the Cloudflare official documentation on how to get started. Then set up a custom domain. To get the DNS challenge to succeed, have your CDN point to your project’s target URL.
3. Handle apex domains
To start routing client traffic through Cloudflare, you need to create CNAME records for your domain names through your DNS provider. But CNAME records can't point to apex domains. As a workaround, Cloudflare offers HTTPS records and CNAME flattening.
4. Mitigate security risks
Like all networks exposed to the internet, your origin server may become the target of security attacks. The best way to protect your site from threats like on-path attacks, spoofing attacks, or credential stuffing is to configure mutual TLS (mTLS).
With mTLS, both parties in a connection authenticate each other through the TLS protocol. It also ensures that requests can't be sent directly to the origin server (Upsun); instead, requests must transit through Cloudflare first.
Note
mTLS is only compatible with environments where you have attached domains you own, meaning:
- Your production environment
- Each preview environment where you have attached a custom domain
Therefore, mTLS is not compatible with preview environments created by a source code integration.
If you can't use mTLS, you can still take the following measures to protect your site from on-path attacks:
- Enable full strict SSL/TLS encryption. Any communication between a client and Cloudflare or between Cloudflare and your Upsun server is then encrypted through HTTPS. In addition, Cloudflare checks that your Upsun server's TLS certificate was issued by a trusted certificate authority. This confirms the client is truly communicating with your Upsun server.
- Enable HTTP strict transport security (HSTS). This ensures that your HTTPS connections can't be downgraded to HTTP.
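As an added example (not code from the Upsun or Cloudflare documentation), the following script audits a response header block for the HSTS setting described above and for a double-caching symptom from step 1. The one-year minimum `max-age` and the reading of Cloudflare's `cf-cache-status` header as "Cloudflare served this from its cache" are assumptions, and the sample response is constructed.

```python
"""Audit HTTP response headers for HSTS enforcement and double caching."""

from typing import Dict, List

# Assumed policy: HSTS max-age of at least one year (in seconds).
MIN_HSTS_MAX_AGE = 31536000


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP header block into a dict with lowercase names."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_directives(value: str) -> Dict[str, str]:
    """Split 'public, max-age=600' or 'max-age=1; includeSubDomains' into {directive: arg}."""
    out: Dict[str, str] = {}
    for part in value.split(","):
        for token in part.split(";"):
            key, _, arg = token.strip().partition("=")
            if key:
                out[key.lower()] = arg.strip()
    return out


def audit(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means both checks passed."""
    findings: List[str] = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: HTTPS can be downgraded to HTTP")
    else:
        d = parse_directives(hsts)
        if int(d.get("max-age", "0") or "0") < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
    # Assumed heuristic: Cloudflare reports HIT/MISS/EXPIRED only when it caches
    # the object; if the origin also emits a positive max-age while the Upsun
    # HTTP cache is enabled, a purge at one layer leaves stale copies at the other.
    cf = headers.get("cf-cache-status", "").upper()
    cc = parse_directives(headers.get("cache-control", ""))
    if cf in {"HIT", "MISS", "EXPIRED"} and int(cc.get("max-age", "0") or "0") > 0:
        findings.append("double caching: Cloudflare caches a response the origin also caches")
    return findings


# Constructed sample (not a real capture): short HSTS and a cached response.
SAMPLE_RESPONSE = """HTTP/2 200
content-type: text/html
cache-control: public, max-age=600
cf-cache-status: HIT
strict-transport-security: max-age=86400
"""
```

Run `audit(parse_headers(SAMPLE_RESPONSE))` to see the three findings the sample triggers; feed it the header block from `curl -sI https://your-domain/` to audit a live route.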