Identifying subdomains compatible with Cloudflare's proxy

Learn what subdomains are appropriate to proxy through Cloudflare via the orange and gray-cloud icons in the Cloudflare DNS app.


Overview

Beside most A, AAAA, and CNAME records in the Cloudflare DNS app are the following proxy options:

  •  An orange-cloud icon proxies traffic for the subdomain through Cloudflare. 
  •  A gray-cloud icon does not proxy traffic for the subdomain through Cloudflare.

Traffic proxied to Cloudflare utilizes various Cloudflare security and performance features.  Cloudflare only proxies traffic for A, AAAA, and CNAME records.  However, not all A, AAAA, and CNAME records are appropriate to proxy through Cloudflare.  To decide which records to proxy, identify the type of traffic for each of your subdomains. Enable Cloudflare for any subdomain that hosts web traffic on ports 80 or 443 unless you utilize Cloudflare Spectrum.

If using another CDN provider with Cloudflare, ensure the CNAME record for the CDN provider is added in your Cloudflare DNS app.  

You cannot proxy (orange-cloud) traffic from certain CDN providers without causing connectivity errors.  If you don't see a cloud icon beside the CDN provider’s CNAME record, then Cloudflare is purposefully preventing proxy of the CNAME.

By default, Cloudflare only proxies HTTP traffic. If you need to connect to your origin using another protocol (SSH, FTP, SMTP, etc.), do one of the following:

  • grey-cloud your DNS record, 
  • connect directly to the origin web server’s IP address, or 
  • use Cloudflare Spectrum.
Microsoft Integrated Windows Authentication, NTLM, and Kerberos violate HTTP/1.1 specifications and are not compatible with any proxy, including Cloudflare’s. Alternatively, Cloudflare supports Basic and Digest authentication via Windows Active Directory.
To avoid issues with automated cron jobs, Cloudflare recommends either:
  • cron jobs directly connect to your origin server IP address, or
  • whitelist the cron job’s public IP in IP Access Rules of the Cloudflare Firewall app.

A list of typical records to gray-cloud includes:

autodiscover calendar chat cPanel cvs
e email exchange ftp game
gameserver git google imap irc
local localhost mail mobilemail mx
panel pda pop repo secure
sftp sites smtp ssh ssl
stream streaming svn vid video
vids vpn webmail webstats  

Related resources

Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Powered by Zendesk