Cloudflare Proxy Mode not working

Hi everyone,

I have a Rails app that I just migrated over to Fly. I use Cloudflare, but have been running into trouble enabling Proxy Mode now that I’m in Fly.

Currently, I have a CNAME record in Cloudflare pointing to myapp.fly.dev, with Proxy mode disabled. When I enable Proxy mode, I seem to start getting redirected to an older CNAME record value (perhaps this is some sort of fallback occurring?)

I’ve got certificates set up in Fly for both *.myapp.com and myapp.com. Both were issued successfully.

I followed this guide when setting this up: Caching Fly.io Apps with Cloudflare | Micah Engle-Eshleman. The author also uses a subdomain, so I’m not sure if there is something I’m missing if I want to use Cloudflare Proxy mode on my root domain?

Would appreciate any help! Happy to provide more details if necessary.

1 Like

Hi,

You can use Cloudflare’s proxy with Fly. Though I’d generally recommend only doing that if you need to (like you need its WAF, geo-headers, or other bonus things). Else it adds another variable to debug when there are issues (like with network connections).

Assuming you do need to use it, it’s strange you get a random redirect. I guess the question is where does it redirect to? Like, is it one of your domains? A Fly app? All I can think is maybe you have some page rule set and so that would only kick in when proxy mode is enabled (since of course you can’t use a page rule if not). See https://support.cloudflare.com/hc/en-us/articles/218411427-Understanding-and-configuring-Cloudflare-Page-Rules-Page-Rules-Tutorial-. Could be worth looking around their dashboard to see. Since if that redirect was being done by Fly, well I’d assume it would happen regardless of what you had in front. Unless it is some http->https protocol redirect.

Using a CNAME for your DNS should also work. However, sometimes you get better results using an A/AAAA record if using a root domain. You will also need to consider that when your Fly-issued certificate comes up for renewal (every 90 days), if you just have a proxied CNAME (and no other ACME TXT record), Fly won’t be able to verify your DNS and will fail to renew it. Since they’ll see a Cloudflare IP, not a Fly one. There are whole threads in this forum about Cloudflare and getting SSL to work so that’s a whole other story! But one thing at a time.

1 Like
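
A check for the renewal problem described in the answer above, as an added example that is not part of the original thread: given the addresses a hostname resolves to and any records found at its `_acme-challenge` name, it flags a proxied hostname that has no DNS challenge record. The hostnames and lookup results are constructed, the Cloudflare ranges are the ones published at cloudflare.com/ips and should be refreshed before use, and `_acme-challenge` is the standard ACME DNS-01 label, assumed here to be what the answer's "acme TXT record" refers to.

```python
import ipaddress

# Cloudflare edge ranges as published at cloudflare.com/ips (refresh before use).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]


def behind_cloudflare(addr):
    """True if addr (IPv4 or IPv6 string) falls inside a Cloudflare edge range."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in CLOUDFLARE_NETS)


def renewal_risk(addresses, acme_records):
    """Classify a hostname from its A/AAAA answers and _acme-challenge answers.

    addresses:    what `dig +short A/AAAA <host>` returned
    acme_records: what `dig +short CNAME/TXT _acme-challenge.<host>` returned
    """
    if not addresses:
        return "unresolved"
    if not any(behind_cloudflare(a) for a in addresses):
        return "ok-direct"          # validator sees the origin's own address
    if acme_records:
        return "ok-dns-challenge"   # proxied, but a DNS challenge record exists
    return "at-risk"                # proxied and nothing to validate against


# Constructed lookup results (documentation names and addresses, not real hosts).
SAMPLES = {
    "direct.example.com":  (["203.0.113.10", "2001:db8::10"], []),
    "proxied.example.com": (["104.21.10.20", "2606:4700:3030::1"], []),
    "proxied-dns.example.com": (["172.67.1.1"],
                                ["proxied-dns.example.com.placeholder.invalid."]),
    "missing.example.com": ([], []),
}


def audit(samples=SAMPLES):
    return {host: renewal_risk(addrs, acme) for host, (addrs, acme) in samples.items()}


if __name__ == "__main__":
    for host, verdict in audit().items():
        print(f"{host:26} {verdict}")
```
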