Optimize DNS for Domains Managed by CloudFlare

CloudFlare is a web service that provides DDoS protection and routing options, and lets you configure SSL for your domains at several levels of security.

With their basic "SSL: Flexible" feature, all HTTPS traffic generated on your branded links is handled by CloudFlare's servers, which in turn forward the data over HTTP to Rebrandly servers, so that second hop is not encrypted.

Rebrandly is self-sufficient with regard to SSL encryption and can provide free SSL certificates for all branded domains in our users' accounts through the Let's Encrypt Certificate Authority. Unfortunately, you cannot have a Rebrandly SSL certificate and a CloudFlare proxy solution at the same time, because CloudFlare does not forward to Rebrandly the HTTP support we need in order to create the certificates safely.

There are cases, however, where you may need a higher level of security. For example, you may want to use CloudFlare's "SSL: Full" or "SSL: Full (strict)" option. Rebrandly does not guarantee either of these two connection modes, because in a classic DNS scenario we recommend that you configure your domain's DNS records to point directly to our redirection IPs.

To provide a workaround for this issue, our engineering team prepared a custom balancing option to support the "SSL: Full" and/or "SSL: Full (strict)" cases. For it to work, it requires an extra configuration step at the DNS level on your end.

The custom balancer answers at the long-term, HTTPS-ready address: https://proxies.rebrandlydomain.com

To adopt this solution, open the DNS section of your CloudFlare control panel and configure the DNS record corresponding to your domain name (in this example, "davide.link") so that it is of type "CNAME" and points to "proxies.rebrandlydomain.com".

You will see the text "is an alias of proxies.rebrandlydomain.com" when you save your changes, as shown below.

[Screenshot: the saved CNAME record in the CloudFlare DNS section]

Please test your HTTPS links and let us know if you face any issues after following the instructions contained within this guide. 
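To confirm the record from the steps above is the one actually in place, the following added example (not Rebrandly's or CloudFlare's code) audits a record listing in the JSON shape returned by the CloudFlare API v4 "list DNS records" endpoint. The sample records are constructed, and the status labels and function names are this example's own.

```python
import json

TARGET = "proxies.rebrandlydomain.com"  # balancer hostname given in the article

# Constructed sample, shaped like a CloudFlare API v4 "list DNS records" response.
SAMPLE = json.loads("""
{"success": true, "result": [
 {"type": "CNAME", "name": "davide.link", "content": "proxies.rebrandlydomain.com", "proxied": true},
 {"type": "A", "name": "go.davide.link", "content": "52.72.49.79", "proxied": false},
 {"type": "CNAME", "name": "old.davide.link", "content": "Proxies.RebrandlyDomain.com.", "proxied": true},
 {"type": "A", "name": "old.davide.link", "content": "52.72.49.79", "proxied": true},
 {"type": "CNAME", "name": "typo.davide.link", "content": "proxy.rebrandlydomain.com", "proxied": true}
]}
""")


def norm(host):
    """Compare hostnames case-insensitively and without the trailing root dot."""
    return host.rstrip(".").lower()


def audit(records, hostname):
    """Return (status, detail) describing how `hostname` is set up."""
    mine = [r for r in records if norm(r["name"]) == norm(hostname)]
    cnames = [r for r in mine if r["type"] == "CNAME"]
    addrs = [r for r in mine if r["type"] in ("A", "AAAA")]
    if not cnames and not addrs:
        return ("missing", "no CNAME/A/AAAA record for this hostname")
    if cnames and addrs:
        return ("conflict", "a CNAME cannot share a name with A/AAAA records")
    if cnames:
        target = norm(cnames[0]["content"])
        if target != TARGET:
            return ("wrong-target", "CNAME points to " + target)
        if cnames[0].get("proxied"):
            return ("balancer-proxied", "CloudFlare proxies to the balancer; SSL mode applies")
        return ("balancer-dns-only", "CNAME set, but CloudFlare proxy and SSL mode are bypassed")
    if any(r.get("proxied") for r in addrs):
        return ("direct-proxied", "A record behind the CloudFlare proxy, not the balancer")
    return ("direct-dns-only", "A record resolves straight to its IP, CloudFlare proxy bypassed")


if __name__ == "__main__":
    for name in ("davide.link", "go.davide.link", "old.davide.link", "typo.davide.link"):
        print(name, *audit(SAMPLE["result"], name))
```

A proxied hostname resolves publicly to CloudFlare addresses rather than to the alias, which is why the check reads the zone's record list instead of public DNS.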

DISCLAIMER: We do not guarantee any long-term functionality of this proxy setup, as we have no control over changes the CloudFlare service may make to its terms and conditions, technologies, validation algorithms and security concerns over time.

This Article is About: 

  • DNS Configuration
  • CloudFlare DNS Configuration
  • Rebrandly SSL Certificates


6 Comments

  • 0
    heather

    Unfortunately, this did not work for me. However, I added in Cloudflare an A record for my subdomain pointing to 52.72.49.79 (as instructed on this page) and set the proxy status to "DNS only." It seems to be working now.

  • 0
    Dario

    Hi Heather,
    could I ask you to open a ticket on our support for managing your issue?
    We will assist you with any issue.
    You can do it in your dashboard or by writing an e-mail to support [at] rebrandly [.]com

  • 0
    jonathan.jewell

    I have a couple of questions here...I could just ask directly on a ticket request, but might be useful for clarity overall:

    First, when you are putting 'davide.link' here, are you referring to 

    - a subdomain of the subdomain, e.g. little.links.yourwebsite

    or

    - the chosen subdomain alone, e.g. links

    or

    - the chosen subdomain and site, e.g. links.yourwebsite.com

    or

    - the chosen domain, e.g. yourwebsite.com

    or...

    Thanks,

     

  • 0
    jonathan.jewell

    2) Is it correct that if you are setting this up on Cloudflare, which presumably you would be, that whether Cloudflare is your Registrar or otherwise, you must make sure that the DNS Proxy is turned off for that record?

    I notice that your site never sees the domain as verified until this is done.

    Secondly here, 

    a) do you have to do this at the Cloudflare domain record?

    b) do you have to do this at your own registrar's location, if you are using a different registrar and just using Cloudflare for your nameservers? 

    Just for further clarification on this, are things different if:

    i) if Cloudflare is your registrar, maybe that makes a difference?

    ii) if you pay for an upgraded certificate covering all local certificates (that seems to cause additional charges)?

  • 0
    jonathan.jewell

    3) Third question, and last one, re the CNAME record:

    If this is a record that is at the top level (depends on the answer to the question 1 above), then presumably you cannot do this, and would need to use a DNAME record? That presumably would have all kinds of problems, and CloudFlare does not do it automatically. I suppose it could be done by importing the BIND9 record into Cloudflare, but that seems way too much.

    If it relates to the links (or whatever it is called) subdomain, then that seems to be impossible to do with the other setup arrangements you have, since you ask the user to set up the A records for those, which would be incompatible? 

    If you mean do this instead, then that would make more sense, but your programme then accepts verification of the site, but will also say that you have not set up the site, as it needs the A records too.

    If you mean a subdomain of that subdomain, or setting up a separate subdomain, then it is unclear what the purpose of this here is, unless that is a configuration approach I do not know about but also, it would be difficult to see how it could work to do the role without further configuration, unless this is something that you are doing your side - if so can you explain that bit?

    Edited by jonathan.jewell
  • 0
    jonathan.jewell

    Another thing, is it possible to use the basic set up and the faster redirects (expert option) thing in the same way, or does special additional configuration need to be done if this is to be done on CloudFlare? 

     

    thank you!
