You can use Cloudflare as a proxy in front of an Aptible Endpoint, but the DNS setup needs to preserve Aptible’s Managed TLS validation records and route traffic through a stable origin hostname. Use separate hostnames for the Aptible origin and the Cloudflare-facing URL:
  • Aptible origin: app.origin.example.com
  • Public Cloudflare URL: app.example.com
The origin hostname points to the Aptible Endpoint. The public hostname points to the origin hostname through Cloudflare.

Configuration Steps

1. Configure Managed TLS for the origin hostname

In Aptible, configure the Endpoint custom domain as the origin hostname, such as app.origin.example.com. Create the ACME validation records shown in the Endpoint’s Managed TLS configuration.

2. Create the origin CNAME in Cloudflare

Create a DNS-only CNAME record from the origin hostname to the Aptible Endpoint hostname:
app.origin.example.com -> elb-xxx.aptible.in
Leave Cloudflare proxying disabled for this origin record.

3. Create the public CNAME in Cloudflare

Create a proxied CNAME record from the public hostname to the origin hostname:
app.example.com -> app.origin.example.com

4. Restrict direct origin access

Enable IP filtering on the Aptible Endpoint and allow Cloudflare’s published IP ranges so traffic reaches the origin through Cloudflare.

Important Notes

Do not point the public hostname directly at Aptible’s ACME validation records. ACME records are used only for certificate validation, not for serving application traffic.
Do not create DNS A records that point directly to Aptible Endpoint IP addresses. Endpoint IP addresses can change, which would make those records stale.
Cloudflare’s Universal SSL certificate typically covers one level of subdomains. If you use multiple subdomain levels, such as beta.staging.example.com, you may need an Advanced Certificate from Cloudflare.
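
One way to check the two CNAME records from the configuration steps and the A-record and ACME notes above before cutover, as an added example that is not Aptible's or Cloudflare's own code. The function names are hypothetical, the record sets are constructed, and the `type`/`name`/`content`/`proxied` fields follow Cloudflare DNS record objects.

```python
# Added example: lint DNS records against the two-hostname layout above.
# Records use the type/name/content/proxied fields of Cloudflare DNS record
# objects. All hostnames, addresses and record sets here are constructed.
ORIGIN, PUBLIC, ENDPOINT = "app.origin.example.com", "app.example.com", "elb-xxx.aptible.in"

GOOD = [
    {"type": "CNAME", "name": ORIGIN, "content": ENDPOINT, "proxied": False},
    {"type": "CNAME", "name": PUBLIC, "content": ORIGIN, "proxied": True},
]
BAD = [  # origin pinned to an IP; public pointed at an ACME validation name
    {"type": "A", "name": ORIGIN, "content": "203.0.113.10", "proxied": False},
    {"type": "CNAME", "name": PUBLIC,
     "content": "_acme-challenge." + ORIGIN, "proxied": False},
]


def norm(host):
    """Compare hostnames case-insensitively and without a trailing dot."""
    return host.rstrip(".").lower()


def lint_records(records, origin=ORIGIN, public=PUBLIC, endpoint=ENDPOINT):
    """Return a list of findings; an empty list means the layout matches."""
    findings = []
    # (hostname, required CNAME target, required Cloudflare proxy state)
    for host, target, want_proxied in ((origin, endpoint, False),
                                       (public, origin, True)):
        recs = [r for r in records if norm(r["name"]) == norm(host)]
        cnames = [r for r in recs if r["type"] == "CNAME"]
        if any(r["type"] in ("A", "AAAA") for r in recs):
            findings.append(f"{host}: address record pins an IP that can change")
        if not cnames:
            findings.append(f"{host}: no CNAME record")
        for r in cnames:
            if norm(r["content"]) != norm(target):
                findings.append(f"{host}: CNAME to {r['content']}, expected {target}")
            if bool(r.get("proxied", False)) != want_proxied:
                state = "proxied" if want_proxied else "DNS-only"
                findings.append(f"{host}: record must be {state}")
    return findings


if __name__ == "__main__":
    for name, zone in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_records(zone) or "ok")
```

Feed it the records for your own zone in place of the constructed sets; an empty result means both hostnames match the layout described here.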