
What is the best way to bypass a single subdomain? (We use their proxy for caching purposes but don't want it on a specific subdomain, to speed up some requests.) The final server is hosted on Heroku.

We like CloudFlare because they take care of certificates (expiry etc.). Heroku also does the same thing using ACM (Let's Encrypt), but those two don't work together.

If I understand correctly, I should buy a certificate from a 3rd party and take care of updating the certificate on my own. In this case I should use the 'Full (Strict)' option in the Crypto -> SSL section on Cloudflare. Then it should be fine to simply turn off the HTTP proxy for the specific domain. Is this it?

Since we have staging and production servers, we probably cannot use add-ons (e.g. Expedited SSL or Fast Track SSL)? If I buy a wildcard certificate from a 3rd party, can I use it on the staging & production servers?

What is the best way to do it?

knagode
  • Click the orange cloud until it turns gray. Nothing else is relevant to CloudFlare. – Michael Hampton Aug 01 '18 at 15:02
  • But if I use `Full SSL` (not Strict), I have to upload a certificate to Heroku which is not signed by an authorised authority -> SSL will not work. Would `Full (Strict)` with a 3rd party certificate (not free anymore!) solve this issue? – knagode Aug 01 '18 at 15:06
  • It doesn't matter if you don't send the traffic through CloudFlare. – Michael Hampton Aug 01 '18 at 15:07
  • Exactly. But I want one subdomain to go through the CF proxy (caching purposes) while the other subdomain should bypass it (to speed up requests which should never be cached). Both subdomains are pointed to the same Heroku instance. That is why there is some `interference` :) – knagode Aug 01 '18 at 15:12
  • Full (Strict) works perfectly well with Let's Encrypt AFAIK. At least, it works on all my CloudFlare sites. – Michael Hampton Aug 01 '18 at 15:26
  • It works if the CF HTTP proxy is turned off: https://help.heroku.com/6SLE3QMA/how-can-i-use-automated-certificate-management-with-cloudflare .. But we rely heavily on their proxy (we need a lot of caching). – knagode Aug 01 '18 at 15:43
  • Oh, OK, that's Heroku-specific. Because they're using the DNS challenge to get the certificates. You could always run certbot yourself using the http challenge, which will always work even through the CloudFlare HTTP proxy. How you get that cert into Heroku is an exercise for the reader... :) – Michael Hampton Aug 01 '18 at 15:48
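The mechanics behind the comments above, as an added example that is not part of the original question and not Cloudflare's or Heroku's own tooling: one function turns a list-records response into the per-record `{"proxied": false}` PATCH that is the API form of "click the orange cloud until it turns gray", and a second classifies a hostname's resolved addresses as going through Cloudflare or straight to the origin, which is the check to run once the record is DNS-only. The zone id, record ids, hostnames and addresses are constructed sample data; the Cloudflare IPv4 ranges are a snapshot of the list published at https://www.cloudflare.com/ips-v4 and should be refetched before use.

```python
"""Plan and verify bypassing the Cloudflare proxy for one subdomain.

Added example; not code from the question, Cloudflare or Heroku.
Assumed API shapes (Cloudflare v4, as documented):
  GET   /zones/{zone_id}/dns_records             -> {"result": [{"id","type","name","content","proxied",...}]}
  PATCH /zones/{zone_id}/dns_records/{record_id}  with body {"proxied": false}
All ids, hostnames and addresses below are constructed sample data.
"""
import ipaddress
import json

# Snapshot of Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips-v4).
# Re-fetch that list before relying on it; IPv6 ranges are omitted, so pass IPv4 answers only.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed sample list-records response for the setup in the question:
# two subdomains, both CNAMEs to the same Heroku app, both currently proxied.
SAMPLE_ZONE_ID = "zone-0000"
SAMPLE_RECORDS = json.loads("""
{"result": [
  {"id": "rec-cache", "type": "CNAME", "name": "cache.example.com",
   "content": "cache.example.com.herokudns.com", "proxied": true},
  {"id": "rec-api",   "type": "CNAME", "name": "api.example.com",
   "content": "api.example.com.herokudns.com",   "proxied": true},
  {"id": "rec-mx",    "type": "MX",    "name": "example.com",
   "content": "mail.example.com",                "proxied": false}
]}
""")


def plan_bypass(zone_id, records, bypass_hosts):
    """Return [(PATCH url, body)] for each proxied A/AAAA/CNAME record named in bypass_hosts.

    Only A/AAAA/CNAME records can be proxied, so other types are skipped; records that
    are already DNS-only (grey cloud) are skipped too, so re-running the plan is idempotent.
    """
    wanted = {h.lower().rstrip(".") for h in bypass_hosts}
    plan = []
    for rec in records["result"]:
        if rec["type"] not in ("A", "AAAA", "CNAME"):
            continue
        if rec["name"].lower() in wanted and rec["proxied"]:
            url = f"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records/{rec['id']}"
            plan.append((url, {"proxied": False}))
    return plan


def classify_path(resolved_ips):
    """Classify a hostname's resolved IPv4 addresses.

    'proxied': every address is a Cloudflare edge address (traffic goes via CF);
    'direct':  none is (traffic goes straight to the origin, here Heroku);
    'mixed':   some of each, i.e. the record change has not fully propagated yet.
    """
    if not resolved_ips:
        raise ValueError("no addresses resolved; nothing to classify")
    hits = [any(ipaddress.ip_address(ip) in net for net in CLOUDFLARE_V4)
            for ip in resolved_ips]
    if all(hits):
        return "proxied"
    if not any(hits):
        return "direct"
    return "mixed"


if __name__ == "__main__":
    # Turn the cloud grey for api.example.com only; cache.example.com stays proxied.
    for url, body in plan_bypass(SAMPLE_ZONE_ID, SAMPLE_RECORDS, ["api.example.com"]):
        print("PATCH", url, json.dumps(body))
    # After the change, resolve each name (e.g. `dig +short api.example.com`) and feed the answers in.
    print(classify_path(["104.16.10.10", "104.16.11.11"]))  # proxied
    print(classify_path(["54.10.20.30"]))                    # direct
```

The PATCH needs the usual `Authorization: Bearer <token>` header with a token scoped to DNS edits on that zone. Note what the two hostnames then need on the certificate side: Full (Strict) only governs the proxied hostname, where Cloudflare validates the origin's certificate, so cache.example.com still needs a CA-signed certificate on Heroku; the DNS-only hostname never touches Cloudflare's TLS settings at all, and whatever certificate Heroku serves for it is what browsers see.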
