Skip to content
2 min read

Vercel and Cloudflare Integration

Integrate your Vercel project with your Cloudflare domain.

Vercel integrates with Cloudflare in two ways:

While Vercel does offer DNS, you may already have a domain registered with Cloudflare. If so, Cloudflare manages DNS for your domain.

To use Cloudflare as your DNS provider, follow the steps below:

In your Cloudflare dashboard, create a CNAME record pointing your domain to cname.vercel-dns.com.

Set the Proxy status to DNS only. This ensures DNS queries result in Vercel serving the request instead of Cloudflare.

Vercel offers a native reverse proxy with redirects to proxy requests to other services. However, if you want to use Cloudflare as a reverse proxy, you can do so by following the steps below:

In your Cloudflare dashboard, create a CNAME record pointing your domain to cname.vercel-dns.com.

Enable the Cloudflare proxy to send traffic through Cloudflare first.

Set Cloudflare SSL mode to Full to encrypt traffic between Cloudflare and Vercel.

If you are using wildcard domains like *.acme.com, you can use Vercel DNS to issue and automatically renew TLS certificates for your domains.

Vercel requires wildcard domains to use Vercel nameservers for issuing and automatically renew TLS certificates. If you can't change the apex domain nameservers, you can instead:

Create NS records for the _acme-challenge subdomain pointing to ns1.vercel-dns.com and ns2.vercel-dns.com. For example:

Record Type
Name
Value
NS
_acme-challenge
ns1.vercel-dns.com
NS
_acme-challenge
ns2.vercel-dns.com

Similarly, if you add *.foo.acme.com, you can add NS records for _acme-challenge.foo subdomain.

Enable Vercel DNS in your Vercel dashboard for your apex domain. This delegates the _acme-challenge subdomain to Vercel for wildcard certificate issuance.

Select the Enable Vercel DNS option in the Domains section of your project settings.

Both Cloudflare and Vercel utilize the ACME protocol—with SSL providers like Let’s Encrypt—to issue certificates. To validate domain ownership, the protocol sends an HTTP (not HTTPS) request to /.well-known/acme-challenge/<id> on your server.

Cloudflare has a variety of services that, depending on their configuration, could block the ACME protocol verification checks, resulting in Vercel failing to issue TLS certificates properly:

  • Page Rules
  • Access
  • Bot Fight Mode

To avoid disruption, the following path:

  • http://<YOUR_DOMAIN>/.well-known/acme-challenge/*

Must be excluded from page rules, bot protection, or bypassed inside Access.

Last updated on September 25, 2023