While Vercel offers native support for using a reverse proxy through rewrites, you can also use an external proxy or load balancer to route requests to a Vercel Deployment.
This guide describes possible alternatives, downsides you need to be aware of, and general configuration.
Using a Proxy
Using a third party proxy (such as Cloudflare, Cloudfront, Akamai or Fastly) with Vercel is not recommended and may cause unexpected downtime. Please proceed with caution. If you decide to deploy your own proxy solution, it is critical that you are aware of the following complications and details.
Global Distribution
Vercel implements multiple technologies as part of our Edge Network to guarantee the performance and reachability of all hosted apps. It is important to understand that using your own proxy will affect the performance of your Deployment by introducing additional latency, especially if your proxy is not globally available.
Vercel also ensures that when global Internet infrastructure problems occur, for example, a fiber cable is cut, we can deploy mitigation strategies automatically. An example is traffic re-routing: If a region is experiencing problems, we can redirect traffic to another location without action needed from your team.
Reliability
Using your own proxy can decrease the level of reliability since you are introducing a piece of infrastructure that Vercel does not manage. If a problem happens in your proxy that causes downtime, Vercel cannot deploy any mitigations and intervention by your team may be required.
Cache Behavior
A third party proxy, when used with Vercel, can introduce two caching layers: one at the third party and one at Vercel. This can result in incorrect data being sent to visitors.
When you push a new Deployment to Vercel, our platform will purge the existing cache across all of our edge regions automatically. You will need to ensure that your proxy is also respecting this behaviour, and purging its own proxy cache after each deployment. Otherwise, your users may experience stale content, data chunking, mixed assets and other unexpected behaviour.
Firewall and DoS Protection
Vercel offers to all our customers a basic level of DDoS mitigation. If we detect an anomaly in requests coming from a single source, the IP can get banned for a period of time ranging from a few minutes to days.
You must ensure that any traffic mitigation measures, such as DDoS protection, rate limiting or throttling are implemented within your third party proxy, to prevent this traffic from being subsequently routed to Vercel, resulting in your proxy IP address(es) being blocked from accessing Vercel.
For Enterprise customers, we may be able to tailor our solution and rulesets for you. If you are not yet an Enterprise customer but may benefit from this, please contact sales.
Request Headers/Geolocation
Vercel allows for custom routing based on user’s geolocation and IP addresses. Using a proxy will send all traffic via the proxy. This will result in incorrect geolocation data being presented and the public IP address of your proxy being sent. We only support the x-forwarded-for header for Enterprise teams, so Hobby and Pro customers will not be able to read this information correctly.
Domain Verification and Certificate Provisioning
Vercel automatically provisions SSL certificates and checks to make sure that any custom domain are configured correctly. Using a proxy can impact this traffic. This may result in incorrect domain configuration alerts and prevent our Let’s Encrypt SSL certificates from being provisioned.
To allow this traffic to pass correctly, you must ensure your proxy does not block or automatically redirect traffic on the following HTTP wildcard path:
http://<YOUR_DOMAIN>/.well-known/acme-challenge/*
You must also ensure that the HOST header is correctly forwarded, otherwise the request will also fail. Certain proxy providers such as Cloudflare automatically configure these rules for you, but creating additional rules may block this. Learn how to configure Cloudflare with Vercel.
Support
Using a proxy introduces complications to your project or deployment that are unrelated to the Vercel platform and therefore we cannot recommend or provide support for issues when using a proxy. All Vercel projects get assigned a vercel.app domain which should be used for troubleshooting to identify and rule out any proxy related problems.
Per our Support Terms, it may be necessary for the team to require you to disable or reconfigure your proxy before we can assist further.
Conclusion
Using a proxy with Vercel can cause unexpected issues for your website and every effort should be made to avoid using a proxy with Vercel.
Implementing solutions such as Edge Functions, custom rate limiting and defining your cache control headers can achieve similar levels of performance and security when using Vercel.