How do I use a Cloudflare domain with Vercel?

Using Cloudflare with custom domains on Vercel requires some minor steps to work correctly, this depends on whether the domain is being used with or without a proxy.

Without Proxy (DNS only)

Representation of a domain without the Cloudflare proxy enabled. Requests are served from the closest Vercel edge.

In this method, you need to insert a CNAME record with the value cname.vercel-dns.com. Alternatively, you can use the A record 76.76.21.21. The cloud image should be grayed out with the "Proxy status" set to "DNS only".

A Cloudflare CNAME record that is not using a proxy.

Following the instructions above will guarantee the speed and reliability of your domain since the DNS resolution will go directly to Vercel without an intermediary.

With Proxy

A Cloudflare proxy works as an intermediary between your domain and Vercel, which is the hosting provider. We don't recommend that you enable the Cloudflare proxy unless you have specific constraints for your project since it will introduce a minor performance penalty to your website due to the additional hop. You need to insert a CNAME record with the value cname.vercel-dns.comor an A record with the value 76.76.21.21.

Representation of a domain with the Cloudflare proxy enabled. Requests are served from the Cloudflare edge network, which will attempt to retrieve content from the Vercel edge.

If your domain does require the Cloudflare's proxy to be turned on by default, only one requirement is needed:

  • The domain must allow HTTP requests (without HTTPS) to the path /.well-known/*.

A Cloudflare CNAME record that is using a proxy.

To verify if that is possible with your domain, you can run the following command (notice the http:// part in the URL):

curl http://example.com/.well-known/acme-challenge -I

A configuration that does allow Vercel to run smoothly would return the following:

curl http://example.com/.well-known/acme-challenge -I
HTTP/1.1 404 Not Found

If you run the curl command and receive a 3XX redirect instead, Cloudflare is preventing this route from being accessed, and Vercel will mark the domain as not configured:

curl http://example.com/.well-known/acme-challenge -I
HTTP/1.1 404 Moved Permanently

You need to explore the following configuration in the Cloudflare dashboard:

  • Page Rules — You can disable HTTPS for the path /.well-known/**.
  • Always use HTTPS — This configuration is under the "SSL/TLS" tab and it may affect your page rules.
  • Other Configurations — Cloudflare can offer multiple settings and this will directly affect Vercel's ability to generate certificates.
Note:

Vercel cannot offer Cloudflare-specific support. If you are facing difficulties with your Cloudflare managed domain, please reach out to their support at https://support.cloudflare.com.

Updated October 19th 2020