How do I use a Cloudflare domain with Vercel?

If your domain uses Cloudflare's nameservers and you plan to use it as a custom domain on your project, you may need a few minor steps to ensure the domain works correctly.

Without Proxy (DNS only)

Representation of a domain without the Cloudflare proxy enabled. Requests are served from the closest Vercel edge.

In this method, you need to insert a CNAME record with the value cname.vercel-dns.com. Alternatively, you can use the A record 76.76.21.21. The cloud image should be grayed out with the "Proxy status" set to "DNS only".

A Cloudflare CNAME record that is not using a proxy.

Following the instructions above will guarantee the speed and reliability of your domain since the DNS resolution will go directly to Vercel without an intermediary.

With Proxy

A Cloudflare proxy works as an intermediary between your domain and Vercel, which is the hosting provider. We don't recommend that you enable the Cloudflare proxy unless you have specific constraints for your project since it will introduce a minor performance penalty to your website due to the additional hop. You need to insert a CNAME record with the value cname.vercel-dns.com or an A record with the value 76.76.21.21.

It is highly recommended that you don't use the Cloudflare CDN with Vercel. When new deployments are created, the Vercel platform is unable to purge the content cached on Cloudflare. If your visitors load a cached /index.html requiring /static/script-abc.js, but this file is missing both in the new deployment and the Cloudflare CDN, the website will break. Therefore, turning off the Cloudflare CDN for pages is recommended to avoid any breakage. Please refer to the Cloudflare documentation for further information.

Representation of a domain with the Cloudflare proxy enabled. Requests are served from the Cloudflare edge network, which will attempt to retrieve content from the Vercel edge.

If your domain does require Cloudflare's proxy to be turned on by default, there is only one requirement:

  • The domain must allow HTTP requests (without HTTPS) to the path /.well-known/*.

A Cloudflare CNAME record that is using a proxy.

To verify if that is possible with your domain, you can run the following command (notice the http:// part in the URL):

curl http://example.com/.well-known/acme-challenge -I

A configuration that does allow Vercel to run smoothly would return the following:

curl http://example.com/.well-known/acme-challenge -I
HTTP/1.1 404 Not Found

If you run the curl command and receive a 3XX redirect instead, Cloudflare is preventing this route from being accessed, and Vercel will mark the domain as not configured:

curl http://example.com/.well-known/acme-challenge -I
HTTP/1.1 308 Moved Permanently
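As an added example (not part of the original article), the shell functions below automate the check above: they read the headers printed by curl -I and report whether the path returned the expected 404 or a 3XX redirect. The function names, verdict strings and sample headers are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify the response headers for the /.well-known/ probe.
# Reads `curl -I` output on stdin.
# Exit status: 0 = 404 (expected), 1 = 3XX redirect, 2 = anything else.
classify_acme_headers() {
    headers=$(tr -d '\r')   # HTTP header lines end in CRLF
    status=$(printf '%s\n' "$headers" |
        awk 'NR == 1 && $1 ~ /^HTTP\// { print $2 }')
    location=$(printf '%s\n' "$headers" |
        awk 'tolower($1) == "location:" { print $2; exit }')
    case "$status" in
        404) echo "ok: 404 over plain HTTP"; return 0 ;;
        3??) echo "redirect: $status -> ${location:-unknown}"; return 1 ;;
        "")  echo "error: no HTTP status line"; return 2 ;;
        *)   echo "unexpected: status $status"; return 2 ;;
    esac
}

# Probe a domain over plain HTTP (no -L, so redirects are reported, not followed).
check_domain() {
    curl -sS -I --max-time 10 "http://$1/.well-known/acme-challenge" |
        classify_acme_headers
}

# Constructed sample responses (not captured from a real server).
SAMPLE_OK=$(printf 'HTTP/1.1 404 Not Found\r\n\r\n')
SAMPLE_REDIRECT=$(printf 'HTTP/1.1 308 Moved Permanently\r\nLocation: https://example.com/.well-known/acme-challenge\r\n\r\n')

# Usage: sh check.sh example.com
if [ "$#" -gt 0 ]; then
    check_domain "$1"
fi
```

A "redirect" verdict whose target starts with https:// points at the "Always use HTTPS" setting or a page rule covering /.well-known/*.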

You need to explore the following configuration in the Cloudflare dashboard:

  • Page Rules — You can disable HTTPS for the path /.well-known/*.
  • Always use HTTPS — This configuration is under the "SSL/TLS" tab and it may affect your page rules.
  • Other Configurations — Cloudflare offers multiple settings, and these will directly affect Vercel's ability to generate certificates.

Note:

Vercel cannot offer Cloudflare-specific support. If you are facing difficulties with your Cloudflare managed domain, please reach out to their support at https://support.cloudflare.com.

Updated July 19th 2021