Uses Salesforce as an IdP, WordPress redirects visitors there to authenticate on arrival via miniOrange SAML
Cloudflare in front as CDN
GoDaddy economy hosting (SLOW)
My issue is if I cache at the Edge Cloudflare renders the authenticated content to unauthenticated users. I need a way to in Cloudflare decide to render cache or send to origin based on if they are authenticated or whatever the best practice is. Unfortunately, I just havent been able to pinpoint the best approach for this situation being new to Cloudflare. Thank you in advance for your advice.
Thank you for responding, I DID have some Page Rules which I had to disable based on the behavior:
Cache Level: Cache Everything, Edge Cache TTL: 14 days
Essentially am trying to cache the static HTML so it renders instantly vs going to the origin server that is extremely slow. Issue is the SAML redirect is getting bypassed since the page is cached and being served to unauthenticated users
Cache everything would obviously do what you described.
If the site is really static, you could probably create 2 Cache Rules (not Page Rules) to achieve what you want. I assume you use a cookie to identify a logged in user:
A rule that tells Cloudflare when to bypass Caching. This should identify the cookie and some paths like the admin path. Identify whatever should not be cached here.
A rule to cache everything else with override edge TTL.
The order is important here.
For example something like this: (http.cookie contains "XXXXX") or (starts_with(http.request.uri.path, "/admin")) → Bypass Cache. (http.host contains "example.com") → Eligible for Cache, Edge TTL override Origin 2 hours.
Things then get more complicated if Query strings are getting involved etc.
Edit: Or you could use Cloudflare’s Wordpress Addon, which was developed to do all that basically.
Pages Rules probably have a similar mechanism that you can use.
Thank you for this Laudian, the challenge is really to serve just the authenticated users the cached pages. If we bypassed caching on the cookie of an authenticated user essentially the authenticated pages would be slow back and forth from our origin server. Are there any rules you are aware of to achieve something like that?
If you want to cache multiple versions of the same site (logged-in and logged-out), you need to use custom cache keys, which are available on the enterprise plan.
If you want to cache only authenticated requests and serve unauthenticated requests from the server instead, just use “cookie does not contain” instead of “contains” for the bypass rule.
Caching only for logged-in users is a very uncommon use case, and I don’t think you can achieve this with the free options. The default cache-key will always be the URI, so logged-out users would still see the logged-in page.
Got it, thanks for the help on this one. Before reaching out the only path (although not a great one) was setting a Page Rule with Browser Cache for 7days or so. That way authenticated users cached once they get in and have a faster render during the TTL period. The site only change a handful of times a year so the risk of them seeing a cached version instead of the live version is not too bad.