Cloudflare cdn on alternate file domain breaks the styling of the page on phabricator


#1

I have a primary domain. In order to configure phabricator, I set up a subdomain for it.

Everything worked fine. I was able to use phabricator as expected. But, there was a setup warning that asked me to configure an alternate file domain and recommended using a completely different domain name than the primary domain name for security reasons.

Thus, I bought a new domain by the name of After that I signed up for cloudflare and added this new domain. The domain status on cloudflare shows active.

From my phabricator install, I set up alternate file domain as :
bin/config set security.alternate-file-domain https://primarydomaincdn.net

The command ran successfully. However, after setting this up, when i access my <phabricator.primarydomain.com>, all the styling of the page is lost. It only loads plain html page with no css.
When inspecting via chrome developer console, the error says - it cannot load core.pkg.css file.

Is there a step missing here or do i need to wait? Its less than an hour since i signed up in cloudflare.

Thanks.


#2

This to me seems like a server configuration or website issue. Have you tried loading the direct link outside of the webpage?


#3

Hmm. I was able to access the page before setting up the alternate file domain, so should not be website issue? I am not sure what you mean by loading direct link outside of the webpage.

Also, I removed the alternate file domain just to see if it reverts back to as before, and the style is there.
so,
/bin/config delete security.alternate-file-domain
/bin/phd restart

This brings my subdomain back to normal.

I do not have the server configuration for the new domain that I added to cloudflare as its only supposed to act as an alternate file domain. The server configuration for my primary domain should be fine.
Also, I assumed when i added my domain name to cloudflare, It automatically adds the SSL certificate, so when setting up the file domain, I used https://mynewcdndomain.com which should be the right thing?


#4

Can you share the domain name?

It does mean that, it’s extremely rare the issue is with Cloudflare.

Yeah, but not every server automatically supports HTTPS from Cloudflare, you should have a valid certificate on the server to be completely safe.

Open a link that doesn’t work in a tab directly.


#5

sure, its phabricator.galacticcoders.com.

I see. I am using Nginx server on Digital Ocean and based on the discussion here (https://www.digitalocean.com/community/questions/how-to-setup-ssl-certificate-via-cloudflare-on-digitalocean-wordpress-platform), it says, if I pick flexible SSL on cloud flare, there is no need to set up SSL on the server.


#6

Split the problem in two parts.

  1. regarding the original issue it’s not related to Cloudflare at all, as predicted. If you open for example a link that return a 404 (resource not found) in a browser tab it will result in an error returned directly by the origin, showing that it’s a configuration issue. Are you sure those files are in the directory assigned to the domain in the DO VPS? That the virtual server was setup correctly? That the server is accepting that domain? Also: why the need for a different domain, one may ask (I know it was prompted by phabricator)?
    link used: https://galacticcdn.net/res/defaultX/phabricator/e3c1a8f2/core.pkg.css
  2. regarding SSL of course it says that, it’s the whole point of Flexible SSL, the problem is hat the connection from Cloudflare’s Edge and your server (which can be extremely long since it’s a single server) is vulnerable to MITM attacks, etc.
    read more: Why we recommend you don't use flexible!

#7

So @matteo is asking the right questions. But in general I reject the idea you need a separate subdomain for any reason (let alone for security) with a subdomain through Cloudflare. We act as a transparent proxy which is different from many CDNs and so “standard” guidance is “N/A” when it comes to our design/architecture