Cloudflare on top of a proxy that directs traffic to a different server


#1

Hello!

I first want to explain what my current setup is, and then explain why I am having questions about putting Cloudflare in the mix.

Currently I have many different domains that are set up to delegate traffic to a proxy. That proxy will (based on the original host name) do some changes in the request, make the request to another server and modify the response that comes back to finally deliver it to the client.

I want to be able to put Cloudflare right on top of the proxy so that I can take advantage of the caching and security offered by it. However, I want to make sure that this is a good approach and is something that Cloudflare can be helpful with.

My concerns and questions are:

  1. Currently for a given domain, for example www.sellingpens.com, once I get to the proxy, I will be directing the traffic to www.myapp.com/sellingpens - I can do that because I have access to the host name and part of it (sellingpens), so I know what suffix to put in there. If I put Cloudflare as the name authoritative of the proxy app, will I still have access to the original hostname?

  2. If I do a request to www.sellingpens.com which will ultimately get the response from www.myapp.com/sellingpens and cache it in Cloudflare (because it lives on top of the Proxy), if I do a request to www.sellingboots.com (which will ultimately get the response from www.myapp.com/sellingboots), will I be getting the cached response for sellingpens.com? If not, how does Cloudflare know how to differentiate between those two requests?

  3. Is Cloudflare ok with supporting requests that come from different domains? Right now I can do www.sellingpens.com which is told to delegate to www.myapp.com, and also I can do www.sellingboots.com which is told to delegate to www.myapp.com. If I put Cloudflare as the authoritative of www.myapp.com, will it be ok handling requests that come from different domains (sellingboots.com and sellingpens.com)?

  4. Does this architecture make sense? I haven’t been able to find any question related to this, and I want to make sure that going from the flow of: domain -> proxy -> app to domain -> (cloudflare) -> proxy -> app, will still make sense.

Thanks


#2

I’m going to attempt to address your questions, but remember I don’t know your environment as well as you do, so you would definitely want to test/validate my assumptions and answers. Also, if you are doing this as a SaaS or MSP where you have a large number of 3rd party domains pointing to your eCommerce engine you may also want to take a look at our SSL for SaaS offering which provides a lot of useful automation in scenarios like you’re describing here which might be helpful.

In general? Yes. We do CNAME flattening for orange clouded records (records proxied by Cloudflare), so even if www.sellingpens.com was a CNAME to www.myapp.com we flatten the result returned to the IP of www.myapp.com and return that address. To do the opposite (pass a different host header) requires a page rule (and an Enterprise or SSL for SaaS plan).

I think we have a bit of a definition problem with what “lives on top of the proxy” means. I am going to assume for the purposes of my answers that it means myapp.com is also on Cloudflare and we are orange clouding a record for www.myapp.com which continues to point to your existing proxy service. If that definition isn’t correct, we’ll need to reevaluate the answers…

Items are cached on a per zone/per URI basis. So even if image.jpg is the same across 5 of your zones, www.foo.com/image.jpg does not equal www.bar.com/image.jpg. So if your proxy/app is serving the content back as www.sellingpens.com/images/pen1.jpg and sellingpens.com is on Cloudflare and set to cache content, the content will be cached. And a different copy would be retrieved from source/origin for every unique URI like that and cached based on its own settings/TTL.

If you are returning the images for the page www.sellingboots.com and sellingpens.com with a URI www.myapp.com/sellingpens/image.jpg and www.myapp.com/sellingboot/image.jpg then the images would be cached separately (different URI paths so they are considered different assets) but any domain which called that asset would retrieve it from the Cloudflare cache based on its URI and it would be stored based on the settings for myapp.com.

Generally yes. Plenty of folks CNAME to other assets. If you need to pass through a different host header than the original request this can be an issue unless you are on the ENT plan, but given your description it doesn’t appear to be a limitation and in fact is the expected/desired behavior. But to be clear, if the URI returned is www.sellingboots.com/whatever/image.jpg we will only cache that asset if sellingboots.com is on Cloudflare (or if you’re using SSL for SaaS).

Hopefully that helps…
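
A simplified model of the two points discussed above, added here as an example and not code from the thread or from Cloudflare: the proxy maps the original hostname to a path on the shared app, and a cache keyed on hostname plus path keeps the two storefronts' responses separate. The tenant table, `fake_origin` and the host allowlist check are assumptions made for the illustration.

```python
# Added illustration: a toy model, not Cloudflare's or the poster's implementation.

# Constructed tenant map: public hostname -> path prefix on the shared app.
TENANTS = {
    "www.sellingpens.com": "/sellingpens",
    "www.sellingboots.com": "/sellingboots",
}
UPSTREAM = "https://www.myapp.com"


def upstream_url(host_header: str, path: str) -> str:
    """Map an incoming Host header + path to the shared app, rejecting unknown hosts."""
    host = host_header.strip().lower().split(":", 1)[0].rstrip(".")
    if host not in TENANTS:  # never build an upstream URL from an unlisted Host
        raise ValueError(f"unknown host: {host_header!r}")
    if not path.startswith("/") or ".." in path.split("/"):
        raise ValueError(f"bad path: {path!r}")
    return f"{UPSTREAM}{TENANTS[host]}{path}"


class EdgeCache:
    """Toy cache keyed on (hostname, path): the per-zone/per-URI idea from the answer."""

    def __init__(self, fetch):
        self.fetch = fetch
        self.store = {}
        self.origin_hits = 0

    def get(self, host: str, path: str) -> str:
        key = (host.lower(), path)
        if key not in self.store:
            url = upstream_url(host, path)  # raises before anything is cached
            self.origin_hits += 1
            self.store[key] = self.fetch(url)
        return self.store[key]


def fake_origin(url: str) -> str:
    # Stand-in for the real app so the example runs offline.
    return f"body of {url}"


def demo():
    cache = EdgeCache(fake_origin)
    pens = cache.get("www.sellingpens.com", "/images/item1.jpg")
    boots = cache.get("www.sellingboots.com", "/images/item1.jpg")
    pens_again = cache.get("WWW.SellingPens.com", "/images/item1.jpg")
    return pens, boots, pens_again, cache.origin_hits
```
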


#3

Hey @cscharff, thanks for the answer, really useful information.

I should have clarified a couple of things that I believe make my architecture more complicated. Firstly, any of those third party domains have to go through that proxy, which happens to be an ElasticBeanStalk, whose domain I don’t own, so when I try to configure Cloudflare to be on top of that proxy, I wouldn’t be able to change the DNS nameservers. How do you circumvent that?

Another thing that I forgot to mention is that on top of my app (www.myapp.com) I already have Cloudflare. So the proxy gets responses from Cloudflare, and people visiting www.myapp.com directly, instead of going through the third party domains, also get the responses from Cloudflare.

So, my ideal scenario in order to get cached responses from the ElasticBean proxy, would be:

Third Party Domain -> Cloudflare -> Proxy -> Cloudflare -> MyApp

The responsibility of that proxy is to both change the request headers and once getting the response of MyApp change the response too. And to improve speed of serving the response to the third party domain, I would like to have a CDN on top of it.

I will be taking a look at the SSL for SaaS, and I hope the above explanations clarify what my architecture is.


#4

That helps clarify, yes. I’m assuming then the URI paths returned for images are based on the 3rd party domain name then? www.sellingbooks.com/something/image.jpg? In that case I think SSL for SaaS is probably the right option for your application/scenario.