CNAME external CDN subdomain

What is the correct/best way to combine Cloudflare and an external CDN (e.g., MaxCDN in my case) for caching static files?

I am attempting to configure both, but am experiencing low cache rates on both services. While some files can be found in both the CDN and Cloudflare caches (and some just in CF), often larger jpegs show:
x-cache: MISS
cf-cache-status: MISS
headers… which sends the user hopping from CF edge to CDN to origin. Not good.

BTW, the domain is https://www.rockbrookcamp.com/

There is this advice about making both services cooperate: How to Use MaxCDN With CloudFlare – MaxCDN
But even with the recommended settings, the issue remains.

I use the wp-rocket WordPress plugin to rewrite the URLs of static assets, from www.rockbrookcamp.com to static.rockbrookcamp.com. And then a CNAME to pass static.rockbrookcamp.com to the CDN domain.

Here is a screen showing the DNS settings I have in Cloudflare. I am guessing that this issue might be improved or eliminated by adjusting the site’s DNS. In other words, I am not confident the site’s DNS settings are optimal. For example, should the CNAME for the CDN’s subdomain be “DNS only?” And if so, how would this affect the coordination of both services?

Thank you for taking a look. I’ll appreciate some advice.

Don’t proxy it (your ‘static’ subdomain). It kind of defeats the purpose of a dedicated CDN.

Ah yes. Switching to “DNS only” on that subdomain. It has broken many things on the site, but perhaps that is a change that will take time to propagate. I’ll clear caches, but is there something I’m missing?

Perhaps an SSL issue? I have a hunch that with files not being proxied on Cloudflare, the CF dedicated edge certificate employed by the dedicated CDN is now not complete.

And if so, what is the best course of action to secure the subdomain that is serving the CDN files not proxied through Cloudflare?

The CDN you’re using isn’t secure?

My hunch is that the certificate is complete if traffic moves through the Cloudflare proxy, but when I switched to “DNS only” for the CDN subdomain, it broke the SSL chain.

The CDN allows uploading of an SSL certificate, but since I am using the Cloudflare dedicated edge certificate, I don’t think it includes a “full chain” to secure files served by the CDN alone.

So now I’m a bit stuck. I can keep the CDN traffic proxied through Cloudflare (where the CF SSL certificate works, but has the conflicting caching problem… the issue that created this ticket), or switch the CDN subdomain to “DNS only” and figure out an independent SSL solution for those files.

Does that seem correct?

Confirmed! The limitations of the Cloudflare SSL certificate, which works fine when traffic is proxied through CF, were the culprit. I was using that Cloudflare certificate to secure traffic through the CDN, but it was not complete when I switched the CNAME for its subdomain in CF to “DNS only.”

The solution was to utilize a separate (full chain) SSL certificate to secure the CDN subdomain independent from CF. I will continue to use the Cloudflare SSL certificate for proxied traffic, while at the same time using this separate certificate to handle the CDN traffic.

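The `x-cache` and `cf-cache-status` headers quoted in the first post show which cache layers a response crossed. As an added example (not part of the thread), this Python script parses `curl -sI`-style header captures and lists the assets that were cached twice or fell through to the origin; the hostname `static.example.com`, the paths and the captured values are constructed samples.

```python
# Added example. Header names x-cache, cf-cache-status and cf-ray are real;
# the hostname, paths and captured values below are constructed samples.
CF_SERVED = {"HIT", "STALE", "UPDATING", "REVALIDATED"}  # answered from Cloudflare's cache

def parse_headers(raw):
    """Turn a `curl -sI`-style block into a dict with lowercase header names."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # first line is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify(headers):
    """Report which cache layers a response crossed and which one answered it."""
    via_cf = "cf-cache-status" in headers or "cf-ray" in headers
    via_cdn = "x-cache" in headers
    if headers.get("cf-cache-status", "").upper() in CF_SERVED:
        served_by = "cloudflare"
    elif headers.get("x-cache", "").upper().startswith("HIT"):
        served_by = "cdn"
    else:
        served_by = "origin"
    return {"double_cached": via_cf and via_cdn, "served_by": served_by}

def summarize(captures):
    """captures maps URL -> raw header block; returns the URLs worth a look."""
    report = {"double_cached": [], "origin_fetches": [], "served_by": {}}
    for url, raw in captures.items():
        result = classify(parse_headers(raw))
        layer = result["served_by"]
        report["served_by"][layer] = report["served_by"].get(layer, 0) + 1
        if result["double_cached"]:
            report["double_cached"].append(url)
        if layer == "origin":
            report["origin_fetches"].append(url)
    return report

BASE = "https://static.example.com"  # constructed host
SAMPLE_CAPTURES = {  # constructed header captures
    BASE + "/img/large.jpg": "HTTP/2 200\ncf-cache-status: MISS\nx-cache: MISS\ncf-ray: 0-ATL\n",
    BASE + "/css/site.css": "HTTP/2 200\ncf-cache-status: HIT\nx-cache: HIT\n",
    BASE + "/js/app.js": "HTTP/2 200\ncf-cache-status: MISS\nx-cache: HIT\n",
    BASE + "/img/logo.png": "HTTP/2 200\nx-cache: HIT\n",  # "DNS only": CDN answers directly
}

if __name__ == "__main__":
    print(summarize(SAMPLE_CAPTURES))
```

Once the static subdomain is set to “DNS only”, its responses should carry no `cf-` headers at all, so the `double_cached` list should come back empty for that host.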