* CNAME records cannot be Proxied in the DNS tab

Hey guys!

I have a * entry in Cloudflare as a CNAME record. I’d like to take advantage of the Cloudflare SSL certificates, so I would like to actively proxy this entry. According to the UI, right now Cloudflare is doing DNS only on this path.

The confusing part is that based on my logs, it looks like the traffic would be actively proxied:

  • the x-forwarded-for http header returns an IP that belongs to Cloudflare
  • the cf-connecting-ip http header is populated and I see my computer’s IP there
  • I see my separate subdomains in Caching/Performance Summary/Hosts
  • When I inspect my SSL certificate in the browser, I see Cloudflare as the issuing authority

So, my question is:
Is my traffic actively proxied through Cloudflare? It looks like it, but the UI tells me that’s not the case. Or is there a UI bug in Cloudflare that shows me that this route is DNS only, when it’s actually actively proxied?

CNAME in general seems to support active proxying, but then why does only this route prevent me from doing that? I couldn’t find any official docs for * CNAME records.

:blush: Couldn’t decide if this question should be a support ticket or posted on the community forum, so I decided for the more public instance in this case.

Why do I need a * CNAME record?

Reading my post, it feels like this would be the first question on your mind, so I’ll go ahead and answer it.

The webapp is hosted on Vercel. The * allows me to set up any subdomain for my domain in Vercel, without having to keep track of the subdomains in both places. My setup is the recommended Vercel way of using Cloudflare: How do I use a Cloudflare domain with Vercel? | Vercel Docs

When I inspect my SSL certificate in the browser, I see Cloudflare as the issuing authority

Also attaching a screenshot of the SSL certificate I see:

The reason why this is a separate comment is because new members are limited to 1 uploaded media item per post.

Wildcards cannot be proxied on Cloudflare, unless you are on the Enterprise plan.

You either sign up for an Enterprise plan, add individual records, or have an unproxied wildcard.

And no, even with proxied records you cannot “take advantage of a Cloudflare certificate” as you still need a valid certificate on your server anyhow.

