Not able to cache static assets in Cloudflare CDN

I’ve registered a new domain on Cloudflare which I’ve connected to a Remix app hosted on render.com. But no files are being cached in the Cloudflare CDN and I can’t figure out why. Any tips on how to debug it? I’ve been struggling a long time with this, reading docs and trying different settings, so any help would be useful 🙂

The domain I’ve registered is tekkendocs.com. The JavaScript files have set Cache-Control: public, max-age=31536000, immutable, but the header Cf-Cache-Status gets the value DYNAMIC.
I also tried to add a rule to cache everything. I have set this to:

tekkendocs.com/*
Cache Level: Cache Everything

I’m currently on the Free plan.

I saw from another thread that it could be helpful to run a curl command. The result is as follows:
$ curl "https://tekkendocs.com/build/_assets/global-2OGRYG6G.css" -svo /dev/null --ipv4 --connect-to ::x.x.x.x

* Connecting to hostname: x.x.x.x
*   Trying x.x.x.x:443...
* Connected to (nil) (x.x.x.x) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
*  CApath: none
} [5 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [4207 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=tekkendocs.com
*  start date: Sep 10 20:35:21 2023 GMT
*  expire date: Dec  9 20:35:20 2023 GMT
*  subjectAltName: host "tekkendocs.com" matched cert's "tekkendocs.com"
*  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1P5
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* h2h3 [:method: GET]
* h2h3 [:path: /build/_assets/global-2OGRYG6G.css]
* h2h3 [:scheme: https]
* h2h3 [:authority: tekkendocs.com]
* h2h3 [user-agent: curl/7.87.0]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x26099741e30)
} [5 bytes data]
> GET /build/_assets/global-2OGRYG6G.css HTTP/2
> Host: tekkendocs.com
> user-agent: curl/7.87.0
> accept: */*
>
{ [5 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [238 bytes data]
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [238 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
< HTTP/2 200
< date: Mon, 11 Sep 2023 21:49:53 GMT
< content-type: text/css; charset=UTF-8
< cf-ray: 80531f881d101bfa-OSL
< cf-cache-status: DYNAMIC
< cache-control: public, max-age=31536000, immutable
< etag: W/"206-18a7ab9af40"
< last-modified: Sat, 09 Sep 2023 16:15:04 GMT
< vary: Accept-Encoding
< x-render-origin-server: Render
< server: cloudflare
< alt-svc: h3=":443"; ma=86400
<
{ [5 bytes data]
* Connection #0 to host (nil) left intact

Hi @pbruvoll
Since the site is hosted on render.com, and they are also a Cloudflare customer, this is an SSL for SaaS setup where their settings override yours, and you will need to reach out to them to modify caching for your Custom Hostname you have with them.
Alternatively, you could also use o2o which allows you to modify settings on your zone but still use a SSL for SaaS provider:
How Orange-to-Orange (O2O) works · Cloudflare for Platforms docs
As you can read here (Status of Shopify O2O for non-Enterprise Cloudflare users - #12 by mike114), the o2o feature is not yet generally available for PayGo customers, but you can send an email to smarsh@ to enable this for you manually.

Thx, I’ll send a mail to smarsh

I did send an email to smarsh, but haven’t seen any reply. Is there some way you can help me with this?
The caching is currently a showstopper for going public with the app.
I have also talked to render about this. The feature to cache based on Cache-Control headers is on their backlog, but there is no time estimate for it, so it might take a while before it is enabled.

That hostname is not proxied by your account. It points straight to Render, which is already using Cloudflare.

If you proxy your “A” record for tekkendocs.com, do any of your rules start working?


I have now enabled proxy again for my A record:
(top of screenshot)

I have also tried to create a cache rule to respect the cache-control origin, as shown in the bottom of the screenshot.

But when I load the app in the browser, it still says that the files are Dynamic:

Request URL: https://tekkendocs.com/build/_shared/chunk-63XCAGJ4.js
Cache-Control: public, max-age=31536000, immutable
Cf-Cache-Status: DYNAMIC

Is this the correct setup, or am I doing something wrong here?

Now that I have read through the entire thread, I see Jochen already pointed out what’s going on.

At this time, O2O isn’t available for non-Enterprise customers, so it’s unlikely Render will make special configuration changes for your site. They’d have to follow through with their plan to permit CDN Cache Control headers at their end.
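
The header check that runs through this thread, as an added example that is not part of the original posts: a POSIX shell function that reads a `curl -sv` trace and reports what `cf-cache-status` and `cache-control` together imply. The function names, and the treatment of `x-render-origin-server` as the marker of a provider-fronted origin, are assumptions taken from the trace posted above.

```shell
#!/bin/sh
# Added example: classify edge caching from a `curl -sv` trace on stdin.

# Print the first value of a response header (curl prefixes those lines "< ").
resp_header() {  # $1 = lower-case header name, $2 = trace text
    printf '%s\n' "$2" | tr -d '\r' | awk -v want="$1" '
        /^< / {
            line = substr($0, 3); i = index(line, ":")
            if (i == 0 || found) next
            val = substr(line, i + 1); sub(/^[ \t]+/, "", val)
            if (tolower(substr(line, 1, i - 1)) == want) { print val; found = 1 }
        }'
}

cf_cache_diag() {
    trace=$(cat)
    status=$(resp_header cf-cache-status "$trace")
    cc=$(resp_header cache-control "$trace")
    # Assumption: x-render-origin-server marks a Render-hosted origin, as in the thread.
    origin=$(resp_header x-render-origin-server "$trace")
    case "$status" in
        HIT|REVALIDATED|STALE|UPDATING) echo "cached: served from edge ($status)" ;;
        MISS|EXPIRED) echo "cacheable: fetched from origin this time ($status)" ;;
        BYPASS) echo "bypassed: origin or a rule told the edge not to cache" ;;
        DYNAMIC)
            case "$cc" in
                *private*|*no-store*|*no-cache*)
                    echo "not-cached: origin forbids shared caching" ;;
                *public*|*max-age=[1-9]*)
                    if [ -n "$origin" ]; then
                        echo "not-cached: origin allows caching; ask provider ($origin) about edge settings"
                    else
                        echo "not-cached: origin allows caching; check zone cache rules"
                    fi ;;
                *) echo "not-cached: no cacheable Cache-Control from origin" ;;
            esac ;;
        "") echo "unknown: no cf-cache-status header" ;;
        *) echo "unknown: $status" ;;
    esac
}

# Constructed sample: response headers copied from the trace in the thread.
SAMPLE_TRACE='> GET /build/_assets/global-2OGRYG6G.css HTTP/2
< HTTP/2 200
< cf-cache-status: DYNAMIC
< cache-control: public, max-age=31536000, immutable
< x-render-origin-server: Render
< server: cloudflare'

printf '%s\n' "$SAMPLE_TRACE" | cf_cache_diag
```

Against a live URL, curl writes the trace to stderr, so pipe it with `2>&1` into `cf_cache_diag`.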