Origin rules can replace nginx?

Hey guys!

With Origin Rules and Transform Rules is possible to avoid using Nginx in the origin considering in a VPC the firewall only allows incoming traffic from Cloudflare?

That’s not a straight forward yes/no. Nginx has more feature than you would get with origin and transform rules.

Completely agree, but suppose the Nginx is used as a “simple” proxy of a web server and the main role is to protect and forward HTTP requests?

So, we can assume with the origin and transform rules allow us to do the “same” of this Nginx conf?

http {
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    upstream websocket {
    server {
        listen 8020;
        location / {
            proxy_pass http://websocket;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;

I would say it is likely but I’ve never done it myself so not 100% certain.

@michael do you have any suggestions from Cloudflare? I think Cloudflare has powerful tools to replace basic-medium inverse proxy requirements when the origin is behind the orange cloud :smile: However, it’s better to listen to the experts.

Over the last few months, I’ve been thinking about the real role of Nginx on our servers behind Cloudflare and VPC WAF.

Given that my question is oriented towards the average suggested Nginx setup for http/wss traffic and always behind WAF with CF allowlist IPs.