Partial CNAME routing Apex domain without CNAME configuration on authoritative DNS

What is the name of the domain?

www.toplinepro.com

What is the error message?

403 Forbidden cloudflare

What is the issue you’re encountering?

I recently set up a partial (CNAME) setup to route a subdomain. I added the CNAME record to my authoritative DNS. Now my apex domain is routing to Cloudflare, which at no point was enabled in my authoritative DNS record. This is causing a 403 Forbidden Cloudflare error screen for all visitors to www.toplinepro.com.

What feature, service or problem is this related to?

DNS not responding/updating

Your root domain returns a 301 redirect to the www site. You’d need to correct that on your origin.

* Host toplinepro.com:443 was resolved.
* IPv6: (none)
* IPv4: 99.83.190.102, 75.2.70.75
*   Trying 99.83.190.102:443...
* Connected to toplinepro.com (99.83.190.102) port 443
[snip]
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=toplinepro.com
*  start date: Feb 18 13:28:56 2025 GMT
*  expire date: May 19 13:28:55 2025 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R10
*  SSL certificate verify ok.
* using HTTP/2
[snip]
* Request completely sent off
< HTTP/2 301 
HTTP/2 301 
< date: Sat, 29 Mar 2025 01:15:21 GMT
date: Sat, 29 Mar 2025 01:15:21 GMT
< content-type: text/html
content-type: text/html
< content-length: 166
content-length: 166
< location: https://www.toplinepro.com/
location: https://www.toplinepro.com/
< strict-transport-security: max-age=31536000
strict-transport-security: max-age=31536000
< x-cluster-name: us-east-1-prod-hosting-red
x-cluster-name: us-east-1-prod-hosting-red
< 

The 403 is not related to the redirection. See #6 here… it’s being returned by your origin server for requests from Cloudflare’s edge.

Ensure your origin is configured to accept connections from Cloudflare IPs / review your logs for the reason the requests were blocked.

@cscharff Thank you, I’ll look into that, but I’m confused why Cloudflare is sending traffic at all for the site, we are using partial CNAME configuration for a subdomain. Why are subdomains I have not specified, and the apex domain all being routed by Cloudflare?

Cloudflare is not your authoritative DNS provider, but the subdomains you have specified can be proxied through Cloudflare via a CNAME record at your authoritative DNS provider. Check your authoritative DNS provider to find out which records are resolving to Cloudflare.

What cname are you referring to? The root domain toplinepro.com isn’t resolving to Cloudflare. It’s resolving to the IP address in my snippet above. That server is redirecting the root domain to www.

www.toplinepro.com resolves to

www.toplinepro.com.	60	IN	CNAME	proxy-ssl.webflow.com.
proxy-ssl.webflow.com.	60	IN	CNAME	proxy-ssl-geo-2.webflow.com.
proxy-ssl-geo-2.webflow.com. 60	IN	A	18.211.166.153
proxy-ssl-geo-2.webflow.com. 60	IN	A	54.243.86.28
proxy-ssl-geo-2.webflow.com. 60	IN	A	34.202.203.47

So that connection is going through proxy-ssl.webflow.com … how / why / what that proxy does isn’t something I am familiar with. You’d need to speak with them.

Sorry - I am limited by the links I can post. Only the subdomain dev.app.toplinepro.com should be routing to Cloudflare via the partial CNAME configuration.

This worked for about 24 hours after setup. toplinepro.com was routing correctly (not through Cloudflare), and dev.app.toplinepro.com was routing to Cloudflare.

Then this afternoon, with no configuration changes, toplinepro.com traffic started routing through cloudflare. We could see traffic in our cloudflare analytics dashboard, and we see a 403 Forbidden cloudflare error when navigating to toplinepro.com

We can see traffic in the real time logs, but based on the DNS configuration it’s very unclear how it’s getting to Cloudflare at all.

I posted a report of what DNS is resolving to for the domain. Traffic for www is going to the DNS entry specified. The results may contain Cloudflare, but that’s because whatever the DNS proxy specified is routing traffic there, internal to that system.

curl -Ikv https://www.toplinepro.com
* Host www.toplinepro.com:443 was resolved.
* IPv6: (none)
* IPv4: 18.211.166.153, 54.243.86.28, 34.202.203.47
*   Trying 18.211.166.153:443...
* Connected to www.toplinepro.com (18.211.166.153) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=www.toplinepro.com
*  start date: Mar 15 10:18:35 2025 GMT
*  expire date: Jun 13 11:18:30 2025 GMT
*  issuer: C=US; O=Google Trust Services; CN=WE1
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://www.toplinepro.com/
* [HTTP/2] [1] [:method: HEAD]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: www.toplinepro.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> HEAD / HTTP/2
> Host: www.toplinepro.com
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/2 403 
HTTP/2 403 
< date: Sat, 29 Mar 2025 01:26:53 GMT
date: Sat, 29 Mar 2025 01:26:53 GMT
< content-type: text/html
content-type: text/html
< server: cloudflare
server: cloudflare
< cf-ray: 927b94e64a923b5c-IAD
cf-ray: 927b94e64a923b5c-IAD
< 

The IP I connected to is owned by Amazon and presumably managed by Webflow based on the name in the DNS resolution. What it’s doing and why 🤷 but it’s apparently a proxy of some kind based on its name, so how that proxy is configured and where isn’t something I can answer.

Sorry not trying to be dismissive. I know it’s frustrating, but DNS is resolving to a host not under Cloudflare control so how the error is coming from Cloudflare and how traffic is routing to Cloudflare is controlled by the host (proxy) I’m connecting to (which isn’t Cloudflare so I can’t guess as to what it’s doing or why).
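The diagnosis above, as an added example that is not from any participant in the thread: walk the CNAME chain from constructed zone data (copied from the dig output earlier) and compare the operator DNS points at with the operator the HTTP response headers identify; the provider suffix list and the loop-* records are assumptions.

```python
"""Added diagnostic, not from the thread: resolve a hostname's CNAME chain
offline from constructed records, then compare who DNS says serves the name
with who answered the HTTP request. When they differ, something sitting at
the DNS target is forwarding traffic onward (here: Webflow -> Cloudflare)."""

# Constructed record table: owner -> list of (type, target). The www chain
# copies the dig output in the thread; apex and loop-* entries are constructed.
RECORDS = {
    "www.toplinepro.com.": [("CNAME", "proxy-ssl.webflow.com.")],
    "proxy-ssl.webflow.com.": [("CNAME", "proxy-ssl-geo-2.webflow.com.")],
    "proxy-ssl-geo-2.webflow.com.": [("A", "18.211.166.153"), ("A", "54.243.86.28")],
    "toplinepro.com.": [("A", "99.83.190.102"), ("A", "75.2.70.75")],
    "loop-a.example.": [("CNAME", "loop-b.example.")],  # constructed CNAME loop
    "loop-b.example.": [("CNAME", "loop-a.example.")],
}
# Suffixes that identify the operator of the final DNS hop (assumed list).
PROVIDERS = {"webflow.com.": "webflow", "cdn.cloudflare.net.": "cloudflare"}

def classify(host):
    """Map the terminal hostname of a chain to an operator label."""
    for suffix, provider in PROVIDERS.items():
        if host == suffix or host.endswith("." + suffix):
            return provider
    return "other"

def follow_cname(records, name, max_hops=8):
    """Return (chain, A records, provider); raise ValueError on a loop."""
    chain = [name]
    while True:
        rrset = records.get(name, [])
        cnames = [t for rtype, t in rrset if rtype == "CNAME"]
        if not cnames:
            return chain, [t for rtype, t in rrset if rtype == "A"], classify(name)
        if cnames[0] in chain or len(chain) >= max_hops:
            raise ValueError("CNAME loop or too many hops: " + " -> ".join(chain))
        name = cnames[0]
        chain.append(name)

def responder(headers):
    """Who answered the HTTP request, judged from response headers only."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("server", "").lower() == "cloudflare" or "cf-ray" in h:
        return "cloudflare"
    return "origin"

def diagnose(records, name, headers):
    """Return (dns_provider, responder); a mismatch means an upstream proxy."""
    return follow_cname(records, name)[2], responder(headers)
```

For www the pair comes back as ("webflow", "cloudflare"): DNS hands the request to Webflow, but the 403 and cf-ray header show Cloudflare answered it.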

Thank you again for your attention to this issue - it’s very much appreciated. Putting the origin on hold for a moment (we’ll also open a ticket with Webflow as well), do you have any thoughts on how we can see www.toplinepro.com traffic in Cloudflare when we aren’t intending to route any www.toplinepro.com traffic through Cloudflare?

I agree we would need to change something with webflow based on its responses to the cloudflare edge, but the goal was to not have the cloudflare edge involved. But now we are getting a cloudflare error page and seeing the traffic in cloudflare. The goal would just be from our authoritative DNS straight to webflow proxy.


Well that’s the thing… the DNS resolves to Webflow. The traffic is going to Webflow. Webflow is proxying that traffic to Cloudflare’s edge. There’s not anything you can really do about that. I mean you could add a www record in Cloudflare pointing somewhere… but if it’s to where your authoritative DNS is currently pointing, that won’t solve the issue.

In Cloudflare create a CNAME record for www that points to httpbin.org (visit https://httpbin.org/ to see what I’m suggesting you point it to). You’ll likely find that once you make the change a visit to www will return the same page I just suggested you change www to. That will show Cloudflare can route the traffic correctly when configured to do so. But the traffic shouldn’t be coming to Cloudflare based on your response so how/why .. that’s webflow proxy configuration related.


It looks like Webflow is using Cloudflare for their websites.

My guess is that by adding your zone to Cloudflare directly, your account now takes precedence over Webflow’s account.

As you can see here, there are 2 Cloudflare accounts for your domain:

./cloud.py toplinepro.com
santino.ns.cloudflare.com.:
        897
bob.ns.cloudflare.com.:
        bob.ns.cloudflare.com
        leia.ns.cloudflare.com

The first with NS santino is your account (I guess), and the second might be Webflow’s:

dig www.toplinepro.com @bob.ns.cloudflare.com +short
proxy-ssl.webflow.com.

Has your site been with Webflow for a long time?


Wow - I think that might be it. Thank you all for helping. We have been on Webflow for a long time, but just signed up for Cloudflare for this dev proxy. The goal was never to have www.toplinepro.com on cloudflare, but in a way it was via Webflow, and there is a conflict somewhere. I’m wondering if that rules out Cloudflare as a solution for this dev proxy.

I’ve tested with a few newer Webflow sites, and they all seem to use a more modern option to connect Cloudflare.

I don’t know how much effort it would be, but I’d try to remove your domain from Webflow and add it again, which hopefully would change it to custom hostnames, which your partial setup should not interfere with.

@Laudian
We did close that domain entirely on cloudflare to try to get our www.toplinepro.com website up and running, which is giving us the Cloudflare DNS error Cloudflare Ray ID: 927bed600a945ae1

Any experience with how long that will take to resolve back to how it was?

We did attempt to remove and add back our domain from webflow, but it didn’t give custom hostnames, it was the same setup as previous.

I have no idea, but I somehow doubt it will fix itself by just waiting.

Using partial setups to provide custom hostnames is very legacy and error prone, which is probably why Cloudflare introduced a specific custom hostname functionality.
These legacy setups usually have a “zone hold” to prevent you from adding your domain to Cloudflare directly and accidentally taking your website down, but that’s not mandatory.

Also, keep in mind that this is still only a guess. An educated guess I’d say, but still a guess.

I’d contact Webflow support…

@Laudian - Will do, thanks so much!
