Sites hosted internally, can I make it so I can leverage CF but not the round trip?

We host most of our services internally and make them available externally via CF. However, this has caused a slowdown in response times due to having to leave the network and come back in to access a local resource. Is there a way to protect our sites with CloudFlare but not have to leave the network? Like an internal EDGE server type deal?

Not a chance. Your only hope would be to not use Cloudflare for internal connections (local DNS with local IP addresses) while the rest of the world uses Cloudflare DNS for those hostnames. Not an optimal solution.

How much of a slowdown are you seeing?

Well, for my personal Nextcloud server, when pictures and video sync from my phone I only get AT BEST 10 Mbps upload to a local server because of the loop. At work it’s not so bad as we have a 25 Mbps symmetrical fiber, but I can see it potentially being an issue in the future.

@sdayman’s response RE split DNS is the only real solution (and what I use at home), but there are ways to make it a bit more palatable than it being just Cloudflare-proxied or not - you just need to give it a bit of thought and decide whether it’s worth the effort.

e.g. you could have service.example.com, which is your ‘normal’ Cloudflare-proxied record; then also have dc-service.example.com, which is the direct-connection IP with no proxying; and finally dyn-service.example.com, which acts as a ‘dynamic’ service of sorts - i.e. it is proxied at Cloudflare, but your internal DNS resolves it to the non-proxied IP address locally.

Between those three hostnames you have flexibility to configure most applications to either use Cloudflare, bypass it, or bypass it only when on your internal LAN.

It’s kind of hacky - well, not really hacky, but it’s certainly involved - and it allows you to pretty much always get the desired behaviour.

The only other thing I’ve toyed with myself is using DNAT rules on the network’s edge to reflect normally Cloudflare-proxied traffic back to the internal IP, but then you need to have control of your source IPs etc. and maintain firewall rules.

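A worked model of the three-hostname split-horizon scheme described in the reply above, as an added example that is not part of the original thread. It shows what each hostname resolves to for a LAN client versus an Internet client, and adds the firewall check a practitioner needs once a DNS-only record such as dc-service.example.com publishes the origin address: the origin host should accept connections only from the LAN and from Cloudflare’s ingress ranges, otherwise anyone who reads that record can bypass the proxy. All addresses, the LAN prefix and the Cloudflare range below are constructed sample values, not the poster’s setup and not Cloudflare’s real IP list (which is published at https://www.cloudflare.com/ips/).

```python
"""Split-horizon DNS model for the service / dc-service / dyn-service scheme.
Added example; all networks and addresses are constructed sample values."""
import ipaddress

# Constructed sample data (assumptions, not real infrastructure).
LAN = ipaddress.ip_network("192.168.10.0/24")
ORIGIN_IP = "192.168.10.50"        # the internal server (e.g. a Nextcloud box)
CF_ANYCAST = "203.0.113.10"        # stand-in for the Cloudflare-proxied answer
# Stand-in for Cloudflare's published ingress ranges. In practice load the
# real list from https://www.cloudflare.com/ips/ instead of hard-coding it.
CF_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Public zone as served by Cloudflare DNS: proxied records answer with the
# edge address; the DNS-only record exposes the origin address to everyone.
PUBLIC_ZONE = {
    "service.example.com": CF_ANYCAST,      # proxied
    "dc-service.example.com": ORIGIN_IP,    # DNS-only, direct to origin
    "dyn-service.example.com": CF_ANYCAST,  # proxied for the outside world
}

# Internal resolver override (the equivalent of a dnsmasq address=/.../ line
# or an unbound local-data entry) that LAN clients see instead.
INTERNAL_OVERRIDES = {
    "dyn-service.example.com": ORIGIN_IP,
}


def resolve(hostname, client_ip):
    """Answer as the split-horizon resolver would: LAN clients get the
    internal override when one exists, everyone else gets the public view."""
    client = ipaddress.ip_address(client_ip)
    if client in LAN and hostname in INTERNAL_OVERRIDES:
        return INTERNAL_OVERRIDES[hostname]
    return PUBLIC_ZONE[hostname]


def path(hostname, client_ip):
    """Classify the resulting traffic path: 'direct' to the origin (no
    round trip through Cloudflare) or 'cloudflare' via the proxy."""
    return "direct" if resolve(hostname, client_ip) == ORIGIN_IP else "cloudflare"


def origin_allows(src_ip):
    """Firewall policy for the origin host once its address is public via
    dc-service: admit LAN clients and Cloudflare ingress ranges only, so
    knowing the origin IP does not let the Internet skip the proxy."""
    src = ipaddress.ip_address(src_ip)
    if src in LAN:
        return True
    return any(src in net for net in CF_RANGES)


if __name__ == "__main__":
    for host in PUBLIC_ZONE:
        for client in ("192.168.10.20", "198.51.100.7", "8.8.8.8"):
            print(f"{host:26} from {client:15} -> {path(host, client)}")
    # A random Internet host that learned the origin IP from dc-service:
    print("origin accepts 8.8.8.8:", origin_allows("8.8.8.8"))
```

The output table makes the trade-off concrete: service.example.com always goes through Cloudflare, dc-service.example.com always goes direct (including for Internet clients, which is why the origin firewall matters), and dyn-service.example.com goes direct only from the LAN. The same allow-list logic is what the DNAT-reflection approach mentioned above depends on, since reflecting traffic at the edge only stays safe if the origin still refuses sources that are neither LAN nor Cloudflare.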
