Do you proxy to Netlify from another CDN?

:wave: I’m Jen. Maybe you’ve seen me around the forum. Maybe I’ve advised you not to proxy to Netlify before! But we know that people do proxy to us from other CDNs and we want to learn more about why and how. In exchange for sharing, we’ll thank you profusely :pray: and take your feedback seriously :face_with_monocle: We may even follow up with you for more information.

How to participate

  1. First, fill out the poll in question 1. Note that you can only vote once, but you may change your vote if you accidentally choose the wrong option.

  2. Then, copy/paste questions 2-4 into a comment and add your responses. If you’d prefer to share your feedback over DM, please note that in a comment or send me a message and I’ll get back to you. Without further ado:

The survey

  1. Who do you proxy to us through?
  • Amazon CloudFront
  • NGINX
  • Akamai
  • Fastly
  • Other (if other, please let us know which one in the comments)

  2. What goals do you have that proxying to Netlify helps you accomplish?
  3. Are you accomplishing what you set out to with this configuration?
  4. Did you have to configure anything at your other CDN provider in order for proxying to Netlify to work for you?

We look forward to your responses!

4 Likes

Really cool of you to gather this feedback and take it on board! :smiley:

Cloudflare

  2. What goals do you have that proxying to Netlify helps you accomplish?

Proxying:

  • Email Address Obfuscation
  • Reduce bandwidth on Netlify, especially in case of unexpected traffic spikes or bot activity. As a student hosting a personal site, I can’t afford surprise extra bandwidth charges from Netlify, and Cloudflare helps reduce this, for free, with no bandwidth limit of its own. Also have a friend using a video background on his Netlify site, so reducing Netlify bandwidth usage is even more important with high bandwidth items like these. In the case of images, while Netlify does offer lossless compression, I often want to offer at least an option for an original version to my visitors, too, again using bandwidth.

Hosting external DNS (even without proxying):

  • DNSSEC
  • Point root domain somewhere other than www
  • Avoiding wildcard certificates being issued

  3. Are you accomplishing what you set out to with this configuration?

Haven’t finished setting up yet, but looking good so far.

  4. Did you have to configure anything at your other CDN provider in order for proxying to Netlify to work for you?

As Netlify doesn’t provision the Let’s Encrypt cert when proxied to, I need to set a Cloudflare Origin Certificate as my custom certificate on Netlify, as I want to stick with using the Full (Strict) HTTPS mode on Cloudflare for maximum security.

1 Like

Great feedback, @jtc. These are all great points and worthy of good thought.

I used to finagle with Cloudflare and WP in the past, not sure if this will help you, but I think if you just bypass Cloudflare services while initially creating the Let’s Encrypt cert, you can enable them again and it’ll be able to renew those certs without issue. Had the same thing going on with those old WP servers behind CF too. Hope that maybe helps. CF CA Certs are great too, but managing the updates can be annoying IIRC :smiley:


Jon

2 Likes

Adding another config we learned about, for apexes only, in order to make use of Terraform for DNS:

We use CloudFront for domain apexes only. Why? We use Terraform for infrastructure as code, and AWS Route 53 for DNS. Route 53’s alias type doesn’t provide the needed “CNAME-style domain resolution for apex domains” cited here: https://docs.netlify.com/domains-https/custom-domains/configure-external-dns/#configure-an-apex-domain

I wasn’t able to find another / new DNS service with a Terraform provider, who did provide the “CNAME flattening, ANAME records” behavior. NS1 does provide this functionality with Terraform, but they simply stopped writing me back when I told them about our low query load, and costs would have been over 30x more than we’re paying w/ Route53.

That left us with configuring apexes using Netlify’s load balancer. Using Netlify’s load balancer seems to cause all redirects to the www record to go through the US West Coast, so slightly less performant than Route 53 which has points of presence worldwide. Using Netlify’s load balancer (at least as we had it configured) seemed to cause three redirects to arrive at the www host, rather than two with CloudFront.

The cost for us using CloudFront w/ SSL is less than $1 per year, and deploying it with a Terraform module took less than three and a half minutes this morning.

  1. Who do you proxy to us through?

Cloudflare

  2. What goals do you have that proxying to Netlify helps you accomplish?

  • Only one place to manage my DNS (I have only one site on netlify and others elsewhere)
  • Monitoring (metrics on usage, bandwidth, security, browsers timing, etc.) which is not fully available on Netlify and not available in the free tier
  • Reducing used bandwidth to stay on the Netlify free tier (cache usage > 60%)
  • DNSSEC is not supported yet on Netlify (“DNSSEC on Netlify”)
  • I use Cloudflare Workers. I don’t know if you support similar features and I don’t think I want to spend time migrating the code + CI.

  3. Are you accomplishing what you set out to with this configuration?

Yep, it works. I had to use an A entry in the DNS. Using a CNAME didn’t work for the apex domain.

  4. Did you have to configure anything at your other CDN provider in order for proxying to Netlify to work for you?

The TLS certificate must be generated and set manually. Netlify could use Let’s Encrypt in this case to generate the certificate.

1 Like