Option to modify Cloudflare settings or completely disable Cloudflare
Michal Vašíček
I would like to see an option to modify Cloudflare behaviour or completely disable it for App Platform, since Cloudflare sometimes acts like a man-in-the-middle and modifies the source code sent by the app, which means you can't really be sure that the client gets what you send from the app.
Damien Duhamel
+1 we would like to configure rate limiting in Cloudflare WAF
Simon Cam
+1 We'd like to be able to configure CloudFront WAF for one of our apps, in order to add captcha protection to certain routes. It does seem quite pointless to go through two CDNs, so we'd love to be able to go straight to the origin from CloudFront.
Sam Mason
Adding an additional use case here as well, where there isn't a good way to globally turn off Cloudflare's email obfuscation script: https://www.digitalocean.com/community/questions/how-to-disable-email-address-obfuscation
Vasilis "Tzikis" Georgitzikis
I just found out about this ticket after replying to this ticket: https://ideas.digitalocean.com/app-platform/p/disable-app-platforms-cloudflare-cdn-and-use-your-own-cdn
I'm copying my original reply here as well, since it seems to be more upvoted:
I was just trying to figure out how to do that yesterday, and decided to make a request about it, so interesting that more people are asking for it but it makes total sense.
For what it's worth, the reasons why I need this are many:
1. App Platform's Cloudflare CDN doesn't honor the Cache-Control header's stale-while-revalidate value, even though the standard is 14 years old. We need this because we have a slow API endpoint and we want the CDN to serve the last value while waiting for the new one.
2. App Platform's Cloudflare CDN doesn't honor the Vary header. We need this because Django replies with an html or json response based on headers used, and Cloudflare caches the first response regardless of the headers used. That means that, if the first request is for the html version, every subsequent request gets the html version, even if it's an ajax rest api request for the json version, which completely breaks functionality for our website until the cache is invalidated.
3. On our dev machines, we are whitelisting our IPs through env vars, in order to access the debug console. I'm sure there are other uses for that as well. Since the App Platform goes through Cloudflare's CDN:
   a. We need to whitelist a bunch of different Cloudflare IPs in order for this to work, depending on the proxies we end up going through
   b. That means that we're also whitelisting every other user who goes through that same Cloudflare proxy
4. Cloudflare adds its own cookie.
5. Related to 1, 2 & 4, we will probably end up using our own CDN, and we've tested Fastly. We had to go through some hoops to make it work cause of #4, but it seems to work. So we still have the same overhead that the OP mentioned. Even so, #3 is still a problem for us, and #2 is still a problem if someone (even just a web spider) somehow calls the publicly available API with the html version, directly on DO/Cloudflare's URL.
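
The Vary item in the list above, modelled as an added example that is not part of the original comment and is not Cloudflare's or Django's code: a toy shared cache in front of a content-negotiating origin, replayed once with `Vary` folded into the cache key and once with it ignored. The `origin`, `SharedCache` and `replay` names, the `/api/items` URL and the response bodies are all constructed for illustration.

```python
def origin(headers):
    """Hypothetical origin: JSON for Accept: application/json, HTML otherwise."""
    if "application/json" in headers.get("Accept", ""):
        body, ctype = '{"items": []}', "application/json"
    else:
        body, ctype = "<html>items</html>", "text/html"
    # The origin declares that the representation depends on Accept.
    return {"body": body, "Content-Type": ctype, "Vary": "Accept"}


class SharedCache:
    """Toy shared cache; honor_vary=False keys entries on the URL alone."""

    def __init__(self, honor_vary):
        self.honor_vary = honor_vary
        self.store = {}      # cache key -> stored response
        self.vary_for = {}   # url -> request header names listed in Vary

    def _key(self, url, headers):
        if not self.honor_vary:
            return (url,)
        names = self.vary_for.get(url, ())
        return (url,) + tuple(headers.get(n, "") for n in names)

    def fetch(self, url, headers):
        key = self._key(url, headers)
        if key in self.store:
            return self.store[key]              # cache hit
        resp = origin(headers)                  # cache miss: ask the origin
        if self.honor_vary:
            # Remember which request headers select the representation,
            # then recompute the key so each variant is stored separately.
            self.vary_for[url] = tuple(h.strip() for h in resp["Vary"].split(","))
            key = self._key(url, headers)
        self.store[key] = resp
        return resp


def replay(honor_vary):
    """Constructed traffic: a browser request, then an AJAX request, same URL."""
    cache = SharedCache(honor_vary)
    first = cache.fetch("/api/items", {"Accept": "text/html"})
    second = cache.fetch("/api/items", {"Accept": "application/json"})
    return first["Content-Type"], second["Content-Type"]


if __name__ == "__main__":
    print("Vary honored:", replay(True))
    print("Vary ignored:", replay(False))
```

With `Vary` ignored, the second client receives the HTML stored for the first, which is the breakage the comment describes; it persists until the entry is invalidated.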
rēgen 🌧️ *regnson (🌳,🍄)
There are some Cloudflare settings that are essential for hosting APIs on App Platform. For instance, the Cloudflare-branded pages when the app server returns a 502 or 504 status code interfere with clients that request "application/json". Cloudflare provides settings that can prevent such problems from occurring, but they aren't accessible within App Platform.
Paul Maxwell
Cloudflare also has a hard 100-second timeout for requests, which can be inconvenient. Now I have to redesign part of my app, move it to a droplet, or move to a different hosting platform altogether.