Proxy protection on sub-domains managed through Netlify

Features
,
#1

Hi,

I have enabled some sub-domains through the Netlify DNS control panel that forward to an IP address of another server. When I ping the subdomain address, I see the actual IP address of the servers. If I was doing this through the Cloudflare DNS I would have the option of proxying these subdomains for protection. Is there a way to achieve this through the Netlify DNS management system?

I have read the article on why you don’t need Cloudflare (Why You Don't Need Cloudflare with Netlify | Netlify) but it doesn’t appear to be relevant to sub-domains.

#2

Hi, @maggie0002. If you were doing this with Netlify DNS, the solution to proxy to another service from our CDN would work like this:

  1. Create a site at Netlify.
  2. Add the domain names to the site under Site Name > Settings > Domain management > Custom domains.
  3. Write proxy redirect rules for the site for those domain names.

Note, using Netlify DNS isn’t required. You can also use third-party DNS (like Cloudflare’s DNS). If you do move to Cloudflare for DNS, you can still host the sites at Netlify using that domain but there are important considerations which are covered in the support guide below:

To summarize, you must either not proxy for the domains hosted at Netlify (but you could proxy for sites hosted outside of Netlify which were using subdomains of that domain) or bring your own SSL certificate if you decide to use their proxy feature.

If there are other questions about this, please let us know.

#3

To clarify:

This is the feature I am trying to achieve, as found on CloudFlare:

7. (Optional) Some record types such *A* , *AAAA* , and *CNAME* allow a customer to toggle the Cloudflare proxy on or off. For the **Cloudflare Proxy Toggle:**

* An *orange cloud icon* proxies traffic through Cloudflare for the DNS record **Name** .
* A *grey cloud icon* ensures traffic for the DNS record **Name** is not proxied to Cloudflare. Cloudflare still serves DNS for a grey clouded DNS record, but no other Cloudflare features such as SSL, page rules, caching, WAF, etc are applied.

Grey cloud icons for *A* , *AAAA* , or *CNAME records* will expose your origin IP address to attackers and allows them to attack your origin IP address directly even if you later proxy traffic to Cloudflare. Direct attacks to your origin IP are only mitigated by asking your hosting provider to change your origin IP address.

Source: https://support.cloudflare.com/hc/en-us/articles/360019093151-Managing-DNS-records-in-Cloudflare

And I can achieve this through redirects? I can’t see a reference to something that would allow this other than one about a single file redirect (https://docs.netlify.com/routing/redirects/rewrites-proxies/#proxy-to-another-service). Presumably this won’t work the same?

#5

hey @maggie0002 - as mentioned above already, if you’d like to have the feature you are describing, that won’t work on our services - but the information you need to make this happen via cloudflare is included in that guide :slight_smile: