
# Using Cloudflare DNS with Porter

> Configure Cloudflare DNS in proxy or non-proxy mode with Porter, including SSL settings, CNAME records, and TLS certificate handling

Porter supports Cloudflare DNS out of the box in both proxy and non-proxy mode.

Before continuing any further, ensure that you have followed our guide for [deploying applications on your custom domain](/applications/configure/custom-domains#deploying-on-the-custom-domain).

When using non-Cloudflare services such as AWS WAFv2, AWS CloudFront, or most other DDoS prevention services, it is recommended to use non-proxy mode with your Cloudflare DNS.
This ensures that Cloudflare acts only as a trusted authority for DNS, and that all other security is delegated to the other providers.
Porter handles the creation and renewal of your TLS/HTTPS certificates, and therefore recommends using non-proxy mode.

Most Cloudflare services will require Cloudflare DNS Proxy mode. If you require one of these services, follow the steps below for ensuring that your applications are compatible.

Before continuing, you will need to copy the address of your Porter-managed loadbalancer.
To find your loadbalancer address, open one of your apps, and from its Overview tab open the Networking tab of one of its Web services.
You should see the address for your loadbalancer.
This address may be a DNS name or an IP address, depending on your cloud provider.
This is important later, because it determines which type of DNS record you create.

# Creating a DNS record

If you have already created a wildcard DNS record (recommended), you may skip this section.

* From the Cloudflare dashboard, select `Websites`, then your chosen domain name.
  <img src="https://mintcdn.com/porter/bja7Zm50xP-m5T8X/images/security-and-compliance/cloudflare/sidebar-websites.png?fit=max&auto=format&n=bja7Zm50xP-m5T8X&q=85&s=9344e51796e04e64c4ddf17e7b97898a" alt="Websites" width="522" height="790" data-path="images/security-and-compliance/cloudflare/sidebar-websites.png" />

* In the sidebar, select `DNS` > `Records`
  <img src="https://mintcdn.com/porter/bja7Zm50xP-m5T8X/images/security-and-compliance/cloudflare/sidebar-dns-records.png?fit=max&auto=format&n=bja7Zm50xP-m5T8X&q=85&s=246108d3d7e803ec951543210d000d89" alt="DNS Records" width="522" height="642" data-path="images/security-and-compliance/cloudflare/sidebar-dns-records.png" />

* Click `Add Record`
  <img src="https://mintcdn.com/porter/bja7Zm50xP-m5T8X/images/security-and-compliance/cloudflare/add-record.png?fit=max&auto=format&n=bja7Zm50xP-m5T8X&q=85&s=04741b0de529ca353d70d343b2e4ca5b" alt="Add DNS Record" width="2268" height="436" data-path="images/security-and-compliance/cloudflare/add-record.png" />

<Tabs>
  <Tab title="CNAME Record">
    If your loadbalancer address is a DNS name, you will need to create a CNAME Record.

    Set `Type` to `CNAME` (CNAME Record)

    Set `Name` to the DNS name that your application should be available at

    Set `Target` to the Porter Loadbalancer DNS address from before

    <img src="https://mintcdn.com/porter/bja7Zm50xP-m5T8X/images/security-and-compliance/cloudflare/record-cname.png?fit=max&auto=format&n=bja7Zm50xP-m5T8X&q=85&s=cc06764ca0e5ccf418621b4d8ca440a6" alt="CNAME Record" width="1294" height="200" data-path="images/security-and-compliance/cloudflare/record-cname.png" />
  </Tab>

  <Tab title="A Record">
    If your loadbalancer address is an IP address, you will need to create an A Record.

    Set `Type` to `A` (A Record)

    Set `Name` to the DNS name that your application should be available at

    Set `IPv4 Address` to the Porter Loadbalancer address from before

    <img src="https://mintcdn.com/porter/bja7Zm50xP-m5T8X/images/security-and-compliance/cloudflare/record-a.png?fit=max&auto=format&n=bja7Zm50xP-m5T8X&q=85&s=92e05cb0eb7da43919d5beae04661775" alt="A Record" width="1314" height="180" data-path="images/security-and-compliance/cloudflare/record-a.png" />
  </Tab>
</Tabs>

# Non-Proxy DNS

Ensure that `Proxy Status` is disabled. This will show as `DNS only`.

<img src="https://mintcdn.com/porter/bja7Zm50xP-m5T8X/images/security-and-compliance/cloudflare/dns-non-proxy.png?fit=max&auto=format&n=bja7Zm50xP-m5T8X&q=85&s=247daf0fbdd0be2796fb2c5f789e7741" alt="DNS Only" width="640" height="164" data-path="images/security-and-compliance/cloudflare/dns-non-proxy.png" />

Done! You should now be able to visit your custom domain, with Porter managing your HTTPS!

# Proxy DNS

Ensure that `Proxy Status` is enabled. This will show as `Proxied`.

<img src="https://mintcdn.com/porter/bja7Zm50xP-m5T8X/images/security-and-compliance/cloudflare/dns-proxy.png?fit=max&auto=format&n=bja7Zm50xP-m5T8X&q=85&s=456052d8b7b9c7d4903e06ed73b77cdb" alt="Proxied DNS" width="546" height="166" data-path="images/security-and-compliance/cloudflare/dns-proxy.png" />

## Allowing ACME Challenges

To ensure that Porter can still create certificates on your behalf, we must allow Let's Encrypt traffic to bypass Cloudflare's proxying, as these requests must be made over HTTP or unverified HTTPS.

From the sidebar, select `Rules` > `Page Rules`

<img src="https://mintcdn.com/porter/bja7Zm50xP-m5T8X/images/security-and-compliance/cloudflare/sidebar-page-rules.png?fit=max&auto=format&n=bja7Zm50xP-m5T8X&q=85&s=35f1b42aebbaf73cd8aa617e6d89e002" alt="Page Rules" width="524" height="446" data-path="images/security-and-compliance/cloudflare/sidebar-page-rules.png" />

Select `Create rule`

Give the rule a name. This can be any name you choose.

Assuming the domain in question is `example.com`, add a new Page rule for `*example.com/.well-known/acme-challenge/*`, with the following settings:

1. `SSL: Off`
2. `Cache Level: Bypass`

Done! You will now be able to avail of any Cloudflare services through Porter. If you are still seeing errors, remove the custom domain from your application in Porter, deploy, then add the domain back and your certificate should be validated after a few seconds.

## Too Many Redirects

This step is not necessary for most customers. Only proceed if you are seeing a `too many redirects` error.
If you visit your custom domain, you may now get a `too many redirects` error from Cloudflare.
To fix this issue, we must create a Cloudflare Configuration Rule.

From the sidebar, select `Rules` > `Overview`

<img src="https://mintcdn.com/porter/bja7Zm50xP-m5T8X/images/security-and-compliance/cloudflare/sidebar-overview.png?fit=max&auto=format&n=bja7Zm50xP-m5T8X&q=85&s=930ee9dd967bf36141af42dbace30fe3" alt="Rules Overview" width="520" height="424" data-path="images/security-and-compliance/cloudflare/sidebar-overview.png" />

Click `Create rule`, then select `Configuration Rules`

<img src="https://mintcdn.com/porter/bja7Zm50xP-m5T8X/images/security-and-compliance/cloudflare/configuration-rules.png?fit=max&auto=format&n=bja7Zm50xP-m5T8X&q=85&s=6687bef813287e816050942896b677f2" alt="Configuration Rules" width="748" height="820" data-path="images/security-and-compliance/cloudflare/configuration-rules.png" />

Give the rule a name. This can be any name you choose.

For this guide, we will assume that you want to enable proxied TLS on all subdomains for this website. As such, select `All incoming requests`.

<img src="https://mintcdn.com/porter/bja7Zm50xP-m5T8X/images/security-and-compliance/cloudflare/rules-all-incoming.png?fit=max&auto=format&n=bja7Zm50xP-m5T8X&q=85&s=4547b69f9a2ae41afcd5608bdf02c6e1" alt="All Incoming Requests" width="634" height="338" data-path="images/security-and-compliance/cloudflare/rules-all-incoming.png" />

Scroll down to `SSL (Optional)`

Click `Add` and choose `Full` from the drop-down.

<img src="https://mintcdn.com/porter/bja7Zm50xP-m5T8X/images/security-and-compliance/cloudflare/rules-ssl-full.png?fit=max&auto=format&n=bja7Zm50xP-m5T8X&q=85&s=f3a17b155fee2ea6f7cc05ed8141c143" alt="SSL Full" width="886" height="340" data-path="images/security-and-compliance/cloudflare/rules-ssl-full.png" />

After a few moments, your custom domain will be ready behind Cloudflare Proxy.
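
Why `Full` clears the loop, as an added example that is not part of Porter's documentation: it assumes the origin redirects plain HTTP to HTTPS and that the edge was previously in Cloudflare's `Flexible` SSL mode, which always connects to the origin over HTTP, whereas `Full` keeps the visitor's scheme. `app.example.com` and the `simulated_proxy` model are constructed; `trace` with its default fetcher can be run against a real domain.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def head(url):
    """One HEAD request, redirects not followed: returns (status, Location)."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=10)
    try:
        conn.request("HEAD", p.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace(url, fetch=head, max_hops=10):
    """Follow redirects by hand; return ("ok" | "loop" | "too-long", chain)."""
    chain = []
    for _ in range(max_hops):
        if url in chain:                      # same URL twice: the browser would loop
            return "loop", chain + [url]
        chain.append(url)
        status, location = fetch(url)
        if status not in REDIRECTS or not location:
            return "ok", chain
        url = urljoin(url, location)          # resolve relative Location headers
    return "too-long", chain

def simulated_proxy(ssl_mode):
    """Constructed model, not real traffic: an origin that redirects plain HTTP
    to HTTPS (assumed), behind an edge in the given SSL mode."""
    def fetch(url):
        p = urlsplit(url)
        # Flexible always speaks HTTP to the origin; Full keeps the visitor's scheme.
        origin_scheme = "http" if ssl_mode == "flexible" else p.scheme
        if origin_scheme == "http":
            return 301, f"https://{p.netloc}{p.path or '/'}"
        return 200, None
    return fetch

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(trace(sys.argv[1]))             # live check against a real domain
    else:
        for mode in ("flexible", "full"):
            print(mode, trace("https://app.example.com/", simulated_proxy(mode)))
```

A `loop` verdict on the live check after the Configuration Rule has been saved means the rule is not matching the hostname being requested.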
