Cloudflare Domain Configuration

Learn how to point your domain to a Pantheon site using Cloudflare


You can use Cloudflare for DNS only or stack it as a CDN on top of Pantheon's Global CDN. We recommend using Cloudflare for DNS only. However, if you have a paid Cloudflare plan for features like their WAF, or have custom Cloudflare configurations (e.g. many page rules) you'd like to keep, follow the guide below to enforce HTTPS and prevent any issues.

Before You Begin

Be sure that you have a:

Locate Pantheon's DNS Values

  1. Navigate to the Site Dashboard and select the target environment (typically Live), then click Domains / HTTPS.
  2. Click the DNS Recommendations button next to the www domain and copy the A and AAAA values (e.g., 2620:12a:8000::2).
  3. Log in to your Cloudflare account in a new tab before you continue.

Configure DNS Records on Cloudflare

This configuration routes traffic to Pantheon's Global CDN exclusively. Unless you're paying for advanced Cloudflare features or have custom configurations (e.g. many page rules) you'd like to keep, turn off Cloudflare's CDN so that only DNS hosting services are used:

Example DNS only

  1. Click on DNS from the Cloudflare menu bar.

  2. Click + Add record.

  3. Select A from the Type drop-down menu.

  4. Enter www in the Name field and paste the IP address value provided by Pantheon in the IPv4 field.

  5. Select a desired Time to Live (TTL).

  6. Disable Cloudflare's CDN by clicking the cloud icon (should be gray, not orange).

  7. Click on Save.

  8. Cloudflare Page Rules will not work when Cloudflare is used for DNS only. Instead, redirects are handled by adding redirect logic to the WordPress wp-config.php file or the Drupal settings.php file. See Configure Redirects for more information.

Repeat the steps above to create an A record for the bare domain, using @ as the Name and the same IP address, then repeat again for the AAAA records.

Option 2: Use Cloudflare's CDN stacked on top of Pantheon's Global CDN

You can configure Cloudflare's CDN as an additional layer on Pantheon's Global CDN service:

  1. Select SSL/TLS from the Cloudflare menu bar and set SSL mode to Full (Strict).

    Enable SSL

  2. Navigate to the Edge Certificates page on the sub-menu and enable Always Use HTTPS.

    Cloudflare Always HTTPS

  3. Scroll down and enable Automatic HTTPS Rewrites.

  4. Remove existing redirects configured via PHP in settings.php or wp-config.php that you no longer need, and update any still required to point to the domain managed by Cloudflare. You can also set the Primary Domain from the Site Dashboard.

  5. Proceed with DNS configuration as described in Option 1, but make sure the cloud is toggled orange, not gray:

    Example DNS only

CAA Records (Optional)

A CAA Record specifies which certificate authority (CA) can issue HTTPS certificates for a domain.

  1. Click on DNS from the Cloudflare menu bar.

  2. Click + Add record.

  3. Select CAA from the Type drop-down menu.

  4. Enter the bare domain in the Name field.

  5. Keep the Only allow specific hostnames tag selected. If you are not stacking Cloudflare's CDN with the Pantheon Global CDN, enter as the value:

    If you are using Cloudflare's CDN, they will automatically add CAA records for their CA providers when Universal SSL is enabled. Do not add a record for in this case.

  6. Select a desired Time to Live (TTL).

  7. Click Add Record. Your record should look similar to the following once it has been created:

    CAA record

  8. Repeat this process for the www subdomain.
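
How a CAA record set restricts issuance, as an added example that is not part of the original page: a simplified RFC 8659 check run over constructed records. The domain `example.com` and the CA names `ca-one.example` and `ca-two.example` are placeholders, and CNAME handling is omitted.

```python
# Added example: simplified CAA evaluation (RFC 8659), no CNAME handling.
# Constructed records: example.com and the CA names are placeholders.
ZONE = {
    "example.com": [(0, "issue", "ca-one.example")],
    "www.example.com": [(0, "issue", "ca-one.example"),
                        (0, "issue", "ca-two.example; param=value")],
    "locked.example.com": [(0, "issue", ";")],
}
KNOWN_TAGS = ("issue", "issuewild", "iodef")

def relevant_rrset(zone, fqdn):
    """Climb from fqdn toward the root; return the first CAA RRset found."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return [(flags, tag.lower(), value) for flags, tag, value in rrset]
    return []

def issuer_of(value):
    """Issuer domain name of an issue/issuewild value, parameters dropped."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(zone, fqdn, ca):
    """True if CA identifier `ca` may issue a certificate for `fqdn`."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(zone, fqdn[2:] if wildcard else fqdn)
    # An unrecognised tag with the critical flag (128) forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [issuer_of(v) for _, tag, v in rrset if tag == "issue"]
    issuewild = [issuer_of(v) for _, tag, v in rrset if tag == "issuewild"]
    # For wildcard names, issuewild records replace issue records when present.
    allowed = issuewild if (wildcard and issuewild) else issue
    if not allowed:
        return True  # no issue-type record: issuance is unrestricted
    return ca.lower() in allowed

if __name__ == "__main__":
    for name in ("example.com", "www.example.com", "shop.example.com",
                 "*.example.com", "locked.example.com"):
        print(name, {ca: may_issue(ZONE, name, ca)
                     for ca in ("ca-one.example", "ca-two.example")})
```

The `shop.example.com` case shows that a record on the bare domain also governs subdomains that have no CAA records of their own.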

Restrict Content Based on Geographic Location

If you're using Cloudflare's IP Geolocation feature, you will need to read the CF-IPCountry header and set Vary: CF-IPCountry on all responses.

Next Steps