Cloudflare Domain Configuration

Learn how to point your domain to a Pantheon site using Cloudflare


You can use Cloudflare for DNS only or stack it as a CDN on top of Pantheon's Global CDN. We recommend using Cloudflare for DNS only. However, if you have a paid Cloudflare plan for features like their WAF, or have custom Cloudflare configurations (e.g. many page rules) you'd like to keep, follow the guide below to enforce HTTPS and prevent any issues.

Before You Begin

Be sure that you have a:

Locate Pantheon's DNS Values

  1. Navigate to the Site Dashboard and select the target environment (typically Live) then click Domains / HTTPS.
  2. Click the DNS Recommendations button next to the www domain and copy the CNAME value (e.g. live-example.pantheonsite.io).
  3. Log in to your Cloudflare account in a new tab before you continue.

Configure DNS Records on Cloudflare

This configuration routes traffic to Pantheon's Global CDN exclusively. Unless you're paying for advanced Cloudflare features or have custom configurations (e.g. many page rules) you'd like to keep, turn off Cloudflare's CDN so that only DNS hosting services are used:

  1. Select DNS from the Cloudflare menu bar.
  2. Select CNAME from the dropdown menu.
  3. Enter www in the Name field and paste the CNAME record value provided by Pantheon (e.g. live-example.pantheonsite.io) in the Domain name field.
  4. Create a CNAME record for the bare domain (e.g. example.com) using the value from the previous step (e.g. live-example.pantheonsite.io).
  5. Select desired Time to Live (TTL).

    Time to Live (TTL)

    The TTL dictates the lifespan of a DNS record; a shorter time means less time to wait until the changes go into effect. TTLs are always set in seconds with a few common ones being 86400 (24 hours), 43200 (12 hours), and 3600 (1 hour).

    When you make a change to the TTL of an existing record, you need to wait for the old TTL time to pass - that is, if it had been set to 86400, you would need to wait a full 24 hours for the new setting to begin propagating everywhere.

  6. Disable Cloudflare's CDN by clicking the cloud icon (should be gray, not orange).

  7. Click Add Record.
  8. Cloudflare Page Rules will not work when Cloudflare is used for DNS only. Instead, redirects are handled by adding redirect logic to the WordPress wp-config.php file or the Drupal settings.php file. See Configure Redirects for more information.

Option 2: Use Cloudflare's CDN stacked on top of Pantheon's Global CDN

You can configure Cloudflare's CDN as an additional layer on Pantheon's Global CDN service:

  1. Select Crypto from the Cloudflare menu bar and set SSL mode to Full (or potentially Full, Strict), but not Flexible.
  2. Scroll down and enable Always use HTTPS.
  3. Scroll down and enable Automatic HTTPS Rewrites.
  4. Remove existing redirects configured via PHP in settings.php or wp-config.php.
  5. Proceed with DNS configuration as described in Option 1, but make sure the cloud is toggled orange, not gray.

CAA Records (Optional)

A CAA Record specifies which certificate authority (CA) can issue HTTPS certificates for a domain.

  1. Select DNS from the Cloudflare menu bar.
  2. Select CAA from the dropdown menu.
  3. Enter the bare domain (example.com) in the Name field, then click to configure the record value.

  4. Select Allow wildcards and specific hostnames for the record's tag and enter letsencrypt.org in the value.

  5. Select desired Time to Live (TTL).

    Time to Live (TTL)

    The TTL dictates the lifespan of a DNS record; a shorter time means less time to wait until the changes go into effect. TTLs are always set in seconds with a few common ones being 86400 (24 hours), 43200 (12 hours), and 3600 (1 hour).

    When you make a change to the TTL of an existing record, you need to wait for the old TTL time to pass - that is, if it had been set to 86400, you would need to wait a full 24 hours for the new setting to be in place everywhere.

  6. Click Add Record. Your record should look similar to the following once it has been created:

    caa record

  7. Repeat this process for the www subdomain.
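
To see what these records restrict, the following added example (not part of Pantheon's documentation) evaluates CAA records as RFC 8659 describes: the closest name at or above the hostname that has CAA records decides, and an `issue` property also governs wildcard requests when no `issuewild` property is present. The zone lines are constructed sample data, and `shop.example.com` is a hypothetical name included to show a record that forbids all issuance.

```python
import shlex

# Constructed sample records in zone-file form (not from a real zone).
# shop.example.com is a hypothetical name showing an 'issue ";"' lockout.
SAMPLE = '''
example.com.      3600 IN CAA 0 issue "letsencrypt.org"
www.example.com.  3600 IN CAA 0 issue "letsencrypt.org"
shop.example.com. 3600 IN CAA 0 issue ";"
'''
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(text):
    """Return {owner: [(flags, tag, value), ...]} from zone-file style lines."""
    zone = {}
    for line in text.strip().splitlines():
        owner, _ttl, _cls, rtype, flags, tag, value = shlex.split(line)
        if rtype.upper() == "CAA":
            records = zone.setdefault(owner.rstrip(".").lower(), [])
            records.append((int(flags), tag.lower(), value))
    return zone

def relevant_rrset(zone, hostname):
    """Closest name at or above hostname that has CAA records (tree climbing)."""
    labels = hostname.lower().rstrip(".").split(".")
    if labels[0] == "*":  # a wildcard request is looked up at its parent name
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def may_issue(zone, hostname, ca):
    """True if CAA permits `ca` to issue a certificate for `hostname`."""
    rrset = relevant_rrset(zone, hostname)
    # An unrecognized tag with the critical bit (128) set blocks issuance.
    if any(f & 128 and t not in KNOWN_TAGS for f, t, _ in rrset):
        return False
    def issuers(tag):  # issuer domain is the part before any ';' parameters
        return [v.split(";", 1)[0].strip().lower() for _, t, v in rrset if t == tag]
    wildcard = hostname.startswith("*.")
    allowed = (wildcard and issuers("issuewild")) or issuers("issue")
    if not allowed:
        return True  # no property restricts this kind of request
    return ca.lower() in allowed

if __name__ == "__main__":
    zone = parse_caa(SAMPLE)
    for host in ("example.com", "blog.example.com", "*.example.com", "shop.example.com"):
        print(host, may_issue(zone, host, "letsencrypt.org"))
```

To check a live zone, feed `parse_caa` the CAA answer lines your resolver returns for each name instead of `SAMPLE`.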

Restrict Content Based on Geographic Location

If you're using Cloudflare's IP Geolocation feature, you will need to read the CF-IPCountry header and set Vary: CF-IPCountry on all responses.

Next Steps