# Set Up Cloudflare with Aptible Endpoints

> Configure Cloudflare in front of Aptible Endpoints while preserving TLS validation and traffic routing.

You can use Cloudflare as a proxy in front of an Aptible [Endpoint](/core-concepts/apps/connecting-to-apps/app-endpoints/overview), but the DNS setup needs to preserve Aptible's [Managed TLS](/core-concepts/apps/connecting-to-apps/app-endpoints/managed-tls) validation records and route traffic through a stable origin hostname.

## Recommended Domain Structure

Use separate hostnames for the Aptible origin and the Cloudflare-facing URL:

* Aptible origin: `app.origin.example.com`
* Public Cloudflare URL: `app.example.com`

The origin hostname points to the Aptible Endpoint. The public hostname points to the origin hostname through Cloudflare.

## Configuration Steps

<Steps>
  <Step title="Configure Managed TLS for the origin hostname">
    In Aptible, configure the Endpoint custom domain as the origin hostname, such as `app.origin.example.com`. Create the [ACME validation records](/how-to-guides/app-guides/expose-web-app-to-internet#validation-records) shown in the Endpoint's Managed TLS configuration.
  </Step>

  <Step title="Create the origin CNAME in Cloudflare">
    Create a DNS-only CNAME record from the origin hostname to the Aptible Endpoint hostname:

    ```text
    app.origin.example.com -> elb-xxx.aptible.in
    ```

    Leave Cloudflare proxying disabled for this origin record.
  </Step>

  <Step title="Create the public CNAME in Cloudflare">
    Create a proxied CNAME record from the public hostname to the origin hostname:

    ```text
    app.example.com -> app.origin.example.com
    ```
  </Step>

  <Step title="Restrict direct origin access">
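    Enable [IP filtering](/core-concepts/apps/connecting-to-apps/app-endpoints/ip-filtering) on the Aptible Endpoint and allow Cloudflare's published IP ranges so that traffic reaches the origin through Cloudflare. Because the origin record is DNS-only, `app.origin.example.com` resolves publicly to the Endpoint; without the filter, clients can connect to it directly and skip Cloudflare.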
  </Step>
</Steps>
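
One way to check the IP filtering step after configuring it, shown as an added example (not Aptible or Cloudflare tooling): it compares an Endpoint allowlist with the proxy's ranges and reports both gaps that would block Cloudflare and entries that still permit direct origin access. `audit_allowlist` is a hypothetical helper, and the `PUBLISHED` values are constructed documentation ranges standing in for Cloudflare's current list.

```python
import ipaddress

# Constructed stand-ins from RFC 5737 documentation ranges, NOT Cloudflare's
# real ranges. Replace with the list Cloudflare currently publishes.
PUBLISHED = ["198.51.100.0/24", "203.0.113.0/25", "203.0.113.128/25"]


def _collapse(cidrs):
    """Parse CIDRs and merge adjacent/overlapping ones, per IP version."""
    nets = [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs]
    merged = []
    for version in (4, 6):  # collapse_addresses rejects mixed versions
        merged += ipaddress.collapse_addresses(
            n for n in nets if n.version == version)
    return merged


def _within(inner, outer):
    return inner.version == outer.version and inner.subnet_of(outer)


def audit_allowlist(allowlist, published=PUBLISHED):
    """Compare an Endpoint IP filter allowlist with the proxy's ranges.

    Returns (blocked, bypass) as lists of CIDR strings:
      blocked: published ranges not fully covered by the allowlist, so
               proxied requests arriving from them are rejected at the origin
      bypass:  allowlist entries that admit addresses outside every
               published range, which leaves direct origin access open
    """
    allowed, proxy = _collapse(allowlist), _collapse(published)
    blocked = [str(p) for p in proxy
               if not any(_within(p, a) for a in allowed)]
    bypass = [str(a) for a in allowed
              if not any(_within(a, p) for p in proxy)]
    return blocked, bypass


if __name__ == "__main__":
    # Constructed allowlist: one merged range plus a leftover office IP.
    current = ["198.51.100.0/24", "203.0.113.0/24", "192.0.2.10/32"]
    blocked, bypass = audit_allowlist(current)
    print("blocked proxy ranges:", blocked)
    print("entries allowing bypass:", bypass)
```

Both lists should be empty once the allowlist matches the published ranges; rerun the check whenever the published list changes.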

## Important Notes

Do not point the public hostname directly at Aptible's ACME validation records. ACME records are used only for certificate validation, not for serving application traffic.

Do not create DNS `A` records that point directly to Aptible Endpoint IP addresses. Endpoint IP addresses can change, which would make those records stale.

<Info>
  Cloudflare's Universal SSL certificate typically covers one level of subdomains. If you use multiple subdomain levels, such as `beta.staging.example.com`, you may need an Advanced Certificate from Cloudflare.
</Info>

## Related Documentation

* [Custom Domain](/core-concepts/apps/connecting-to-apps/app-endpoints/custom-domain)
* [Managed TLS](/core-concepts/apps/connecting-to-apps/app-endpoints/managed-tls)
* [IP Filtering](/core-concepts/apps/connecting-to-apps/app-endpoints/ip-filtering)
