Cloudflare as a proxy
You can put Cloudflare in front of your Quave ONE application environments to take advantage of Cloudflare's WAF, CDN, caching, bot management, and DDoS protection while traffic still terminates securely at Quave ONE.
To keep HTTPS end-to-end when proxying through Cloudflare, the origin (Quave ONE) must serve a certificate that Cloudflare trusts. The simplest way is to issue a Cloudflare Origin CA certificate and upload it to your host as a custom certificate.
Requirements
- Your domain is already on Cloudflare with the nameservers pointing to Cloudflare.
- You have permission to create Origin CA certificates and edit DNS records in Cloudflare.
- You have an app env with the host you want to proxy (see Hosts).
Step 1 — Generate an Origin CA certificate in Cloudflare
Follow the Cloudflare guide at Origin CA certificates to create a new Origin CA certificate.
When creating it:
- Include every hostname you will serve through Quave ONE (e.g. app.example.com or *.example.com).
- Pick a certificate validity compatible with your rotation policy.
- Copy both the Origin Certificate and the Private Key. The private key is shown only once.
Step 2 — Add the host in Quave ONE with the custom certificate
- Open the app env and go to the Hosts tab.
- Add a new host (or edit an existing one) using the same hostname included in the Origin CA certificate.
- Enable the Use custom certificate option.
- Paste the Origin Certificate and the Private Key from Cloudflare.
- Save.
See Use custom certificate for details on this form.
Step 3 — Point Cloudflare DNS to the Quave ONE ingress
In Cloudflare DNS, create a CNAME record for your hostname pointing to the ingress shown at the top of the Hosts tab, and enable the Proxied (orange cloud) option.
Step 4 — Configure Cloudflare SSL/TLS mode
In Cloudflare, set SSL/TLS → Overview → Encryption mode to Full (strict). This makes Cloudflare validate the Origin CA certificate served by Quave ONE and reject misconfigured origins.
Renewal
Cloudflare Origin CA certificates do not renew automatically. Before the certificate expires, generate a new one in Cloudflare and update the host in Quave ONE with the new certificate and private key.
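A check you can run before pasting the certificate in Step 2 and again on a schedule for renewal, as an added example (not part of the original page, nor Cloudflare or Quave ONE tooling): it uses the openssl CLI to confirm that the private key matches the certificate, that the hostname is covered, and that expiry is not within a chosen number of days. The function names, return codes, file names and the self-signed sample certificate standing in for an Origin CA certificate are assumptions made for this demo.

```bash
#!/usr/bin/env bash
# Added example: pre-upload / renewal check for an origin certificate.
# Return codes are this script's own convention:
#   0 ok, 1 unreadable input, 2 key mismatch, 3 hostname not covered, 4 expiring

check_origin_cert() {  # usage: check_origin_cert CERT KEY HOSTNAME [DAYS]
  local cert=$1 key=$2 host=$3 days=${4:-30}
  local cert_pub key_pub

  # The certificate and private key pasted into the host form must be a pair.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "private key does not match certificate" >&2; return 2; }

  # The hostname added in Quave ONE must be covered (a wildcard spans one label).
  openssl x509 -in "$cert" -noout -checkhost "$host" \
    | grep -q "does match certificate" \
    || { echo "$host is not covered by the certificate" >&2; return 3; }

  # No automatic renewal: fail while there is still time to rotate.
  openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null \
    || { echo "certificate expires within $days days" >&2; return 4; }
}

# Constructed sample input: a self-signed certificate with one SAN.
make_sample_cert() {  # usage: make_sample_cert DIR SAN DAYS
  openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=sample" \
    -addext "subjectAltName=DNS:$2" \
    -keyout "$1/origin.key" -out "$1/origin.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" "*.example.com" 90
check_origin_cert "$demo_dir/origin.pem" "$demo_dir/origin.key" app.example.com 30 \
  && echo "origin certificate OK"
rm -rf "$demo_dir"
```

Run from cron or CI, a non-zero exit code is the signal to generate a new Origin CA certificate and update the host before the current one expires.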