This guide walks you through setting up Cloudflare as a Content Delivery Network (CDN) in front of your Blossom application.
Prerequisites
- A Blossom application
- A custom domain (e.g., mysite.com)
- A Cloudflare account
Configuration Steps
1. Cloudflare Setup
- Add your domain to Cloudflare
- Update your domain’s nameservers to use Cloudflare’s nameservers
- Wait for DNS propagation (usually takes 24-48 hours)
2. DNS Configuration
Create a DNS record in Cloudflare:
mysite.com -> [Your Blossom Load Balancer IP] (A record)
3. Cloudflare SSL/TLS Configuration
Configure SSL/TLS settings in Cloudflare:
- Go to SSL/TLS settings in your Cloudflare dashboard
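- Choose one of these options:
  - Full SSL: Encrypts traffic end-to-end, both between users and Cloudflare and between Cloudflare and Blossom. This is recommended. (Uses the Blossom Custom Domain Self-signed SSL mode.)
  - Flexible SSL: Encrypts traffic between users and Cloudflare only; traffic between Cloudflare and Blossom travels over plain HTTP. (Uses the Blossom Custom Domain HTTP Only mode.)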
4. Blossom Custom Domain
Configure a custom domain (mysite.com) in your Blossom application with the appropriate SSL mode:
- Self-signed SSL for Full SSL (using Cloudflare Full SSL)
- HTTP Only for Flexible SSL (using Cloudflare Flexible SSL)
The SSL mode in Blossom should match your Cloudflare SSL/TLS configuration. If you're using Flexible SSL in Cloudflare, use HTTP Only in Blossom. If you're using Full SSL in Cloudflare, use Self-signed SSL in Blossom for end-to-end encryption.
Important Notes
- Cloudflare provides free SSL certificates for your domain
- The orange cloud icon in Cloudflare DNS settings should be enabled (proxied) for your domain
- Cloudflare automatically handles SSL certificate renewal
- You can use Cloudflare’s Page Rules to enforce HTTPS
Rails CDN SSL Configuration
When using Rails with a CDN, you might need to configure SSL settings in your Rails application.
- If you’re using a Blossom Custom Domain with HTTP Only, then you need assume_ssl = true and force_ssl = true.
- If you’re using SSL at the origin servers, though, then you want assume_ssl = false and force_ssl = true.
Here’s a clean way to configure this with an environment variable.
config/environments/production.rb
# When using a CDN, we assume all access to the app is happening through an SSL-terminating reverse proxy
config.assume_ssl = ENV["CDN"]
# Disable force_ssl since the CDN handles SSL termination
config.force_ssl = !ENV["CDN"]
This configuration is important because:
- Rails by default enables force_ssl in production mode
- This can cause redirect loops when behind a CDN
- The redirects will show as coming from Caddy (your reverse proxy) rather than Rails
- Setting assume_ssl = true tells Rails to behave as if it’s behind SSL while allowing HTTP connections
- Instead, you should configure your CDN to perform the redirect of HTTP to HTTPS
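How the two settings interact behind Cloudflare, as an added example: this is a simplified Ruby model of what assume_ssl and force_ssl do to a request, not Rails source or Blossom code. The function names `origin_response` and `visit`, the cookie, and the HSTS value are constructed for illustration.

```ruby
# Simplified model (added example, not Rails source) of the two settings:
# assume_ssl marks every request as HTTPS; force_ssl redirects plain-HTTP
# requests and, on HTTPS ones, adds an HSTS header and flags cookies Secure.
HOST = "mysite.com" # the guide's sample domain

# Origin behaviour for one request arriving from the CDN over `origin_scheme`.
def origin_response(origin_scheme, assume_ssl:, force_ssl:)
  scheme = assume_ssl ? "https" : origin_scheme
  headers = { "Set-Cookie" => "_session=abc" } # constructed cookie
  return [200, headers] unless force_ssl
  return [301, { "Location" => "https://#{HOST}/" }] unless scheme == "https"
  headers["Strict-Transport-Security"] = "max-age=63072000; includeSubDomains" # sample value
  headers["Set-Cookie"] += "; secure"
  [200, headers]
end

# A visitor requests https://mysite.com/ through the CDN. `origin_scheme` is
# "http" for Cloudflare Flexible SSL and "https" for Full SSL. Redirects are
# followed the way a browser would, up to max_hops.
def visit(origin_scheme, assume_ssl:, force_ssl:, max_hops: 5)
  max_hops.times do
    status, headers = origin_response(origin_scheme, assume_ssl: assume_ssl, force_ssl: force_ssl)
    # On a redirect the browser re-requests https://, and the CDN forwards
    # that request over the same origin_scheme again.
    next if status == 301
    return { result: :ok,
             hsts: headers.key?("Strict-Transport-Security"),
             secure_cookie: headers["Set-Cookie"].include?("secure") }
  end
  { result: :redirect_loop, hsts: false, secure_cookie: false }
end

if __FILE__ == $PROGRAM_NAME
  [["http", true, true], ["http", false, true],
   ["http", true, false], ["https", false, true]].each do |scheme, assume, force|
    outcome = visit(scheme, assume_ssl: assume, force_ssl: force)
    puts format("origin=%-5s assume_ssl=%-5s force_ssl=%-5s -> %p", scheme, assume, force, outcome)
  end
end
```

In this model, only the combinations with force_ssl enabled and an HTTPS (or assumed-HTTPS) request emit HSTS and Secure cookies; with force_ssl off, those protections have to come from the CDN or another layer.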
Debugging Tips
- To test your setup, use:
curl -svo /dev/null http://mysite.com
- Check Cloudflare’s SSL/TLS encryption mode matches your Blossom configuration
- Verify DNS records are properly configured and proxied through Cloudflare
Troubleshooting
- SSL Errors: Verify SSL/TLS mode matches between Cloudflare and Blossom
- 502 Bad Gateway: Check if your Blossom server is accessible and the SSL configuration is correct
- DNS Issues: Ensure DNS records are properly configured and proxied through Cloudflare
- Connection Issues:
- Verify your domain is using Cloudflare nameservers
- Check if the orange cloud (proxy) is enabled for your DNS records
- Confirm your Blossom server is accepting connections on the configured protocol (HTTP/HTTPS)