Setting up Cloudflare with Aptible Endpoints
Last updated: June 18, 2025
When using Cloudflare as a proxy with Aptible endpoints, you'll need to follow specific DNS configuration steps to ensure proper SSL certificate validation and traffic routing. Here's how to set it up correctly:
Domain Structure
Use separate subdomains to differentiate between your Aptible origin servers and public-facing Cloudflare URLs. For example:
Aptible endpoints: subdomain.origin.yourdomain.com
Cloudflare public URLs: subdomain.yourdomain.com
Configuration Steps
1. Set up the ACME records provided in Aptible's ACME Configure tab for your origin domain (subdomain.origin.yourdomain.com)
2. Create a DNS-only (proxy disabled) CNAME record pointing an origin subdomain to your Aptible endpoint: subdomain.origin.yourdomain.com → elb-[endpoint-id].aptible.in
3. Create a proxied CNAME record for your public-facing domain pointing to the origin subdomain: subdomain.yourdomain.com → subdomain.origin.yourdomain.com
4. Enable IP filtering on your Aptible endpoint and add Cloudflare's IP ranges to ensure traffic only comes through Cloudflare
Important Notes
Note: Cloudflare's universal SSL certificate only covers one level of subdomains. If you're using multiple subdomain levels (like beta.staging.yourdomain.com), you'll need to order an Advanced Certificate from Cloudflare.
Do not create CNAME records from your public subdomains directly to the ACME validation records. ACME records are only used for certificate validation, not for DNS resolution.
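The record layout from the configuration steps and the two notes above can be checked mechanically before going live. The following is an added example, not Aptible or Cloudflare code: it audits a list of DNS records for one public/origin pair. Assumptions: records are dicts with type, name, content and proxied fields, ACME validation records are recognised by the standard _acme-challenge label, and the hostnames and endpoint id are constructed placeholders.

```python
import re

ELB = re.compile(r"elb-[^.]+\.aptible\.in")   # elb-[endpoint-id].aptible.in
ACME_LABEL = "_acme-challenge."                # assumption: standard ACME DNS-01 label

def audit(records, zone, public, origin):
    """Check one public/origin hostname pair; return a list of findings."""
    by_name = {r["name"].lower().rstrip("."): r for r in records}
    findings = []

    o = by_name.get(origin)
    if o is None or o["type"] != "CNAME":
        findings.append("origin: no CNAME record")
    else:
        if o["proxied"]:
            findings.append("origin: must be DNS-only (proxy disabled)")
        if not ELB.fullmatch(o["content"].lower().rstrip(".")):
            findings.append("origin: target is not an Aptible endpoint")

    p = by_name.get(public)
    if p is None or p["type"] != "CNAME":
        findings.append("public: no CNAME record")
    else:
        target = p["content"].lower().rstrip(".")
        if not p["proxied"]:
            findings.append("public: must be proxied")
        if target.startswith(ACME_LABEL):
            findings.append("public: points at an ACME validation record")
        elif target != origin:
            findings.append("public: must point at the origin subdomain")

    # Universal SSL covers one subdomain level below the zone; the origin name
    # is DNS-only, so its extra level is not served by Cloudflare's certificate.
    labels = public[: -len(zone) - 1].split(".") if public != zone else []
    if len(labels) > 1:
        findings.append("public: needs an Advanced Certificate")
    return findings

# Constructed sample records (placeholder endpoint id and hostnames).
GOOD = [
    {"type": "CNAME", "name": "app.origin.example.com", "content": "elb-example-123.aptible.in", "proxied": False},
    {"type": "CNAME", "name": "app.example.com", "content": "app.origin.example.com", "proxied": True},
]
BAD = [
    {"type": "CNAME", "name": "app.origin.example.com", "content": "elb-example-123.aptible.in", "proxied": True},
    {"type": "CNAME", "name": "beta.staging.example.com", "content": "_acme-challenge.app.origin.example.com", "proxied": True},
]

if __name__ == "__main__":
    print(audit(GOOD, "example.com", "app.example.com", "app.origin.example.com"))
    print(audit(BAD, "example.com", "beta.staging.example.com", "app.origin.example.com"))
```

An empty list means the pair matches the layout described on this page; IP filtering on the Aptible endpoint is configured separately and is not covered by this check.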