Setting Up SSL-Enabled Custom Domains Using CloudFlare

Pivotal Web Services End of Availability Announced
For more information, see Frequently Asked Questions.

Page last updated:

Note: SSL (HTTPS) does not work with custom domains without the use of third-party SSL termination. Pivotal recommends using CloudFlare for this service.

This topic explains how to set up an SSL-enabled custom domain using CloudFlare, a content distribution network. Pivotal recommendeds using CloudFlare if you want to use SSL with a custom domain. Using this configuration, traffic to and from your app running on Cloud Foundry is routed through CloudFlare.

Browser < — SSL — > CloudFlare proxy < — SSL — > Cloud Foundry

To enable this, you configure CloudFlare’s Full SSL option for the domain. You can use either a CloudFlare-generated SSL certificate between the browser and the CloudFlare server or configure CloudFlare to use a certificate that you provide. A Cloud Foundry generated SSL certificate is used between the CloudFlare proxy and the app on Cloud Foundry.

What is CloudFlare?

CloudFlare is a caching and security-as-a-service provider that protects and accelerates online websites. Web traffic is routed through CloudFlare’s global network. This accelerates delivery of static and dynamic content, while blocking threats and limiting abusive bots and crawlers from wasting your bandwidth and server resources.

CloudFlare’s SSL termination proxy decrypts incoming SSL traffic and can pass on unencrypted or fully encrypted requests to the app server. Adding your website requires changes to your domain’s DNS settings. SSL termination is available with any of the CloudFlare plans, including the Free plan.


Before setting up your custom domains to be SSL-Enabled using CloudFlare, you must do the following:

  • Your domain must be registered with a DNS registrar. To complete this procedure, you must have access to the DNS registrar for the domain.

    Note: You do not need to change DNS registrars. The only change you make with your registrar is to point the authoritative nameservers to CloudFlare’s nameservers.

  • You must have a CloudFlare account. If you do not have one, you can sign up for one at

  • (Optional) Download the zone file for the domain from your DNS provider. You need this if you do step 2 in Configure DNS Records.

Add Domain to CloudFlare

  1. On the Add your site page, enter the name of your custom domain and click Add Site. CloudFlare queries authoritative DNS servers for the DNS record registered for the domain.

    Add website

  2. After you add your site, the following page is shown:

    Scan complete

    Click Next.

  3. Select a plan for your domain:

    • Choose Free or Pro to have CloudFlare generate an SSL certificate for communications between browsers and the CloudFlare proxy.
    • Choose Business if you want to provide your own SSL certificate.

    Domain plans

Configure DNS Records

The DNS query results page lists the records obtained from the authoritative DNS servers for your domain.

  1. Verify that in the row containing your domain name the cloud icon in the Status column is orange:

    Configure dns

  2. (Optional) To ensure your DNS records are correct and complete, upload your zone file from your DNS provider to CloudFlare using the Upload a DNS File link under the Advanced dropdown.

  3. Use the Add Record button to define additional records such as CNAME if necessary.

    For more information on using custom domains with PWS hosted apps, see Using Custom Domain Names With Pivotal Web Services in the Pivotal Support knowledge base.

  4. Click Continue.

Update Nameservers

The Change your Nameservers page lists your current nameservers and the CloudFlare nameservers to replace them with.

  1. Use the provided URLs to update the nameserver settings for your domain with the authoritative server for your domain, such as your ISP.

    Update name

  2. Click Continue.

Verify Crypto Settings

  1. Select the Crypto tab from the top navigation bar:

    Nav crypto

  2. Verify that Full SSL is selected as your SSL setting:

    Choose ssl

    Note: Off and Flexible are not secure, and Full SSL (Strict) does not work with PWS, so you must use Full SSL.

  3. Scroll down and verify that Always Use HTTPS is set to On:

    Use https

    Note: Because DNS settings are cached in various points throughout the Internet, including on your browser, changes to these SSL settings may take some time to propagate through the system and start functioning as you would expect.

Review Pending Changes

After your initial domain setup is complete, review any pending changes required by CloudFlare. To review pending changes, do the following:

  1. Click the Overview tab at the top navigation bar.

  2. Review any pending actions required, such as completing your nameserver setup:

    Overview complete setup

After all pending actions are completed, the status of your Domain changes from Pending to Active, for example:

Domain overview dropdown

After your registrar has processed your nameserver changes, and your site becomes active on Cloudflare, you receive analytics on your traffic:

Domain overview