Skip to content

Cloudflare

This is the standard setup. Anonymous visitors and authenticated editors both reach the site through one hostname (for example, example.com), and all of that traffic goes through Cloudflare. Editor traffic is kept out of the public cache by a Cloudflare rule that bypasses the cache for the users having authentication cookie.

This works well, but there is an alternative set up where editors accessing the website on a different domain to that is accessible to the public. See separate-domain setup for set up instructions.

1. Install the module

composer require drupal/cloudflare drupal/purge

Enable the modules, including Purge UI which could be disabled once configuration is finished.

Then enable the queuer for the purge method you want to use. Cache-tag purging is the most efficient and is broadly available on Cloudflare today; URL purging works everywhere and is the safe fallback. See Cloudflare's purge cache documentation for current availability:

  • Cache-tag-based purging: drush en purge_queuer_coretags --yes
  • URL-based purging: composer require drupal/purge_queuer_url drush en purge_queuer_url --yes

Rebuild caches:

drush cache:rebuild

2. Configure the module

  1. Go to /admin/config/services/cloudflare.
  2. Enter your Cloudflare API token ( Cloudflare's API tokens documentation for the required permissions — at minimum, Zone → Cache Purge → Purge).
  3. Enable Restore Client Ip Address so Drupal sees the real visitor IP instead of the Cloudflare edge address.
  4. Leave Host to Bypass Cloudflare empty — in this setup, no host bypasses Cloudflare.

3. Register the purger

  1. Go to /admin/config/development/performance/purge.
  2. Click Add purger and select Cloudflare.
  3. Click Add.

4. Set Drupal's page max-age high

Cloudflare honours the Cache-Control: s-maxage header (or max-age if s-maxage is not set) when deciding how long to cache a page at the edge. A long max-age means more cache hits; the module will purge specific URLs or tags when content changes, so a long lifetime is safe.

drush config:set system.performance cache.page.max_age 31536000

(31536000 seconds is one year.)

5. Add Cloudflare rules

Rule A — cache HTML

By default, Cloudflare will cache static resources (CSS, JavaScript, images), but not generated HTML. To cache HTML responses as well, add the rules below.

  • URL pattern: *example.com/* (replace with your domain)
  • Setting: Cache Level → Cache Everything
  • Optionally also set Edge Cache TTL to a value you are comfortable with (the module will purge on content changes regardless).

Rule B — exclude from cache

When editors and visitors share a domain and HTML is cached at the edge, the admin UI, login form, and page requiring authentication must bypass the cache.

The cleanest way to express this in Cloudflare is a single Cache Rule with multiple conditions:

  • *example.com/user* - for log in and password reset functions
  • request contains Drupal authentication cookie - (http.cookie contains "SSESS")

See Cloudflare's Page Rules, Cache Rules, and Cache Everything documentation for the current dashboard UI.

Cache Rules is replacing Page Rules on newer accounts.

6. Empty existing caches and verify

  1. Empty Drupal's caches: drush cache:rebuild.
  2. Purge everything in Cloudflare's dashboard for the zone.
  3. Load a page as an anonymous visitor and inspect the response headers. cf-cache-status: MISS on the first request and HIT on the second confirms HTML is being cached at the edge.
  4. Edit content in Drupal, then reload the affected URL. You should see cf-cache-status: MISS again, confirming the purger fired.