Setup: editors on a separate domain that bypasses Cloudflare

The arrangement:

  • example.com — the public domain, behind Cloudflare. Anonymous traffic only.
  • edit.example.com — the editor domain, DNS-only (the gray cloud in Cloudflare's DNS UI). Authenticated traffic bypasses Cloudflare entirely.

Both names point at the same Drupal site. Drupal does not need to know about the split, but you will lock down /user on the public domain so nobody can log in through Cloudflare and accidentally cache an authenticated response.

This page covers only the points where this arrangement differs from the default setup.

1. Configure DNS

  1. In Cloudflare DNS, leave example.com proxied (orange cloud).
  2. Add edit.example.com as a DNS-only record (gray cloud) pointing at the same origin.

See Cloudflare's Proxy status documentation if you are unfamiliar with proxied vs. DNS-only records.

2. Block /user on the public domain

Add a security rule in Cloudflare that blocks access to *example.com/user/*. You may want to block all /admin/* paths on the public domain as well, since nothing authenticated should ever arrive there.

3. Add Cloudflare cache rules

You need two rules:

Rule A — cache HTML on the public domain

  • URL pattern: *example.com/*
  • Setting: Cache Level → Cache Everything
  • Optionally set Edge Cache TTL to a value you are comfortable with.

Rule B — bypass the edit domain

  • URL pattern: *edit.example.com/*
  • Setting: Cache Level → Bypass

Rule B is a belt-and-braces safety net. With edit.example.com set to DNS-only (step 1), Cloudflare never sees that traffic in the first place; the bypass rule covers the case where someone re-enables the proxy by mistake.

4. Configure the module

  1. Go to /admin/config/services/cloudflare.
  2. In Host to Bypass Cloudflare, enter edit.example.com. This tells the module that requests arriving on the editor domain are expected to skip Cloudflare and stops the watchdog warnings that would otherwise be logged for each one.

5. Empty existing caches and verify

  1. Empty Drupal's caches: drush cache:rebuild.
  2. Purge everything in Cloudflare's dashboard for the zone.
  3. As an anonymous visitor, load a page on example.com. Response headers should include cf-cache-status: MISS on the first request and HIT on the second.
  4. Log in via https://edit.example.com/user and confirm the response has no cf-cache-status header at all — that traffic is bypassing Cloudflare.
  5. Edit content, then reload the corresponding URL on example.com. You should see cf-cache-status: MISS again, confirming the purger fired.
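The checks in step 5 can be scripted so they are repeatable after every purge. The following POSIX sh helper is an added example, not part of the module or its documentation: it pulls response headers with curl, extracts cf-cache-status (case-insensitively) and the HTTP status code, and compares them with what this page says to expect. The hostnames default to the ones used above (override with PUBLIC_HOST and EDIT_HOST); the assumption that a Cloudflare security rule answers with 403 is the author's, and the live checks only run when RUN_LIVE=1 is set so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added verification helper for the two-domain Cloudflare setup (example code,
# not the module's own). Hostnames below are assumptions taken from this page.
PUBLIC_HOST="${PUBLIC_HOST:-example.com}"
EDIT_HOST="${EDIT_HOST:-edit.example.com}"

# Print the value of one response header (name matched case-insensitively)
# from a raw header block on stdin; print nothing if the header is absent.
header_value() {
  name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  tr -d '\r' | awk -v name="$name" '
    { lc = tolower($0) }
    index(lc, name ":") == 1 { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Print the cf-cache-status value, or NONE when Cloudflare added no such header
# (which is what a DNS-only host should produce).
cache_status() {
  v=$(header_value cf-cache-status)
  if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'NONE\n'; fi
}

# Print the numeric status code from the first line of a header block.
http_code() {
  tr -d '\r' | awk 'NR == 1 { print $2; exit }'
}

# Fetch only the response headers of a URL (body discarded).
fetch_headers() {
  curl -sS -D - -o /dev/null "$1"
}

# Compare an observed value with the expected one; return 0 on match.
report() {
  if [ "$2" = "$3" ]; then
    printf 'OK   %s: %s\n' "$1" "$2"
    return 0
  fi
  printf 'FAIL %s: got %s, expected %s\n' "$1" "$2" "$3"
  return 1
}

# The sequence from step 5, run against the live site.
run_live_checks() {
  rc=0
  h1=$(fetch_headers "https://$PUBLIC_HOST/")
  h2=$(fetch_headers "https://$PUBLIC_HOST/")
  report "public page, first request"  "$(printf '%s' "$h1" | cache_status)" MISS || rc=1
  report "public page, second request" "$(printf '%s' "$h2" | cache_status)" HIT  || rc=1
  # Assumption: a Cloudflare block rule answers with 403 (step 2).
  report "public /user blocked" \
    "$(fetch_headers "https://$PUBLIC_HOST/user/login" | http_code)" 403 || rc=1
  # A DNS-only host never passes through Cloudflare, so no cf-cache-status at all.
  report "edit domain bypasses Cloudflare" \
    "$(fetch_headers "https://$EDIT_HOST/user/login" | cache_status)" NONE || rc=1
  return $rc
}

if [ "${RUN_LIVE:-0}" = "1" ]; then
  run_live_checks
fi
```

Run it as RUN_LIVE=1 sh verify-cloudflare.sh right after the purge in step 5; a second run after editing content should show the first public request as MISS again, which confirms the purger fired. A FAIL on the last line (any cf-cache-status on edit.example.com) means the record has been switched back to proxied and editors are once more going through the cache.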