
Cloudflare as a proxy

You can put Cloudflare in front of your Quave ONE application environments to take advantage of Cloudflare's WAF, CDN, caching, bot management, and DDoS protection. Cloudflare terminates the client's TLS session at its edge and opens a second, encrypted connection to your origin, so the hop from Cloudflare to Quave ONE stays protected and terminates at Quave ONE.

To keep HTTPS end-to-end when proxying through Cloudflare, the origin (Quave ONE) must serve a certificate that Cloudflare trusts. The simplest way is to issue a Cloudflare Origin CA certificate and upload it to your host as a custom certificate. Note that Origin CA certificates are trusted by Cloudflare's edge only, not by browsers, so they are suitable only for hostnames that stay proxied through Cloudflare.

Requirements

  • Your domain is already on Cloudflare with the nameservers pointing to Cloudflare.
  • You have permission to create Origin CA certificates and edit DNS records in Cloudflare.
  • You have an app env with the host you want to proxy (see Hosts).

Step 1 — Generate an Origin CA certificate in Cloudflare

Follow the Cloudflare guide at Origin CA certificates to create a new Origin CA certificate.

When creating it:

  • Include every hostname you will serve through Quave ONE (e.g. app.example.com or *.example.com).
  • Pick a certificate validity compatible with your rotation policy.
  • Copy both the Origin Certificate and the Private Key. The private key is shown only once.

Step 2 — Add the host in Quave ONE with the custom certificate

  1. Open the app env and go to the Hosts tab.
  2. Add a new host (or edit an existing one) using the same hostname included in the Origin CA certificate.
  3. Enable the Use custom certificate option.
  4. Paste the Origin Certificate and the Private Key from Cloudflare.
  5. Save.

See Use custom certificate for details on this form.

Step 3 — Point Cloudflare DNS to the Quave ONE ingress

In Cloudflare DNS, create a CNAME record for your hostname pointing to the ingress shown at the top of the Hosts tab, and enable the Proxied (orange cloud) option. Keep the record proxied: if it is switched to DNS only (grey cloud), clients connect straight to the origin and reject the Origin CA certificate, because browsers do not trust Cloudflare's Origin CA.

Step 4 — Configure Cloudflare SSL/TLS mode

In Cloudflare, set SSL/TLS → Overview → Encryption mode to Full (strict). In this mode Cloudflare verifies that the certificate served by Quave ONE is issued by a trusted CA (Cloudflare's own Origin CA counts), is within its validity period, and matches the hostname, and it refuses to serve the site from a misconfigured origin. The weaker Full mode encrypts the hop to the origin but accepts any certificate, so it cannot detect an expired, mismatched, or impersonated origin; avoid it once the Origin CA certificate is in place.

How Quave ONE validates a proxied host

DNS reachability and certificate health are tracked as two independent signals.

  • DNS routing. When a host is proxied (orange cloud), Cloudflare publishes its own A/AAAA records instead of exposing your CNAME to the Quave ONE ingress. Quave ONE treats Cloudflare IPs as unverified until cloud validation confirms that requests for that hostname land on the expected app env. If DNS genuinely points somewhere else, the host is marked DNS misrouted; ingress is paused only if that state persists.
  • Certificate health. The certificate served at the origin is checked independently of DNS. A certificate problem (expired, wrong hostname, or otherwise invalid) is always surfaced in the Hosts tab, but it never turns off ingress by itself: traffic keeps flowing while you fix the certificate.

Renewal

Cloudflare Origin CA certificates do not renew automatically. Before the certificate expires, generate a new one in Cloudflare and update the host in Quave ONE with the new certificate and private key.

Quave ONE warns account admins by email as a custom certificate nears expiry (14, 7, and 1 day before notAfter) and again once it has expired. Because Quave ONE cannot renew a custom certificate for you, these warnings are always sent for hosts using a custom certificate.
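The check below is an added example, not code from the Quave ONE documentation or product. It covers two points on this page at once: the pre-flight you want before switching to Full (strict) in Step 4 (does the origin present a certificate that chains to the Cloudflare Origin CA root and covers every proxied hostname?), and the 14/7/1-day expiry windows from the Renewal section. It uses only the Python standard library. The `fetch_origin_cert` function connects straight to the ingress, bypassing Cloudflare, so the ingress address, the proxied hostname and the path to the Cloudflare Origin CA root PEM (downloaded from Cloudflare's docs) are your inputs; the sample certificate dictionary is constructed inline in the shape `ssl.SSLSocket.getpeercert()` returns and is not a real Cloudflare-issued certificate.

```python
# Added example (not part of the Quave ONE docs or product): a pre-flight check for
# Full (strict). It fetches the certificate that the Quave ONE ingress serves for a
# proxied hostname, requires it to chain to the Cloudflare Origin CA root, and reports
# hostname coverage and the 14/7/1-day expiry windows. Standard library only.
import socket
import ssl
from datetime import datetime, timezone

# Expiry warning windows in days, matching the 14/7/1-day schedule; checked tightest first.
WARN_DAYS = (1, 7, 14)


def hostname_matches(san_entries, hostname):
    """True if hostname is covered by the DNS entries of a subjectAltName tuple
    (the shape returned by ssl.SSLSocket.getpeercert()). A wildcard covers exactly
    one label and never the apex, so '*.example.com' covers 'app.example.com' but
    not 'example.com' or 'a.b.example.com'."""
    host = hostname.lower().rstrip(".")
    for kind, value in san_entries:
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]            # ".example.com"
            label = host[: -len(suffix)]    # what the wildcard would have to match
            if host.endswith(suffix) and label and "." not in label:
                return True
    return False


def days_until_expiry(not_after, now):
    """Days left on a 'notAfter' string in getpeercert() format, e.g. 'Jan 11 00:00:00 2025 GMT'."""
    return (ssl.cert_time_to_seconds(not_after) - now.timestamp()) / 86400


def expiry_stage(not_after, now):
    """Returns 'expired', or the tightest warning window (1, 7 or 14) the certificate
    has entered, or None if it is more than 14 days from expiry."""
    remaining = days_until_expiry(not_after, now)
    if remaining <= 0:
        return "expired"
    for days in WARN_DAYS:
        if remaining <= days:
            return days
    return None


def check_origin_cert(cert, hostnames, now):
    """Returns a list of human-readable problems; an empty list means the certificate
    is fine for Full (strict) as far as hostname coverage and validity period go."""
    problems = []
    sans = cert.get("subjectAltName", ())
    for hostname in hostnames:
        if not hostname_matches(sans, hostname):
            problems.append(f"{hostname}: not covered by certificate SANs")
    stage = expiry_stage(cert["notAfter"], now)
    if stage == "expired":
        problems.append("certificate expired")
    elif stage is not None:
        problems.append(f"certificate expires within {stage} day(s)")
    return problems


def fetch_origin_cert(ingress_host, server_hostname, cafile, port=443):
    """Connect straight to the ingress (bypassing Cloudflare), send SNI for the proxied
    hostname, and require the chain to verify against `cafile`, which should hold the
    Cloudflare Origin CA root PEM (the path is an assumption of this example). Hostname
    matching is left to check_origin_cert so that every problem is reported at once."""
    ctx = ssl.create_default_context(cafile=cafile)   # loads only this root, not the system store
    ctx.check_hostname = False                         # verify_mode stays CERT_REQUIRED
    with socket.create_connection((ingress_host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_hostname) as tls:
            return tls.getpeercert()                   # raises SSLCertVerificationError if untrusted


def utc(year, month, day):
    """Midnight UTC on the given date, for deterministic expiry checks."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample in getpeercert() format; not a real Cloudflare-issued certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "CloudFlare Origin Certificate"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
    "notBefore": "Jan 11 00:00:00 2024 GMT",
    "notAfter": "Jan 11 00:00:00 2025 GMT",
}
SAMPLE_NOW = utc(2025, 1, 5)   # six days before notAfter, inside the 7-day window


if __name__ == "__main__":
    # Offline run against the constructed sample; for a live ingress replace SAMPLE_CERT with
    # fetch_origin_cert("<ingress shown in the Hosts tab>", "app.example.com", "origin_ca_root.pem").
    for problem in check_origin_cert(SAMPLE_CERT, ["app.example.com", "api.example.net"], SAMPLE_NOW):
        print(problem)
```

Run it against the live ingress before flipping the encryption mode: if `fetch_origin_cert` raises `SSLCertVerificationError`, the origin is not serving the Origin CA certificate (or the wrong root was supplied) and Full (strict) would fail; if `check_origin_cert` lists a hostname, that name was left out of the certificate in Step 1 and needs a new certificate that includes it. The same expiry logic doubles as a local reminder alongside the emails Quave ONE sends, which is useful when the admin mailbox is not watched closely.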