Deno Deploy Behind Cloudflare Proxy Setup

Reda Bacha
3 min read · Mar 1, 2023

This guide walks you through setting up your application on Deno Deploy so that it is protected by Cloudflare. The only prerequisite is that you have already set up your own domain on Cloudflare. I am going to use https://redabacha.com for my example, along with the hello world example project (using the JSX playground template). This project is deployed here: https://weak-pheasant-74.deno.dev.

1. Edit your project settings on Deno Deploy and add the domain (or valid subdomain) name present on Cloudflare. Once it has been added, proceed to validate the domain by adding the DNS records to Cloudflare as requested by Deno Deploy.
Deno Deploy project settings page, add your registered domain here
the DNS records that need to be added to Cloudflare
the same DNS records correctly added to Cloudflare. DO NOT ENABLE THE PROXY for the acme challenge!

2. With the DNS records added to Cloudflare, navigate back to your project settings page on Deno Deploy and click validate. It should only take a second or two to validate the domain. If the validation fails, verify you’ve set the DNS records correctly, then wait a few minutes and try again.

Once Deno Deploy has verified the domain, we can set up the certificates. You can either let Deno Deploy generate the TLS certificates for you via Let’s Encrypt or, better yet, use Cloudflare’s origin certificates, as these last for 15 years by default! Either way, in this step you MUST enable the Full or Full (strict) encryption mode in the SSL/TLS overview page on Cloudflare. The default mode (Flexible) WILL NOT WORK: your website will be stuck in an infinite redirect loop! In Flexible mode Cloudflare connects to the origin over plain HTTP, and an origin that redirects HTTP to HTTPS then bounces every request back.

Full or Full (strict) must be enabled here!

To let Cloudflare provision the origin certificate, navigate to the Origin Server page and follow the steps shown in the Cloudflare dashboard.

click the lovely blue button. Deno Deploy is the origin in our setup
here I’m using the default certificate expiry of 15 years

Once you see the generated certificate and private key, copy and paste them over to Deno Deploy by clicking the Upload your own certificates button (make sure the key format is PEM on Cloudflare).

this is the origin certificate and private key generated by Cloudflare which needs copying over to Deno Deploy
notice we have two options to manage certificates. to copy/paste over our generated origin certificate and private key from Cloudflare, use the Upload your own certificates button.
after copying/pasting the certificate and private key, click upload

3. You should now have a successfully deployed application on Deno Deploy that you can access via your registered domain on Cloudflare! To verify the proxy is working, check for Cloudflare-related headers when you load your website.

notice the server header is set to cloudflare along with cf-ray and cf-cache-status also being set
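The header check from step 3 can be scripted. The following is an added example, not code from the original post or from Deno Deploy or Cloudflare: it follows redirects by hand so that the Flexible-mode redirect loop from step 2 is reported explicitly, then checks for the server, cf-ray and cf-cache-status headers. The function names and result fields are assumptions made for this illustration.

```javascript
// Added example (not from the original post). Runs on Deno or Node 18+.

// The post's proxy indicators: "server: cloudflare" plus a cf-ray header.
function isProxiedByCloudflare(headers) {
  const server = (headers.get("server") || "").toLowerCase();
  return server === "cloudflare" && headers.has("cf-ray");
}

// Follow redirects manually so a loop (the symptom of Flexible mode) is
// reported instead of surfacing as an opaque "too many redirects" error.
// fetchFn is injectable (hypothetical parameter) so the check works offline.
async function checkSite(url, fetchFn = fetch, maxHops = 5) {
  const seen = new Set();
  let current = url;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (seen.has(current)) return { status: "redirect-loop", url: current };
    seen.add(current);
    const res = await fetchFn(current, { redirect: "manual" });
    const location = res.headers.get("location");
    if (res.status >= 300 && res.status < 400 && location) {
      // Resolve relative Location values against the current URL.
      current = new URL(location, current).href;
      continue;
    }
    return {
      status: isProxiedByCloudflare(res.headers) ? "proxied" : "not-proxied",
      url: current,
      httpStatus: res.status,
      cfRay: res.headers.get("cf-ray"),
      cfCacheStatus: res.headers.get("cf-cache-status"),
    };
  }
  return { status: "too-many-redirects", url: current };
}
```

Call `checkSite("https://your-domain/")` against your own domain: a result of "redirect-loop" points at the encryption mode, and "not-proxied" means the DNS record is not going through the Cloudflare proxy.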

Optionally, you can simplify the DNS record configuration on Cloudflare by using the undocumented .cname.deno.dev domain with a CNAME record. The prefix for this domain is the same prefix that was used for the acme challenge domain, e.g. if your current CNAME record content on Cloudflare is abcd1234._acme.deno.dev, the correct domain to use for the new CNAME record would be abcd1234.cname.deno.dev.

simplified DNS record configuration by using the undocumented .cname.deno.dev domain suffix

With this setup you should hopefully have a super reliable and incredibly performant (all around the world) solution by leveraging the power of both Cloudflare and Deno Deploy!

TTFB for the hello world example (uncached), proxied through Cloudflare, measured from different places around the world using https://tools.keycdn.com/performance
