Avoiding Vercel’s Reverse Proxy Warning When Using Cloudflare DNS
If you’ve linked your custom domain to Vercel and manage your DNS through Cloudflare, you might see a warning in Vercel’s domain settings that says:
"Your domain is behind a reverse proxy. This can limit Vercel's traffic visibility for security measures, introduce latency that degrades performance, and create cache management issues that may affect reliability."
This issue happens because Cloudflare is proxying your domain instead of just resolving it as a regular DNS provider. Below, we’ll go over why this happens, how to fix it, and key considerations when using Cloudflare with Vercel.
🔍 Why Does This Happen?
Vercel expects to have direct access to your domain’s traffic to properly manage security, caching, and performance. When Cloudflare’s proxy mode (orange cloud ☁️) is enabled, it introduces a layer between visitors and Vercel’s servers. This leads to several potential issues:
- Traffic visibility is reduced – Vercel may not see real client IPs, impacting security and analytics.
- Increased latency – Additional processing at Cloudflare before reaching Vercel.
- Caching conflicts – Cloudflare and Vercel both have their own caching systems, which can cause unpredictable behavior.
- Firewall and security settings – Cloudflare may block or rate-limit traffic that Vercel expects to receive.
To avoid these problems, you need to properly configure Cloudflare and Vercel to work together.
✅ How to Fix the Warning
The best way to fix this issue depends on whether you want Cloudflare to only handle DNS or also act as a proxy.
Option 1: Set Cloudflare DNS to “DNS-only” (Recommended)
This option removes Cloudflare as a proxy while keeping it as your DNS provider.
- Go to Cloudflare Dashboard → DNS Settings.
- Find your CNAME record pointing to Vercel (
cname.vercel-dns.com
). - Click the orange cloud ☁️ next to the record to turn it gray 🌑 (DNS-only).
- Save changes.
This will resolve the Vercel warning while still allowing you to manage your domain with Cloudflare.
Option 2: Keep Cloudflare Proxy but Adjust Settings
If you need Cloudflare’s proxy features (such as DDoS protection, WAF, or caching), you can try these adjustments:
- Enable “True-Client-IP” – This passes the real client’s IP to Vercel instead of Cloudflare’s IP.
- Set “Cache Level” to “Bypass” for Vercel – Prevents Cloudflare from caching responses incorrectly.
- Disable “Orange-to-Orange” Redirects – Prevents conflict between Cloudflare and Vercel’s own proxy system.
- Check Cloudflare Firewall Rules – Ensure Cloudflare isn’t blocking Vercel’s automated traffic.
- Use Cloudflare Workers for Advanced Configuration – If needed, you can write a Worker script to forward traffic more efficiently.
⚠️ Additional Considerations
- SSL Configuration: Vercel provides its own SSL certificates. If you keep Cloudflare proxy enabled, ensure the SSL mode is Full (Strict) to prevent security issues.
- Performance Impact: Adding Cloudflare as a proxy can slow down Vercel’s built-in optimizations, so test before deciding.
- Rate Limits & Security Rules: Cloudflare may flag Vercel’s traffic as suspicious if too many requests are coming in quickly, so adjust security settings if needed.
- Edge Functions & Middleware: If you’re using Vercel’s Edge Functions, Cloudflare’s additional layer may interfere with them.
🎯 Final Recommendation
If you are only using Cloudflare for DNS, switch your CNAME record to DNS-only (gray cloud 🌑). This will resolve the warning and ensure optimal performance with Vercel.
If you must use Cloudflare’s proxy features, make sure you properly configure your settings to avoid conflicts with Vercel’s own infrastructure.
By making these changes, you can ensure a smooth integration between Cloudflare and Vercel without impacting performance or reliability.
Comments ()