Using SiteDetour behind Cloudflare or another reverse proxy
Configure SiteDetour to work correctly when traffic passes through Cloudflare or another reverse proxy first.
Overview
SiteDetour works fine behind Cloudflare or any compliant reverse proxy (AWS CloudFront, Fastly, Akamai, Bunny). This article lays out the settings that need to match to avoid broken geo analytics, double redirects, or broken SSL.
DNS
Add the SiteDetour DNS records as usual at your provider — A records for apex, or CNAME for subdomain.
In Cloudflare specifically: keep the record Proxied (orange cloud) if you want Cloudflare in the traffic path. If you set it to DNS-only (grey cloud), Cloudflare is bypassed and SiteDetour serves the domain directly.
Enable Reverse Proxy Support
On the redirect (Advanced Settings) or on the custom link domain configuration, toggle Enable Reverse Proxy Support. This tells SiteDetour to read the visitor IP from the X-Forwarded-For or CF-Connecting-IP headers instead of the TCP connection's source address.
Without this toggle, every visitor appears to come from Cloudflare's infrastructure. Geo analytics collapse to a handful of datacenter regions, and audience rules like Visitor's Country and Geographic Area on Map fire incorrectly.
SSL mode (Cloudflare-specific)
In Cloudflare SSL/TLS settings:
- Use Full (Strict). Cloudflare and SiteDetour both have real certificates, and Cloudflare validates the origin cert.
- Full also works. It behaves like Full (Strict) but without origin cert validation, so Cloudflare accepts whatever certificate the origin presents. Slightly less secure.
- Do not use Flexible. It terminates TLS at Cloudflare and speaks HTTP to SiteDetour, which breaks redirect protocol detection and SSL renewals.
Avoid double redirect upgrades
Both Cloudflare and SiteDetour can force HTTP to HTTPS:
- Cloudflare's Always Use HTTPS rule.
- SiteDetour's Upgrade HTTP Requests toggle.
Enabling both produces an extra hop (HTTP → Cloudflare 301 to HTTPS → SiteDetour 302 to target). Pick one. Cloudflare's upgrade is free and happens before any request reaches SiteDetour; SiteDetour's upgrade happens inline with the redirect response. Recommended: enable Cloudflare's Always Use HTTPS and leave SiteDetour's Upgrade HTTP Requests off for cleaner redirect chains.
Cache rules
Cloudflare aggressively caches HTTP responses. For SiteDetour redirect hostnames, do not set a catch-all Cache Everything page rule — it can cache 301/302 responses and freeze redirects even after you update the target URL, and it can interfere with automatic SSL renewal.
Origin IP allowlist (optional)
If you want to ensure traffic only reaches SiteDetour through Cloudflare, ask Cloudflare for their public IP ranges and restrict SiteDetour's origin (contact support) to allow only those. This closes the direct-traffic bypass where an attacker could hit SiteDetour's IP directly.
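Why the Enable Reverse Proxy Support toggle and the origin allowlist belong together, as an added example (not SiteDetour's code): forwarding headers are only meaningful when the TCP peer is the proxy itself, so this sketch reads them only in that case. The function name `client_ip` is hypothetical and the proxy ranges are constructed placeholders from documentation address space.

```python
import ipaddress

# Constructed placeholder ranges (documentation address space). In practice,
# load the address ranges your proxy provider publishes.
TRUSTED_PROXY_NETS = [ipaddress.ip_network(n)
                      for n in ("203.0.113.0/24", "2001:db8:100::/48")]


def _parse_ip(value):
    """Return an ip_address object, or None if the value is not a valid IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _is_trusted_proxy(ip):
    return any(ip in net for net in TRUSTED_PROXY_NETS)


def client_ip(peer_addr, headers):
    """Return (visitor_ip, source) for a request.

    peer_addr is the TCP connection's source address; headers is a dict.
    """
    peer = ipaddress.ip_address(peer_addr)
    # Direct connection: forwarding headers are sender-controlled, ignore them.
    if not _is_trusted_proxy(peer):
        return str(peer), "socket"
    h = {k.lower(): v for k, v in headers.items()}
    # CF-Connecting-IP carries a single address set by Cloudflare.
    ip = _parse_ip(h.get("cf-connecting-ip", ""))
    if ip is not None:
        return str(ip), "cf-connecting-ip"
    # X-Forwarded-For: each proxy appends, so walk right to left and take the
    # first hop that is not one of our proxies. Entries further left were
    # supplied by the client and prove nothing.
    for hop in reversed(h.get("x-forwarded-for", "").split(",")):
        ip = _parse_ip(hop)
        if ip is None:
            break  # empty or malformed entry: stop trusting the header
        if not _is_trusted_proxy(ip):
            return str(ip), "x-forwarded-for"
    return str(peer), "socket"
```

Without a trusted-peer check like this, or a network-level allowlist in front of the origin, geo analytics and country-based rules would act on whatever address the sender writes into the header.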

