The issues that can arise can generally be summed up as “Is it working?"
There are lots of ways you can check that it's working, however they’re often overly complicated or not suitable for somebody who isn’t familiar with inspecting http requests, or who is using a mobile device.
- Typically the errors of trouble occur around
- Have the DNS changes propagated to my ISP?
- Is my network caching the previous DNS?
- Is my computer caching the previous DNS??
- Is my browser caching the previous DNS!??!?
- You hostfile the IP to force DNS, but is the caching working?
- Are the assets actually getting served via their proxy?
When you're sitting there needing to launch the website and waiting for this before you go home, it can be a pain!
As part of our R&D (research and development) activity at Selesti, we’ve developed a simple 3-step system that helps you identify if your Cloudflare is working. You can see it in action below with this 20 second clip! (or screenshot if you're using AMP)
(note: we've since redesigned this tool, so it might look a little different!)
Behind the scenes
So how does it work, I hear you ask? It pretty much does exactly what the Cloudflare support documents tell you to do, but we do this for you - we’re nice like that!
When you submit the search form we perform a cURL request (it basically pretends to be you) passing on your user agent/browser information, and then inspect the server response headers. These will almost always contain a “cf-ray” header - this is your unique request ID (Cloudflare can use this to debug) and it also includes the datacenter ID that delivered you the page. This lets us know that Cloudflare has delivered that page to you. We also check for a couple of other things just to make sure, like cloudflare-nginx and cf-cache-status. But unless your server is faking these headers, they should be pretty accurate!
So, if the above request returns back with those Cloudflare headers, we instantly know that the requests are proxying through Cloudflare.
Assuming the first step worked (i.e. didn’t time out) we then start DNS lookups. This is because some people only use Cloudflare for their DNS, rather than the awful one provided by their domain registrar!
To start with we request the SOA record for the hostname (the bit without the http and /page.html) that was provided - this could be www.website.co.uk or assets.website.co.uk or even a.thumbs.staticassets.eu3.website.co.uk - because, some people use these cookie-less CDNs. So we need to know who the Start of Authority is (the SOA) - this will return the root domain e.g website.co.uk (because you cannot check the name servers of a subdomain).
We then perform a NS (name server) lookup for the root domain, if we detect something like becky.ns.cloudflare.com then we can clearly see the domains name servers are pointing directly to Cloudflare, which means the DNS is controlled by Cloudflare. In fact we actually check the name servers from about 8 different servers across the globe to see how well the DNS changes have propagated. You get a little preview of this when you use the tool.
One thing to be aware of though, is that Cloudflare enables you to 2 things that could skew the results of the previous check:
- Setup CDN/Proxy under CNAME setups
- Protect root domains but ignore subdomains
We try to handle the 2 above scenarios by checking the SOA records (remember those from earlier?). If you are using any of the above 2 setups, the SOA record will return all the authoritative servers who can supply DNS records for that domain. This will look something like this if you’re using Cloudflare: ns1.selesti.com ns2.selesti.com becky.ns.cloudflare.com dns.cloudflare.com, so we can tell that the DNS is using Cloudflare, meaning that we can try detect Cloudflare even on CNAME setups.
SSL Checks, as many of you will know Cloudflare supplies you with the ability to add a free SSL certificate to your website. They have about 3 configurations, by default the free SSL protects the end user between their browser and the Cloudflare’s servers (Cloudflare will connect to your website behind the scenes without SSL). It will also allow you to add your own custom SSL certificate.
But as we’re checking for the usage of a Cloudflare shared SSL we can simply create socket stream in PHP to ssl://www.website.com:443 which will pass the SSL certificate information over to us. Once again, we do a simple check to see if that SSL certificate is issued by Cloudflare or not.
So by combining these 3 steps together we gain a simple re-usable method for checking your Cloudflare setup, or even to check other sites. Although all the information we’re accessing is publicly available, it's just a much nicer experience to get a simple all-in-one application to do the leg work for you.
We hope you enjoy using the free service and find it a useful part of your tool kit!
You can use the tool on https://checkforcloudflare.selesti.com/.