ControlShift uses Cloudflare to accelerate content delivery and protect customer sites from DDoS and other types of malicious activity.
For organizations using Cloudflare for their DNS provider, certain custom settings are required when setting up ControlShift.
Setting up ControlShift on subdomains
When setting up CNAMEs for subdomains (e.g. pointing action.yourorg.org to platform.controlshift.app), it's important that the record be unproxied, showing the gray cloud and "DNS only" (). ControlShift will use Cloudflare's proxying service within our Cloudflare zone, so it's important that the traffic isn't double proxied.
All organizations should have at least one CNAME record pointing a subdomain to platform.controlshift.app.
Setting up ControlShift on apex domains
CNAME records are generally not allowed on the apex/root domain (e.g. yourorg.org) and instead must be tied to subdomains (e.g. www.yourorg.org or action.yourorg.org, etc.). Cloudflare, however, does allow CNAMEs to be created on the apex domain using "CNAME flattening". While this type of record will appear to work in your Cloudflare dashboard, it is not a recommended best practice.
If you want visitors to your apex domain (yourorg.org) to be able to see ControlShift, you'll need to set up a redirect from the apex domain (yourorg.org) to an already-configured subdomain (www.yourorg.org, action.yourorg.org, etc.).
Once you've created the subdomain's CNAME record, confirm that traffic is flowing appropriately and that your ControlShift site is visible from that subdomain. Next, create a CNAME record from your apex domain (yourorg.org) to platform.controlshift.app. Unlike for subdomains, ensure that this apex domain's CNAME record is proxied (orange cloud). Your apex domain's CNAME record should look like:
Next, you'll need to create a Page Rule, which will redirect visitors attempting to view your apex domain (yourorg.org) to the ControlShift site's subdomain (www.yourorg.org, action.yourorg.org, etc.). Go to Cloudflare's Rules > Page Rules, and click to Create Page Rule. On this page:
- URL(required) is your apex domain followed by
/*, e.g. yourorg.org/*
/*ensures that someone attempting to go directly to a specific page, like a petition signature page or the local organizing map, will also be redirected appropriately.)
- Pick a Setting (required) is Forwarding URL
- Select status code (required) is 302 - Temporary Redirect
- Enter destination URL (required) is the subdomain that you've previously configured for ControlShift starting with
https://, followed with
/$1, e.g. https://www.yourorg.org/$1 or https://action.yourorg.org/$1.
Once you've entered your information, click to Save and Deploy Page Rule. After saving, confirm that the page rule is working by going to your apex domain. If you're automatically redirected to the subdomain that you've previously configured for ControlShift, then all is working.
Please note: unlike subdomains, apex domains do not need to be added to your ControlShift's Settings > Basics > Hostnames. The settings configured above mean that users typing your apex domain into their address bar will be redirected by your Cloudflare account to the subdomain before they see ControlShift. Therefore, the URL does not need to be added to ControlShift.
Email Deliverability Settings
Email deliverability settings require adding three CNAME records to your DNS manager. These records tell email service providers that ControlShift is allowed to send emails on your behalf. When adding these CNAME records to your Cloudflare account, please ensure that the CNAME records are unproxied, showing the gray cloud and "DNS only" ().
Other Cloudflare Settings
When enabling Cloudflare for your ControlShift site, other settings will also become available. Please note that some of these settings may prevent the normal operation of the platform. In particular, please ensure that Cloudflare's Rocket Loader is disabled for ControlShift. Please ensure that Cloudflare's Mirage is also disabled on admin pages (any pages that have
/org in their URL). If these settings are needed for other domains managed in Cloudflare, you should be able to limit their usage on ControlShift via page rules.
Please sign in to leave a comment.