Just a quick question, but is Render starting to use Cloudflare internally somewhere since a hour or two ago? I’m seeing some issues at our side which may be related, but first want to be sure whether Render is actually (partially) using Cloudflare before I jump to conclusions.
Yeah this is indeed the issue that I am encountering when I am using Render’s 126.96.36.199 as proxied A records on my projects.
My guess is that Render is now making use of Cloudflare’s Spectrum or something similar to combat DDOS attacks, but this prevents me now from enabling Cloudflare’s proxy on my own domain and enabling Cloudflare’s WAF, which is needed to secure projects.
I also started having Cloudflare issues on July 13, though different than what you discuss here. TLS traffic in the CF dashboard dropped to zero and the Firewall Rules stopped working. Server logs indicate no drop in traffic, but now all the spam traffic that was getting blocked by CF is hitting the server.
We are currently evaluating using Cloudflare as a proxy for Render traffic. If you DM me the affected domains, I can remove them from Cloudflare on our end for now while we work with them to prevent disruptions for existing Cloudflare users.
What you’re seeing here is the classic “Orange to Orange” problem with Cloudflare. You can’t proxy traffic that’s already being proxied by Cloudflare, or else you’ll get that specific “resolving to an IP address that is creating a conflict within Cloudflare’s system” error.
More about it can be read here:
In my case I’m already making use of Cloudflare because I’m using several features that Cloudflare has to offer like Access, Custom error pages (which we unfortunately have to use quite a lot because of outages with Render), WAF, custom ssl certificates and some more features.
What I have done right now as a workaround to still be able to use my own Cloudflare settings is changing from the default anycast Render ip to the one of the Frankfurt proxy.
We got a bunch of certificate transparency notifications last night for our sites hosted on Render, about new Cloudflare-issued certificates with 1 year validity. These used to be issued by LetsEncrypt (with a shorter lifetime). I’m assuming this is due to the evaluation you mentioned.
Some sort of heads-up in advance would have been nice… but then I did find this thread reasonably quickly, so it’s all good
Hi folks, I also started seeing this behaviour on the 13th of July. I have my Render static hosting behind Cloudflare, and on that day all of my static assets started responding with cf-cache: dynamic. Bandwidth served, cache rate, etc. all dropped on that day. I’m mainly concerned that I’ll now be billed for more expensive bandwidth for these static assets via Render. I’ve put a message into support to hopefully get an exclusion for my domain.
A couple days ago it seems like Render had overtaken one of my Cloudflare custom hostnames that I had set for a Render project. This meant that my own Cloudflare settings, firewall, etc did no longer apply.
Is this related to Render now also using custom hostnames?
If so, can I expect that Render will also try to overtake/move the rest of the custom hostnames I have set for other Render projects?
Cloudflare sends traffic to the zone that most recently added the custom hostname. Since we are stealing your traffic right now, you should be able to safely delete your custom hostname and re-add it so that it takes priority. We have already added all of the custom hostnames for our zone, so we don’t anticipate that you will see the same behavior for the remainder of your services.
What origins are your custom hostnames pointing to? Is it an A record to 188.8.131.52 or a CNAME to your onrender subdomain?