Just a quick question, but is Render starting to use Cloudflare internally somewhere since an hour or two ago? I’m seeing some issues at our side which may be related, but first want to be sure whether Render is actually (partially) using Cloudflare before I jump to conclusions.
Ray ID: 66f8282cdeb318d0 • 2021-07-16 03:31:19 UTC
DNS points to prohibited IP
What happened?
You’ve requested a page on a website (frontwork.dev) that is on the Cloudflare network. Unfortunately, it is resolving to an IP address that is creating a conflict within Cloudflare’s system.
What can I do?
If you are the owner of this website:
you should login to Cloudflare and change the DNS A records for frontwork.dev to resolve to a different IP address.
Yeah this is indeed the issue that I am encountering when I am using Render’s 216.24.57.1 as proxied A records on my projects.
My guess is that Render is now making use of Cloudflare’s Spectrum or something similar to combat DDoS attacks, but this prevents me now from enabling Cloudflare’s proxy on my own domain and enabling Cloudflare’s WAF, which is needed to secure projects.
I also started having Cloudflare issues on July 13, though different than what you discuss here. TLS traffic in the CF dashboard dropped to zero and the Firewall Rules stopped working. Server logs indicate no drop in traffic, but now all the spam traffic that was getting blocked by CF is hitting the server.
We are currently evaluating using Cloudflare as a proxy for Render traffic. If you DM me the affected domains, I can remove them from Cloudflare on our end for now while we work with them to prevent disruptions for existing Cloudflare users.
Could you share the details of how your site is set up on Cloudflare? We are working on reproducing the issue and understanding what specifically triggers the error. Feel free to DM if you’d prefer.
What you’re seeing here is the classic “Orange to Orange” problem with Cloudflare. You can’t proxy traffic that’s already being proxied by Cloudflare, or else you’ll get that specific “resolving to an IP address that is creating a conflict within Cloudflare’s system” error.
More about it can be read here:
In my case I’m already making use of Cloudflare because I’m using several features that Cloudflare has to offer like Access, custom error pages (which we unfortunately have to use quite a lot because of outages with Render), WAF, custom SSL certificates and some more features.
What I have done right now as a workaround to still be able to use my own Cloudflare settings is changing from the default anycast Render IP to the one of the Frankfurt proxy.
@arunesh90 and others using Cloudflare for DNS: can you try removing the DNS A record pointing to 216.24.57.1 and use Cloudflare’s CNAME flattening instead?
We got a bunch of certificate transparency notifications last night for our sites hosted on Render, about new Cloudflare-issued certificates with 1 year validity. These used to be issued by LetsEncrypt (with a shorter lifetime). I’m assuming this is due to the evaluation you mentioned.
Some sort of heads-up in advance would have been nice… but then I did find this thread reasonably quickly, so it’s all good
Hi folks, I also started seeing this behaviour on the 13th of July. I have my Render static hosting behind Cloudflare, and on that day all of my static assets started responding with cf-cache: dynamic. Bandwidth served, cache rate, etc. all dropped on that day. I’m mainly concerned that I’ll now be billed for more expensive bandwidth for these static assets via Render. I’ve put a message into support to hopefully get an exclusion for my domain.
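Two of the symptoms in this thread can be read straight off an HTTP response: the “Orange to Orange” conflict surfaces as Cloudflare’s “DNS points to prohibited IP” error page (the text pasted near the top), and the caching regression shows up in Cloudflare’s `cf-cache-status` response header (the `cf-cache: dynamic` mentioned just above is that header). The following script is an added example, not code from this thread or from Render or Cloudflare; it classifies a response from constructed sample headers (the `probe()` helper does a live fetch and is only there for real use). Header names `cf-ray`, `cf-cache-status` and `server: cloudflare` are Cloudflare’s real ones; the sample values are made up.

```python
"""Classify an HTTP response to see whether a site is already behind
Cloudflare, whether it hit the double-proxy (orange-to-orange) error, and
what Cloudflare's cache did with it. Added example, not from the thread."""
import urllib.error
import urllib.request
from typing import Mapping

# Text of Cloudflare's error 1000 page, as pasted in the thread above.
DOUBLE_PROXY_MARKER = "DNS points to prohibited IP"

# Values Cloudflare reports when the edge cache considered the object at all.
CACHEABLE_STATES = {"HIT", "MISS", "EXPIRED", "REVALIDATED", "STALE", "UPDATING"}


def classify_response(status: int, headers: Mapping[str, str], body: str = "") -> dict:
    """Return a small report built from one response's status, headers and body."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    behind_cloudflare = "cf-ray" in h or h.get("server", "").lower() == "cloudflare"
    cache_status = h.get("cf-cache-status", "").upper() or None
    double_proxy = DOUBLE_PROXY_MARKER in body

    findings = []
    if double_proxy:
        findings.append(
            "Cloudflare error page: the origin this name points at is itself served "
            "through Cloudflare (orange-to-orange); use a DNS-only record or a "
            "CNAME/flattened name instead of a proxied A record"
        )
    elif not behind_cloudflare:
        findings.append("no Cloudflare headers: the response came straight from the origin")
    elif cache_status == "DYNAMIC":
        findings.append(
            "served via Cloudflare but marked DYNAMIC: the edge did not cache it, "
            "so every request is billed as origin bandwidth"
        )
    elif cache_status in CACHEABLE_STATES:
        findings.append(f"served via Cloudflare, cache state {cache_status}")
    else:
        findings.append("served via Cloudflare, no cf-cache-status header")

    return {
        "status": status,
        "behind_cloudflare": behind_cloudflare,
        "cache_status": cache_status,
        "double_proxy_error": double_proxy,
        "findings": findings,
    }


def probe(url: str, timeout: float = 10.0) -> dict:
    """Fetch a URL and classify the live response (needs network access)."""
    req = urllib.request.Request(url, headers={"User-Agent": "cf-probe/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
            return classify_response(resp.status, dict(resp.headers.items()), body)
    except urllib.error.HTTPError as err:  # error pages (e.g. 403/1000) are still answers
        body = err.read(4096).decode("utf-8", "replace")
        return classify_response(err.code, dict(err.headers.items()), body)


# Constructed sample responses (not captured from any real site).
SAMPLE_STATIC_OK = (200, {"Server": "cloudflare", "CF-RAY": "0000000000000000-FRA",
                          "cf-cache-status": "HIT"}, "<html>ok</html>")
SAMPLE_STATIC_DYNAMIC = (200, {"Server": "cloudflare", "CF-RAY": "0000000000000001-FRA",
                               "cf-cache-status": "DYNAMIC"}, "<html>ok</html>")
SAMPLE_DOUBLE_PROXY = (403, {"Server": "cloudflare", "CF-RAY": "0000000000000002-FRA"},
                       "<h1>DNS points to prohibited IP</h1>")
SAMPLE_DIRECT = (200, {"Server": "nginx"}, "<html>ok</html>")

if __name__ == "__main__":
    for sample in (SAMPLE_STATIC_OK, SAMPLE_STATIC_DYNAMIC, SAMPLE_DOUBLE_PROXY, SAMPLE_DIRECT):
        report = classify_response(*sample)
        print(report["status"], report["cache_status"], "|", "; ".join(report["findings"]))
```

Run it against a real URL with `probe("https://example.invalid/some/asset.css")` (placeholder hostname); a `DYNAMIC` result on a static asset, or the error 1000 body, points at the two problems discussed in this thread.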
A couple of days ago it seems like Render had overtaken one of my Cloudflare custom hostnames that I had set for a Render project. This meant that my own Cloudflare settings, firewall, etc. no longer applied.
Is this related to Render now also using custom hostnames?
If so, can I expect that Render will also try to overtake/move the rest of the custom hostnames I have set for other Render projects?
Cloudflare sends traffic to the zone that most recently added the custom hostname. Since we are stealing your traffic right now, you should be able to safely delete your custom hostname and re-add it so that it takes priority. We have already added all of the custom hostnames for our zone, so we don’t anticipate that you will see the same behavior for the remainder of your services.
What origins are your custom hostnames pointing to? Is it an A record to 216.24.57.1 or a CNAME to your onrender subdomain?