Cloudflare Setup
The following screenshots illustrate how to configure to deliver content. Essential settings are marked with a red circle.
This setup can be completely done in the browser by using the Cloudflare Dashboard only. If you are already familiar with , & GitHub and not afraid of entering commands in a terminal window you might want to follow the instructions for Cloudflare with wrangler instead.
Create a Cloudflare site
If you already have a Cloudflare site and DNS set up you can skip forward to the Setup push invalidation section.
Enter the domain:
Select a plan:
Note that surgical push invalidations are only supported on the Enterprise plan. On all other plans the entire cache of the site will be purged every time an author publishes a content change.
For this walk-through we鈥檒l use the .
Setup push invalidation for Cloudflare
Push invalidation automatically purges content on the customer鈥檚 production CDN (e.g. www.yourdomain.com), whenever an author publishes content changes.
Content is purged by url and by cache tag/key.
Push invalidation is enabled by adding specific properties to the project鈥檚 configuration (an Excel workbook named .helix/config.xlsx in Sharepoint or a Google Sheet named .helix/config in Google Drive).
Configuration properties:
To create an API Token,
- go to
- click on 鈥淐reate Token鈥,
- go to 鈥淐reate Custom Token鈥 at the bottom and click on 鈥淕et started鈥
- enter a token name (e.g.
"Production Site Purge Token"), - Permissions: 鈥淶one鈥, 鈥淐ache Purge鈥, 鈥淧urge鈥
- Zone Resources: 鈥淚nclude鈥, 鈥淪pecific zone鈥, 鈥<your production zone>鈥
- click on 鈥淐ontinue to summary鈥
- click on 鈥淐reate Token鈥,
- copy the generated token value.
Note that only sites on the enterprise plan will be surgically purged by url and cache key. A Purge All will be performed instead on non-enterprise sites every time an author publishes a content change.
You can validate the credentials with this .
DNS Setup
For a new site, we鈥檒l start with a simple DNS setup.
- Create a new
CNAMErecord. If your zone ismysite.comand you want to serve traffic onwww.mysite.com, then the name should bewww - If you want to serve traffic on example.com (without a www) then the name should be
@ - And if you want to serve traffic on all subdomains, then the name should be
* - As we are using workers to serve the content, the value of the Content field does not matter. It鈥檚 easiest to use your
ref--repo--owner.aem.livehost name here. This is a hostname, not a URL, so leave out the leadinghttps://
Make sure the CNAME record is :
SSL/TLS Setup
Select SSL/TLS from the left pane and Edge Certificates in the dropdown list. On the right side, scroll down to Always Use HTTPS and enable the setting:
Configure Caching
Navigate to Caching 鈫 Configuration and adjust following settings:
- Caching Level: Standard
- Browser Cache TTL: Respect Existing Headers
Create Cache Rules
Next browse to Caching 鈫 Cache Rules and create a new cache rule
Note: Enable Origin Cache Control option is only available for enterprise accounts. Free, Pro, and Business customers have this option enabled by default and cannot disable it.
Following settings should apply:
- When incoming requests match: hostname contains
mydomain.com - Then: Eligible for cache
Under Browser TTL, click 鈥渁dd setting鈥, then apply 鈥淩espect Origin TTL鈥
Create Worker
Return to the Cloudflare Dashboard homepage, then navigate the sidebar: Workers & Pages 鈫 Overview. Click 鈥渃reate鈥 to create a new worker.
On the next screen, click 鈥渃reate worker鈥, because that鈥檚 what you want to achieve.
Enter a name for the worker (e.g. aem-worker) and click on 鈥淒eploy鈥:
On the next screen, click 鈥淓dit code鈥
Edit worker code
- Copy the content of .
- In the left pane, replace the existing content with the copied content.
- Click on 鈥淒eploy鈥
- Confirm with 鈥淪ave and Deploy鈥
Return to your worker (by clicking the back arrow in the top right corner), then click on Settings 鈫 Variables and 鈥淎dd variable鈥:
Add a variable ORIGIN_HOSTNAME and set the value to the hostname of your origin (e.g. main--mysite--aemsites.aem.live):
If you have enabled push invalidation, add a second environment variable PUSH_INVALIDATION = enabled.
Apply the changes by clicking 鈥淒eploy鈥.
Next, click on Triggers an select 鈥淎dd route鈥:
Enter your domain route (e.g. www.mydomain.com/*), select your zone and confirm with 鈥淎dd route鈥:
Depending on the setup chosen in DNS Setup, you would select routes www.mydomain.com/* or mydomain.com/*
Warning: if you select *.mydomain.com/* as Cloudflare suggests in the field default, your site will be available under multiple subdomains. This will invite attackers trying to open webmail.mydomain.com and similar sites, and lead to duplicate content, potentially depressing your search engine rankings.
After completing all steps you should be all set.
Optional: Authenticate Origin Requests
When using token-based Site Authentication, add the following to enable authenticated requests from Cloudflare to AEM.
- Return to Workers 鈫 <your worker> 鈫 Settings 鈫 Variables
- Create a new environment variable
ORIGIN_AUTHENTICATION - Paste the site token value from token-based Site Authentication (it starts with
hlx_) - Confirm by clicking 鈥淒eploy鈥
Expanding the AEM footprint on your website
In case you start with having only a portion of the website being routed to your .live origin and have routed a specific folder (eg. /blog/*) you can subsequently add more routes whenever you are ready to expose new sections of the site by simply adding more routes and repeat the last 鈥渁dd route鈥 steps as needed, without changing your worker configuration.
Watch out for duplicate content
Search engines often penalize sites for duplicate content, so it鈥檚 important to make sure your content is not available on the web elsewhere. Cloudflare, unfortunately, has a default setting that will . In paid Cloudflare plans you can . This is a recommended setting for production sites.