Cloudflare to proxy box.mymailserver.com

Guys,

I currently use Cloudflare on my domain, but until now I have had the MiaB box entry there set to “DNS Only” and not “Proxied by Cloudflare”. Everything works fine with this setup.

I want to explore whether I can proxy the MiaB box through Cloudflare as well (only the A record of box.mymailserver.com), as I would like that analytics data to be included in the Cloudflare console too.

Does anybody have this setup working?

I can’t seem to get my head round how this can be made to work (my default setting is to enforce SSL 1.3 in CF). The route would be user -> CF -> MiaB, so I guess CF will need to import the MiaB’s Let’s Encrypt certificate. Is that correct / does that make sense?
If it makes sense, how do I export the MiaB certificate, and can this process be scripted? Any pointers would be great, as I have never done this sort of thing.

Thanks

I am not a CF user, but afaik CF creates its own SSL certificate. So that part is not an issue.

I know that you absolutely cannot proxy the MX record, and in setups such as DirectAdmin and cPanel you cannot proxy the SMTP/POP3/IMAP connections. What I do not know is whether proxying the A record for box.mymailserver.com will be problematic or not.

I suppose that you’ll be our guinea pig. :slight_smile:

I don’t mind being my own guinea pig, but I would appreciate help in talking things over so as to be a more informed guinea pig, hopefully.

Yes, CF only proxies A, AAAA and CNAME records, and I don’t really want to proxy MX records.

CF has the following SSL options (which will kick in once I proxy the A record for box.maibdomain.com):
[screenshot of Cloudflare’s SSL/TLS options]

So my question is: if I want to stick to the Full setting, then CF will have its own cert for the browser-to-CF part, and will allow me to import my server cert into CF for the CF-to-MiaB connection to work?

How do I export the MiaB certificate, and can this process be scripted? Otherwise, every few weeks when the Let’s Encrypt cert gets updated, the link would start to fail.

Has anyone done this before, or can they suggest pointers on achieving it, if it’s a theoretical possibility?

Thanks

Just thinking out loud … what if you select the Flexible option?

I am guessing that the connection from the web browser to CF would be encrypted by CF, and then the connection from CF to your MiaB would be encrypted with the cert on the box.

Maybe looking at their docs will shed some light on that possibility?

I don’t currently use CF in front of my MiaB, but I am interested in how it could be done.

That said, I do use CF in front of a self-hosted server, both using Let’s Encrypt, and CF allows Full (strict) without a problem.

No exporting necessary if using LE.

Digging up an old thread – as another CF user, I’m keen to understand whether you managed to get this to work.

I have managed to get MiaB up and running with all DNS managed through CF (for multiple reasons), but I am now keen to enable CF proxying of just the A record.

Secondly, is it possible to enforce Authenticated Origin Pulls within the MiaB Nginx config?

Thanks

Unfortunately, the OP never came back and advised us …

So, maybe YOU can be our guinea pig? :slight_smile:

Any changes made to the Nginx conf will be overwritten by MiaB. So yes, in theory it should work, but it won’t keep working forever.

This article explains more …

and this article tells how to configure it:

https://joerismissaert.dev/cloudflare-authenticated-origin-pulls/

As always, this would be an unsupported modification, and you’ll be on your own.

You can look at where in the nginx configuration the include directive is used on a directory, and then place additional configuration files there.

However, these configurations will still be subject to the other configurations in nginx, so you will need to figure out what conflicts with them and how to override those conflicts; this is usually possible in nginx within a given virtual server or location.
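As an added example of the drop-in approach described in the two replies above (this is not code from Mail-in-a-Box, Cloudflare, or anyone in the thread), the script below writes a Cloudflare Authenticated Origin Pulls fragment into a separate nginx file and shows how to check that it is actually enforced. It assumes that nginx.conf includes /etc/nginx/conf.d/*.conf, that box.mymailserver.com is the proxied hostname, and that 203.0.113.10 stands in for the box’s real public IP; all three are placeholders to adjust.

```shell
#!/bin/sh
# Added example for this thread, not code from Mail-in-a-Box or Cloudflare.
# Enables Cloudflare Authenticated Origin Pulls via a drop-in nginx file and
# gives a way to verify it is enforced. Assumptions (adjust for your box):
#  - nginx.conf includes /etc/nginx/conf.d/*.conf
#    (check with: grep -n include /etc/nginx/nginx.conf)
#  - BOX_HOST is the proxied hostname, ORIGIN_IP the box's public IP
# Only nginx (HTTPS) is covered: Postfix and Dovecot are not behind nginx.
set -eu

BOX_HOST="${BOX_HOST:-box.mymailserver.com}"   # assumed hostname
ORIGIN_IP="${ORIGIN_IP:-203.0.113.10}"         # assumed (documentation range)
CA_URL="https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem"
CA_PATH="${CA_PATH:-/etc/nginx/cloudflare-origin-pull-ca.pem}"           # assumed
CONF_PATH="${CONF_PATH:-/etc/nginx/conf.d/cloudflare-origin-pull.conf}"  # assumed

# Render the drop-in. Both directives are valid at http level, so the file
# applies to every TLS server block without touching files MiaB regenerates.
render_conf() {
  cat <<EOF
# Cloudflare Authenticated Origin Pulls: a TLS handshake completes only if the
# client presents a certificate issued by Cloudflare's origin-pull CA.
ssl_client_certificate $1;
ssl_verify_client on;
EOF
}

# Fetch the CA bundle, write the drop-in, validate the config, reload nginx.
apply() {
  curl -fsS "$CA_URL" -o "$CA_PATH"
  render_conf "$CA_PATH" > "$CONF_PATH"
  nginx -t
  systemctl reload nginx
}

# Once enforced, a request straight to the origin (bypassing Cloudflare and
# sending no client certificate) gets nginx's 400 "No required SSL certificate
# was sent"; the same request through Cloudflare's edge succeeds.
verify() {
  direct=$(curl -s --resolve "$BOX_HOST:443:$ORIGIN_IP" -o /dev/null \
             -w '%{http_code}' "https://$BOX_HOST/")
  edge=$(curl -s -o /dev/null -w '%{http_code}' "https://$BOX_HOST/")
  echo "direct-to-origin: $direct (want 400)   via Cloudflare: $edge (want 2xx/3xx)"
}

case "${1:-}" in
  apply)  apply ;;
  verify) verify ;;
  *) ;;   # no argument: only define the functions
esac
```

Two caveats before running `apply`: turn on Authenticated Origin Pulls for the zone in the Cloudflare dashboard first and only after the A record is proxied, because `ssl_verify_client on` rejects every direct HTTPS connection, including your own browser while the record is still DNS-only; and remember that this protects nothing on ports 25, 465, 587, 993 or 995, which the rest of this thread establishes cannot go through Cloudflare anyway.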

So, based on my limited testing, the answer is no. You can’t front MiaB with Cloudflare. I altered my A record for box..com so that it was proxied through Cloudflare, which immediately broke mail delivery, as my MX record is pointed at box..com.

I then created a secondary A record, mail..com, which allowed me to send email but not receive it, as reverse DNS no longer worked!

Happy to hear any other suggestions if people have any!

Your mail server hostname has to resolve globally, and Cloudflare does not proxy SMTP.
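The two failure modes reported at the end of the thread can be checked before flipping a record. The script below is an added example (not from Mail-in-a-Box, Cloudflare, or any poster): it resolves each MX target, flags the target as proxied if its A record lands in one of Cloudflare’s published edge ranges (in which case port 25 reaches Cloudflare, which will not accept mail for you), and then compares the PTR of the address with the MX hostname. The CIDR test is written in plain sh so it works on the box itself; the range list is copied from Cloudflare’s published IPv4 list at the time of writing and should be refreshed from https://www.cloudflare.com/ips-v4 before relying on it.

```shell
#!/bin/sh
# Added example for this thread, not code from Mail-in-a-Box or Cloudflare.
# Verifies that the MX target resolves to the box itself rather than to a
# Cloudflare edge address, and that its PTR matches the hostname.
set -eu

# Cloudflare's published IPv4 edge ranges at the time of writing.
# Refresh from https://www.cloudflare.com/ips-v4 before trusting this list.
CF_IPV4_RANGES="173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22
141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20
197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13
104.24.0.0/14 172.64.0.0/13 131.0.72.0/22"

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer.
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP NET/BITS -> exit 0 if IP lies inside the block.
in_cidr() {
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# is_cloudflare_ip IP -> exit 0 if IP belongs to a Cloudflare edge range,
# i.e. the DNS record that produced it is proxied rather than DNS-only.
is_cloudflare_ip() {
  for range in $CF_IPV4_RANGES; do
    if in_cidr "$1" "$range"; then return 0; fi
  done
  return 1
}

# check_mail_dns DOMAIN: live check of MX -> A -> PTR using dig.
check_mail_dns() {
  for mx in $(dig +short MX "$1" | awk '{print $2}'); do
    for ip in $(dig +short A "$mx"); do
      if is_cloudflare_ip "$ip"; then
        echo "FAIL: MX $mx -> $ip is a Cloudflare edge address (proxied); inbound SMTP cannot reach the box"
      else
        echo "OK:   MX $mx -> $ip (direct)"
        ptr=$(dig +short -x "$ip")
        if [ "${ptr%.}" = "${mx%.}" ]; then
          echo "OK:   PTR $ip -> $ptr"
        else
          echo "WARN: PTR $ip -> '${ptr:-<none>}', expected $mx"
        fi
      fi
    done
  done
}

case "${1:-}" in
  check) check_mail_dns "${2:?usage: $0 check DOMAIN}" ;;
  *) ;;   # no argument: only define the functions
esac
```

Run it as `sh check-mx.sh check example.com` (assumed filename) both before and after changing the record. A FAIL line reproduces the first symptom in the post above (MX pointing at a name whose A record is now a Cloudflare address); a WARN line corresponds to the second one, where a new hostname was introduced whose PTR did not match.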