
ADR: Cloudflare CDN as Reverse Proxy for GitHub Pages

Summary

Use Cloudflare (free tier) as a CDN reverse proxy in front of GitHub Pages for chrisnewcomb.name rather than pointing DNS directly at GitHub's servers.

Status: Accepted

Date: 2026-04-11

Context

The engineering journal is a static Docusaurus site hosted on GitHub Pages and deployed via GitHub Actions. The site is served at a custom domain (chrisnewcomb.name) registered through GoDaddy.

Without a CDN layer, the site is served directly from GitHub Pages with no edge caching, no DDoS protection, and no control over HTTPS enforcement or traffic routing.

Decision

Point DNS for chrisnewcomb.name to Cloudflare nameservers instead of directly to GitHub Pages IPs. Cloudflare sits in front as a reverse proxy — GitHub Pages continues to host the content, but all traffic flows through Cloudflare's edge network first.

Nameservers:

  • eoin.ns.cloudflare.com
  • emely.ns.cloudflare.com

DNS records managed in Cloudflare:

Type    Name    Value                     Proxied
A       @       185.199.108.153
A       @       185.199.109.153
A       @       185.199.110.153
A       @       185.199.111.153
CNAME   www     newcomb-labs.github.io

Additional configuration:

  • SSL/TLS mode: Full
  • HTTPS page rule: http://chrisnewcomb.name/* → Always Use HTTPS
  • Browser Cache TTL: 4 hours
  • Auto Minify: JS, CSS, HTML enabled
  • Brotli compression: enabled

Consequences

Benefits:

  • Content served from Cloudflare edge nodes globally — faster load times
  • Automatic DDoS protection
  • Cloudflare manages SSL cert — no expiry issues
  • Always Online serves cached version if GitHub Pages goes down
  • Basic traffic analytics without cookies or tracking scripts
  • HTTPS enforced at the edge via page rule
  • Free tier covers all requirements for a personal knowledge base

Trade-offs:

  • DNS is now managed in Cloudflare, not GoDaddy — an extra system to maintain
  • Cloudflare is a dependency in the request path — if Cloudflare goes down, the site goes down (mitigated by Always Online)
  • Custom domain must be set in GitHub Pages settings — the deploy workflow can clear it if the CNAME file (from website/static/CNAME) is not present in the build output

Mitigations:

  • website/static/CNAME added to repo so Docusaurus includes it in every build artifact, preventing GitHub Pages from clearing the custom domain on deploy
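
A deploy-time guard for the mitigation above, as an added example that is not part of the original ADR or the site's repository: it fails the workflow before publishing if the build output lacks a CNAME file naming exactly the custom domain. The function name check_cname and the website/build output path are assumptions.

```shell
#!/bin/sh
# Added example (not from the site's repo): guard against the custom domain
# being cleared on deploy. check_cname is a hypothetical helper name.
# Assumed usage in the deploy workflow, after the Docusaurus build:
#   check_cname website/build chrisnewcomb.name || exit 1

# check_cname BUILD_DIR EXPECTED_DOMAIN
# Returns 0 when BUILD_DIR/CNAME holds exactly EXPECTED_DOMAIN,
#         1 when the file is missing,
#         2 when it does not hold exactly one hostname,
#         3 when the hostname differs from EXPECTED_DOMAIN.
check_cname() {
    build_dir=$1
    expected=$2
    file="$build_dir/CNAME"

    if [ ! -f "$file" ]; then
        echo "CNAME guard: $file missing; deploy would clear the custom domain" >&2
        return 1
    fi

    # Strip CRs (Windows checkouts) and surrounding blanks, drop empty lines.
    hosts=$(tr -d '\r' < "$file" \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | sed '/^$/d')
    count=$(printf '%s\n' "$hosts" | sed '/^$/d' | wc -l | tr -d ' ')

    # GitHub Pages accepts a single domain in the CNAME file.
    if [ "$count" -ne 1 ]; then
        echo "CNAME guard: expected one hostname in $file, found $count" >&2
        return 2
    fi

    # Hostnames are case-insensitive, so compare lowercased values.
    got=$(printf '%s' "$hosts" | tr '[:upper:]' '[:lower:]')
    want=$(printf '%s' "$expected" | tr '[:upper:]' '[:lower:]')
    if [ "$got" != "$want" ]; then
        echo "CNAME guard: $file has '$got', expected '$want'" >&2
        return 3
    fi
    return 0
}
```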

Alternatives Considered

Direct GitHub Pages with custom domain (no CDN)

  • Simpler — fewer moving parts
  • No edge caching, no DDoS protection, no HTTPS enforcement control
  • Rejected in favour of Cloudflare's free tier benefits

Cloudflare Pages (direct hosting)

  • Would replace GitHub Pages entirely
  • More complexity — separate deployment pipeline
  • Not needed for a static personal KB
  • Rejected — GitHub Pages + Cloudflare proxy achieves the same result with less complexity