Cloudflare Hijacked my Ghost(Pro) Domain

For those of you who don't know, Cloudflare is a reverse proxy and CDN with a lot of extras bolted on; a CDN on steroids, if you like. To use Cloudflare, you change your domain's nameservers (its authoritative DNS servers) to Cloudflare's, so Cloudflare answers DNS for the domain and can proxy the traffic. Ghost(Pro), on the other hand, is the SaaS version of Ghost, an open-source blogging platform.

Since the first day I set up this blog, I put it behind Cloudflare. This means that all the traffic going to blog.cdemi.io passes through Cloudflare instead of going directly to Ghost(Pro). In a way, Cloudflare is a man-in-the-middle, except in this case it is a good man-in-the-middle.

Traffic flow

Advantages

This gives me various advantages:

  • Caching of static content closer to the end-user
  • Rate Limiting
  • Adjusting Security Level
  • Custom SSL Certificates
  • Access Rules
  • Custom Apps like Google Analytics

All of these are really awesome features that are provided by Cloudflare and that I was making use of.

Ghost(Pro) moves to Cloudflare

Unfortunately for me, about 2 months ago, Ghost decided to move behind Cloudflare and this is when I received this email:

Email from Cloudflare

What?! So my domain, which is on my Cloudflare account, is now being handed over to Ghost(Pro)?! This sounded very bad, so naturally I emailed Cloudflare to ask them not to do this, at least on my domain.

I explained to them that this change means that I will lose:

  • My custom security level settings
  • My custom SSL Certificate
  • My custom access rules
  • Google Analytics App

After two different support engineers flatly denied that this would have any effect, the third one finally confirmed that:

we [Cloudflare] don't provide any double clouding solutions for now

He also confirmed that since this is their issue, he will put my domain on hold and not enable this on my account, which I thought was a good resolution of this ticket.

Unfortunately for me, on October 2nd my monitoring systems alerted me that I had lost all visibility of the traffic flowing through my Cloudflare account for this blog. Sure enough, I logged in to Cloudflare and saw that I no longer had management access to my own subdomain on my own Cloudflare account.

After contacting Cloudflare support, they confirmed to me that, even though they had agreed to hold my domain back from being transferred to Ghost(Pro), they had still gone ahead and delegated it to them.

Ghost(Pro) now owns my subdomain on my Cloudflare account

This meant that, after the change, I could not even turn on "Orange Cloud" (Cloudflare's proxied mode for a DNS record), since I was no longer in control of my own subdomain.

After a lot of back and forth with the Cloudflare support team leader, I was still unable to convince him that this situation doesn't make any sense from my side.

Gaining back control

After realizing that Cloudflare wasn't going to delegate management of my own subdomain back to me, it occurred to me that bypassing this logic wouldn't be that difficult.

All I needed to do was create a temporary subdomain that points to my Ghost(Pro) hostname. I knew Cloudflare would hijack this hostname too and delegate it to Ghost, and as you can see in the screenshot, I cannot turn on "Orange Cloud" for it. After that, I pointed my actual blog subdomain at the temporary subdomain and turned on "Orange Cloud" on that record. The delegation only catches records that point directly at the SaaS provider, so the record pointing at my own temporary subdomain stays under my control.

Temporary Domain pointing to Ghost, while actual domain pointing to temporary domain with Orange Cloud enabled
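The two-record workaround described above, expressed as Cloudflare DNS records created through the v4 API. This is an added example, not the author's actual records or a Cloudflare-provided script: the hostnames (tmp.example.com, blog.example.com), the Ghost target (example.ghost.io), the zone ID and the API token are placeholders, and the records are assumed to be CNAMEs, which is how a hostname is normally "pointed" at a SaaS provider. In the API, "Orange Cloud" is the `proxied` flag on the record.

```shell
#!/usr/bin/env sh
# Added example: the "temporary hostname" workaround as Cloudflare DNS records.
# Nothing here is the author's real configuration; all names are placeholders.
# The API endpoint and fields (type, name, content, ttl, proxied) are the
# documented Cloudflare v4 DNS records API; ttl=1 means "automatic".

CF_API="https://api.cloudflare.com/client/v4"

# build_cname NAME TARGET PROXIED -> JSON body for one CNAME record.
# PROXIED is the literal true/false; true is "Orange Cloud", false is grey cloud.
build_cname() {
  printf '{"type":"CNAME","name":"%s","content":"%s","ttl":1,"proxied":%s}' \
    "$1" "$2" "$3"
}

# create_record ZONE_ID JSON -> POST the record (requires network and CF_API_TOKEN).
create_record() {
  curl -sS -X POST "$CF_API/zones/$1/dns_records" \
    -H "Authorization: Bearer $CF_API_TOKEN" \
    -H "Content-Type: application/json" \
    --data "$2"
}

# workaround_payloads TEMP_HOST REAL_HOST SAAS_TARGET -> two JSON bodies, one per line.
# Record 1: the temporary hostname points straight at the SaaS target and stays
#           DNS-only; this is the record Cloudflare hands to the SaaS provider.
# Record 2: the real hostname points at the temporary hostname, proxied, so it
#           stays in your own zone with your own settings applied.
workaround_payloads() {
  build_cname "$1" "$3" false; printf '\n'
  build_cname "$2" "$1" true;  printf '\n'
}

# Only talk to the API when credentials are supplied; otherwise just stay offline.
if [ -n "${CF_API_TOKEN:-}" ] && [ -n "${ZONE_ID:-}" ]; then
  workaround_payloads tmp.example.com blog.example.com example.ghost.io |
  while IFS= read -r body; do
    create_record "$ZONE_ID" "$body"; printf '\n'
  done
fi
```

To confirm that the real hostname is actually being proxied, resolve it from outside: `dig +short blog.example.com` should return Cloudflare anycast A records rather than a CNAME chain, because a proxied record is answered with Cloudflare's own addresses. That check shows the hostname is proxied, but not by whose zone, so the only reliable sign that the record is back under your control is that its settings (security level, certificate, access rules) are editable in your own dashboard again.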

Conclusion

Cloudflare will gladly delegate any of your hostnames that point at a SaaS provider hosted on their platform. Admittedly, I am on their free plan, but I really doubt their response would have been different had I been a paying customer. Unfortunately, there isn't really an alternative to Cloudflare, and they know that. I am one of Cloudflare's biggest advocates; I really believe in what they are doing for the internet and the tech community in general. Let's hope they don't end up like other companies whose motto was "do no evil".

I doubt this trick will keep working for long. If it's really true that they don't support "double clouding", this setup certainly achieves it. When they close that loophole, I will have to spin up my own VMs to do the reverse proxying in order to keep my subdomain from being delegated.