Cloudflare and other reverse proxies provide benefits like DDoS protection, caching, and improved performance for websites. However, certain cPanel service subdomains should not be proxied through Cloudflare because doing so can interfere with authentication, encryption, and direct server communication.
Subdomains That Should Not Be Proxied
The following cPanel service subdomains should be set to DNS-only ("grey cloud") in Cloudflare or excluded from other reverse proxies:
- cpanel.yourdomain.tld – Access to the cPanel control panel
- whm.yourdomain.tld – Access to WHM (Web Host Manager) for reseller and server management
- webmail.yourdomain.tld – Access to Webmail for checking emails online
- ftp.yourdomain.tld – Used for FTP connections (File Transfer Protocol)
- webdisk.yourdomain.tld – Used for Web Disk (WebDAV) file management
- autodiscover.yourdomain.tld – Used for automatic email client configuration
- autoconfig.yourdomain.tld – Also used for email client configuration
- cpcalendars.yourdomain.tld – Used for calendar synchronization
- cpcontacts.yourdomain.tld – Used for contact synchronization
In general, Cloudflare should be enabled only for domains and subdomains on which websites are hosted. No service subdomain should be put behind a reverse proxy.
Why These Subdomains Should Not Be Proxied
1. Authentication Issues
- Many of these services require direct authentication with cPanel. A reverse proxy can block login attempts or cause authentication failures.
2. SSL/TLS Conflicts
- cPanel services use their own SSL certificates, which may not match Cloudflare's proxying setup, leading to SSL errors.
3. Connectivity Problems
- Proxied connections can interfere with protocols like FTP, Web Disk (WebDAV), and AutoDiscovery for email clients, causing them to fail.
4. Performance & Functionality Issues
- Services like Webmail and WHM require direct server connections. Cloudflare’s proxy may add latency or disrupt expected functionality.
Exposure of Server IP Address
Please note: Disabling Cloudflare proxying (setting subdomains to DNS-only) allows others to discover your server's IP address. If this is a concern, consider removing these service subdomains entirely and using the server hostname (e.g., server.hostname.tld) instead to access cPanel, WHM, Webmail, and other services.
How to Check and Disable Cloudflare Proxy for These Subdomains
If your cPanel service subdomains are already using Cloudflare, follow these steps to disable proxying:
Step 1: Log into Cloudflare
- Go to Cloudflare Dashboard and log in.
Step 2: Select Your Domain
- Click on the domain where the subdomains are configured.
Step 3: Open the DNS Settings
- Navigate to the DNS section.
Step 4: Identify cPanel Service Subdomains
- Look for the subdomains listed above (e.g., cpanel, webmail, ftp, etc.).
Step 5: Disable Proxying
- If the subdomain has an orange cloud (proxied), click on it to switch to a grey cloud (DNS-only).
Step 6: Save Changes
- Wait a few minutes for DNS changes to propagate.
For further details on managing Cloudflare DNS settings, you can refer to Cloudflare's official guide: Managing DNS Records in Cloudflare.
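The same check can be run over an exported record list instead of clicking through the dashboard. The script below is an added example, not part of the original article or of Cloudflare's or cPanel's tooling. It assumes records shaped like the Cloudflare API's DNS record objects (name, type, content, proxied); the sample zone is constructed. It reports service subdomains that are still proxied, and which proxied website names have their origin address published by a DNS-only service record.

```python
import json

# The nine cPanel service labels listed in this article.
SERVICE_LABELS = {"cpanel", "whm", "webmail", "ftp", "webdisk",
                  "autodiscover", "autoconfig", "cpcalendars", "cpcontacts"}

def audit_records(records, zone):
    """Return (must_fix, exposed).

    must_fix: service subdomains that are still proxied (orange cloud).
    exposed:  proxied website names whose origin address is also published
              by a DNS-only service record, mapped to those records.
    """
    suffix = "." + zone.lower()
    must_fix, proxied_sites, dns_only = [], [], {}
    for rec in records:
        if rec["type"] not in ("A", "AAAA", "CNAME"):
            continue  # MX, TXT etc. are never proxied
        name = rec["name"].lower().rstrip(".")
        label = name[:-len(suffix)] if name.endswith(suffix) else None
        proxied = rec.get("proxied", False)
        if label in SERVICE_LABELS:
            if proxied:
                must_fix.append(name)
            else:
                dns_only.setdefault(rec["content"], []).append(name)
        elif proxied:
            proxied_sites.append((name, rec["content"]))
    exposed = {site: dns_only[addr]
               for site, addr in proxied_sites if addr in dns_only}
    return sorted(must_fix), exposed

# Constructed sample zone; 203.0.113.10 is a documentation address.
SAMPLE = json.loads("""[
 {"type": "A", "name": "yourdomain.tld", "content": "203.0.113.10", "proxied": true},
 {"type": "A", "name": "www.yourdomain.tld", "content": "203.0.113.10", "proxied": true},
 {"type": "A", "name": "cpanel.yourdomain.tld", "content": "203.0.113.10", "proxied": true},
 {"type": "A", "name": "webmail.yourdomain.tld", "content": "203.0.113.10", "proxied": false},
 {"type": "A", "name": "ftp.yourdomain.tld", "content": "203.0.113.10", "proxied": false},
 {"type": "MX", "name": "yourdomain.tld", "content": "mail.yourdomain.tld", "proxied": false}
]""")

if __name__ == "__main__":
    must_fix, exposed = audit_records(SAMPLE, "yourdomain.tld")
    for name in must_fix:
        print("switch to DNS-only:", name)
    for site, via in exposed.items():
        print(f"origin of {site} is visible via: {', '.join(via)}")
```

An empty second result means no DNS-only service record shares an address with a proxied site in the export.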
Conclusion
To ensure that cPanel services function correctly, always set service subdomains to DNS-only in Cloudflare. This prevents authentication failures, SSL conflicts, and connectivity issues. However, note that this will expose your server's IP address. If this is a concern, consider removing service subdomains and using the server hostname instead. If you encounter problems after making changes, try clearing your DNS cache or waiting for DNS propagation to complete.
Updated by SP on 04/02/2025