Set up a self-managed reverse proxy in Webflow

Updated

Learn how to serve your Webflow content using a reverse proxy.

Reverse proxies let you serve Webflow content under your own domain or a subdirectory. Note that Webflow does not configure or support third‑party proxies and isn’t responsible for processing that occurs upstream of your Webflow origin. For Cloudflare users, Orange‑to‑Orange (O2O) is the recommended traffic routing configuration.

Learn more about using Cloudflare with Webflow.

Before you begin

  • Add a paid Site plan to your Webflow site and connect your domain

  • If you’re in the Cloudflare hosting migration, only change DNS when your Dashboard prompts you. Use the exact DNS values shown in Site settings > Publishing > Production.

  • Create a dedicated Webflow origin subdomain for proxying, e.g., wf.example.com. You’ll point your proxy to this host, not to *.webflow.io.

  • Set the origin subdomain as your default domain in Webflow to avoid unwanted redirects.

    • Setting the origin subdomain as your default domain means it will appear in your auto-generated sitemap. To work around this, add the domain to which your proxy resolves (e.g., example.com) as a custom domain in Webflow before adding the origin subdomain, and do not set a default domain. The first domain added is used in the auto-generated sitemap. Note that this workaround may not behave consistently — we're aware of the issue and working to give customers more control over sitemap domain selection.

Important

Do not reverse proxy *.webflow.io staging subdomains.

Support policy

Our Support team is unable to provide direct help with setup or troubleshooting third-party reverse proxies. If you are on an Enterprise plan and want to set up a third-party reverse proxy, please reach out to our Sales team.

We can help you confirm your Webflow origin responds correctly and share best practices as needed.

How to set up a reverse proxy

To set up a reverse proxy, you’ll first publish your site to a Webflow origin subdomain (e.g., wf.example.com). Your proxy or CDN forwards requests to that origin, preserves the Host header for that origin, and forwards query strings so search and filters work. Avoid proxying the staging domain (*.webflow.io).

Step 1: Create and publish your Webflow origin

  1. Go to Site settings > Publishing > Production

  2. Add wf.example.com as a custom domain

  3. Set wf.example.com as the default domain

  4. Publish and confirm <https://wf.example.com/...> serves your site

Choose a proxy path

Option A: Cloudflare Orange‑to‑Orange (recommended)

O2O lets Cloudflare sit in front of Webflow so you can use Cloudflare features without breaking Webflow hosting. Learn more about using O2O with Webflow.

Note

Cloudflare’s O2O is not a full reverse proxy. It proxies traffic to your Webflow-hosted site at the DNS layer. If you want to reverse proxy to a separate origin subdomain (e.g., wf.example.com) from a different domain/path (e.g., example.com/blog), you may still need to use Cloudflare Workers or another edge function to rewrite paths and forward requests.

You'll need to migrate to cdn.webflow.com and enable O2O:

  1. In Webflow, follow the Dashboard prompt to migrate DNS to Cloudflare by updating the CNAME record(s) (e.g., “www” → “cdn.webflow.com”). Do not change DNS early.

  2. In Cloudflare DNS, switch the records to DNS only to connect and validate SSL first

  3. Wait until Webflow shows SSL: Active for your domain(s)

  4. Re‑enable the Cloudflare proxy and configure O2O with Full (Strict) SSL. No Enterprise or custom certs required.

Key requirements

  • Origin host = your Webflow origin subdomain (e.g., wf.example.com)

  • Preserve query strings and avoid HTML rewriting that changes internal links

  • If you use page rules, Workers, or transforms, ensure they pass the full path and query string to the origin

Option B: NGINX (self‑managed)

Use when you control your own edge. Minimal config when Webflow serves robots and sitemap:

server {
  server_name example.com;
  set $backend "wf.example.com";              # Webflow origin subdomain
  resolver 8.8.8.8 valid=60s;                 # Obey DNS TTLs
  location / {
    proxy_set_header Host $backend;           # Preserve origin Host
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_ssl_server_name on;                 # REQUIRED: send SNI (avoids Cloudflare domain-fronting block)
    proxy_pass https://$backend$request_uri;  # Forwards path + query
    proxy_ignore_headers Cache-Control Expires;
  }
}

If you host robots.txt and sitemap.xml yourself:

location = /robots.txt  { proxy_pass https://app.example.com; }
location = /sitemap.xml { proxy_pass https://app.example.com; }

Do not include a trailing slash in your proxy_pass destination — e.g., use proxy_pass https://$backend$request_uri; instead of https://$backend/

If you set your Webflow origin subdomain as the default domain, the auto-generated robots.txt and sitemap.xml will point to that subdomain. To avoid SEO and crawling issues, you’ll want to host your own robots.txt and sitemap.xml. This is better practice, as you can then use Webflow settings to set a disallow directive for crawling the origin subdomain.

Option C: AWS CloudFront

Use when your edge is on AWS.

Core settings

  • Origin domain: wf.example.com (HTTPS)

  • Cache policy (OLD): include query strings if your site uses search or filters. Not disabling caching on CloudFront will result in a double cache problem –– a Webflow publish purges the Cloudflare cache but not the CloudFront cache, so visitors will continue getting stale content from CloudFront. So it's recommended to disable it.

  • Cache policy (UPDATED): Disable caching on CloudFront. If caching is left enabled, you'll hit a double cache problem. Set the cache behavior to forward all requests (TTL 0) and let Cloudflare handle caching. If your site uses query strings for search or filters, make sure those are forwarded to the origin as well.

  • Origin request policy: forward required headers and query strings to the origin. Add Host if your architecture needs it. Learn more about controlling origin requests with a policy.

Optional

  • Use Lambda@Edge only for advanced routing or header transforms. Start without it.

Note

If you're on an Enterprise plan and using a CDN product (e.g., CloudFront, Fastly) as your reverse proxy, make sure you confirm caching is disabled on that layer or that you have a purge strategy that covers both caches. Check with our Support team for patterns other Enterprise customers use.

Step 3: Subdirectory setups (example.com/blog)

When proxying a path, ensure internal links resolve:

  • Use the Href prefix in Webflow if needed to keep internal links working under /blog

  • Avoid using a <base> tag unless absolutely necessary. It rewrites all relative URLs and will break legacy Webflow Editor login, which requires loading from the Webflow-connected subdomain. Test the legacy Editor and login flows before launch if you're adding the <base> tag.

Step 4: SEO and canonical rules

  • Set a global canonical toward your public site URL to avoid duplicate content during multi‑host or migration periods. Override per‑page if needed.

  • If you briefly publish to multiple hosts, ensure a single canonical target

Step 5: Test and launch checklist

After set up, make sure that:

  • wf.example.com loads and is the default domain in Webflow

  • Proxy returns 200 on root, deep paths, CMS items, and static assets

  • Query strings reach Webflow. Also confirm site search and filtered collections work. For CloudFront, enable query string forwarding.

  • There are no 301/302 loops between proxy and origin

  • The public domain’s SSL certificate is managed at your proxy/CDN. Webflow manages SSL only for hosts pointed to Webflow (your origin subdomain). Follow Cloudflare migration prompts for cdn.webflow.com.

Troubleshooting

Why am I getting infinite redirects?

Usually the Webflow default domain isn’t the origin, or the proxy overwrites Host. Set the Webflow origin subdomain as the default and pass Host: wf.example.com.

Why are there 404s at the origin domain?

You have a Host header mismatch or the site wasn’t published to the origin domain.

My search or filter pages are broken.

Your query strings aren’t being forwarded. Enable query string forwarding in your proxy/CDN policies.

Why does a badge appear when proxying *.webflow.io?

Don’t proxy the staging domain. Publish to a custom subdomain on a paid Site plan instead.

I haven’t migrated to Cloudflare on Webflow yet.

Don’t change DNS until your Webflow Dashboard instructs you. Move to cdn.webflow.com, then enable O2O.

FAQs

Can I proxy *.webflow.io?

No. Reverse proxying your webflow.io staging domain is not supported and violates our Terms of Service.

Many Webflow features only work on custom domains and will not function when traffic is routed through a staging domain. To ensure full compatibility with current and future platform capabilities, always proxy through your custom domain.

Is O2O supported?

Yes. O2O is the supported way to run Cloudflare features in front of Webflow.

Do I need an Enterprise plan to use SSL?

No, not for O2O. Point DNS to cdn.webflow.com when prompted, validate SSL, then turn the Cloudflare proxy back on.

Do I need an Enterprise plan to use AWS CloudFront?

No. Use your Webflow origin subdomain as the origin. Forward query strings and needed headers with cache and origin request policies. Use Lambda@Edge only if required.

Who supports what?

You manage your proxy. We can verify your Webflow origin and share best practices as needed.

Related articles