Use an External CDN in Front of an App Platform App

Validated on 12 Feb 2026 • Last edited on 12 Feb 2026

App Platform is a fully managed Platform-as-a-Service (PaaS) that deploys applications from Git repositories or container images. It automatically builds, deploys, and scales components while handling all underlying infrastructure.

App Platform includes a built-in CDN powered by Cloudflare. For most apps, this built-in CDN is sufficient and does not require any additional configuration. By default, App Platform also manages custom domains and TLS certificates for your app.

If you need advanced customization, such as custom rate limiting, bot filtering, or geographic traffic controls, you can route traffic to your app through an external (third-party) CDN.

When you use an external CDN in front of App Platform:

  • Your custom domain is configured on the CDN, not in App Platform.
  • The CDN forwards traffic to your app using App Platform’s default ingress (<app-name>.ondigitalocean.app).
  • TLS termination happens at the CDN.
  • App Platform does not manage certificates for your custom domain.

Requests to App Platform must use the default ingress hostname. Forwarding a custom Host header or adding the custom domain to App Platform can cause certificate validation and renewal failures.

Configure an External CDN

Step 1: Point Your Custom Domain to the CDN

Create a DNS record (typically a CNAME record) for your custom domain with your DNS provider that points to the hostname provided by your CDN.

If you use DigitalOcean DNS to manage your domain, see How to Create, Edit, and Delete DNS Records for more information.

Warning

Do not add your custom domain in App Platform or point it directly to App Platform.

If the custom domain is added to App Platform:

  • App Platform attempts to validate DNS records for the domain.
  • Validation fails because the domain points to the CDN.
  • Certificate renewal fails.
  • Certificates can expire and cause traffic outages.

Step 2: Configure the CDN Origin

Configure your CDN to forward traffic to your App Platform app using the app’s default ingress. The following settings are required:

  • Origin hostname: <app-name>.ondigitalocean.app
  • Protocol: HTTPS
  • Port: 443

Warning

Your CDN must not forward the original Host header of your custom domain to App Platform.

App Platform expects requests to use the default ingress hostname. Forwarding a custom Host header can cause TLS certificate validation to fail and can prevent certificate renewal, resulting in traffic failures.

Step 3: Configure TLS on the CDN

Configure your CDN to issue and manage certificates for your custom domain. When you use an external CDN in front of App Platform, the CDN is responsible for TLS, and App Platform’s managed certificates are not used. Ensure the CDN trusts the certificate presented by App Platform’s default ingress (*.ondigitalocean.app).

CDN-Specific Configuration Settings

The following sections highlight settings that must be configured correctly for popular CDNs. Refer to your CDN provider’s documentation for exact configuration steps.

Cloudflare

  • Set the origin hostname to your App Platform default ingress.
  • Delete or disable host header overrides in your Origin Rules.
  • Use Full or Full (strict) TLS mode.
  • Ensure that your custom domain’s DNS record is proxied (orange-clouded), so that Origin Rules and TLS settings apply.

For more information, see the Cloudflare article Origin Rules.

Fastly

  • Configure the backend host as the App Platform default ingress.
  • Do not override the Host header in VCL or in the backend configuration. Fastly’s override host option rewrites the Host header sent to the origin.

For more information, see the Fastly article Specifying an override host.

Amazon CloudFront

  • Set the origin domain name to the App Platform default ingress.
  • Do not configure custom origin headers for Host. CloudFront does not allow Host as a custom origin header in its configuration UI or API, and it defaults to using the value of the origin domain name.
  • If you need CloudFront to forward headers (for example, for caching based on headers), you must set up Origin Request Policies, but do not override Host.

For more information, see the Amazon CloudFront article Add custom headers to origin requests.

Akamai

  • Configure the origin hostname as the App Platform default ingress.
  • Configure Akamai’s origin behavior so that the Host header sent to origin is the same as the origin hostname (instead of the client’s custom domain). In Property Manager terms, this means setting forwardHostHeader to ORIGIN_HOSTNAME.
  • Ensure the original Host header is not forwarded.

For more information, see the Akamai reference article origin.
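
The Step 2 origin requirements (default ingress hostname, HTTPS on port 443, no client Host header forwarded) can be checked automatically against an exported Akamai rule tree before a property is activated. The following is an added example, not code from DigitalOcean or Akamai. The rule tree is constructed, example-app is a placeholder app name, and the rules/behaviors/children layout and the hostname, httpsPort and REQUEST_HOST_HEADER names are assumptions about Akamai's Property Manager JSON; only forwardHostHeader and ORIGIN_HOSTNAME come from this page.

```python
import json

INGRESS_SUFFIX = ".ondigitalocean.app"

# Constructed sample rule tree (not a real property). The default rule is
# configured as this page requires; the child rule reintroduces the failure
# mode by forwarding the client's Host header to App Platform.
SAMPLE_RULE_TREE = json.loads("""
{"rules": {"name": "default",
  "behaviors": [{"name": "origin", "options": {
      "originType": "CUSTOMER", "hostname": "example-app.ondigitalocean.app",
      "forwardHostHeader": "ORIGIN_HOSTNAME", "httpsPort": 443}}],
  "children": [{"name": "api",
    "behaviors": [{"name": "origin", "options": {
        "originType": "CUSTOMER", "hostname": "example-app.ondigitalocean.app",
        "forwardHostHeader": "REQUEST_HOST_HEADER", "httpsPort": 443}}],
    "children": []}]}}
""")


def iter_origins(rule, path=""):
    """Yield (rule_path, options) for every origin behavior, depth first."""
    here = f"{path}/{rule.get('name', '?')}"
    for behavior in rule.get("behaviors", []):
        if behavior.get("name") == "origin":
            yield here, behavior.get("options", {})
    for child in rule.get("children", []):
        yield from iter_origins(child, here)


def audit(rule_tree):
    """Return (rule_path, problem) pairs for origins that break the Step 2 rules."""
    findings = []
    for path, opts in iter_origins(rule_tree["rules"]):
        host = opts.get("hostname", "").lower()
        fwd, port = opts.get("forwardHostHeader"), opts.get("httpsPort")
        if not host.endswith(INGRESS_SUFFIX):
            findings.append((path, f"origin hostname {host!r} is not the default ingress"))
        if fwd != "ORIGIN_HOSTNAME":
            findings.append((path, f"forwardHostHeader is {fwd!r}, expected 'ORIGIN_HOSTNAME'"))
        if port is not None and port != 443:
            findings.append((path, f"httpsPort is {port}, expected 443"))
    return findings


if __name__ == "__main__":
    for path, problem in audit(SAMPLE_RULE_TREE):
        print(f"{path}: {problem}")
```

Child rules are walked because an origin behavior in a nested rule overrides the default rule for matching requests, so a correct default rule alone does not show that every path reaches App Platform with the right Host header.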

KeyCDN

  • Set the Origin URL to the App Platform default ingress.
  • Disable Forward Host Header in KeyCDN’s pull zone settings so that KeyCDN uses the origin hostname for requests to App Platform.

For more information, see the KeyCDN article Pull Zone Settings.

Bunny CDN

  • Set the origin hostname to the App Platform default ingress.
  • Do not set a custom Host header in the pull zone configuration, as it overrides the origin hostname (the App Platform default ingress).

For more information, see the Bunny CDN article Quickstart.
