Can I use a proxy on top of my Vercel Deployment?

General information about using an external proxy to serve a Vercel Deployment.
Last updated on July 11, 2024
Build, Deployment & Git

Vercel offers native support for using a reverse proxy through rewrites and our Edge Network is both a Content Delivery Network (CDN) and a globally distributed platform for running compute in regions around the globe.

While it is possible to stack an external proxy or load balancer in front of Vercel, this guide outlines some of the downsides and risks to be aware of.

You might consider placing another proxy in front of Vercel to theoretically allow for multiple layers of protection against malicious actors, or multiple layers of routing rules.

However, we do not recommend this approach. The biggest disadvantage is that Vercel no longer has full traffic visibility, which prevents the Vercel Firewall and our threat intelligence products from working to their full potential. This includes our ability to automatically challenge requests, prevent DDoS attacks, and more.

Adding another proxy in front of Vercel will also decrease the performance of your site. Traffic must be routed through two different networks. This means there's additional processing and connection overhead before going back to your origin.

Please proceed with caution. If you decide to deploy your own proxy solution, it is critical that you are aware of the following complications and details.

Vercel implements multiple technologies as part of our Edge Network to guarantee the performance and reachability of all hosted apps. It is important to understand that using your own proxy will affect the performance of your deployments by introducing additional latency, especially if your proxy is not globally available.

Vercel also ensures that when global Internet infrastructure problems occur, for example, a fiber cable is cut, we can deploy mitigation strategies automatically. An example is traffic re-routing: If a region is experiencing problems, we can redirect traffic to another location without action needed from your team.

Using your own proxy can decrease the level of reliability since you are introducing a piece of infrastructure that Vercel does not manage. If a problem happens in your proxy that causes downtime, Vercel cannot deploy any mitigations and intervention by your team may be required.

A third party proxy, when used with Vercel, can introduce two caching layers: one at the third party and one at Vercel. This can result in incorrect data being sent to visitors.

When you push a new deployment to Vercel, our platform will purge the existing cache across all of our regions automatically. You will need to ensure that your proxy is also respecting this behaviour, and purging its own proxy cache after each deployment.

You should also ensure the following path is never cached:

https://<YOUR_DOMAIN>/.well-known/vercel/*

Otherwise, your users may experience stale content, mixed assets, challenge mode issues and other unexpected behaviour.

Vercel provides DDoS mitigation to all customers. Most proxies use a single IP address to connect to our systems, so if we detect an anomaly in requests coming from a single source, the IP can get banned for a period of time ranging from a few minutes to days.

You must ensure that any traffic mitigation measures, such as DDoS protection, rate limiting or throttling are implemented within your third party proxy, to prevent this traffic from being subsequently routed to Vercel, resulting in your proxy IP address(es) being blocked from accessing Vercel.

For Enterprise customers, please contact us for advanced security needs.

Vercel allows for custom routing based on user’s geolocation and IP addresses.

Using a proxy will send all traffic through the proxy first, then to Vercel. This will result in incorrect geolocation data being presented and the public IP address of your proxy being sent.

Enterprise customers can purchase and enable Trusted Proxy to override this behavior. If you're interested, please contact us for more details.

Vercel automatically provisions SSL certificates and checks to make sure that any custom domain are configured correctly. Using a proxy can impact this traffic. This may result in incorrect domain configuration alerts and prevent our Let’s Encrypt SSL certificates from being provisioned.

To allow this traffic to pass correctly, you must ensure your proxy does not block or automatically redirect traffic on the following HTTP wildcard path:

http://<YOUR_DOMAIN>/.well-known/acme-challenge/*

You must also ensure that the HOST header is correctly forwarded, otherwise the request will also fail. Certain proxy providers such as Cloudflare automatically configure these rules for you, but creating additional rules may block this. Learn how to configure Cloudflare with Vercel.

Using a proxy introduces complications to your project or deployment that are unrelated to the Vercel platform and therefore we cannot recommend or provide support for issues when using a proxy. All Vercel projects get assigned a vercel.app domain which should be used for troubleshooting to identify and rule out any proxy related problems.

Per our Support Terms, it may be necessary for the team to require you to disable or reconfigure your proxy before we can assist further.

We do not recommend stacking proxies. Please proceed with caution if you are comfortable with the performance and reliability tradeoffs.

Couldn't find the guide you need?