Kinsta
Cloudflare partners with Kinsta to provide Kinsta customers’ websites with Cloudflare’s performance and security benefits.
If you use Kinsta and also have a Cloudflare plan, you can use your own Cloudflare zone to proxy web traffic to your zone first, then Kinsta's (the SaaS Provider) zone second. This configuration option is called Orange-to-Orange (O2O).
O2O's benefits include applying your own Cloudflare zone's services and settings — such as WAF, Bot Management, Waiting Room, and more — on the traffic destined for your Kinsta environment.
For additional detail about how traffic routes when O2O is enabled, refer to How O2O works.
Kinsta customers can enable O2O on any Cloudflare zone plan.
To enable O2O for a specific hostname within a Cloudflare zone, create a Proxied CNAME DNS record with your Kinsta site name as the target. Kinsta’s domain addition setup will walk you through other validation steps.
| Type | Name | Target | Proxy status |
|---|---|---|---|
CNAME | <YOUR_HOSTNAME> | sitename.hosting.kinsta.cloud | Proxied |
When a hostname within your Cloudflare zone has O2O enabled, you assume additional responsibility for the traffic on that hostname because you can now configure various Cloudflare products to affect that traffic. Some of the Cloudflare products compatible with O2O are:
For a full list of compatible products and potential limitations, refer to Product compatibility.
If your own Cloudflare zone is on the Enterprise plan, you have access to the zone hold feature, which is a toggle that prevents your domain name from being created as a zone in a different Cloudflare account. Additionally, if the zone hold is enabled, it prevents the activation of custom hostnames onboarded to Kinsta. Kinsta would receive the following error message for your custom hostname: The hostname is associated with a held zone. Please contact the owner of this domain to have the hold removed.
To successfully activate the custom hostname on Kinsta, the owner of the zone needs to temporarily release the hold. If you are only onboarding a subdomain as a custom hostname to Kinsta, only the subfeature titled Also prevent Subdomains needs to be temporarily disabled.
Once the zone hold is temporarily disabled, follow Kinsta's instructions to refresh the custom hostname and it should activate.
If you are a Kinsta customer and have set up your own Cloudflare zone with O2O enabled on specific hostnames, contact your Cloudflare Account Team or Cloudflare Support for help resolving issues in your own zone.
Cloudflare will consult Kinsta if there are technical issues that Cloudflare cannot resolve.
If you encounter SSL errors when attempting to activate a Cloudflare Managed Certificate, verify if you have a CAA record on your domain name with command dig +short example.com CAA.
If you do have a CAA record, verify that it permits SSL certificates to be issued by the certificate authorities supported by Cloudflare.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark