How can I monitor the origin server?

If your site sits behind Cloudflare or another reverse proxy, a normal uptime check only tells you whether the proxy is reachable, not whether your origin is actually serving fresh content. The proxy can happily return a cached page while your backend is on fire.

To catch that, monitor both layers: the proxy (how visitors reach your site) and the origin directly.

Here are two ways to set that up.

Option 1: a direct hostname for the origin

Works well when your origin has a static IP or a dedicated hostname.

1. Add a DNS A/AAAA record like origin.example.com pointing directly at the origin, with proxying disabled (grey cloud in Cloudflare).
2. Restrict access to that hostname at the firewall level so only Oh Dear's IPs can reach it.
3. Add a new monitor in Oh Dear using origin.example.com.
4. Optional: add a custom header (for example X-OhDear: 1) to make Oh Dear traffic easy to identify in your logs.

Now you have two monitors: the public example.com (through Cloudflare) and origin.example.com (direct). If the first says "up" and the second says "down", you know Cloudflare is serving stale cache while the origin is struggling.

Option 2: a private uptime endpoint

Works well when you can't easily expose a direct hostname.

Expose an endpoint like /oh-dear-uptime on your origin that:

• Requires authentication (HTTP Basic auth or a bearer token)
• Is locked down to Oh Dear's IP addresses at the firewall level
• Bypasses your CDN cache (use a page rule or a Cache-Control: no-store response header)

Then configure the Oh Dear uptime check with the path /oh-dear-uptime and whatever credentials you chose. Custom headers are the clean way to pass auth and identify Oh Dear traffic at the same time.

A note on security

Whichever option you pick, lock the origin path down. An unauthenticated, proxy-bypassing endpoint is exactly the kind of thing attackers look for. Our IP list plus a shared secret header gives you a simple, robust layer of defense.