# How can I monitor the origin server?

If your site sits behind Cloudflare or another reverse proxy, a normal uptime check only tells you whether the proxy is reachable, not whether your origin is actually serving fresh content. The proxy can happily return a cached page while your backend is on fire.

To catch that, monitor both layers: the proxy (how visitors reach your site) **and** the origin directly.

Here are two ways to set that up.

## Option 1: a direct hostname for the origin

Works well when your origin has a static IP or a dedicated hostname.

1. Add a DNS `A`/`AAAA` record like `origin.example.com` pointing directly at the origin, with **proxying disabled** (grey cloud in Cloudflare).
2. Restrict access to that hostname at the firewall level so only [Oh Dear's IPs](/docs/faq/what-ips-does-oh-dear-monitor-from) can reach it.
3. Add a new monitor in Oh Dear using `origin.example.com`.
4. Optional: add a custom header (for example `X-OhDear: 1`) to make Oh Dear traffic easy to identify in your logs.

Now you have two monitors: the public `example.com` (through Cloudflare) and `origin.example.com` (direct). If the first says "up" and the second says "down", you know Cloudflare is serving stale cache while the origin is struggling.

## Option 2: a private uptime endpoint

Works well when you can't easily expose a direct hostname.

Expose an endpoint like `/oh-dear-uptime` on your origin that:

- Requires authentication (HTTP Basic auth or a bearer token)
- Is locked down to [Oh Dear's IP addresses](/docs/faq/what-ips-does-oh-dear-monitor-from) at the firewall level
- Bypasses your CDN cache (use a page rule or a `Cache-Control: no-store` response header)

Then configure the Oh Dear uptime check with the path `/oh-dear-uptime` and whatever credentials you chose. [Custom headers](/docs/features/configure-your-oh-dear-settings-per-monitor#custom-http-headers) are the clean way to pass auth and identify Oh Dear traffic at the same time.
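A minimal origin-side handler for such an endpoint, as an added example (not Oh Dear's own code): it applies the IP allowlist, checks a bearer token in constant time, and marks every response `no-store`. The names `ALLOWED_NETS`, `SHARED_TOKEN` and `backend_ok` are assumptions, and the IP ranges and token are constructed placeholders.

```python
import hmac
import ipaddress

# Constructed placeholder ranges (documentation prefixes); use the monitor's published IPs.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]
# Placeholder secret; load a long random value from configuration in practice.
SHARED_TOKEN = "replace-with-long-random-token"
NO_STORE = [("Cache-Control", "no-store"), ("Content-Type", "text/plain")]

def ip_allowed(client_ip):
    """True only if client_ip parses and falls inside an allowed network."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)

def token_valid(auth_header):
    """Constant-time comparison of the bearer token against the shared secret."""
    scheme, _, token = (auth_header or "").partition(" ")
    return scheme.lower() == "bearer" and hmac.compare_digest(
        token.encode(), SHARED_TOKEN.encode())

def uptime_response(client_ip, auth_header, backend_ok):
    """Return (status, headers, body); every response is marked uncacheable."""
    if not ip_allowed(client_ip):
        return "403 Forbidden", NO_STORE, b"forbidden\n"
    if not token_valid(auth_header):
        return "401 Unauthorized", NO_STORE + [("WWW-Authenticate", "Bearer")], b"unauthorized\n"
    if not backend_ok():  # hypothetical health probe, e.g. a cheap database query
        return "503 Service Unavailable", NO_STORE, b"down\n"
    return "200 OK", NO_STORE, b"ok\n"

def app(environ, start_response, backend_ok=lambda: True):
    """WSGI entry point serving only /oh-dear-uptime."""
    if environ.get("PATH_INFO") != "/oh-dear-uptime":
        start_response("404 Not Found", NO_STORE)
        return [b"not found\n"]
    # REMOTE_ADDR is the TCP peer. If checks arrive through the CDN, it is the
    # proxy's address, so enforce the IP restriction at the firewall instead.
    status, headers, body = uptime_response(
        environ.get("REMOTE_ADDR", ""), environ.get("HTTP_AUTHORIZATION"), backend_ok)
    start_response(status, headers)
    return [body]
```

Returning 503 when `backend_ok` fails is what lets the monitor see a struggling origin instead of a healthy-looking static response.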

## A note on security

Whichever option you pick, lock the origin path down. An unauthenticated, proxy-bypassing endpoint is exactly the kind of thing attackers look for. [Our IP list](/docs/faq/what-ips-does-oh-dear-monitor-from) plus a shared secret header gives you a simple, robust layer of defense.
