Cloudflare acts as a reverse proxy between your visitors and your server, providing CDN caching, DDoS protection, and SSL termination. The free tier is remarkably capable and should be configured for every public-facing server.
Initial Setup
- Create a Cloudflare account at cloudflare.com
- Add your domain and select the Free plan
- Cloudflare scans your existing DNS records
- Update your domain nameservers at your registrar to the ones Cloudflare provides
- Wait for nameserver propagation (usually 1-24 hours)
DNS Configuration
# Key Cloudflare DNS concepts:
# Orange cloud (Proxied) — Traffic goes through Cloudflare (CDN, DDoS, SSL)
# Gray cloud (DNS only) — Direct connection to your server
# Recommended settings:
# A record (yourdomain.com) — Proxied (orange)
# A record (www) — Proxied (orange)
# A record (mail) — DNS only (gray) — the proxy only carries HTTP(S), so mail protocols (SMTP/IMAP) must not be proxied
# MX record — Cannot be proxied (always DNS only)
# CNAME (subdomains) — Proxied for web, DNS only for non-HTTP services
SSL/TLS Configuration
# SSL/TLS mode options:
# Off — No HTTPS (never use this)
# Flexible — HTTPS to Cloudflare, HTTP to your server (avoid: the Cloudflare-to-origin leg is plaintext)
# Full — HTTPS to Cloudflare, HTTPS to your server (self-signed OK)
# Full (Strict) — HTTPS end-to-end with valid certificate (recommended)
# For Full (Strict):
# 1. Install a Let's Encrypt certificate on your server
# 2. Or use a Cloudflare Origin Certificate (free, 15-year validity)
# 3. Set SSL/TLS mode to "Full (strict)" in Cloudflare dashboard
Security Settings
# Recommended security settings:
# Security Level: Medium (or High for sensitive sites)
# Challenge Passage: 30 minutes
# Browser Integrity Check: On
# Always Use HTTPS: On
# Minimum TLS Version: TLS 1.2
# Automatic HTTPS Rewrites: On
# HSTS: Enable with includeSubDomains
# Under Attack Mode:
# Enable temporarily during active DDoS attacks
# Shows a JavaScript challenge page to all visitors
Caching Configuration
# Page Rules for caching (3 free rules):
# 1. Cache static assets aggressively
# URL: yourdomain.com/static/*
# Cache Level: Cache Everything
# Edge Cache TTL: 1 month
# 2. Bypass cache for admin areas
# URL: yourdomain.com/admin/*
# Cache Level: Bypass
# 3. Bypass cache for API endpoints
# URL: yourdomain.com/api/*
# Cache Level: Bypass
Getting Real Visitor IPs
# When proxied through Cloudflare, your server sees a Cloudflare edge IP as the TCP peer
# The real visitor IP is in the CF-Connecting-IP header
# Nginx: restore real IP (the header is only honoured when the peer is inside a
# set_real_ip_from range, so a direct connection cannot spoof it)
# /etc/nginx/conf.d/cloudflare.conf
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
real_ip_header CF-Connecting-IP;
# Add Cloudflare's published IPv6 ranges as well if your origin is reachable over IPv6
Firewall: Allow Only Cloudflare
# If using Cloudflare, restrict direct access to your server: anyone who learns the
# origin IP can otherwise bypass every Cloudflare protection configured above
# Only allow Cloudflare IP ranges to reach ports 80/443
# Get current ranges: https://www.cloudflare.com/ips/ (they change; re-check periodically)
# UFW example:
sudo ufw default deny incoming
sudo ufw allow from 103.21.244.0/22 to any port 80,443 proto tcp
sudo ufw allow from 103.22.200.0/22 to any port 80,443 proto tcp
# ... (add all Cloudflare ranges)
sudo ufw allow ssh   # allow SSH before enabling the firewall so you are not locked out
sudo ufw enable
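The trust decision that the nginx `set_real_ip_from` block and the UFW rules both encode, as an added Python example (not from the original page or from Cloudflare): a function that honours CF-Connecting-IP only when the TCP peer is a Cloudflare edge, plus generators that render the nginx and ufw lines from one range list. The range list is the IPv4 list from this page; the function and variable names are this example's own.

```python
"""Trust CF-Connecting-IP only when the TCP peer is a Cloudflare edge.

Reusable in an application or log-analysis script that sits behind
Cloudflare, mirroring what nginx enforces with set_real_ip_from.
"""
import ipaddress

# IPv4 ranges as listed on this page. Cloudflare publishes the current
# list (including IPv6) at https://www.cloudflare.com/ips/ - refresh it.
CLOUDFLARE_IPV4 = [
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18",
    "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20",
    "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
]
TRUSTED = [ipaddress.ip_network(r) for r in CLOUDFLARE_IPV4]


def is_cloudflare(peer: str) -> bool:
    """True if the TCP peer address falls inside a trusted edge range."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in TRUSTED)


def client_ip(peer: str, headers: dict) -> str:
    """Return the address to log and rate-limit on.

    CF-Connecting-IP is used only when the connection really came through
    Cloudflare; a direct connection carrying a forged header keeps its own
    source address. A malformed header value also falls back to the peer.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    header = lowered.get("cf-connecting-ip")
    if header and is_cloudflare(peer):
        try:
            ipaddress.ip_address(header)  # validate before trusting it
            return header
        except ValueError:
            return peer
    return peer


def render_nginx(ranges=CLOUDFLARE_IPV4) -> str:
    """Emit the body of /etc/nginx/conf.d/cloudflare.conf from the list."""
    lines = [f"set_real_ip_from {r};" for r in ranges]
    return "\n".join(lines + ["real_ip_header CF-Connecting-IP;"])


def render_ufw(ranges=CLOUDFLARE_IPV4) -> list:
    """Emit one ufw allow rule per range for ports 80 and 443."""
    return [f"ufw allow from {r} to any port 80,443 proto tcp" for r in ranges]
```

Feeding the output of `render_ufw()` to the shell replaces the elided "add all Cloudflare ranges" step, and the same list keeps nginx and the firewall in sync.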