Cloudflare: DNS, Proxy and SSL

Cloudflare is one of the most used services alongside a VPS: it manages DNS, acts as a CDN and proxy, protects against DDoS, and offers free SSL.

02. Add Your Domain to Cloudflare

  • Create an account at cloudflare.com
  • Click Add a Site and enter your domain
  • Choose the Free plan (sufficient for almost everything)
  • Cloudflare automatically imports your current DNS records
  • Go to your registrar and change the nameservers to the ones Cloudflare assigns you (e.g., lena.ns.cloudflare.com)
  • Wait for propagation (15 minutes – 24 hours)

03. DNS Records on Cloudflare

Once your domain is on Cloudflare, manage all DNS records from there.

A Records for the VPS

Name   Type   Content     Proxy
@      A      SERVER_IP   ☁️ Proxied (or DNS only)
www    A      SERVER_IP   ☁️ Proxied
mail   A      SERVER_IP   🔘 DNS only

Records used by mail (the MX record and the A record of the mail host it points to) must be set to DNS only (gray cloud), not proxied: Cloudflare's proxy only handles HTTP(S) traffic, not email.

04. Proxy Mode: Proxied vs DNS only

Mode       Icon        What it does
Proxied    ☁️ orange   Traffic passes through Cloudflare: hides your IP, DDoS protection, SSL, CDN
DNS only   ☁️ gray     Just DNS resolution; traffic goes directly to your server

Use Proxied for websites. Use DNS only for SSH, email, and services that require direct connection.

05. SSL with Cloudflare

Cloudflare offers free SSL between the visitor and Cloudflare servers. Go to SSL/TLS in the panel:

Mode            When to use
Off             Never (dangerous)
Flexible        If your server doesn't have SSL installed (not recommended)
Full            Your server has an SSL certificate (even self-signed)
Full (Strict)   Your server has a valid SSL certificate (recommended with Certbot)

Recommended configuration: use Full (Strict) with Certbot installed on your server. See: SSL with Certbot

Always Force HTTPS

In SSL/TLS → Edge Certificates enable:

  • Always Use HTTPS: on
  • Automatic HTTPS Rewrites: on
  • HSTS: evaluate based on your needs

06. DDoS and Bot Protection

Cloudflare provides automatic DDoS protection even on the free plan. You can add rules in Security → WAF:

Block a Specific Country

(ip.geoip.country eq "XX") → Block

Block Specific IPs

Go to Security → Tools → IP Access Rules and add the IPs to block.

Challenge Suspicious Visitors

In Security → Settings set Security Level to Medium or High to enable CAPTCHA on visitors with low reputation.

07. Cache and Performance

In Caching → Configuration:

  • Caching Level: Standard
  • Browser Cache TTL: 4 hours (or more for static sites)

To force a refresh of Cloudflare's cache after a site update:

Go to Caching → Configuration → Purge Cache → Purge Everything

08. Cloudflare and Nginx: Correct Configuration

When traffic passes through Cloudflare, Nginx sees Cloudflare's proxy address as the client; the visitor's real IP is passed in the CF-Connecting-IP header. To log the real IP in Nginx:

```bash
nano /etc/nginx/conf.d/cloudflare-real-ip.conf
```

```nginx
# Cloudflare IP ranges (update periodically from https://www.cloudflare.com/ips/)
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;

# Trust CF-Connecting-IP only on connections coming from the ranges above;
# the header is ignored when anyone else sends it directly to the server.
real_ip_header CF-Connecting-IP;
```

```bash
nginx -t && systemctl reload nginx
```

09. Limit Direct Server Access (Prevent Cloudflare Bypass)

If you want visitors to reach the site only through Cloudflare (never directly at your server's IP):

```nginx
# Block in Nginx everything except Cloudflare IPs
# (update the list from https://www.cloudflare.com/ips/ and include the IPv6 ranges too).
# Note: if the realip snippet above is active, allow/deny already see the visitor's
# rewritten IP rather than Cloudflare's; in that case check $realip_remote_addr
# instead, or filter at the firewall.
location / {
    allow 103.21.244.0/22;
    allow 103.22.200.0/22;
    # ... all Cloudflare IPs ...
    deny all;
}
```
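The two snippets above are only as good as the IP list they carry, and they interact: once realip has rewritten the client address, an allow/deny list compared against Cloudflare's ranges denies everyone. As an added example, not part of the DeluxHost page or any Cloudflare tooling, this POSIX shell script regenerates both files from the plain-text lists Cloudflare publishes (ips-v4, ips-v6), filters out anything that is not a CIDR prefix, and keys the bypass check off $realip_remote_addr so it works alongside the realip snippet. The output paths, the $from_cloudflare variable name and the --apply flag are assumptions.

```shell
#!/bin/sh
# Regenerate both Nginx snippets from Cloudflare's published ranges so the
# lists never go stale. Output paths are assumptions, not DeluxHost defaults.
CF_V4_URL="https://www.cloudflare.com/ips-v4"
CF_V6_URL="https://www.cloudflare.com/ips-v6"
REALIP_CONF="/etc/nginx/conf.d/cloudflare-real-ip.conf"
GEO_CONF="/etc/nginx/conf.d/cloudflare-only.conf"

# Keep only lines shaped like IPv4/IPv6 CIDR prefixes. An HTML error page or
# an empty response must never end up in a trusted-proxy list.
filter_cidrs() {
  grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$|^[0-9a-fA-F:]+/[0-9]{1,3}$'
}

# realip snippet: trust CF-Connecting-IP only from the ranges read on stdin.
render_realip_conf() {
  echo "# Cloudflare ranges, generated $(date -u +%Y-%m-%d); regenerate periodically"
  while read -r cidr; do echo "set_real_ip_from $cidr;"; done
  echo "real_ip_header CF-Connecting-IP;"
}

# geo snippet: classify the ORIGINAL peer address, because after realip runs
# $remote_addr (and therefore allow/deny) already holds the visitor's IP.
# Enforce it with `if ($from_cloudflare = 0) { return 403; }` in the server block.
render_geo_conf() {
  echo "geo \$realip_remote_addr \$from_cloudflare {"
  echo "    default 0;"
  while read -r cidr; do echo "    $cidr 1;"; done
  echo "}"
}

fetch_ranges() {
  { curl -fsS "$CF_V4_URL"; echo; curl -fsS "$CF_V6_URL"; echo; } | filter_cidrs
}

main() {
  ranges=$(fetch_ranges)
  [ -n "$ranges" ] || { echo "no Cloudflare ranges fetched; Nginx left untouched" >&2; exit 1; }
  printf '%s\n' "$ranges" | render_realip_conf > "$REALIP_CONF"
  printf '%s\n' "$ranges" | render_geo_conf > "$GEO_CONF"
  nginx -t && systemctl reload nginx
}

# Only write files and reload when explicitly asked, so the render functions
# can be sourced and checked against sample input without touching Nginx.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it as `sh cloudflare-ranges.sh --apply` from a cron job or a systemd timer; an empty or malformed download aborts before any file is written.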

10. Subdomains and Useful Records

Record       Type    Use
@            A       Main domain
www          CNAME   @ (or a direct A record)
mail         A       Email server (DNS only)
_dmarc       TXT     DMARC record
@            TXT     SPF record
_domainkey   TXT     DKIM record

DeluxHost, founded in 2023, offers high-quality hosting solutions for a range of digital needs. We offer shared hosting, VPS and dedicated servers with advanced security and global data centers.

© DeluxHost, All rights reserved. | VAT ID: IT17734661006