Cloudflare Setup Guide: DNS, SSL, CDN, and Security


Prerequisites

  • A registered domain name
  • Access to your domain registrar's DNS settings

Quick Answer: Go to dash.cloudflare.com → Add Site → enter your domain → select Free plan → Cloudflare gives you two nameservers → change your domain's nameservers at your registrar → wait for propagation (5 min to 24 hours). Once active, set SSL/TLS to Full (Strict) and enable Always Use HTTPS.


Step 1: Add Your Domain

  1. Go to dash.cloudflare.com
  2. Click Add a site
  3. Enter your domain (e.g., example.com)
  4. Select the Free plan (sufficient for most sites)
  5. Cloudflare scans your existing DNS records

Step 2: Update Nameservers

Cloudflare gives you two nameservers like:

ns1.cloudflare.com
ns2.cloudflare.com

Go to your domain registrar (GoDaddy, Namecheap, Squarespace Domains, etc.) and change the nameservers to the ones Cloudflare provided.

Propagation takes 5 minutes to 24 hours. Cloudflare sends you an email when it is active.

Step 3: DNS Records

Essential Records

Type | Name | Value               | Proxy
-----|------|---------------------|----------------------
A    | @    | Your server IP      | Orange cloud ON
A    | www  | Your server IP      | Orange cloud ON
AAAA | @    | IPv6 (if available) | Orange cloud ON
MX   | @    | Your mail server    | Grey cloud (DNS only)
TXT  | @    | SPF record          | Grey cloud (DNS only)

Proxy Status (Orange vs Grey Cloud)

                | Orange Cloud (Proxied)    | Grey Cloud (DNS Only)
----------------|---------------------------|-------------------------------
Traffic goes    | through Cloudflare CDN    | directly to your server
Hides server IP | Yes                       | No
CDN caching     | Yes                       | No
DDoS protection | Yes                       | No
Use for         | Web traffic (HTTP/HTTPS)  | Email (MX), SSH, FTP, non-HTTP

Rule: Orange cloud for web traffic, grey cloud for everything else.
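The orange/grey rule above is easy to get wrong on a zone with more than a handful of records, and "hides server IP" only holds if no DNS-only record points at the same address. The following is an added example (not code from the guide or from Cloudflare) that builds the essential records as dicts using the field names of Cloudflare's DNS records API (type, name, content, proxied, ttl, priority) and then checks the proxy choices. The domain, addresses and hostnames are constructed placeholders.

```python
"""Plan Cloudflare DNS records and check the orange/grey-cloud rule.

Added example; not part of the original guide. The record dicts use the
field names of Cloudflare's DNS records API. The sample domain and IPs are
constructed placeholders (RFC 5737 / RFC 3849 documentation ranges).
"""
import json

# Record types Cloudflare can proxy at all; anything else is DNS-only.
PROXIABLE = {"A", "AAAA", "CNAME"}
# Hostnames that carry non-HTTP traffic and therefore must stay grey cloud.
NON_HTTP_NAMES = {"mail", "smtp", "imap", "ftp", "ssh"}


def record(rtype, name, content, proxied, ttl=1, priority=None):
    """One API-style record. ttl=1 means 'automatic' in Cloudflare's API."""
    rec = {"type": rtype, "name": name, "content": content,
           "proxied": proxied, "ttl": ttl}
    if priority is not None:  # MX records need a priority
        rec["priority"] = priority
    return rec


def plan_records(domain, ipv4, ipv6=None, mail_host=None, spf="v=spf1 -all"):
    """Build the guide's 'Essential Records' table for one zone."""
    recs = [
        record("A", domain, ipv4, True),               # orange: web traffic
        record("A", f"www.{domain}", ipv4, True),      # orange: web traffic
    ]
    if ipv6:
        recs.append(record("AAAA", domain, ipv6, True))
    if mail_host:
        recs.append(record("MX", domain, mail_host, False, ttl=3600, priority=10))
    recs.append(record("TXT", domain, spf, False, ttl=3600))
    return recs


def check_proxy_policy(records):
    """Return a list of human-readable problems with the proxy settings."""
    problems = []
    # Addresses that proxied records are supposed to hide from the public.
    hidden_ips = {r["content"] for r in records
                  if r["proxied"] and r["type"] in ("A", "AAAA")}
    for r in records:
        host = r["name"].split(".")[0]
        label = f"{r['type']} {r['name']}"
        if r["proxied"] and r["type"] not in PROXIABLE:
            problems.append(f"{label}: this type cannot be proxied, set grey cloud")
        elif r["proxied"] and host in NON_HTTP_NAMES:
            problems.append(f"{label}: non-HTTP service, set grey cloud")
        elif (not r["proxied"] and r["type"] in ("A", "AAAA")
              and r["content"] in hidden_ips):
            problems.append(f"{label}: DNS-only record exposes origin IP "
                            f"{r['content']} that proxied records hide")
    return problems


if __name__ == "__main__":
    plan = plan_records("example.com", "203.0.113.10",
                        ipv6="2001:db8::10", mail_host="mail.example.com")
    # A grey-cloud ftp record on the web server's address leaks the origin IP.
    plan.append(record("A", "ftp.example.com", "203.0.113.10", False))
    print(json.dumps(plan, indent=2))
    for problem in check_proxy_policy(plan):
        print("WARNING:", problem)
```

The leak check is the one most guides omit: a single DNS-only `ftp` or `mail` record that resolves to the same address as the proxied `@` record undoes the IP-hiding benefit of the orange cloud, so run mail and file services on a separate address or keep them off the web server entirely.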

Step 4: SSL/TLS Configuration

Navigate to SSL/TLS → Overview.

SSL Modes Explained

Mode          | What happens                                | When to use
--------------|---------------------------------------------|-------------------------------------
Off           | No encryption                               | Never use this
Flexible      | HTTPS to user, HTTP to your server          | Only if your server has NO SSL cert
Full          | HTTPS to user, HTTPS to server (any cert)   | Self-signed cert on server
Full (Strict) | HTTPS to user, HTTPS to server (valid cert) | Let's Encrypt or CA cert on server

Use Full (Strict) whenever possible. It is the only mode in which Cloudflare verifies your origin's certificate; Full accepts any certificate, so it does not protect the Cloudflare-to-origin hop from impersonation, and Flexible sends that hop in plain HTTP. If you cannot get a public CA certificate onto the origin, Cloudflare's free Origin CA certificates (SSL/TLS → Origin Server) are trusted by Cloudflare's edge and work with Full (Strict).

Enable Always HTTPS

SSL/TLS → Edge Certificates → Always Use HTTPS → ON

This redirects all HTTP traffic to HTTPS automatically.

Enable HSTS

SSL/TLS → Edge Certificates → HTTP Strict Transport Security → Enable

Settings:

  • Max-Age: 6 months (15768000 seconds)
  • Include subdomains: Yes
  • Preload: Yes (if you want to submit to browser preload lists)

Before enabling this, make sure every subdomain already serves valid HTTPS: browsers cache the HSTS policy for the full max-age, and a preloaded domain cannot be removed from browser lists quickly, so a subdomain that is HTTP-only becomes unreachable rather than merely insecure.

Minimum TLS Version

SSL/TLS → Edge Certificates → Minimum TLS Version → TLS 1.2

This blocks outdated and insecure TLS versions.

Step 5: Caching

Cache Settings

Caching → Configuration:

  • Browser Cache TTL: 4 hours (or longer for static sites)
  • Crawler Hints: ON
  • Always Online: ON (shows cached version if your server goes down)

Cache Rules

Create rules for static assets:

  1. Caching → Cache Rules → Create Rule
  2. Match: file extension is jpg, png, css, js or woff2
  3. Cache: Eligible for cache
  4. Edge TTL: 7 days
  5. Browser TTL: 1 day

Purge Cache

When you update your site:

Caching → Configuration → Purge Everything

Or purge specific URLs:

Caching → Configuration → Custom Purge → enter URLs

Step 6: Security

WAF (Web Application Firewall)

Security → WAF:

  • Managed Rules: ON (blocks known attack patterns)
  • Rate Limiting: Set up rules for API endpoints

Security Level

Security → Settings:

  • Security Level: Medium (or High if you get attacked)
  • Challenge Passage: 30 minutes
  • Browser Integrity Check: ON

Bot Protection

Security → Bots:

  • Bot Fight Mode: ON (free plan)
  • Blocks known bad bots while allowing good ones (Googlebot, Bingbot)

Block Countries (IP Access Rules)

Security → WAF → Tools → IP Access Rules:

Add rules to block or challenge traffic from specific countries.

Step 7: Performance

Speed Settings

Speed → Optimization:

  • Auto Minify: CSS, JavaScript, HTML → all ON
  • Brotli: ON (better compression than gzip)
  • Early Hints: ON
  • Rocket Loader: Try it ON — if your site breaks, turn it OFF

Image Optimization (Pro plan)

Speed → Optimization → Image:

  • Polish: Lossless or Lossy
  • WebP: ON (serves WebP to supported browsers)

Page Rules (Free Plan: 3 Rules)

Useful free page rules:

Force HTTPS on Everything

  • Match: http://example.com/
  • Setting: Always Use HTTPS

Cache Everything on Static Pages

  • Match: example.com/static/
  • Setting: Cache Level → Cache Everything, Edge TTL: 1 month

Bypass Cache for Admin

  • Match: example.com/admin/
  • Setting: Cache Level → Bypass
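The Cache Rules in Step 5 and the Page Rules above express the same decisions in a form that is hard to review or reproduce across zones. The following added example (not code from the guide or from Cloudflare) writes those three rules as Cloudflare Rules-language expressions together with a local predicate mirroring each expression, so the intended caching outcome can be checked offline against constructed URLs before anything is deployed. The JSON bodies follow the shape I assume for the Rulesets API cache-settings phase (`http_request_cache_settings`, action `set_cache_settings`); confirm the field names against the current API reference before sending them, and confirm the evaluation order in the dashboard, since the simulation here uses first match wins.

```python
"""Cache rules as Rules-language expressions plus an offline simulator.

Added example; not part of the original guide. The rule bodies are the
shape I assume for Cloudflare's Rulesets API (an assumption to verify).
"""
from urllib.parse import urlsplit

STATIC_EXTENSIONS = ["jpg", "png", "css", "js", "woff2"]
DAY = 86400  # seconds


def extension_expression(exts):
    """Rules-language match on the request path's file extension."""
    quoted = " ".join(f'"{e}"' for e in exts)
    return f"(http.request.uri.path.extension in {{{quoted}}})"


def prefix_expression(prefix):
    """Rules-language match on a path prefix such as /admin/."""
    return f'(starts_with(http.request.uri.path, "{prefix}"))'


def cache_rule(description, expression, cache, edge_ttl=None, browser_ttl=None):
    """Assumed API body for one rule in the http_request_cache_settings phase."""
    params = {"cache": cache}
    if cache and edge_ttl is not None:
        params["edge_ttl"] = {"mode": "override_origin", "default": edge_ttl}
    if cache and browser_ttl is not None:
        params["browser_ttl"] = {"mode": "override_origin", "default": browser_ttl}
    return {"description": description, "expression": expression,
            "action": "set_cache_settings", "action_parameters": params}


def path_extension(path):
    """Lower-cased extension of the last path segment, '' if none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


# (API rule body, local predicate mirroring its expression).
# Order matters: bypass comes first so /admin/app.js is never cached.
RULES = [
    (cache_rule("Bypass cache for admin", prefix_expression("/admin/"), False),
     lambda p: p.startswith("/admin/")),
    (cache_rule("Cache everything under /static/", prefix_expression("/static/"),
                True, edge_ttl=30 * DAY),
     lambda p: p.startswith("/static/")),
    (cache_rule("Cache static assets", extension_expression(STATIC_EXTENSIONS),
                True, edge_ttl=7 * DAY, browser_ttl=DAY),
     lambda p: path_extension(p) in STATIC_EXTENSIONS),
]


def decide(url, rules=RULES):
    """Action parameters of the first matching rule, or None when no rule
    applies (the origin's Cache-Control header then decides)."""
    path = urlsplit(url).path
    for body, matches in rules:
        if matches(path):
            return body["action_parameters"]
    return None


def api_bodies(rules=RULES):
    """The rule bodies in deployment order."""
    return [body for body, _ in rules]


if __name__ == "__main__":
    import json
    print(json.dumps({"rules": api_bodies()}, indent=2))
    for u in ("https://example.com/admin/app.js", "https://example.com/logo.png",
              "https://example.com/static/index.html", "https://example.com/about"):
        print(u, "->", decide(u))
```

The interesting case is `/admin/app.js`: by extension it is a cacheable asset, but the admin area must never be served from the shared cache, which is why the bypass rule is listed ahead of the asset rule rather than after it.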

Cloudflare with a Proxy Server (3X-UI)

If you are running a proxy server (VLESS, VMess, etc.) behind Cloudflare:

CDN-Compatible Ports

Cloudflare only proxies these ports:

HTTP: 80, 8080, 8880, 2052, 2082, 2086, 2095

HTTPS: 443, 2053, 2083, 2087, 2096, 8443

Your proxy must listen on one of these ports.

SSL Mode for Proxy

  • Flexible — if your proxy has Security=None (HTTP ports)
  • Full — if your proxy has TLS configured (HTTPS ports)
  • Never use Full (Strict) with self-signed certs

WebSocket Support

Network → WebSockets → ON (required for WebSocket-based proxies)

Disable Problematic Features

For proxy traffic:

  • Security Level: Essentially Off
  • Browser Integrity Check: OFF
  • Rocket Loader: OFF

See our 3X-UI Panel Setup Guide for detailed CDN configuration.

Troubleshooting

Problem                              | Fix
-------------------------------------|----------------------------------------------------------------
Site shows Cloudflare error 521      | Your server is down or is blocking Cloudflare IPs
Error 522 (connection timed out)     | Server too slow to respond; check server health
Error 523 (origin unreachable)       | DNS A record points to the wrong IP
Error 525 (SSL handshake failed)     | SSL mode mismatch; use Full, not Full (Strict), with a self-signed cert
Error 526 (invalid SSL cert)         | Your server cert is expired or invalid
Site loads but looks broken          | Purge cache; check whether Rocket Loader is breaking JS
Real IP not showing in logs          | Restore it from the CF-Connecting-IP header (Nginx real_ip module below; on Apache use mod_remoteip, as mod_cloudflare is deprecated)

Restore Real Visitor IP (Nginx)

# Add to the http {} block of nginx.conf (needs ngx_http_realip_module).
# Only peers inside these ranges are trusted to set CF-Connecting-IP, so a
# client that reaches the origin directly cannot spoof its address by
# sending the header itself. The ranges change occasionally: refresh them
# from https://www.cloudflare.com/ips/ when you deploy.
# IPv4
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
# IPv6 (needed if the origin has an AAAA record)
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;
real_ip_header CF-Connecting-IP;
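The reason the Nginx snippet pairs `set_real_ip_from` with `real_ip_header` is that CF-Connecting-IP is just a request header: anyone who can reach the origin directly can send it with any value. The following added example (not code from the guide or from Cloudflare) re-implements that trust decision in Python using the same published ranges, and runs it over constructed requests so you can see a spoofed header being ignored and a direct-to-origin hit being counted. Seeing `direct` requests in such an audit is the signal that the origin's firewall still admits non-Cloudflare traffic, which also means the WAF and rate limits from Step 6 are being bypassed.

```python
"""Honour CF-Connecting-IP only when the TCP peer is a Cloudflare edge.

Added example; not part of the original guide. Mirrors what nginx's
set_real_ip_from / real_ip_header pair does. The ranges are Cloudflare's
published list (https://www.cloudflare.com/ips/); the sample peers,
client addresses and headers below are constructed for this example.
"""
import ipaddress

CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]


def from_cloudflare(peer_ip):
    """True if the TCP peer address belongs to a Cloudflare edge range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def real_client_ip(peer_ip, headers):
    """Return (client_ip, trusted).

    The header value is used only when the peer is Cloudflare and the value
    parses as an IP address; otherwise the peer address itself is logged."""
    claimed = headers.get("CF-Connecting-IP")
    if claimed and from_cloudflare(peer_ip):
        try:
            return str(ipaddress.ip_address(claimed)), True
        except ValueError:
            pass  # malformed header from an edge: fall back to the peer address
    return peer_ip, False


# Constructed sample: (peer address seen on the socket, request headers).
SAMPLE_REQUESTS = [
    ("104.16.1.2", {"CF-Connecting-IP": "198.51.100.7"}),   # genuine edge
    ("203.0.113.9", {"CF-Connecting-IP": "10.0.0.1"}),      # spoofed header
    ("203.0.113.9", {}),                                    # direct origin hit
    ("172.70.1.1", {"CF-Connecting-IP": "not-an-ip"}),      # edge, bad value
]


def audit(requests):
    """Count traffic that arrived via Cloudflare, bypassed it entirely, and
    bypass attempts that carried a forged CF-Connecting-IP header."""
    summary = {"via_cloudflare": 0, "direct": 0, "spoofed_header": 0}
    for peer, headers in requests:
        if from_cloudflare(peer):
            summary["via_cloudflare"] += 1
        else:
            summary["direct"] += 1
            if "CF-Connecting-IP" in headers:
                summary["spoofed_header"] += 1
    return summary


if __name__ == "__main__":
    for peer, headers in SAMPLE_REQUESTS:
        print(peer, headers, "->", real_client_ip(peer, headers))
    print(audit(SAMPLE_REQUESTS))
```

If the audit ever reports `direct` traffic, fix it at the network layer by allowing ports 80 and 443 only from the same ranges (or by using a Cloudflare Tunnel so the origin listens on no public port at all); restoring the real IP in logs is only meaningful once direct access is closed.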
