Cloudflare Tutorial & Review
If you have already read my post on understanding DNS, then you know that I use Cloudflare on all of my sites. The reason I like Cloudflare so much is that they are much more than a DNS provider. Not only do they provide far more value than typical DNS providers, they also have a free plan that includes about 95% of the features you could ever want. Here is a list of the functionality that I think makes Cloudflare a no-brainer:
Valuable Cloudflare Features
- DNS Provider
- CDN (Content Delivery Network)
- DDoS Attack Protection
- IP Abstraction
- FREE SSL
Cloudflare approached the problem of slow websites from a completely different vantage point, and it was a stroke of genius. When content delivery networks first came out, implementation was a huge PITA. There were so many barriers to entry:
- How did you get your latest content (images, code, etc.) up to the CDN during your publishing process?
- If you figured that out, how did you get your site to reference a different subdomain, where you would have to host those files?
Most of the time a relative path is used for images, which will not work if you are trying to reference images hosted on a subdomain. Along comes Cloudflare, and they decide to attack the problem at the DNS level... GENIUS! Attacking it at the DNS level means Cloudflare sits in front of your server and can serve cached content itself, which:
- Saves you bandwidth from your hosting provider
- Keeps the user from wasting time waiting for your server to return content
Cloudflare has an intuitive, user-friendly process for setting up new sites. They ask you to enter your site's domain, then scan the existing DNS servers to find your existing records. This makes migration from a different provider much easier.
If you are migrating, though, you need to double and then triple check the records that Cloudflare finds. There is no guarantee that they will find everything, and a missing record can cause problems such as:
- Email no longer being delivered
- FTP access is lost
- Images hosted on a separate domain are no longer rendering
- Redirects you had in place from previous domains stop working
The list goes on, but I think you get the point. Migrating your DNS is typically a pretty simple process, but it needs to be thoroughly thought out, not just performed willy-nilly.
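To make the double- and triple-checking concrete, here is a small Python script (an added example, not part of the original post and not Cloudflare's tooling) that compares the zone export from your old provider against the records Cloudflare's scan found, after normalizing case, trailing dots and relative names, and reports what is missing along with what that gap would break. The records, the zone name example.com and the CDN target are constructed samples; how you load a real export from your provider is up to you.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Record:
    rtype: str                       # A, AAAA, CNAME, MX, TXT, SRV, ...
    name: str                        # "@", "www", or a fully qualified name
    content: str                     # IP address, target hostname, or text
    priority: Optional[int] = None   # MX/SRV only


# Types whose content is a hostname, so case and a trailing dot are not significant
HOSTNAME_TYPES = {"CNAME", "MX", "NS", "SRV"}


def relative_name(name: str, zone: str) -> str:
    """Turn 'WWW.example.com.' into 'www' and the zone apex (or '') into '@'."""
    n = name.strip().lower().rstrip(".")
    z = zone.strip().lower().rstrip(".")
    if n in ("", "@", z):
        return "@"
    if n.endswith("." + z):
        return n[: -len(z) - 1]
    return n  # a name outside the zone: compare it as written


def normalize(rec: Record, zone: str) -> Tuple[str, str, str, Optional[int]]:
    """Canonical form of a record so two providers' exports can be compared."""
    rtype = rec.rtype.upper()
    content = rec.content.strip()
    if rtype in HOSTNAME_TYPES:
        content = content.lower().rstrip(".")
    return (rtype, relative_name(rec.name, zone), content, rec.priority)


def missing_records(old_zone: List[Record], scanned: List[Record], zone: str) -> List[Record]:
    """Records from the old provider that Cloudflare's scan did not find."""
    found: Set[Tuple[str, str, str, Optional[int]]] = {normalize(r, zone) for r in scanned}
    return [r for r in old_zone if normalize(r, zone) not in found]


# What each missing record type breaks, matching the failure modes listed above
IMPACT = {
    "MX": "inbound email stops being delivered",
    "TXT": "SPF/DKIM/domain-verification checks fail",
    "A": "the hostname no longer resolves (FTP, control panels, ...)",
    "AAAA": "IPv6 clients can no longer reach the hostname",
    "CNAME": "aliased content (CDN images, hosted services) stops loading",
    "SRV": "service discovery (SIP, XMPP, ...) breaks",
}


def impact_report(missing: List[Record], zone: str) -> List[str]:
    """One human-readable line per missing record."""
    return [
        f"{r.rtype.upper()} {relative_name(r.name, zone)}: {IMPACT.get(r.rtype.upper(), 'unknown impact')}"
        for r in missing
    ]


# Constructed sample: the zone as exported from the previous DNS provider
OLD_ZONE = [
    Record("A", "@", "203.0.113.10"),
    Record("A", "ftp", "203.0.113.10"),
    Record("CNAME", "www", "example.com."),
    Record("CNAME", "cdn", "images-placeholder.s3.amazonaws.com."),
    Record("MX", "@", "mx1.example-mail.net.", 10),
    Record("TXT", "@", "v=spf1 include:example-mail.net -all"),
]

# Constructed sample: what the Cloudflare scan displayed (note the casing and trailing dots)
SCANNED = [
    Record("A", "example.com", "203.0.113.10"),
    Record("CNAME", "WWW.example.com.", "example.com"),
    Record("MX", "example.com.", "MX1.example-mail.net", 10),
    Record("TXT", "example.com", "v=spf1 include:example-mail.net -all"),
]

if __name__ == "__main__":
    for line in impact_report(missing_records(OLD_ZONE, SCANNED, "example.com"), "example.com"):
        print("MISSING:", line)
```

Run it before you switch nameservers, and again after the switch with the records Cloudflare actually serves, since the scan and the final zone can differ.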
CDN | Content Delivery Network
Content delivery networks allow your content to be served to a visitor from the location nearest to where they are making the request. If my server is located in the US, say in San Francisco, and a user makes a request from Japan, then without a CDN it is simply a matter of physics how quickly my content can reach that user. With a CDN that has a server in Japan as well, that user receives my content from a server that is MUCH closer to them, which increases the speed at which they can view it and makes for a better user experience.
This also helps with bandwidth considerations at your hosting provider. If you have a limited amount of bandwidth, or have to pay for the bandwidth you use, this can potentially save you a significant amount of money.
DDoS Attack Prevention
If you aren't familiar with what a DDoS attack is, you can read more about it here. DDoS stands for Distributed Denial of Service. In essence, a DDoS attack is just a very large volume of requests sent to your server in an attempt to overload it, preventing real traffic from getting to your site.
In this day and age, whether it's a competitor trying to bring down your site or a script kiddie just being a jerk, the opportunity for someone to conduct, or just pay someone to perform, a DDoS attack on your site is WAY too easy. For as little as $20, you can literally get someone to kick off one of these attacks for you. So don't get caught with your pants down. Make sure you use a service like Cloudflare to protect your sites!
IP Abstraction & Obfuscation
This feature is a by-product of Cloudflare handling all incoming requests. Since Cloudflare may serve your visitors cached content, every request goes through one of their load balancers, so your domain has to resolve to an IP that one of those load balancers is hosted on. As a result, a Cloudflare IP is returned instead of the host's actual IP when you have Cloudflare's content delivery service enabled. This is great for protecting the privacy of your server's IP address.
There are a few reasons you might want to hide your server's IP address:
- Protect it from hackers
- Obfuscate PBNs
- Hide Ownership of Site
Whatever your reason, having your site behind Cloudflare's load balancers and IPs provides great privacy and protection.
As I stated before, if you are in the SEO space, then you are aware that if you are going to try to rank a money site, you should have it on https. Once again, since Cloudflare sits between the client request and your server, they are able to provide what's called "Flexible SSL". This means that traffic is encrypted between the visitor and Cloudflare's servers, but Cloudflare then sends the request to your server over plain http (port 80), which is insecure. So this doesn't guarantee 100% secure communication. The good thing is that most of the time a man-in-the-middle attack occurs by a hacker intercepting the data going to and from the client, not data being transferred from server to server.
Here is a diagram of how flexible SSL works
*This is also why you don't want to set your site's location as https:// if you are using Cloudflare Flexible SSL: traffic still arrives at your server on port 80, not port 443. Once you have this configured you will need to install a plugin for WordPress that Cloudflare developed, because of a redirect loop that otherwise occurs. You can find it here.
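The redirect loop mentioned above is worth seeing in code. The Python below is an added example, not the Cloudflare plugin and not code from the post: it models Flexible SSL (TLS terminated at Cloudflare's edge, plain http on port 80 to the origin, the visitor's real scheme passed along in the CF-Visitor and X-Forwarded-Proto headers) and shows why an origin that only looks at its own socket redirects forever, while one that reads the forwarded scheme serves the page. The IP range is a constructed placeholder standing in for Cloudflare's published list; the peer check is there because those headers are only trustworthy when the connection really comes from Cloudflare.

```python
import ipaddress
import json
from typing import Callable, Dict, Tuple

# PLACEHOLDER range, constructed for this example. In production load the list Cloudflare
# publishes at https://www.cloudflare.com/ips-v4 (and /ips-v6) and refresh it periodically.
CLOUDFLARE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def is_cloudflare_peer(peer_ip: str) -> bool:
    """True when the TCP connection to the origin comes from a Cloudflare edge address."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def visitor_scheme(peer_ip: str, socket_scheme: str, headers: Dict[str, str]) -> str:
    """The scheme the visitor really used.

    Under Flexible SSL the socket the origin sees is always plain http; Cloudflare reports
    the visitor's scheme in CF-Visitor (JSON) and X-Forwarded-Proto. Those headers are only
    honoured when the peer is Cloudflare, because anyone else connecting directly could forge them.
    """
    if not is_cloudflare_peer(peer_ip):
        return socket_scheme
    lower = {k.lower(): v for k, v in headers.items()}
    if "cf-visitor" in lower:
        try:
            return json.loads(lower["cf-visitor"]).get("scheme", socket_scheme)
        except (ValueError, AttributeError):
            pass  # malformed header: fall through to X-Forwarded-Proto
    return lower.get("x-forwarded-proto", socket_scheme)


# An origin policy takes (peer_ip, socket_scheme, headers) and returns "serve" or "redirect"
Origin = Callable[[str, str, Dict[str, str]], str]


def naive_origin(peer_ip: str, socket_scheme: str, headers: Dict[str, str]) -> str:
    """A 'force https' policy that only looks at its own socket, which is what a WordPress
    site does when its URL is set to https:// without the Cloudflare plugin."""
    return "serve" if socket_scheme == "https" else "redirect"


def aware_origin(peer_ip: str, socket_scheme: str, headers: Dict[str, str]) -> str:
    """The same policy, decided on the visitor's scheme instead of the socket's."""
    return "serve" if visitor_scheme(peer_ip, socket_scheme, headers) == "https" else "redirect"


EDGE_IP = "198.51.100.7"  # constructed: an address inside the placeholder range above


def simulate_flexible_ssl(origin: Origin, visitor_https: bool, max_hops: int = 5) -> Tuple[str, int]:
    """Model of Flexible SSL: the edge terminates TLS, forwards every request to the origin
    over http on port 80 and passes the visitor's scheme along in headers. A redirect to
    https:// sends the visitor back to the edge, which fetches from the origin again."""
    scheme = "https" if visitor_https else "http"
    for hop in range(1, max_hops + 1):
        headers = {"X-Forwarded-Proto": scheme, "CF-Visitor": json.dumps({"scheme": scheme})}
        if origin(EDGE_IP, "http", headers) == "serve":
            return ("served", hop)
        scheme = "https"  # the 301 points at https://, so the next hop is TLS to the edge
    return ("loop", max_hops)


if __name__ == "__main__":
    print("naive origin, https visitor:", simulate_flexible_ssl(naive_origin, True))
    print("aware origin, https visitor:", simulate_flexible_ssl(aware_origin, True))
    print("aware origin, http visitor: ", simulate_flexible_ssl(aware_origin, False))
```

The same peer check matters for anything else you derive from Cloudflare headers, such as the visitor's address in CF-Connecting-IP: if the origin accepts connections from the whole internet, a header-based decision is only as good as the list of addresses you trust to set it.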
Setting Up A New Site In Cloudflare
Now that we understand all of the features Cloudflare offers, let's go over step by step how to add your site to Cloudflare and how to configure it.
*Pro Tip: Each ACCOUNT is given its own set of nameservers. So if you are using this for PBNs, you will want a separate Cloudflare account for each, or else you risk creating a very large footprint.
Once you click sign up you will be prompted to enter a unique email address to create your new account, as well as a password of your choosing. Since this is a DNS provider, and this could be a brand new domain, they will NOT make you verify your email address before you can set up the account. So the email address you enter does not have to actually exist.
*Think PBN, and not wanting to have to set up an email service
Next you will be prompted to enter your domain name. Enter your root domain (example.com instead of www.example.com), and Cloudflare will start scanning your current nameservers for DNS records.
*Hacker Tip: Want to know all of the DNS records of one of your competitor's sites, to see if there is any additional info you can learn? Put your competitor's site in here, and Cloudflare will perform the scan as if you were going to manage their DNS. Then you will have a list of all the DNS records Cloudflare could find.
Cloudflare will show you a quick video going over how their system works, and after that you can continue on to the setup process.
*I have tried to get around this wait period by browsing directly to the account setup page to avoid the extra 60 seconds or so, but it appears they have some sort of flag set not to allow you to move forward until the scan is complete.
As you can see below, Cloudflare has found a bunch of the DNS records that Namecheap sets by default when you purchase a domain. If I want to keep my email forwarding at Namecheap, then I will leave all of the MX records. If not, you can purge them. You will need to either update or remove the A record and the CNAME record so that they point to your server, load balancer, etc.
If you purged the records and are going to use CNAMEs, as I recommend, then you will need to create at least 2 CNAME records: one for the root domain and one for the www version of the site. Even if you do not plan to use the www subdomain, it's good practice to have it in place in case someone types it in manually, since it has been standard for years to put www in front of a domain.
For the root domain, put the @ symbol in the name field and then the location where you want it to point.
For the www record, put www (without quotes) in the name field and then the target hostname.
Automatic TTL: the TTL (time to live) governs how quickly changes to your DNS propagate, since it is how long resolvers may cache a record before asking for fresh data. Leaving this at Automatic is usually fine.
The Cloudflare cloud icon can be toggled on or off here. If you want Cloudflare to act as a proxy for all your traffic and perform the features we discussed above, then this should be turned on (orange). If for some reason you do not want Cloudflare to act as a proxy, then this should be turned off.
*There are certain instances when you do not want Cloudflare to serve as a proxy. If you are doing any IP-based authentication in your application, or anything else where a proxy will break the routing, then turn this off. When in doubt, if a site isn't rendering and you feel like you did everything right, turn this off to eliminate the possibility that the proxying of your traffic is causing the issue.
Here is an example of a new site with three different CNAME records: the root domain, the www, and a CDN record for images hosted in AWS.
If you are getting started on a brand new site, I think the free plan is more than sufficient. If on the other hand you are migrating a high-traffic money site to Cloudflare, then it may be worth your while to pay the monthly fee for some of the more advanced features.
Once you hit continue you will be given your new nameservers.
They will follow this convention:
Here is an interesting post on why they landed on using names.
Now you will need to go back to your registrar, and update your nameservers.
Below is what it will look like if you are doing it in Namecheap.
No matter what registrar you are using, look for the DNS section and then find where you need to update your nameservers.
On Namecheap make sure you click the green checkbox or your changes won't take.
*Gotcha: Make sure you don't have any trailing spaces or errant characters when you paste these into your registrar. At least with Namecheap it doesn't appear that they trim the input fields, so I have accidentally pasted in a trailing space, which caused the update to fail.
Once this is done you can go back to your Cloudflare account, and you should be able to recheck your nameservers. Clicking this button schedules a recheck. Cloudflare will do this automatically after a certain amount of time, but I'm impatient 🙂
Now that Cloudflare is set up to start handling our traffic there are a few changes we need to make.
If you are planning on using the Flexible SSL service, then you will need to browse to the Crypto section.
I've found that on some of the new accounts I set up, "Full" SSL is selected by default, which will keep your site from rendering. So make sure you choose Flexible, or Off, here.
Once you have updated this, it takes a bit of time for Cloudflare to update their configuration, so if you try browsing to your site on https:// immediately you may get this:
Don't worry about it. It just takes some time. Go grab some coffee, and by the time you're back it should have updated.
Next we are going to add some custom page rules.
These are rules that I set up for new sites that don't have any links, traffic, etc. This isn't "required", but I like to take care of it at the DNS level so I don't have to depend on WordPress or my hosting provider to handle it.
As you can see from the message, you receive 3 custom page rules on your free account.
The first one we are going to set up is a redirect from www to the root, or vice versa. This depends on where you want your main site to be.
So if we are going to want visitors to go to https://mysite.com then we would setup a redirect from www.mysite.com to mysite.com.
So in the first field we enter www.mysite.com/*
This tells Cloudflare that the rule applies to any traffic that comes in on www.mysite.com, whatever the path.
Next choose the "Forwarding URL" rule, and select 301 as the HTTP response type.
Now we are going to enter the destination that we want the traffic to go to which will be https://mysite.com/.
If you have any other rules, you will need to choose the order in which this rule is evaluated. Remember we are dealing with routing here, and routing rules are always evaluated top down, so the first rule that matches is the one that is used.
Next we will turn on the Always Use HTTPS rule. This ensures that Cloudflare redirects all traffic to the https version of your site.
*Pro Tip: If you have just finished updating your Crypto settings, this rule will not always be present. It takes a bit of time for the changes to make their way into the rules view, so if it's not there, don't freak out. Give it some time and it will show up shortly.
You can verify that these rules are working correctly by opening a terminal or cmd prompt and running curl -I mydomain.com.
This returns the HTTP response code, and if the redirect is set up correctly, a 301 with the new destination in the Location header.
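As an added example (not from the post), the Python below does two things: it parses curl -I output and checks for the expected 301 and Location header, and it models how the page rules above are evaluated so you can see what rule ordering does to the redirect chain. The rule semantics (first match wins; a pattern without a scheme matches both http and https) follow the post's description and Cloudflare's pattern syntax as I understand it, and the sample curl output is constructed.

```python
import fnmatch
import re
from typing import Dict, List, Optional, Tuple


def parse_curl_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Parse `curl -I` output: a status line followed by header lines."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    match = re.match(r"HTTP/[\d.]+\s+(\d{3})", lines[0])
    if not match:
        raise ValueError(f"not a status line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(match.group(1)), headers


def check_redirect(raw: str, expected_location: str, expected_status: int = 301) -> bool:
    """True when the response is the expected redirect to the expected destination."""
    status, headers = parse_curl_head(raw)
    return status == expected_status and headers.get("location") == expected_location


# A page rule is (URL pattern, action). The action is either the literal string
# "always_https" or the destination of a 301 "Forwarding URL" rule.
Rule = Tuple[str, str]


def _matches(pattern: str, url: str) -> bool:
    # A pattern without a scheme matches both http:// and https:// requests
    subject = url if "://" in pattern else url.split("://", 1)[1]
    return fnmatch.fnmatchcase(subject, pattern)


def apply_rules(url: str, rules: List[Rule]) -> Optional[str]:
    """Redirect target for url, or None. Only the first matching rule is applied."""
    for pattern, action in rules:
        if _matches(pattern, url):
            if action == "always_https":
                return "https://" + url[len("http://"):] if url.startswith("http://") else None
            return action
    return None


def redirect_chain(url: str, rules: List[Rule], max_hops: int = 5) -> List[str]:
    """Follow the redirects the rules produce; raise instead of looping forever."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = apply_rules(chain[-1], rules)
        if nxt is None:
            return chain
        chain.append(nxt)
    raise RuntimeError("redirect loop: " + " -> ".join(chain))


WWW_TO_ROOT: Rule = ("www.mysite.com/*", "https://mysite.com/")      # the Forwarding URL rule from above
ALWAYS_HTTPS: Rule = ("http://*mysite.com/*", "always_https")        # the Always Use HTTPS rule

# Constructed sample of what `curl -I www.mysite.com/page` returns once the rules are live
SAMPLE_CURL_OUTPUT = """HTTP/1.1 301 Moved Permanently
Date: Mon, 01 Jan 2024 00:00:00 GMT
Location: https://mysite.com/
Server: cloudflare
"""

if __name__ == "__main__":
    print("redirect correct:", check_redirect(SAMPLE_CURL_OUTPUT, "https://mysite.com/"))
    print("www rule first:  ", redirect_chain("http://www.mysite.com/page", [WWW_TO_ROOT, ALWAYS_HTTPS]))
    print("https rule first:", redirect_chain("http://www.mysite.com/page", [ALWAYS_HTTPS, WWW_TO_ROOT]))
```

Both orderings end at https://mysite.com/, but with Always Use HTTPS first a visitor to http://www.mysite.com/page makes two round trips instead of one, which is the kind of thing a quick curl -I check will not reveal unless you follow the chain.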
Reporting & Analytics
Along with the Cloudflare free website plan you still get some pretty cool and useful reporting. Here are a few screenshots of some of the information you can get.
This site serves dynamic local content, so there isn't a whole lot of opportunity for caching... as you'll see in the content distribution graph.
A security report of the threats they protected you from, as well as the traffic distribution of http vs https:
And that's all she wrote! Now you have a site set up behind Cloudflare's system that will help increase site speed, protect you from DDoS attacks, and make your life easier when it comes to DNS management.
I hope this was helpful!