This post deals with the Cloudflare service: what it is, how it works, and how to protect a website using it.
1. What is Cloudflare?
There are various service levels, from completely free to “Enterprise” at several hundred US dollars per month, with the free plan being quite functional for most small, medium and even some large websites. Company policy is to get people to test the service for free (and use them as test subjects for the service at the same time), knowing they will later be willing to pay for more of what they like.
An example of this pricing policy: in the post about redirections, I explained how they can be set up using Cloudflare Page Rules. The free plan gives you 3 Page Rules, while each additional 5 cost $5 per month.
2. How does it work?
There’s a vast network of Cloudflare servers across the whole planet. Traffic to websites that use the service is routed first to the Cloudflare server closest to the visitor.
Those servers hold a copy of the website’s static content, while dynamic (non-cacheable) content is fetched from the website’s host server (the “origin”) over the fastest available network infrastructure (more expensive plans offer “Railgun”, a technology Cloudflare developed with some ISPs to provide fast data transfer).
In order for this to work, with all traffic going through Cloudflare first, the website owner must set the domain up to use Cloudflare’s DNS. With this in place, in addition to providing fast, good-quality DNS, Cloudflare will also protect the website from attacks, practically hiding the host server behind its network. That hiding only holds, though, while the origin’s IP address cannot be found some other way (old DNS records, e-mail headers, a subdomain that is not proxied) and the origin does not accept connections from just anyone: an attacker who learns the origin IP can simply talk to it directly and skip Cloudflare altogether.
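One practical consequence of the set-up above is that the origin server no longer sees visitor IP addresses: every TCP connection comes from a Cloudflare edge, and the real visitor is named in the CF-Connecting-IP header. That header can only be trusted when the connection really did come from Cloudflare; a request from any other peer means the origin IP has leaked and the sender can put whatever they like in the header. The following script is an added example (mine, not code from the original post or from Cloudflare) that makes that decision for a handful of constructed log lines. The list of Cloudflare IPv4 ranges is a snapshot and is an assumption: fetch the current list from https://www.cloudflare.com/ips-v4 before using it.

```python
"""Added example: decide which IP address to trust for each request that
reaches a WordPress origin sitting behind Cloudflare, and flag requests
that arrived directly (i.e. the origin is not actually hidden).
Not from the original post or from Cloudflare."""
import ipaddress
from dataclasses import dataclass

# Snapshot of Cloudflare's published IPv4 edge ranges (see
# https://www.cloudflare.com/ips-v4). Assumption: re-fetch the current list
# before relying on it, since the ranges change over time.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CF_NETS = [ipaddress.ip_network(n) for n in CLOUDFLARE_IPV4]


def from_cloudflare(peer_ip: str) -> bool:
    """True if the TCP peer address belongs to a Cloudflare edge range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in CF_NETS)


@dataclass
class Verdict:
    client_ip: str        # the address you should log / rate-limit on
    via_cloudflare: bool  # False means the request bypassed Cloudflare
    note: str


def real_client_ip(peer_ip: str, headers: dict) -> Verdict:
    """Trust CF-Connecting-IP only when the peer is a Cloudflare edge.

    Anyone who can reach the origin directly can send any header they like,
    so a CF-Connecting-IP from a non-Cloudflare peer must be ignored, and
    the request itself is evidence that the origin IP has leaked."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    cf_ip = hdrs.get("cf-connecting-ip")
    if from_cloudflare(peer_ip):
        try:
            ipaddress.ip_address(cf_ip)
        except (ValueError, TypeError):
            return Verdict(peer_ip, True, "edge peer without a valid CF-Connecting-IP; using peer")
        return Verdict(cf_ip, True, "ok")
    note = "direct-to-origin request, Cloudflare bypassed"
    if cf_ip is not None:
        note += "; client-supplied CF-Connecting-IP ignored"
    return Verdict(peer_ip, False, note)


# Constructed sample: "peer_ip  CF-Connecting-IP-or-'-'  path", one request per line.
SAMPLE_LOG = """\
172.68.10.5    203.0.113.7    /
104.16.2.3     198.51.100.9   /wp-login.php
198.51.100.42  -              /wp-login.php
192.0.2.200    127.0.0.1      /wp-admin/
"""


def audit(log_text: str) -> list:
    """Return (path, Verdict) for every line of the sample log."""
    results = []
    for line in log_text.strip().splitlines():
        peer, cf, path = line.split()
        headers = {} if cf == "-" else {"CF-Connecting-IP": cf}
        results.append((path, real_client_ip(peer, headers)))
    return results


def bypass_count(log_text: str) -> int:
    """How many requests reached the origin without going through Cloudflare."""
    return sum(1 for _, v in audit(log_text) if not v.via_cloudflare)


if __name__ == "__main__":
    for path, v in audit(SAMPLE_LOG):
        print(f"{path:15} client={v.client_ip:15} via_cf={v.via_cloudflare!s:5} {v.note}")
    print("bypasses:", bypass_count(SAMPLE_LOG))
```

On the constructed sample, the two requests from Cloudflare edges resolve to the visitor addresses carried in the header, while the last two are direct hits: one with no header at all and one trying to pass itself off as 127.0.0.1. In production the same rule is what a web server’s real-IP module (or a firewall rule allowing only Cloudflare’s ranges to port 443) enforces for you; if the bypass count is ever non-zero, the “hidden” origin is not hidden.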
3. Services offered
There are four price levels; each one includes everything the cheaper levels offer plus its own additions. Without going into details, the more expensive plans offer better DDoS and firewall protection, better caching, more customization and faster technical support. The “Free” plan is quite good, and webmasters can usually tell when they need something more. More details on packages and prices can be found on Cloudflare’s website.
4. How to setup Cloudflare with a WordPress website
These instructions are for those using SSL (many hosting providers offer free SSL with Let’s Encrypt), which is advisable. All options not mentioned should be left at their defaults.
Make an account on Cloudflare.com and click the button: “+ Add a Site”. Then, after entering the domain name, you will be given a list of two nameservers – which should be entered instead of the existing nameservers on your domain registrar. Depending on the registrar you use, the menu might differ from picture 2:
Make a Page Rule that bypasses the cache while you administer the site (the usual form is a rule matching example.com/wp-admin* with Cache Level set to Bypass; of course, replace the “example.com” part with your website’s domain):
These two rules, the one forcing HTTPS and the one above, ensure that no one can visit the website without encryption and that while administering the website, no cached content is shown to the administrator. After that, one can set up the other options from the Cloudflare menus, one by one. Here’s how I did it on my website(s):
In the Crypto menu, choose the SSL mode. If the origin server has a valid certificate from a publicly trusted CA (Let’s Encrypt counts) or a Cloudflare Origin CA certificate, use “Full (strict)”: Cloudflare then both encrypts its connection to the origin and verifies the certificate. “Full” also encrypts that leg but accepts any certificate, including self-signed or expired ones, so it protects against eavesdropping but not against someone impersonating the origin. “Flexible” is for servers with no certificate at all: visitors get HTTPS to Cloudflare, but the Cloudflare-to-origin leg is plain HTTP, and a WordPress site that insists on HTTPS itself can end up in a redirect loop under Flexible. Pick the strictest mode the server supports. More details on Cloudflare support.
Other options that should be set up here are (briefly, without much explanation):
- Always Use HTTPS: On
- Authenticated Origin Pulls: Off, unless the origin server has been configured to require Cloudflare’s origin-pull client certificate (switching it on before the server is ready makes every request to the origin fail); also leave it off when using Railgun. See Cloudflare’s documentation.
- Minimum TLS Version: TLS 1.2
- Opportunistic Encryption: On
- Onion Routing: On
- TLS 1.3: Enabled+0RTT (0-RTT data can be replayed by an attacker, so Cloudflare limits it to GET requests without query parameters; that is fine for a read-mostly site, but know the trade-off)
- Enable Universal SSL (unless Cloudflare Dedicated SSL is bought)
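If you do want Authenticated Origin Pulls on, the origin has to be prepared first. As an added example (not from the original post or from Cloudflare), here is the shape of an nginx server block that requires Cloudflare’s origin-pull client certificate; file paths and the domain are assumptions, and the CA file is the one Cloudflare publishes on the Authenticated Origin Pulls page of its documentation.

```nginx
# Added example, not from the original post: nginx origin for a WordPress
# site that only accepts TLS clients presenting Cloudflare's origin-pull
# certificate. Paths and domain are placeholders.
server {
    listen 443 ssl;
    server_name example.com;

    # The site's own certificate (e.g. Let's Encrypt), so that the
    # "Full (strict)" mode on the Cloudflare side validates.
    ssl_certificate     /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;

    # Cloudflare's origin-pull CA. With verification on, a client that does
    # not present a certificate signed by this CA is rejected with HTTP 400,
    # so a direct-to-origin request fails even if the origin IP leaks.
    ssl_client_certificate /etc/ssl/cloudflare/origin-pull-ca.pem;
    ssl_verify_client on;

    root  /var/www/example.com;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Deploy this, reload nginx, and only then flip the dashboard toggle on; do it in the other order and the site goes down until the two sides agree. Note that this locks down only the HTTPS server block, so a plain-HTTP listener on port 80 still needs its own restriction (or a redirect) if one exists.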
Firewall menu, again, briefly:
- Security Level: Medium
- Challenge Passage: 1 day
- Privacy Pass Support: On
Speed menu:
- Auto Minify: select all
- Enable Accelerated Mobile Links: On
- Brotli: On
- Rocket Loader™: On (it changes how scripts are loaded, so check that the site’s JavaScript still works afterwards)
Caching menu:
- Caching Level: Standard
- Browser Cache Expiration: Respect Existing Headers (if website caching is set up)
- Always Online™: On
Scrape Shield menu:
- Hotlink protection: On
5. My experience
Bikegremlin.com has been using Cloudflare since the summer of 2018. So far so good. I can’t see any results other than slightly better page load times and lower server load when Cloudflare is used. I haven’t had any serious attacks, though I suppose an additional security layer isn’t a bad thing. Pictures 5 and 6 show a few stats from last month: