Cloudflare is one of the most widely used web infrastructure services in the world. It provides CDN (Content Delivery Network) caching, DDoS protection, DNS management, and SSL certificates, all from a single dashboard. The best part is that the free plan covers most of what small to mid-sized websites need.
Here is how to set up Cloudflare for your website from scratch.
What Cloudflare Does
Before diving into setup, it helps to understand what Cloudflare actually provides:
- CDN: Caches your static content (images, CSS, JavaScript) on servers worldwide, so visitors load content from the nearest server instead of your origin.
- DDoS Protection: Absorbs and filters malicious traffic before it reaches your server. Learn more about DDoS attacks in our DDoS protection guide.
- DNS: Fast, reliable DNS hosting with a user-friendly management interface.
- SSL/TLS: Free SSL certificates and flexible encryption modes.
- Firewall: Web Application Firewall (WAF) rules, IP blocking, and rate limiting.
- Performance: Minification, Brotli compression, image optimization, and HTTP/3 support.
Cloudflare acts as a reverse proxy. Traffic flows from the visitor to Cloudflare to your origin server. Cloudflare inspects, filters, and caches along the way.
Step 1: Create a Cloudflare Account
Go to cloudflare.com and sign up with an email address and password. Enable two-factor authentication immediately since your Cloudflare account controls your domain's DNS and security settings.
Step 2: Add Your Domain
Click "Add a Site" and enter your domain name (e.g., example.com). Cloudflare will scan your existing DNS records automatically. This scan picks up most records, but always verify that nothing is missing.
Choose a plan. The Free plan includes:
- DNS hosting
- CDN and caching
- Basic DDoS protection
- Universal SSL certificate
- 5 Page Rules
The Pro plan ($20/month) adds the WAF, image optimization, and better analytics. The Business plan ($200/month) includes custom SSL certificates and advanced security features.
For most websites, start with the Free plan and upgrade only if you need specific Pro features.
Step 3: Update Your Nameservers
Cloudflare will provide two nameservers, something like ada.ns.cloudflare.com and bob.ns.cloudflare.com. You need to update your domain's nameservers at your registrar to point to these.
Log into your domain registrar, find the nameserver settings, replace the existing nameservers with Cloudflare's, and save.
Nameserver propagation can take up to 24 hours, though it usually happens within an hour. Cloudflare will email you when the change is detected.
Step 4: Configure DNS Records
Once your domain is active on Cloudflare, review your DNS records. You should see the records that were imported during the initial scan.
Key records to verify:
- A record: Points your root domain (
example.com) to your server's IP address. - CNAME record: Points
wwwto your root domain or hosting provider. - MX records: Point to your mail server. Critical for email delivery.
- TXT records: SPF, DKIM, and DMARC records for email authentication.
The Proxy Toggle (Orange Cloud vs Gray Cloud)
Each DNS record has a proxy status toggle:
- Orange cloud (proxied): Traffic goes through Cloudflare. You get CDN, DDoS protection, and SSL. Your origin IP is hidden.
- Gray cloud (DNS only): Cloudflare only provides DNS resolution. Traffic goes directly to your server.
Proxy your web-facing records (A and CNAME for your website). Do not proxy MX records, mail subdomain records, or any records for services that need direct connections (SSH, FTP, game servers).
Step 5: Configure SSL/TLS
Go to the SSL/TLS section and choose your encryption mode:
- Off: No encryption. Never use this.
- Flexible: Encrypts traffic between the visitor and Cloudflare, but the connection from Cloudflare to your server is unencrypted. Use only if your server does not support SSL at all.
- Full: Encrypts both connections, but does not validate your server's SSL certificate. Acceptable for testing.
- Full (Strict): Encrypts both connections and validates your server's certificate. This is the recommended setting.
For Full (Strict), your origin server needs a valid SSL certificate. You can use a free Let's Encrypt certificate or a Cloudflare Origin CA certificate (free, valid for 15 years, but trusted only by Cloudflare).
Enable these additional SSL settings:
- Always Use HTTPS: Redirects all HTTP requests to HTTPS.
- Automatic HTTPS Rewrites: Fixes mixed content by rewriting HTTP links to HTTPS.
- Minimum TLS Version: Set to TLS 1.2.
Step 6: Set Up Caching
Cloudflare caches static content by default based on file extensions (.jpg, .css, .js, etc.). For most sites, the default settings work well.
Key caching settings:
- Caching Level: "Standard" is fine for most sites.
- Browser Cache TTL: How long browsers cache files. "Respect Existing Headers" is the safest choice if your server already sets cache headers.
- Always Online: Shows a cached version of your site if your origin server goes down.
To purge the cache after a deployment, go to Caching > Configuration > Purge Everything. You can also set up a Page Rule to bypass cache for specific URLs like your admin panel.
Step 7: Page Rules
Page Rules let you customize Cloudflare's behavior for specific URL patterns. You get 3 free Page Rules (Free plan) or 20 (Pro plan).
Common page rules:
Bypass cache for admin areas:
example.com/admin/*chr(10)Cache Level: BypassForce HTTPS on all pages:
http://example.com/*chr(10)Always Use HTTPSSet cache for static assets:
example.com/static/*chr(10)Cache Level: Cache Everythingchr(10)Edge Cache TTL: 1 monthStep 8: Security Settings
Under Attack Mode
If your site is experiencing a DDoS attack, enable "Under Attack Mode" from the Overview page. This adds a JavaScript challenge that visitors must pass before accessing your site. It blocks most automated attacks but adds a brief loading page for legitimate visitors.
Only enable this during active attacks. Leave it off during normal operation.
Firewall Rules
Create firewall rules to block or challenge traffic based on IP, country, ASN, user agent, or URI. For example:
- Block traffic from countries you do not serve
- Challenge requests to login pages
- Block known bad user agents
Bot Fight Mode
Enable this free feature to challenge suspected bot traffic. It helps reduce scraping, credential stuffing, and content theft.
Monitoring and Analytics
Cloudflare's Analytics dashboard shows:
- Total requests and bandwidth saved
- Threats blocked
- Cache hit ratio
- Bandwidth by country
Check your analytics regularly to ensure Cloudflare is working as expected and to identify potential issues or attacks early.
Common Mistakes to Avoid
- Proxying MX records: This breaks email delivery. Always keep mail-related records on DNS-only (gray cloud).
- Using Flexible SSL: This leaves the connection between Cloudflare and your server unencrypted. Use Full (Strict) with a valid origin certificate.
- Forgetting to purge cache: After updating your site, purge Cloudflare's cache or wait for the TTL to expire.
- Over-aggressive firewall rules: Blocking entire countries or overly broad patterns can lock out legitimate users.
Cloudflare is a powerful tool that improves performance, security, and reliability for any website. Take the time to configure it properly, and it will serve you well.
