What is Cloudflare?
What Cloudflare Does
Cloudflare sits between the internet and your server. When you add a domain to Cloudflare and enable the proxy (the orange cloud), every request to your domain first hits Cloudflare's network before reaching your server.
This gives you, for free on the base plan:
- Global CDN — static assets cached at 200+ cities
- DDoS protection — Cloudflare absorbs volumetric attacks at its edge before they reach you, for traffic that actually arrives through the proxy (see the note on origin exposure under DNS Records)
- Free SSL — an edge certificate, so browsers get HTTPS to your domain without you running Certbot; the Cloudflare → server leg is a separate setting (see SSL Modes)
- DNS management — fast, anycast DNS
- Firewall rules — block or challenge requests by IP, country, path and other request attributes before they touch your server
Adding Your Domain
- Create a Cloudflare account
- Add your domain (e.g., example.com); Cloudflare scans your existing DNS records and imports them
- Review the imported records against your current zone before going further. The scan is best-effort: anything it missed (less common subdomains, TXT records for SPF/DKIM, SRV records) stops resolving the moment the nameservers change
- Copy the two Cloudflare nameservers (e.g., ava.ns.cloudflare.com)
- Go to your domain registrar and change the nameservers to Cloudflare's
- Wait 0–24 hours for the change to propagate. You can confirm it has by checking that an NS lookup for your domain returns the two Cloudflare nameservers
That's it. Cloudflare is now authoritative for your DNS.
DNS Records in Cloudflare
Cloudflare's DNS interface works like any other. The key difference is the proxy toggle:
| Record | Proxy Status | Effect |
|---|---|---|
| example.com → 1.2.3.4 | Proxied (orange) | Traffic routes through Cloudflare |
| example.com → 1.2.3.4 | DNS only (grey) | Standard DNS, no Cloudflare features |
When proxied, DNS answers for the name return Cloudflare's IPs instead of your server's, so the real IP is hidden from anyone who only looks at DNS. Two caveats keep that protection honest:
- The proxy handles HTTP(S) traffic. SSH, mail and other non-web services need DNS-only (grey) records, and every grey record that points at the same host publishes its IP.
- Hiding the IP is not a firewall. If the origin still accepts connections from anywhere, an attacker who learns the IP (from an unproxied record, historical DNS data, or an outgoing email header) connects directly and bypasses the CDN, DDoS protection and firewall rules entirely. Restrict the origin's ports 80/443 to Cloudflare's published IP ranges so the proxy is the only way in.
Common records:
| Type | Name | Value | Proxy |
|---|---|---|---|
| A | @ | <server IP> | Proxied |
| A | www | <server IP> | Proxied |
| A | api | <server IP> | Proxied |
| MX | @ | mail.example.com (priority 10) | DNS only |
Note: @ means the root domain (example.com). MX records cannot be proxied, and the A record for mail.example.com that the MX points at has to be DNS only too, so if the mail server shares a host with the website that record reveals the origin IP. Keep mail on a separate host, or accept that the IP is public and firewall the origin accordingly.
SSL Modes
Cloudflare terminates TLS between users and Cloudflare with its edge certificate. What happens between Cloudflare and your server is controlled separately by the SSL/TLS mode:
| Mode | User → Cloudflare | Cloudflare → Server | Use When |
|---|---|---|---|
| Off | HTTP only | HTTP | Never; nothing is encrypted |
| Flexible | HTTPS | HTTP | Your server has no certificate at all (not recommended: the origin leg is plaintext while users see a padlock) |
| Full | HTTPS | HTTPS | Your server has a certificate Cloudflare cannot validate (self-signed or expired); the origin leg is encrypted but not authenticated |
| Full (Strict) | HTTPS | HTTPS | Your server has a certificate Cloudflare can validate: one from a public CA (e.g., Certbot/Let's Encrypt, or ACM if the origin is an AWS load balancer) or a Cloudflare Origin CA certificate |
Use Full (Strict) whenever possible. It encrypts the entire path and validates the cert on your server, so an attacker on the network path between Cloudflare and your origin cannot substitute their own certificate. Flexible gives users a padlock while traffic to your server is plaintext, and it causes redirect loops if the origin itself redirects HTTP to HTTPS, because Cloudflare will only ever speak HTTP to it. Full closes the plaintext gap but accepts any certificate, so it protects against passive eavesdropping only.
To use Full (Strict), install a publicly trusted cert on your server with Certbot (see the SSL/Certbot section) or install a Cloudflare Origin Certificate. The Origin Certificate is free and long-lived but trusted only by Cloudflare's edge, not by browsers, so direct or DNS-only access to the origin shows certificate errors. That is acceptable, and even desirable, when the origin is meant to be reachable only through the proxy.
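What the origin side of Full (Strict) looks like in practice, as an added example that is not from this page or from Cloudflare's documentation: an nginx server block that presents a Cloudflare Origin CA certificate, requires Cloudflare's client certificate (Authenticated Origin Pulls) so direct connections fail the handshake, rejects handshakes for hostnames it does not serve, and restores the visitor's real IP from CF-Connecting-IP. The file paths under /etc/ssl/cloudflare/, the hostnames and the backend on 127.0.0.1:8080 are assumptions; the commented-out "weak" block is the kind of origin that plain Full mode tolerates.

```nginx
# Added example (not from the page or Cloudflare). Paths under /etc/ssl/cloudflare/
# and the backend on 127.0.0.1:8080 are assumptions. The set_real_ip_from and
# real_ip_header directives belong in the http {} context.

# Weak origin (what "Full" tolerates): a self-signed cert nobody can verify,
# and any client that discovers the origin IP is served directly.
#
#   server {
#       listen 443 ssl;
#       server_name example.com;
#       ssl_certificate     /etc/ssl/selfsigned.crt;
#       ssl_certificate_key /etc/ssl/selfsigned.key;
#   }

# Hardened origin for Full (Strict):

# 1. Trust Cloudflare's edge addresses as the source of the real client IP.
#    Fill this list from https://www.cloudflare.com/ips-v4 and /ips-v6 and
#    refresh it on a schedule; the two entries below are illustrative only.
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
real_ip_header   CF-Connecting-IP;   # logs, rate limits and ACLs now see the visitor, not the edge

# 2. Refuse the TLS handshake for any hostname we do not serve (direct hits on
#    the IP address, scanners probing whatever address they found).
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    # Cloudflare Origin CA certificate: satisfies Full (Strict) and is trusted
    # by Cloudflare's edge only, which is exactly what an origin needs.
    ssl_certificate     /etc/ssl/cloudflare/origin.pem;
    ssl_certificate_key /etc/ssl/cloudflare/origin.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Authenticated Origin Pulls: require Cloudflare's client certificate, so a
    # connection that did not come through the proxy fails the handshake even
    # if the attacker knows both the origin IP and the hostname. The CA bundle
    # is the origin-pull CA Cloudflare publishes in its docs; the feature must
    # also be enabled in the dashboard (SSL/TLS -> Origin Server).
    ssl_client_certificate /etc/ssl/cloudflare/origin-pull-ca.pem;
    ssl_verify_client      on;

    location / {
        proxy_pass         http://127.0.0.1:8080;
        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-Proto https;
        proxy_set_header   X-Real-IP $remote_addr;  # already rewritten by real_ip_header
    }
}
```

A network-level restriction (security group or host firewall allowing 443 only from Cloudflare's ranges) belongs in front of this; the nginx checks are defense in depth for the day that allowlist is stale. With `ssl_verify_client on`, a browser visiting the origin directly or through a grey-cloud record fails the handshake, which is the intended behaviour.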
Cloudflare vs. Route 53 + CloudFront
| Feature | Cloudflare | Route 53 + CloudFront |
|---|---|---|
| Cost | Free base plan | Route 53: $0.50 per hosted zone per month plus per-query charges; CloudFront bills data transfer and requests (its permanent free tier covers small sites) |
| Setup speed | Minutes | 30–60 minutes |
| DDoS protection | Included free | AWS Shield Standard (free) on CloudFront |
| SSL | Free, automatic edge cert | Free via ACM (the certificate CloudFront uses must be issued in us-east-1) |
| Firewall | Generous free tier | WAF costs extra |
| Caching control | Good | More granular per-behavior |
| Best for | Getting started fast, saving cost | Production AWS stacks wanting deep integration |
Rule of thumb: Cloudflare for simplicity and cost; Route 53 + CloudFront when you're already deep in the AWS ecosystem and need tighter integration (e.g., Lambda@Edge, OAC for private S3).
Page Rules
Page rules let you apply different behavior to different URL patterns. Only one page rule fires per request, and rules are evaluated top to bottom, so list the specific patterns first and the catch-all last:
- example.com/api/* → Cache Level: Bypass (don't cache API responses)
- example.com/static/* → Cache Level: Cache Everything, Edge Cache TTL: 1 month
- example.com/* → Always Use HTTPS
Page rules are ordered; the first matching rule wins, so if example.com/* sat above example.com/static/*, the static rule would never run. The flip side of one-rule-per-request is that /api/* and /static/* requests never reach the Always Use HTTPS rule at all. Enable Always Use HTTPS as the zone-wide setting under SSL/TLS instead of as a page rule, so it applies everywhere regardless of rule order.
Firewall Rules
Block or challenge malicious traffic at Cloudflare's edge, before it reaches your server:
(ip.geoip.country eq "CN") and (http.request.uri.path contains "/admin")
→ Block
(cf.threat_score gt 30)
→ Managed Challenge (Cloudflare picks an appropriate challenge; a CAPTCHA is only one option)
Rules are evaluated in order and the first matching terminating action (block, challenge) decides the request. Two caveats: country blocking is a weak control on its own, since anyone with a VPN leaves the blocked country in seconds, so treat a rule like the first one as a noise filter rather than as access control for /admin (an allowlist of your own admin IPs, blocking everything else to that path, is the stronger shape). And because these rules only see traffic that arrives through the proxy, they are only as good as the origin lockdown described under DNS Records.
Cloudflare's free plan includes 5 firewall rules.
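To reason about rule expressions and ordering before they go live, here is an added example (not Cloudflare's engine and not code from this page): a small Python parser and evaluator for the subset of the rule language the two rules above use (eq, ne, gt, lt, ge, le, contains, and, or, not, parentheses) with the precedence not > and > or, plus an ordered first-match evaluation over constructed sample requests. The request dictionaries and field values are constructed for the example, not captured traffic.

```python
"""Offline evaluator for Cloudflare-style firewall rule expressions (added example, not
Cloudflare's engine). Subset: eq ne gt lt ge le contains, and/or/not, parentheses."""
import re

TOKEN_RE = re.compile(r'\s*(\(|\)|"[^"]*"|\d+|[A-Za-z_][\w.]*)')  # paren, string, int, identifier
OPERATORS = {"eq": lambda a, b: a == b, "ne": lambda a, b: a != b, "gt": lambda a, b: a > b,
             "lt": lambda a, b: a < b, "ge": lambda a, b: a >= b, "le": lambda a, b: a <= b,
             "contains": lambda a, b: b in a}

def tokenize(expression):
    tokens, pos, text = [], 0, expression.strip()
    while pos < len(text):
        match = TOKEN_RE.match(text, pos)
        if not match:
            raise ValueError(f"cannot tokenize {text[pos:]!r}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens

class Parser:
    """Recursive descent over the token list, producing a tuple-based AST."""
    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self, expected=None):
        token = self.peek()
        if token is None or (expected is not None and token != expected):
            raise ValueError(f"expected {expected!r}, got {token!r}")
        self.pos += 1
        return token

    def parse_or(self):  # lowest precedence
        node = self.parse_and()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):  # "not X", "( expr )" or "field op value"
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())
        if self.peek() == "(":
            self.take("(")
            node = self.parse_or()
            self.take(")")
            return node
        field, op, raw = self.take(), self.take(), self.take()
        if op not in OPERATORS:
            raise ValueError(f"unknown operator {op!r}")
        return ("cmp", field, op, raw[1:-1] if raw.startswith('"') else int(raw))

def parse_expression(expression):
    parser = Parser(tokenize(expression))
    node = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"unexpected trailing token {parser.peek()!r}")
    return node

def evaluate(node, request):
    """Evaluate an AST against a request given as a {field: value} dict."""
    kind = node[0]
    if kind == "cmp":
        _, field, op, value = node
        if field not in request:
            raise KeyError(f"request has no field {field!r}")
        return OPERATORS[op](request[field], value)
    if kind == "not":
        return not evaluate(node[1], request)
    if kind == "and":
        return evaluate(node[1], request) and evaluate(node[2], request)
    return evaluate(node[1], request) or evaluate(node[2], request)

def first_matching_action(rules, request, default="allow"):
    """Ordered evaluation: the first rule whose expression matches decides."""
    for ast, action in rules:
        if evaluate(ast, request):
            return action
    return default

# The two rules from the text, in dashboard order.
RULES = [
    (parse_expression('(ip.geoip.country eq "CN") and (http.request.uri.path contains "/admin")'), "block"),
    (parse_expression("(cf.threat_score gt 30)"), "challenge"),
]

# Constructed sample requests, not captured traffic.
SAMPLE_REQUESTS = {
    "cn_admin": {"ip.geoip.country": "CN", "http.request.uri.path": "/admin/login", "cf.threat_score": 5},
    "us_admin": {"ip.geoip.country": "US", "http.request.uri.path": "/admin/login", "cf.threat_score": 5},
    "risky_home": {"ip.geoip.country": "US", "http.request.uri.path": "/", "cf.threat_score": 45},
    "risky_cn_admin": {"ip.geoip.country": "CN", "http.request.uri.path": "/admin", "cf.threat_score": 90},
}

def decide(name):
    return first_matching_action(RULES, SAMPLE_REQUESTS[name])
```

`decide("risky_cn_admin")` returns `block` rather than `challenge` even though both rules match, because the block rule is listed first; swapping the two rules in `RULES` changes the outcome, which is the ordering behaviour worth testing before editing rules in the dashboard. A missing field raises rather than silently evaluating to false, so a typo in a field name is caught offline.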