How to Set Up Cloudflare: DNS, SSL, CDN, and Basic Security Rules
Complete Cloudflare setup guide. DNS migration, SSL modes, caching, security rules — with common mistakes to avoid.
TL;DR
Add your domain to Cloudflare's free plan, change nameservers at your registrar, set SSL/TLS mode to Full (Strict), proxy your web-facing records (orange cloud), leave mail records unproxied (grey cloud), enable HTTPS redirects, and configure basic WAF rules. The entire process takes about 30 minutes, but nameserver propagation can take up to 24 hours.
Prerequisites
- A registered domain name (e.g., dsncon.com)
- Access to your domain registrar's control panel (to change nameservers)
- A web server with a valid SSL certificate already installed (Let's Encrypt, or any CA-signed cert)
- A Cloudflare account — sign up for free
- Your server's public IP address
- Approximately 30 minutes of time
Step 1: Adding Your Domain to Cloudflare
- Log in to the Cloudflare Dashboard.
- Click "Add a site" in the top navigation bar.
- Enter your domain name (e.g., dsncon.com) and click "Add site".
- Select the Free plan and click "Continue".
- Cloudflare will scan your existing DNS records. Review them carefully — make sure all records are present. Cloudflare usually imports them correctly, but always verify.
- Click "Continue" to proceed to the nameserver change step.
Important: Do not skip the DNS record review. Missing records mean broken services after the nameserver switch.
Step 2: Changing Nameservers at Your Registrar
Cloudflare will provide you with two nameservers, for example:
ada.ns.cloudflare.com
bert.ns.cloudflare.com
You need to replace your current nameservers with these at your domain registrar. The exact steps depend on your registrar:
General Process
- Log in to your registrar (e.g., Namecheap, GoDaddy, IONOS, Hetzner).
- Navigate to DNS settings or Nameserver management for your domain.
- Change from the default nameservers to custom nameservers.
- Enter the two Cloudflare nameservers exactly as shown.
- Save the changes.
- Back in the Cloudflare dashboard, click "Done, check nameservers".
Propagation time: Nameserver changes typically propagate within 1–4 hours but can take up to 24 hours. Cloudflare will email you when your site is active.
You can verify propagation with:
dig dsncon.com NS +short
# Should return:
# ada.ns.cloudflare.com.
# bert.ns.cloudflare.com.
Step 3: DNS Records — Proxied vs DNS-Only
Every DNS record in Cloudflare has a proxy toggle — the orange cloud (proxied) or grey cloud (DNS-only). This is one of the most important decisions you will make.
Proxied (Orange Cloud) — Use for Web Traffic
When enabled, traffic flows through Cloudflare's network. You get CDN caching, DDoS protection, WAF, and SSL termination. The visitor sees Cloudflare's IP, not your server's IP.
| Type | Name | Content | Proxy Status |
|---|---|---|---|
| A | dsncon.com | 203.0.113.50 | Proxied (orange) |
| A | www | 203.0.113.50 | Proxied (orange) |
| A | app | 203.0.113.50 | Proxied (orange) |
| AAAA | dsncon.com | 2001:db8::1 | Proxied (orange) |
DNS-Only (Grey Cloud) — Use for Non-HTTP Services
Traffic goes directly to your server. No Cloudflare protection or caching. Required for mail servers, FTP, SSH, and any non-HTTP protocol.
| Type | Name | Content | Proxy Status |
|---|---|---|---|
| MX | dsncon.com | mail.dsncon.com (pri 10) | DNS-only (always) |
| A | mail | 203.0.113.50 | DNS-only (grey) |
| TXT | dsncon.com | v=spf1 include:... | DNS-only (always) |
| CNAME | ssh | server.example.com | DNS-only (grey) |
| SRV | _sip | ... | DNS-only (always) |
Rules of Thumb
- Orange cloud: Any A/AAAA/CNAME record serving a website or API over HTTP/HTTPS.
- Grey cloud: Mail (MX + associated A records), SSH, FTP, game servers, VPN, any non-HTTP service.
- Never proxy MX records. Cloudflare does not proxy email traffic, and proxied mail records will break email delivery entirely.
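The rules of thumb above are easy to apply to five records and easy to get wrong on fifty. The script below is an added example, not part of this guide: it lints the proxy status of a record list against those rules. It reads a constructed tab-separated format (TYPE, NAME, CONTENT, proxied|dns-only); the Cloudflare API's DNS record listing carries the same fields (type, name, content, proxied), so such a file can be assembled from it, but the sample zone built into the script is constructed from documentation addresses. The name-prefix list for non-HTTP services is an assumption, not something Cloudflare enforces.

```shell
#!/bin/sh
# Added example, not part of the original guide: a lint for the proxy status
# of DNS records, applying the orange/grey rules of thumb. Input is one record
# per line, tab-separated: TYPE, NAME, CONTENT, proxied|dns-only (constructed
# format; the Cloudflare API's record listing has the same fields).

# Prints one line per finding plus a summary; exit status = number of errors.
lint_dns_export() {
    awk -F'\t' -v zone="$1" '
        BEGIN { err = 0; warn = 0 }
        { rec[NR] = $0 }
        # Remember MX targets: the A/AAAA record they point at must stay DNS-only.
        $1 == "MX" {
            n = split($3, m, " "); t = m[n]; sub(/\.$/, "", t)   # host is the last token ("10 mail.x" or "mail.x")
            mxtarget[t] = 1
        }
        END {
            for (i = 1; i <= NR; i++) {
                split(rec[i], f, "\t"); type = f[1]; name = f[2]; proxy = f[4]
                sub(/\.$/, "", name)
                addr = (type == "A" || type == "AAAA" || type == "CNAME")
                # Assumed prefix list for services that cannot go through the HTTP proxy.
                nonhttp = (name ~ /^(mail|smtp|imap|pop3?|ssh|sftp|ftp|vpn)\./)
                if (type == "MX" && proxy == "proxied") {
                    print "ERROR: MX " name " is proxied; mail will not be delivered"; err++
                } else if (addr && proxy == "proxied" && (name in mxtarget)) {
                    print "ERROR: " type " " name " is the MX target but proxied; set it to DNS-only"; err++
                } else if (addr && proxy == "proxied" && nonhttp) {
                    print "ERROR: " type " " name " looks like a non-HTTP service but is proxied"; err++
                } else if (addr && proxy == "dns-only" && !(name in mxtarget) && !nonhttp) {
                    print "WARN: " type " " name " is DNS-only, so its origin IP is public; intended?"; warn++
                }
            }
            printf "%d error(s), %d warning(s) in %s\n", err, warn, zone
            exit err
        }'
}

# Constructed sample zone (documentation addresses) for a stand-alone run.
sample_zone() {
    printf 'A\tdsncon.com\t203.0.113.50\tproxied\n'
    printf 'A\twww.dsncon.com\t203.0.113.50\tproxied\n'
    printf 'MX\tdsncon.com\t10 mail.dsncon.com\tdns-only\n'
    printf 'A\tmail.dsncon.com\t203.0.113.50\tproxied\n'
    printf 'A\tapp.dsncon.com\t203.0.113.50\tdns-only\n'
    printf 'CNAME\tssh.dsncon.com\tserver.example.com\tproxied\n'
    printf 'TXT\tdsncon.com\tv=spf1 mx -all\tdns-only\n'
}

# Usage: sh dns_lint.sh dsncon.com < records.tsv   (without a zone argument it lints the sample)
if [ -n "${1:-}" ]; then
    lint_dns_export "$1"
else
    sample_zone | lint_dns_export dsncon.com || true
fi
```

On the sample zone the lint reports two errors (the proxied mail A record that the MX points at, and the proxied ssh CNAME) and one warning (the DNS-only app record, whose origin IP is visible to anyone who queries DNS). The warning is deliberately soft: a DNS-only web record is sometimes intended, but it is the case that quietly defeats the origin-hiding benefit of the proxy.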
Step 4: SSL/TLS Configuration
Navigate to SSL/TLS → Overview in the Cloudflare dashboard. You will see four modes:
Off (Not Secure)
No encryption at all. Never use this.
Flexible
Encrypts traffic between the visitor and Cloudflare, but Cloudflare connects to your server over plain HTTP. This is dangerous. Your data travels unencrypted between Cloudflare and your server. It also causes redirect loops if your server forces HTTPS.
Full
Encrypts traffic end-to-end, but Cloudflare does not verify your server's SSL certificate. Accepts self-signed certificates. Better than Flexible, but still vulnerable to man-in-the-middle attacks on the origin connection.
Full (Strict) — The Only Correct Choice
Encrypts traffic end-to-end and validates your server's certificate against a trusted CA. This is the only mode that provides actual security.
Set it now:
- Go to SSL/TLS → Overview.
- Select Full (Strict).
- Ensure your origin server has a valid SSL certificate (Let's Encrypt is free and works perfectly).
If you cannot install a CA-signed certificate on your server, use a Cloudflare Origin CA certificate:
- Go to SSL/TLS → Origin Server.
- Click "Create Certificate".
- Select RSA or ECDSA, add your hostnames (dsncon.com, *.dsncon.com).
- Download the certificate and private key.
- Install them on your web server.
This certificate is only trusted by Cloudflare, which is fine when traffic always flows through the proxy.
Additional SSL Settings
- Always Use HTTPS: Enable under SSL/TLS → Edge Certificates. Redirects all HTTP requests to HTTPS.
- Minimum TLS Version: Set to TLS 1.2. There is no reason to support TLS 1.0 or 1.1 in 2026.
- HSTS: Enable with max-age=31536000, include subdomains. Only do this once you have confirmed HTTPS works correctly.
- Automatic HTTPS Rewrites: Enable this to fix mixed-content issues by rewriting HTTP URLs to HTTPS in your HTML.
Step 5: Fixing Common SSL Errors
ERR_TOO_MANY_REDIRECTS (Redirect Loop)
This is the most common error after setting up Cloudflare. It happens when:
- SSL mode is set to Flexible, but your server forces HTTPS.
- Cloudflare sends HTTP to your server → server redirects to HTTPS → Cloudflare sends HTTP again → infinite loop.
Fix: Set SSL mode to Full (Strict) and ensure your server has a valid certificate.
Error 525: SSL Handshake Failed
Cloudflare cannot establish an SSL connection with your origin server.
- Your server's SSL certificate is expired or misconfigured.
- Your server does not support the cipher suites Cloudflare uses.
- Your server is not listening on port 443.
Fix: Verify your certificate with openssl s_client -connect your-server-ip:443 -servername dsncon.com.
Error 526: Invalid SSL Certificate
You are on Full (Strict) mode but your server's certificate is not valid (expired, self-signed, or wrong hostname).
Fix: Install a valid certificate (Let's Encrypt or Cloudflare Origin CA).
Mixed Content Warnings
Your page loads over HTTPS but references HTTP resources (images, scripts, stylesheets).
Fix: Enable Automatic HTTPS Rewrites in SSL/TLS → Edge Certificates. Long-term, fix the URLs in your code.
Step 6: Caching and Performance
Browser Cache TTL
Go to Caching → Configuration. Set Browser Cache TTL to "Respect Existing Headers" if your server sends proper Cache-Control headers. Otherwise, set a sensible default like 4 hours.
Cache Rules
Cloudflare caches static assets by default (images, CSS, JS). For more control, navigate to Rules → Cache Rules:
Rule: Cache Everything for Static Pages
When: URI path starts with "/static/" OR URI path starts with "/assets/"
Then:
Cache eligibility: Eligible for cache
Edge TTL: 1 month
Browser TTL: 1 week
Rule: Bypass Cache for Admin
When: URI path starts with "/admin" OR URI path starts with "/api/"
Then:
Cache eligibility: Bypass cache
Cache Everything (for Static Sites)
If you serve a fully static site or specific static pages, you can cache the entire HTML response:
Rule: Cache HTML for landing pages
When: URI path equals "/" OR URI path equals "/pricing"
Then:
Cache eligibility: Eligible for cache
Edge TTL: 2 hours
Browser TTL: 5 minutes
Warning: Never cache pages that contain user-specific content, login sessions, or CSRF tokens.
Purging Cache
After deploying updates, purge the cache: Caching → Configuration → Purge Everything. For targeted purges, use "Custom Purge" and enter specific URLs.
Step 7: Basic Security Rules
WAF (Web Application Firewall)
Navigate to Security → WAF. On the free plan, you get access to basic managed rules. Enable them.
Create custom rules under Security → WAF → Custom Rules:
Rule: Block known bad paths
When: URI path contains "/wp-login.php" OR URI path contains "/xmlrpc.php"
AND you are NOT running WordPress
Then: Block
Rule: Challenge suspicious requests
When: URI path starts with "/admin"
AND IP source country is NOT [your country]
Then: Managed Challenge
Rate Limiting
Go to Security → WAF → Rate Limiting Rules:
Rule: Protect login endpoint
When: URI path equals "/login" AND request method equals "POST"
Rate: 5 requests per 10 seconds per IP
Then: Block for 60 seconds
Rule: API rate limit
When: URI path starts with "/api/"
Rate: 100 requests per minute per IP
Then: Block for 120 seconds
Bot Management
Under Security → Bots, enable Bot Fight Mode (available on the free plan). This challenges requests from known bot networks. Be aware this can occasionally block legitimate bots — monitor your analytics.
DDoS Protection
Enabled by default on all plans. Under Security → DDoS, review the sensitivity levels. The defaults work well for most sites. Only adjust if you experience false positives.
Step 8: Page Rules
Cloudflare gives you 3 free page rules. Use them wisely. Navigate to Rules → Page Rules.
Force HTTPS
URL: http://dsncon.com/*
Setting: Always Use HTTPS
Note: This is now better handled via SSL/TLS → Edge Certificates → Always Use HTTPS toggle, which does not consume a page rule.
Redirect www to Apex (or Vice Versa)
URL: www.dsncon.com/*
Setting: Forwarding URL (301 - Permanent Redirect)
Destination: https://dsncon.com/$1
Alternatively, use Rules → Redirect Rules (the newer approach that does not consume page rules):
When: Hostname equals "www.dsncon.com"
Then: Dynamic redirect
Expression: concat("https://dsncon.com", http.request.uri.path)
Status code: 301
Note: http.request.uri.path does not include the query string. Tick "Preserve query string" in the rule (or use http.request.uri in the expression) if URLs with parameters must survive the redirect.
Cache Everything for a Static Section
URL: dsncon.com/docs/*
Settings:
Cache Level: Cache Everything
Edge Cache TTL: 1 month
Step 9: Speed Optimizations
Navigate to Speed → Optimization.
Brotli Compression
Enable under Speed → Optimization → Content Optimization. Brotli provides ~15–20% better compression than gzip. It is enabled by default on most plans — verify it is on.
Auto Minify
Minifies JavaScript, CSS, and HTML on the fly. Enable all three under Speed → Optimization → Content Optimization. This removes whitespace and comments from your code at the edge.
Note: Cloudflare has deprecated Auto Minify as of 2024 and recommends using build-time minification instead. If the option is still visible in your dashboard, it may be removed soon. Use tools like esbuild, terser, or your framework's built-in minification.
Rocket Loader
Defers loading of all JavaScript until after rendering. Found under Speed → Optimization → Content Optimization. This can significantly improve perceived load time but may break JavaScript-heavy applications. Test thoroughly. If your site uses frameworks like React, Vue, or Angular, you will likely need to keep this off.
Early Hints
Enable under Speed → Optimization → Content Optimization. Cloudflare sends 103 Early Hints responses to preload critical assets before the full response arrives. Free and zero risk — enable it.
HTTP/2 and HTTP/3
Both are enabled by default on Cloudflare. HTTP/3 (QUIC) can be toggled under Speed → Optimization → Protocol Optimization. Keep both enabled.
Troubleshooting
| Problem | Cause | Solution |
|---|---|---|
| Redirect loop (ERR_TOO_MANY_REDIRECTS) | SSL set to Flexible while server forces HTTPS | Set SSL to Full (Strict) |
| Site shows Cloudflare error 522 | Cloudflare cannot reach your origin server | Check firewall rules — allow Cloudflare IP ranges |
| Error 525 / 526 | SSL certificate issue on origin | Install valid cert, check expiry |
| Email not working after setup | MX or mail A record is proxied | Set mail-related records to DNS-only (grey cloud) |
| Stale content after deployment | Cloudflare serving cached version | Purge cache via dashboard or API |
| Real visitor IP not visible in logs | Server sees Cloudflare's IP instead | Use CF-Connecting-IP header or restore IPs via mod_cloudflare / ngx_http_realip_module |
| WebSocket connections failing | WebSockets not enabled or proxy misconfigured | Enable WebSockets under Network settings |
| Rocket Loader breaks site | JavaScript execution order changed | Disable Rocket Loader or add data-cfasync="false" to critical scripts |
Essential Diagnostic Commands
# Check nameservers
dig dsncon.com NS +short
# Check if Cloudflare is active (look for cf-ray header)
curl -sI https://dsncon.com | grep -i cf-ray
# Check SSL certificate chain
openssl s_client -connect dsncon.com:443 -servername dsncon.com 2>/dev/null | openssl x509 -noout -issuer -dates
# Check origin directly (bypass Cloudflare)
curl -sI --resolve dsncon.com:443:YOUR_SERVER_IP https://dsncon.com
# Verify Cloudflare IP ranges
curl https://www.cloudflare.com/ips-v4
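The commands above are meant to be read by eye. The script below is an added example, not part of this guide: it wraps the same checks in small parse-only helpers so they can run from a cron job or a deployment pipeline and fail loudly. Each helper reads command output on stdin, so the network call stays in the caller (check_zone at the bottom) and the parsers can be tested with constructed output. It assumes dig, curl and openssl are installed; the header values used in the test run are constructed, and the zone and origin IP are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original guide: parse-only helpers that
# interpret the output of the diagnostic commands above. Each reads the
# command output on stdin; check_zone runs the live commands and feeds them.

# Returns 0 when every line is a Cloudflare nameserver and at least two are
# present. Input: output of `dig <zone> NS +short`.
ns_on_cloudflare() {
    awk '
        /^[[:space:]]*$/ { next }
        { n++ }
        $0 !~ /\.ns\.cloudflare\.com\.?$/ { bad++ }
        END { exit (n >= 2 && bad == 0) ? 0 : 1 }'
}

# Returns 0 when the response passed through Cloudflare (cf-ray header set).
# Input: output of `curl -sI https://<zone>/`.
behind_cloudflare() {
    grep -qi '^cf-ray:'
}

# Prints the cf-cache-status value (HIT, MISS, DYNAMIC, BYPASS, ...) or NONE
# when the header is absent. Use it to confirm a Cache Rule hits the paths you
# expect and that /admin and /api/ do not come back as HIT.
# Input: output of `curl -sI https://<zone>/<path>`.
cache_status() {
    awk 'tolower($1) == "cf-cache-status:" { found = 1; v = $2 }
         END { sub(/\r$/, "", v); print (found ? v : "NONE") }'
}

# Returns 0 when the origin answers plain HTTP with a redirect to HTTPS. Such
# an origin loops under the Flexible SSL mode (Step 5), so this confirms the
# loop is a mode mismatch rather than an application bug.
# Input: output of `curl -sI http://<origin-ip>/ -H "Host: <zone>"`.
origin_forces_https() {
    awk '
        NR == 1 && $2 ~ /^30[1278]$/ { redir = 1 }
        tolower($1) == "location:" && tolower($2) ~ /^https:\/\// { https = 1 }
        END { exit (redir && https) ? 0 : 1 }'
}

# Returns 0 when the PEM certificate on stdin stays valid for at least N more
# days (default 14), 1 otherwise; relies on `openssl x509 -checkend`.
# Input: output of `openssl s_client -connect <origin-ip>:443 -servername <zone>`.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( ${1:-14} * 86400 ))" >/dev/null
}

# Runs the live checks against a zone and, optionally, its origin IP.
check_zone() {
    zone=$1; origin=$2
    if dig "$zone" NS +short | ns_on_cloudflare; then echo "NS: on Cloudflare"; else echo "NS: not (yet) on Cloudflare"; fi
    if curl -sI "https://$zone/" | behind_cloudflare; then echo "proxy: active"; else echo "proxy: not active (grey cloud or propagation pending)"; fi
    echo "cache status for /: $(curl -sI "https://$zone/" | cache_status)"
    if [ -n "$origin" ]; then
        if curl -sI "http://$origin/" -H "Host: $zone" | origin_forces_https; then
            echo "origin: forces HTTPS (Flexible mode would loop; use Full (Strict))"
        fi
        if openssl s_client -connect "$origin:443" -servername "$zone" </dev/null 2>/dev/null | cert_valid_for_days 14; then
            echo "origin cert: valid for 14+ days"
        else
            echo "origin cert: expires within 14 days or could not be read (error 525/526 risk)"
        fi
    fi
}

# Usage: sh cf_check.sh --check dsncon.com 203.0.113.50
case "${1:-}" in --check) shift; check_zone "$@" ;; esac
```

The origin checks are worth running from outside Cloudflare's network: if the plain-HTTP request to the origin IP answers at all, the origin is reachable without the proxy, which is exactly what the firewall allowlist in the best practices below is meant to prevent.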
Prevention & Best Practices
- Always use Full (Strict) SSL. There is no legitimate reason to use Flexible mode in production.
- Never proxy MX records. Email will break silently.
- Whitelist Cloudflare IPs on your firewall. Your server should only accept HTTP/HTTPS traffic from Cloudflare's IP ranges. This prevents attackers from bypassing Cloudflare by connecting directly to your origin.
- Use the CF-Connecting-IP header to log real visitor IPs instead of Cloudflare's proxy IPs.
- Set up monitoring. Use Cloudflare's analytics and set up alerts for spikes in error rates (5xx errors).
- Purge cache after deployments. Automate this with the Cloudflare API in your CI/CD pipeline:
curl -X POST "https://api.cloudflare.com/client/v4/zones/ZONE_ID/purge_cache" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"purge_everything":true}'
- Keep your origin certificate valid. Set a calendar reminder for renewal, or use Let's Encrypt with auto-renewal.
- Test changes in Development Mode. Under Caching → Configuration, enable Development Mode to temporarily bypass the cache during testing. It auto-disables after 3 hours.
- Use Redirect Rules instead of Page Rules for new setups. Page Rules are a legacy feature with limited slots. Redirect Rules, Cache Rules, and Configuration Rules offer more flexibility.
- Review security events regularly. Check Security → Events weekly to spot attack patterns and false positives.
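Two of the practices above, allowlisting Cloudflare's IP ranges on the origin firewall and logging the real visitor IP from CF-Connecting-IP, depend on the same published IP lists and go stale together. The script below is an added example, not part of this guide: it turns those lists into an nftables ruleset and an nginx real-IP snippet. The nftables table name, chain layout and output paths are this example's own choices; the CIDRs used in the test run are constructed documentation ranges, while fetch_cloudflare_ips pulls the real lists from the URLs the guide already uses.

```shell
#!/bin/sh
# Added example, not part of the original guide: generates origin-side
# configuration from Cloudflare's published IP lists: an nftables table that
# accepts ports 80/443 only from Cloudflare, and an nginx snippet that restores
# the visitor IP from CF-Connecting-IP. Table name, chain and paths are
# this example's assumptions, not Cloudflare recommendations.

# Both lists, one CIDR per line (the echo guards against a missing trailing newline).
fetch_cloudflare_ips() {
    curl -fsS https://www.cloudflare.com/ips-v4; echo
    curl -fsS https://www.cloudflare.com/ips-v6; echo
}

# Reads CIDRs on stdin, prints an nftables table: Cloudflare ranges may reach
# 80/443, everything else to those ports is dropped. Other ports (SSH, mail)
# are untouched by this table and belong in your main ruleset.
render_nftables() {
    awk '
        /^[[:space:]]*$/ { next }
        index($1, ":") { sep = (v6 == "") ? "" : ", "; v6 = v6 sep $1; next }
        { sep = (v4 == "") ? "" : ", "; v4 = v4 sep $1 }
        END {
            print "table inet cf_origin {"
            if (v4 != "") print "    set cloudflare_v4 { type ipv4_addr; flags interval; elements = { " v4 " } }"
            if (v6 != "") print "    set cloudflare_v6 { type ipv6_addr; flags interval; elements = { " v6 " } }"
            print "    chain input {"
            print "        type filter hook input priority 0; policy accept;"
            if (v4 != "") print "        tcp dport { 80, 443 } ip saddr @cloudflare_v4 accept"
            if (v6 != "") print "        tcp dport { 80, 443 } ip6 saddr @cloudflare_v6 accept"
            print "        tcp dport { 80, 443 } drop"
            print "    }"
            print "}"
        }'
}

# Reads CIDRs on stdin, prints nginx directives so $remote_addr becomes the
# real visitor IP, but only for requests that really came from Cloudflare:
# a CF-Connecting-IP header arriving from any other source is ignored.
render_nginx_realip() {
    awk '
        /^[[:space:]]*$/ { next }
        { print "set_real_ip_from " $1 ";" }
        END { print "real_ip_header CF-Connecting-IP;" }'
}

# Usage (output paths are examples):
#   fetch_cloudflare_ips | render_nftables     > /etc/nftables.d/cloudflare.nft
#   fetch_cloudflare_ips | render_nginx_realip > /etc/nginx/conf.d/cloudflare-realip.conf
# Re-run on a schedule: the ranges change occasionally, and a stale allowlist
# shows up as error 522 (Cloudflare cannot reach your origin).
case "${1:-}" in
    --nft)   fetch_cloudflare_ips | render_nftables ;;
    --nginx) fetch_cloudflare_ips | render_nginx_realip ;;
esac
```

Restricting set_real_ip_from to the same ranges as the firewall matters: trusting CF-Connecting-IP from any source would let a direct request choose what address your logs, rate limits and fail2ban-style tooling see.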
Need Expert Help?
Want Cloudflare set up properly? €39, one domain, 30 minutes.