Use Cloudflare Proxy for Free SSL and DDoS Protection

Cloudflare Proxy and Security

Using Cloudflare to proxy your website is one of the easiest ways to add free SSL certificates, basic DDoS protection, and improved performance to any website. Whether you're running WordPress, a custom site, or any web application, Cloudflare's free proxy service can significantly improve your website's security and performance.

This guide covers how to set up Cloudflare proxy for your domain, what benefits you get, and important considerations about DDoS protection limitations.

TL;DR

  • Free SSL: Cloudflare provides free SSL certificates automatically for proxied domains
  • DDoS protection: Requests going through Cloudflare's proxy are protected, but direct IP attacks can still hit your origin server
  • Easy setup: Add your domain to Cloudflare, change nameservers, enable proxy (orange cloud)
  • Free tier: Cloudflare's free plan includes proxy, SSL, and basic DDoS protection
  • Important caveat: If attackers know your origin server's IP address, they can bypass Cloudflare and attack directly
  • Additional security: Consider IP restrictions or firewall rules on your origin server

What Is Cloudflare Proxy?

Cloudflare proxy (indicated by the orange cloud icon in Cloudflare DNS) routes your website traffic through Cloudflare's global network before it reaches your origin server. Instead of visitors connecting directly to your server, they connect to Cloudflare, which then forwards requests to your server.

This provides several benefits:

  • Free SSL certificates: Cloudflare handles SSL/TLS encryption between visitors and Cloudflare
  • DDoS mitigation: Cloudflare filters malicious traffic before it reaches your server
  • Performance improvements: Content caching and Cloudflare's CDN can speed up your site
  • IP hiding: Your origin server's IP address is hidden from most visitors (though not completely)

Free SSL Certificates

One of the biggest benefits of using Cloudflare proxy is automatic free SSL certificates. Cloudflare provides SSL/TLS encryption between your visitors and Cloudflare's edge network. This means your website can use HTTPS without purchasing or managing SSL certificates yourself.

How Cloudflare SSL Works

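  • Flexible SSL: Encrypts traffic between visitors and Cloudflare only; Cloudflare connects to your origin server over plain HTTP, so that leg is unencrypted (for origins that don't have SSL)
  • Full SSL: Encrypts traffic end-to-end, including between Cloudflare and your origin server (requires SSL on your origin server; the origin certificate is not validated, so a self-signed certificate is accepted)
  • Full (Strict): Most secure option; encrypts end-to-end and also validates your origin server's SSL certificate

For most websites, Flexible SSL works fine and requires no changes to your origin server. Keep in mind that in Flexible mode visitors see HTTPS while the Cloudflare-to-origin leg still travels in plaintext, so move to Full or Full (Strict) once your origin can serve a certificate. Cloudflare automatically provisions and renews SSL certificates for your domain.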

DDoS Protection: What You Get and What You Don't

This is where understanding the limitations matters. Cloudflare's DDoS protection is effective, but it's not absolute.

What Cloudflare Protects Against

Requests going through Cloudflare's proxy are protected. This includes:

  • All legitimate website traffic using your domain name
  • Attacks targeting your domain name through Cloudflare
  • Layer 7 (HTTP/HTTPS) attacks coming through Cloudflare
  • Many types of volumetric attacks targeting your domain

Cloudflare's free tier includes basic DDoS protection that can handle significant attack volumes. For most small to medium websites, this is more than sufficient.

The Critical Limitation: Direct IP Attacks

Important caveat: If attackers know your origin server's IP address, they can bypass Cloudflare entirely and attack your server directly. Cloudflare's proxy only protects traffic that goes through Cloudflare's network.

If someone attacks your server's IP address directly (not through your domain name), Cloudflare cannot protect you because the attack never touches Cloudflare's network. This is a fundamental limitation of any proxy service, not just Cloudflare.

How Attackers Might Discover Your IP

  • Historical DNS records: Old DNS records or cached records might show your real IP
  • Email headers: If your server sends email, email headers might reveal your IP
  • SSL certificate transparency logs: Certificates issued directly to your IP might be in public logs
  • Subdomain misconfiguration: If you have subdomains pointing directly to your IP (not proxied)
  • Web server headers: Some server configurations leak IP information
  • Social engineering or leaks: IP addresses can be discovered through various means

Additional Protection Measures

Because direct IP attacks can bypass Cloudflare, consider these additional measures:

  • Firewall rules: Configure your server firewall to only accept connections from Cloudflare IP ranges (Cloudflare publishes their IP ranges)
  • Server-level DDoS protection: Use your hosting provider's DDoS protection if available
  • Rate limiting: Implement rate limiting on your origin server
  • Monitoring: Monitor your server for direct IP attacks
  • IP rotation: Some hosting providers allow changing your server IP if it's compromised

Bottom line: Cloudflare provides excellent protection for traffic going through their proxy, but it's not a silver bullet. If attackers know your IP and target it directly, your origin server can still be attacked. Use Cloudflare as part of a layered security strategy, not as the only protection.
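The firewall-rule measure listed above, as an added example that is not part of the original article: a Python sketch that validates a one-CIDR-per-line range list and renders an nftables rule set admitting ports 80 and 443 only from those ranges. The table and set names (cf_origin, cf4, cf6), the sanity floor on prefix length, and the sample ranges are assumptions made for illustration; the sample uses documentation addresses, not Cloudflare's real ranges.

```python
import ipaddress

# Constructed sample in a one-CIDR-per-line format. These are documentation
# ranges, NOT Cloudflare's real ones; feed in the published list instead.
SAMPLE_RANGES = "192.0.2.0/24\n198.51.100.0/24\n2001:db8::/32\n"

# Assumed sanity floor: an entry broader than this would defeat the allowlist.
MIN_PREFIX = {4: 8, 6: 16}


def parse_ranges(text):
    """Validate each line as a CIDR and split into IPv4 and IPv6 lists."""
    nets = {4: [], 6: []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        net = ipaddress.ip_network(line, strict=True)  # ValueError on junk
        if net.prefixlen < MIN_PREFIX[net.version]:
            raise ValueError(f"range too broad to trust: {net}")
        nets[net.version].append(net)
    if not nets[4] and not nets[6]:
        # An empty or truncated download must not become "drop all web traffic".
        raise ValueError("no ranges parsed")
    return nets


def render_nftables(nets, ports=(80, 443)):
    """Render an nftables table admitting the web ports only from `nets`."""
    dports = "{ " + ", ".join(str(p) for p in ports) + " }"
    out = ["table inet cf_origin {"]
    for ver, name, typ in ((4, "cf4", "ipv4_addr"), (6, "cf6", "ipv6_addr")):
        out += [f"  set {name} {{", f"    type {typ}", "    flags interval"]
        if nets[ver]:  # skip the elements line when a family has no ranges
            out.append("    elements = { " + ", ".join(map(str, nets[ver])) + " }")
        out.append("  }")
    out += [
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    tcp dport {dports} ip saddr @cf4 accept",
        f"    tcp dport {dports} ip6 saddr @cf6 accept",
        f"    tcp dport {dports} drop",
        "  }",
        "}",
    ]
    return "\n".join(out)
```

Write the returned text to a file and check it with nft -c -f before loading it. The rule set only touches the listed web ports, so SSH and mail are unaffected.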

Setting Up Cloudflare Proxy

Setting up Cloudflare proxy is straightforward:

Step 1: Create a Cloudflare Account

  1. Go to dash.cloudflare.com/sign-up
  2. Create a free account (or use existing account)
  3. Verify your email address

Step 2: Add Your Domain

  1. In Cloudflare dashboard, click Add a Site
  2. Enter your domain name (e.g., example.com)
  3. Select a plan (Free plan is sufficient for most sites)
  4. Click Continue

Step 3: Configure DNS Records

Cloudflare will scan your current DNS records and import them. Review the records and ensure they're correct. For each record you want proxied:

  • Ensure the Proxy status shows an orange cloud icon (proxied)
  • If it shows a gray cloud, click it to enable proxy

Important records to proxy:

  • A record for your root domain (e.g., example.com)
  • A record for www subdomain if you use it
  • Other subdomains you want protected (optional)

Records you typically don't proxy:

  • Mail servers (MX records) - keep these as gray cloud (DNS only)
  • Some API subdomains if they need direct IP access
  • Other services that require direct server access

Step 4: Change Nameservers

Cloudflare will provide you with two nameservers (e.g., linda.ns.cloudflare.com and rick.ns.cloudflare.com). You need to update your domain's nameservers at your domain registrar:

  1. Copy the nameservers provided by Cloudflare
  2. Log into your domain registrar (where you bought the domain)
  3. Find your domain's nameserver settings
  4. Replace the existing nameservers with Cloudflare's nameservers
  5. Save the changes

DNS changes can take 24-48 hours to propagate, though often it's much faster (minutes to a few hours). Once propagation is complete, your domain will be using Cloudflare.

Step 5: Configure SSL Settings

Once your domain is active on Cloudflare:

  1. Go to SSL/TLS in the Cloudflare dashboard
  2. Select Flexible mode (if your origin server doesn't have SSL) or Full mode (if your origin server has SSL)
  3. Cloudflare will automatically provision an SSL certificate

Within a few minutes, your website should be accessible via HTTPS. Cloudflare handles certificate provisioning and renewal automatically.

Performance Benefits

Beyond SSL and DDoS protection, Cloudflare proxy provides performance benefits:

  • Global CDN: Content is cached and served from Cloudflare's edge locations worldwide
  • Faster page loads: Static content is cached, reducing load on your origin server
  • Reduced bandwidth: Cached content doesn't hit your origin server, saving bandwidth
  • HTTP/2 and HTTP/3: Cloudflare supports modern protocols for faster connections

Cloudflare Free Plan Limitations

The free plan includes:

  • Unlimited bandwidth
  • Free SSL certificates
  • Basic DDoS protection
  • CDN and caching
  • Analytics (basic)

The free plan is sufficient for most websites. Paid plans add features like:

  • Advanced DDoS protection
  • WAF (Web Application Firewall) rules
  • Image optimization
  • Enhanced analytics
  • Page rules and more configuration options

Important Considerations

Email Functionality

If you use email on your domain:

  • Do NOT proxy MX records (mail server records) - keep them as gray cloud (DNS only)
  • Email will continue to work normally as long as MX records aren't proxied
  • Cloudflare doesn't interfere with email when MX records are DNS-only

Server Configuration

When using Cloudflare proxy:

  • Your origin server should still be accessible (Cloudflare needs to connect to it)
  • You can configure your server to only accept connections from Cloudflare IPs for additional security
  • Monitor your server logs - you'll see Cloudflare IPs in logs, not visitor IPs (unless you configure Cloudflare to pass real IP headers)

Real Visitor IP Addresses

By default, your server logs will show Cloudflare IP addresses instead of real visitor IPs. To get real visitor IPs:

  • Configure Cloudflare to pass real visitor IP headers
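  • Update your server/application to read the CF-Connecting-IP header, and only trust it on connections that arrive from Cloudflare IP ranges, since a client that reaches your origin directly can set the header itself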
  • Many applications (like WordPress) have plugins or modules to handle this automatically
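The real-visitor-IP handling described above, together with the earlier advice to monitor for direct IP traffic, as an added example that is not from the original article: the CF-Connecting-IP header is honoured only when the TCP peer is inside a trusted proxy range, and requests that reached the origin directly are flagged. The function names, the verdict labels, the TRUSTED list and the sample requests are assumptions; the addresses are documentation ranges standing in for Cloudflare's published list.

```python
import ipaddress

# Assumption: TRUSTED holds the proxy ranges you also allow at the firewall.
# Documentation ranges stand in for Cloudflare's published list here.
TRUSTED = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]

# Constructed sample records: (TCP peer address, CF-Connecting-IP header or None)
SAMPLE_REQUESTS = [
    ("192.0.2.10", "203.0.113.7"),     # proxied request, header set by the proxy
    ("198.51.100.99", "203.0.113.7"),  # direct hit carrying a forged header
    ("198.51.100.99", None),           # direct hit, no header
    ("192.0.2.10", "not-an-ip"),       # proxied, malformed header
    ("2001:db8::5", "203.0.113.44"),   # proxied over IPv6
]


def from_proxy(peer):
    """True when the TCP peer is inside one of the trusted proxy ranges."""
    addr = ipaddress.ip_address(peer)
    return any(addr.version == n.version and addr in n for n in TRUSTED)


def resolve_client(peer, header):
    """Return (client_ip, verdict) for one request.

    The header is honoured only when the connection itself came from a
    trusted proxy range; anyone who reaches the origin directly can set it.
    """
    if not from_proxy(peer):
        return peer, "direct-to-origin"
    try:
        return str(ipaddress.ip_address((header or "").strip())), "proxied"
    except ValueError:
        return peer, "proxied-bad-header"


def summarize(requests):
    """Resolve every request and collect peers that bypassed the proxy."""
    resolved = [resolve_client(p, h) for p, h in requests]
    direct = sorted({ip for ip, verdict in resolved if verdict == "direct-to-origin"})
    return resolved, direct
```

A non-empty list of direct peers means the origin address is known outside Cloudflare and the firewall is not yet restricting the web ports.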

When to Use Cloudflare Proxy

Cloudflare proxy is a good choice when:

  • You want free SSL certificates without managing certificates yourself
  • You need basic DDoS protection for your website
  • You want to improve website performance with CDN caching
  • You want to hide your origin server IP from casual observation
  • You're running WordPress, static sites, or most web applications

Cloudflare proxy may not be suitable when:

  • You need direct IP access for specific services
  • You have applications that require special IP-based authentication
  • You need advanced WAF rules (requires paid plan)
  • Your application has specific requirements that conflict with proxying

Conclusion

Using Cloudflare to proxy your website is an excellent way to add free SSL certificates, basic DDoS protection, and performance improvements to almost any website. The free tier is powerful and sufficient for most sites.

However, it's important to understand that Cloudflare's DDoS protection applies to traffic going through their proxy. If attackers know your origin server's IP address and attack it directly, Cloudflare cannot protect you. Use Cloudflare as part of a layered security strategy, and consider additional firewall rules or server-level protections for complete coverage.

For most websites, the benefits far outweigh the limitations. Free SSL, basic DDoS protection, and improved performance make Cloudflare proxy a no-brainer for most web projects.
