How to Set Up Cloudflare CDN

Key idea:

Cloudflare is the most popular free CDN, bundling DDoS protection and SSL. Setup takes 15 min: 1) register, 2) add the site and import DNS, 3) switch nameservers to Cloudflare at the registrar, 4) wait for propagation (1-24h), 5) enable Proxy (orange cloud) for A/AAAA records. SSL is automatic (Full or Full Strict). Free tier: unlimited bandwidth, 100k req/s, 3 Page Rules.

Below: step-by-step, working examples, common pitfalls, FAQ.

Step-by-Step Setup

  1. Register free account: cloudflare.com
  2. Add site: cloudflare.com → Add Site → enter domain
  3. Cloudflare scans existing DNS — review imported records
  4. Update nameservers: at registrar (reg.ru, GoDaddy, etc.) → change NS to assigned CF nameservers (e.g. craig.ns.cloudflare.com, isla.ns.cloudflare.com)
  5. Wait for propagation: Enterno DNS Checker shows when it is done
  6. Proxy (orange cloud): enable for A/AAAA with HTTP traffic. Off (grey) for MX (mail)
  7. SSL/TLS mode: Full (strict) if origin has valid cert; Full if self-signed; Flexible (NOT safe) if no origin SSL
  8. Always Use HTTPS: toggle on — auto 301 HTTP → HTTPS
  9. Cache: default fine. For static-heavy: Page Rule "Cache Everything"

Working Examples

Scenario: Page Rule: cache static assets
Config:

    URL: example.com/*.(css|js|png|jpg|woff2)
    Settings:
      Cache Level: Cache Everything
      Edge Cache TTL: 1 month
      Browser Cache TTL: 1 year

Scenario: Page Rule: bypass cache for admin
Config:

    URL: example.com/admin/*
    Settings:
      Cache Level: Bypass
      Disable Performance

Scenario: nginx real IP (behind Cloudflare)
Config:

    # Without this = CF IP
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 103.21.244.0/22;
    # ... (full list: https://www.cloudflare.com/ips-v4)
    real_ip_header CF-Connecting-IP;

Scenario: Firewall Rule: block country
Config:

    # Cloudflare Dashboard → Security → WAF → Create rule
    Field: Country
    Operator: equals
    Value: CN, KP
    Action: Block

Scenario: Tunnel (no open ports on origin)
Config:

    # Cloudflared tunnel: zero-trust connect
    # No need to expose 80/443 on origin firewall
    cloudflared tunnel create my-tunnel
    cloudflared tunnel route dns my-tunnel example.com
    cloudflared tunnel run my-tunnel

Common Pitfalls

  • Flexible SSL mode — UNSAFE (HTTP between CF and origin). Use Full (Strict) with valid cert
  • Orange cloud for mail MX — breaks mail. Keep MX grey (DNS only)
  • Cache misses: if origin sets Cache-Control: private, CF does not cache. Check response headers
  • Real IP: without set_real_ip_from, backend sees all requests from CF IPs
  • Rate limit free tier: 3 Page Rules, 1 Cache Rule. For enterprise needs — Pro $20/mo
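
The Real IP pitfall has a second half: CF-Connecting-IP is only trustworthy when the connection itself comes from a Cloudflare range, which is what set_real_ip_from enforces. The sketch below is an added example, not code from the original page; it mirrors that trust decision and flags requests that reached the origin directly. The function names, the sample requests and the exact-case header lookup are assumptions, and only the two ranges quoted on this page are loaded.

```python
import ipaddress

# Only the two ranges shown on this page; load the full list from
# https://www.cloudflare.com/ips-v4 before relying on this.
CF_RANGES = [ipaddress.ip_network(n) for n in ("173.245.48.0/20", "103.21.244.0/22")]


def from_cloudflare(peer: str) -> bool:
    """True if the TCP peer address belongs to a trusted Cloudflare range."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in CF_RANGES)


def client_ip(peer: str, headers: dict) -> str:
    """Mirror set_real_ip_from + real_ip_header: honour CF-Connecting-IP
    only when the connection itself comes from Cloudflare."""
    claimed = headers.get("CF-Connecting-IP")
    if claimed and from_cloudflare(peer):
        try:
            return str(ipaddress.ip_address(claimed.strip()))
        except ValueError:
            pass  # malformed header value: fall back to the peer address
    return peer


def direct_hits(requests):
    """Return requests that reached the origin without passing through Cloudflare."""
    return [r for r in requests if not from_cloudflare(r["peer"])]


# Constructed sample requests (hypothetical data, not real traffic).
SAMPLE = [
    {"peer": "173.245.48.10", "headers": {"CF-Connecting-IP": "198.51.100.7"}, "path": "/"},
    {"peer": "203.0.113.50", "headers": {"CF-Connecting-IP": "10.0.0.1"}, "path": "/admin/"},
    {"peer": "103.21.244.9", "headers": {}, "path": "/health"},
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r["peer"], "->", client_ip(r["peer"], r["headers"]), r["path"])
    print("direct-to-origin:", [r["peer"] for r in direct_hits(SAMPLE)])
```

A non-empty direct-to-origin list means the origin IP is reachable outside Cloudflare, so the WAF and cache rules above are not applied to that traffic.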

Frequently Asked Questions

Is Cloudflare really free?

Yes, unlimited bandwidth, 100k req/s, DDoS protection, SSL. Paid adds: more rules, advanced WAF, analytics depth, prioritization.

Is origin still accessible directly?

Yes, if its IP is known. Hide it via Cloudflare Tunnel (cloudflared), which needs no public IP, or firewall the origin so that only CF IPs are whitelisted.

Works in Russia?

Cloudflare is reachable, but there may be routing issues with Tier-2 ISPs. For primary RU audience — Yandex Cloud CDN may be faster.

How to purge cache?

Dashboard → Caching → Purge Cache → all files or specific URLs. Via the API:

    curl -X POST "https://api.cloudflare.com/client/v4/zones/ZONE_ID/purge_cache" \
      -H "Authorization: Bearer TOKEN" \
      -H "Content-Type: application/json" \
      -d '{"purge_everything":true}'