At this point we are using Cloudflare as follows:
1. As our authoritative DNS - Cloudflare facilitates fast and secure DNS lookups as soon as your visitors open their browsers and type in our domain name. Additionally, we should create a CNAME record for “www”, redirecting it to makerflare.com (our base domain). This ensures that visitors reach the same content if they type www.makerflare.com or makerflare.com into their browsers.
2. Cloudflare Universal SSL – Provides secure and encrypted connections between your visitors and Cloudflare, and also between Cloudflare and your origin server. We also need to turn on the option to “Always Use HTTPS”, so that visitors trying to access http://makerflare.com get redirected to https://makerflare.com (which offers a secure connection).
3. Argo Tunnel – Allows our Raspberry Pi to establish the fastest possible connection to Cloudflare’s vast network. All visitor web traffic will flow to your origin through this secure, encrypted and highly available tunnel. We also enabled load balancing for Argo Tunnel in the config.yml file we created for the Cloudflared agent in Part 5. More on this topic in Part 9.
There is still some further configuration to be done.
We can now configure Cloudflare’s Firewall for added protection. First, we can block all incoming ports to your origin because we are using Argo Tunnel (which creates a persistent, encrypted and secure tunnel for network traffic). We had previously created some rules to allow incoming traffic on ports 80, 443, and 5900. These can now be removed.
sudo ufw delete allow 80
sudo ufw delete allow 443
sudo ufw delete allow 5900
Now let’s set up our Web Application Firewall (WAF) by first logging into the Cloudflare Dashboard (dash.cloudflare.com). Now, navigate to the “Managed Rules” tab.
Turn on the WAF if it is currently disabled.
Configure the managed ruleset as you see fit. We’ve enabled the rules for Cloudflare Php, Cloudflare Miscellaneous, and Cloudflare Specials.
Further rules can be set and turned on. We’ve enabled the OWASP Core Rule Set and set the sensitivity to “Medium”, and the action to “Challenge”.
This should give our site adequate protection. Note that Cloudflare also prevents flooding type DDoS attacks by default. This does not require any further configuration.
Cloudflare’s CDN is primarily used to cache static content from your site, making it available at the data centers closest to your visitors. You can learn more about CDN and caching here: https://www.cloudflare.com/learning/cdn/what-is-a-cdn/
Another advantage of Cloudflare’s caching technology is that it can be used to keep your website alive even if your origin server is unavailable. This functionality is called “always online”.
Log into the Cloudflare Dashboard and navigate to the Caching tab. Then set the caching level to “Standard”, and the TTL to “1 day”. Now turn on “Always Online”. Finally, let’s create a Page Rule to cache all content (not just static images and html) for your site.
Navigate to “Page Rules”, create a new Page Rule. Type in your domain name and wildcards in this format:
Select “Cache Level” from the dropdown, and then “Cache Everything”. Save and deploy the rule.
Cloudflare’s crawler will automatically cache your site and make a copied version available to visitors even if your origin becomes unavailable.
We've learnt how to configure Cloudflare to protect and improve performance of our site.