HON’s Wiki # Cloudflare

Home / Cloud

Contents

• DNS Hosting
• HTTP Reverse Proxy

Mostly a list of how I like things in Cloudflare, for the very few features I use.

DNS Hosting

• Plan: Free
• DNS:
  • DNSSEC: Yes (no multi-signer)
• Boilerplate records (using zone “example.net”):
  • CNAME @ "mario.example.net" (where the main site is hosted)
  • CNAME www "mario.example.net" (for redirect til non-www)
  • TXT @ "v=spf1 include:_spf.google.com ~all" (including Google-mail, remove include: if not used)
  • TXT * "v=spf1 ~all" (avoid mail from random subdomains)
  • TXT _dmarc "v=DMARC1; p=quarantine; pct=100;"

HTTP Reverse Proxy

• DNS proxy status (traffic through Cloudflare):
  • Enabled for most HTTP/HTTPS sites that behave properly and I want better cached performance and extra security for (e.g. main site).
• SSL/TLS:
  • Mode: Full (strict) (with exception through page rules)
  • Always use HTTPS: Yes
  • HSTS: On, no max-age, don’t include subdomains, preload.
  • Minimum TLS version: 1.2
  • Origin certificates: Create for websites served through Cloudflare. Or just use Let’s Encrypt (requires a non-HTTPS page rule for HTTP challenge).
  • Authenticated Origin Pulls: Yes. Must be configured on the hosting webserver too to prevent direct connections.
• Security:
  • Security level: Low or Medium (default)
• Caching:
  • Boilerplate rules (example sites):
    • “No cache (example.net)” (if the main site doesn’t like caching, disable it):
      • When: hostname equals "example.net"
      • Then: Bypass cache.
• Rules:
  • Normalization type: Cloudflare (default)
  • Normalize incoming URLs: True (default)
  • Boilerplate rules (example sites):
    • “ACME Flexible SSL” (configuration rule):
      • When: URI Path starts with "/.well-known/acme-challenge/"
      • Then: SSL mode Flexible.
    • “Remove WWW” (redirect rule):
      • When: Hostname equals "www.example.net"
      • Then: Dynamic, concat("https://example.net", http.request.uri.path), 301 (permanent), preserve query string.
    • “Redirect to other site” (redirect rule) (if this domain doesn’t have its own main site):
      • When: Hostname equals "example.example"
      • Then: Static, https://example.net, 303 (temporary, see other).
• Network:
  • Websockets: On
  • gRPC: On

---

hon.one | HON95/wiki | Edit page