Protecting a web server using Cloudflare

Prerequisites

To use this, you'll need:

  • Comfort with changing domain registration settings in your registrar of choice;
  • a registrar that lets you change the domain's nameservers to two custom nameservers;
  • a registrar that can hold a DNSSEC DS record with signature algorithm 13 (ECDSA P-256/SHA-256) and digest type 2 (SHA-256), if you want to enable DNSSEC later;
  • an HTTPS website that is already online, with port 443 reachable from the internet.

Procedure

If you have everything that you need, you can proceed.

  1. Go to cloudflare.com.
  2. If you don't already have an account with Cloudflare, you'll need to sign up for one. If you do, skip to step 4.
  3. Give Cloudflare a reliable email address, as this is where important updates on the status of your domain protection will come from. Make sure that you type in your password correctly, as Cloudflare's sign-up form has only a single password field with no confirmation. Once you're in, turn on two-factor authentication for the account: whoever controls this account controls your DNS.
  4. You'll now need to add a site. On the Free plan you can only add a root (registrable) domain, not a subdomain. So you couldn't add kakuna.sejinkim.net on its own, but you could add sejinkim.net and protect kakuna.sejinkim.net as one of its DNS records.
  5. If you don't need any of the more advanced features (check Cloudflare's plan comparison for details), then the Free plan should work just fine. Note: if you are processing card information or require PCI DSS compliance, expect to pay for one of the higher plans; the managed WAF rules you'll want for that aren't part of the Free tier.
  6. Now, review the DNS records. Cloudflare will attempt to detect all of the existing DNS records for your domain automatically, but it doesn't always find everything. Look specifically for the hostname(s) that you are trying to protect.
  7. If you don't see a DNS record for the target site, you'll need to re-add it in Cloudflare. This shouldn't interfere with normal site operations, but you should still put some sort of banner on the site informing users that there may be moments of unexpected downtime. Note: only records with the orange cloud (proxy) icon enabled are routed through Cloudflare; a grey cloud (DNS only) record publishes your origin's real IP address and gets no protection at all. Once a record is proxied, Cloudflare can also serve a cached copy of the site if the origin goes down (taken down by attackers or as part of scheduled maintenance). That feature is called Always Online, is free, and is covered below.
  8. To re-add a missing DNS record, go to your existing DNS host (usually your registrar) and find the current records. You'll probably need to recreate both an A record (the server's IP address) and a CNAME record (for example, www pointing at the root name), so note the IP address of the server AND the exact name each record answers for.
  9. Recreate those exact records in Cloudflare's DNS settings, with the proxy enabled. If there ever were a time for your site to be inaccessible to new users (most existing users will probably have a cached version that their web browser might serve instead), this is the time. Cloudflare activates the records almost immediately, but depending on the TTL of the old records the new answers can take up to 48 hours to reach everyone.
  10. You'll then be asked if you'd like to transfer your domain name to Cloudflare Registrar instead of keeping your existing registrar. If you like your existing registrar and you don't mind having your DDoS protection separate from your registrar, you can just select the default method. If you really hate your registrar (say, they're overpricing you or they treat you like garbage), then you could transfer the domain and use Cloudflare Registrar instead. Refer to Cloudflare's documentation.
  11. If you've chosen to stay with your existing registrar, you'll then be asked to change your nameservers, as they're almost certainly not the ones Cloudflare needs. Log into your registrar's settings for the domain, and you should find a section to change the nameservers. Remove the existing nameservers, and replace them with the two nameservers Cloudflare assigned to your zone. Make sure you type these in correctly! Caveat: if DNSSEC was already enabled with your old DNS host, delete the old DS record at the registrar before switching, otherwise validating resolvers will reject Cloudflare's answers (which aren't signed with the old key) and the domain will go dark until you complete the DNSSEC steps below.
  12. Now, depending on your registrar, you'll have to wait for them to process the nameserver change. This can take up to 24 hours, but most of the time, it happens within 10 minutes. Just be patient.
  13. At this point, your site is proxied. Once the nameserver change has gone through and Cloudflare is able to reach the origin, you should be able to go to the dashboard and see that Cloudflare is now protecting your site! (yay!) One caveat: Cloudflare only sits in front of traffic that arrives through Cloudflare. Anyone who already knows (or can discover) your origin's IP address can still hit port 443 directly and skip every protection described here, so configure the server's firewall to accept HTTPS only from Cloudflare's published IP ranges (https://www.cloudflare.com/ips/).
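The origin-lockdown caveat in step 13, worked through as an added example (this is not code from the original guide): given the addresses a hostname currently resolves to, flag any that aren't Cloudflare's (a DNS-only record, or a record that was never proxied), and emit an nftables allow-list so port 443 only answers to Cloudflare. CLOUDFLARE_V4 is a snapshot of https://www.cloudflare.com/ips-v4 and must be refreshed from there before use (the IPv6 ranges at /ips-v6 are handled the same way and left out here); the hostnames and answers in SAMPLE_RECORDS are constructed, not live lookups.

```python
"""Flag DNS answers that bypass Cloudflare and emit an nftables allow-list for the origin.

Added example, not part of the original guide. CLOUDFLARE_V4 is a snapshot of
https://www.cloudflare.com/ips-v4 and must be refreshed from there before use
(IPv6 ranges from /ips-v6 are left out to keep the example short); the answers
in SAMPLE_RECORDS are constructed, not live lookups.
"""
import ipaddress
from typing import Dict, List

CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare(ip: str) -> bool:
    """True if the address belongs to one of Cloudflare's proxy ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def audit(records: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each hostname to the addresses that are NOT Cloudflare's.

    A proxied (orange-cloud) record resolves to Cloudflare; anything else is a
    DNS-only record that hands out the origin's real address. Hostnames that
    are fully proxied are omitted from the result.
    """
    exposed = {}
    for host, ips in records.items():
        direct = [ip for ip in ips if not is_cloudflare(ip)]
        if direct:
            exposed[host] = direct
    return exposed


def nft_rules(port: int = 443) -> str:
    """nftables ruleset: accept TCP/port from Cloudflare only, drop it from everyone else.

    Everything else on the host is left alone (policy accept) so this can be
    loaded next to an existing firewall; load with `nft -f origin.nft`.
    """
    elements = ", ".join(str(n) for n in CLOUDFLARE_V4)
    return "\n".join([
        "table inet origin {",
        "  set cloudflare_v4 {",
        "    type ipv4_addr",
        "    flags interval",
        f"    elements = {{ {elements} }}",
        "  }",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    tcp dport {port} ip saddr @cloudflare_v4 accept",
        f"    tcp dport {port} drop",
        "  }",
        "}",
    ])


# Constructed sample: www is proxied, but a leftover DNS-only "origin" record
# still publishes the server's real address (203.0.113.0/24 is a documentation range).
SAMPLE_RECORDS = {
    "www.example.com": ["104.16.123.45", "104.16.124.45"],
    "origin.example.com": ["203.0.113.5"],
}

if __name__ == "__main__":
    for host, ips in audit(SAMPLE_RECORDS).items():
        print(f"WARNING: {host} bypasses Cloudflare via {', '.join(ips)}")
    print(nft_rules())
```

To check a real zone, feed audit() the output of `dig +short A <hostname>` for every hostname you care about (including any you think nobody knows about: old "origin", "mail" or "dev" records are the usual leak). Remember that the allow-list only holds while the snapshot matches Cloudflare's current list, so refresh it on a schedule.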

There are some things that you might want to consider setting up at this point, even though your site is now theoretically protected.

  • If you go to the Analytics app, you'll see that your web server is seeing no traffic! This is normal! Cloudflare's analytics are aggregated and delayed rather than live; data typically shows up with a lag of up to an hour, depending on your plan and on traffic volume. Don't panic!
  • You should probably enable DNSSEC. DNSSEC lets resolvers verify that the answers for your zone were signed with your key, which prevents DNS spoofing and forged DNS answers. To do so:
    1. Go to the DNS app in the Cloudflare administration console.
    2. Scroll down to the DNSSEC section. You should see a button to enable DNSSEC. Click on this.
    3. Cloudflare will now generate a key pair. At the bottom of the container, click on the dropdown for the DS Record.
    4. Now, you need to go to your domain registrar's administration console. Find the DNSSEC section, typically under the DNS settings.
    5. Under the Cloudflare console, find the key tag, which is a one- to five-digit number.
    6. In your registrar's console, create a new DS record. Paste in the key tag from Cloudflare.
    7. In your registrar's console, set the algorithm to 13: ECDSA/P-256/SHA-256. This setting is typically in a dropdown menu or a list of radio buttons.
    8. In your registrar's console, set the digest type to 2: SHA-256. This setting is typically in a dropdown menu or a list of radio buttons.
    9. Back in the Cloudflare console, find the digest. This is a long string of hex-encoded information (64 hex characters for SHA-256). Copy this. Note: make sure that you're copying only the digest, not the full DS record. The DS record is the whole line (key tag, algorithm, digest type AND digest); the digest is just its last field.
    10. Back in your registrar's console, paste the digest into the field.
    11. Double-check your work! If any field is wrong, validating resolvers will treat every answer for your zone as bogus, and your website will be unreachable for anyone behind them.
    12. Add or apply the DS record in your registrar's console.
    13. Wait for the change to become active. This is often a matter of seconds, but some registries only push DS changes into the TLD zone periodically, so it can take longer.
    14. Force a refresh and reload of the Cloudflare administration console, which you can do by holding down the shift key while clicking the refresh button.
    15. If you scroll back down to the DNSSEC section, you should see a green checkmark indicating that the zone is now protected with DNSSEC.
  • In the SSL/TLS tab, set your SSL/TLS encryption mode to Full (strict), not plain Full. Both encrypt the Cloudflare-to-origin hop, but Full accepts any certificate from the origin, including an expired or self-signed one, so it doesn't actually authenticate your server. Full (strict) requires a certificate that is valid for the hostname; a free Cloudflare Origin CA certificate installed on the origin satisfies it. Never use Flexible: that leaves the hop between Cloudflare and your server as plain HTTP.
  • If you know that many of your attacks originate from certain countries, you can create a new firewall rule. To do so:
    1. Go to the Firewall app in the Cloudflare administration console.
    2. Go to the Firewall Rules tab in the applet.
    3. Create a new firewall rule.
    4. Give the firewall rule a friendly name, say "JS challenge for Canada".
    5. Under the incoming requests filter, set the field to Country, the operator to "equals", and the value to the country that you'd like to challenge. In Cloudflare's expression language this is (ip.geoip.country eq "CA"), using the two-letter ISO 3166-1 country code; you can edit the expression directly to match several countries at once, e.g. (ip.geoip.country in {"CA" "RU"}).
    6. Don't click Deploy yet! First, you need to choose what action to carry out if the condition is true. You should only block as a last resort, because legitimate visitors and crawlers in that country get cut off too. Issue a JS challenge first. If you notice that this isn't as effective as you'd like, try changing the rule to issue a captcha challenge instead.
    7. Once you're satisfied, deploy the new rule.
    Keep in mind that on the Free plan you're limited to five active firewall rules, though you can create as many as you want, provided that the extra ones are paused. This is handy if you find that the source of your attacks keeps changing.
  • One really useful Cloudflare feature is "Always Online". If your origin goes down for some reason, Cloudflare will serve the static pages that it already has cached, until you're able to get your server back up. Only pages Cloudflare has crawled or cached beforehand can be served this way, and dynamic content (logins, forms, APIs) is not covered. To enable this, go to the Caching app, then scroll down to Always Online, and turn it on.
  • In order to prevent email harvesting by bots and spammers, you can have Cloudflare obfuscate email addresses automatically. Go to the Scrape Shield app in the Cloudflare console, and turn on Email Address Obfuscation. Addresses still read normally in a browser; the obfuscation only defeats scrapers that don't execute JavaScript.
  • Cloudflare is able to notice abnormal behavior that's indicative of disreputable visitors, and can hide publicly available but easily abusable information from them, like addresses, phone numbers, or social media handles. To use this, enable the Server-side Excludes setting in the Scrape Shield app, then wrap the sensitive markup in your pages between <!--sse--> and <!--/sse--> comments; Cloudflare strips that section for visitors it considers suspicious and leaves it in place for everyone else.
  • Cloudflare also has something called Development Mode, which bypasses its cache so that changes on the origin server can be seen in real time. It switches itself off automatically after three hours. Note that while it is on, every request hits the origin, so expect higher resource usage on the origin server and its network!
  • If you've just made changes and you'd like Cloudflare to drop its cached copy, you can purge the cache manually (everything, or individual URLs). How long Cloudflare keeps a cached copy before refetching it is governed by the cache TTL settings: Browser Cache TTL in the Caching app, and Edge Cache TTL via Page Rules.
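Step 11 of the DNSSEC list above says to double-check the DS record before applying it. Here is an added example (not from the original guide) that does that check offline: it parses the zone's DNSKEY (which you can fetch with `dig DNSKEY yourdomain`) and the DS line Cloudflare shows you, recomputes the key tag and SHA-256 digest per RFC 4034, and reports whether all four fields match. The sample key bytes are a constructed placeholder, not a real P-256 key, and example.com stands in for your zone.

```python
"""Recompute a DS record from a DNSKEY and compare it with the one you're about to
publish at the registrar (RFC 4034: key tag, Appendix B; DS digest, section 5.1.4).

Added example, not part of the original guide. SAMPLE_KEY is a constructed
placeholder (not a real P-256 public key) and example.com stands in for your zone.
"""
import base64
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types


def canonical_name(name: str) -> bytes:
    """Owner name in wire format, lowercased (RFC 4034 section 6.2 canonical form)."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (the form used for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, digest_type=2) -> DS:
    """DS digest = hash(canonical owner name || DNSKEY RDATA)."""
    if digest_type not in DIGESTS:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGESTS[digest_type](canonical_name(owner) + rdata).hexdigest()
    return DS(key_tag(rdata), algorithm, digest_type, digest)


def parse_ds(line: str) -> DS:
    """Parse 'example.com. [TTL] IN DS 59409 13 2 <hex>'; whitespace inside the hex is allowed."""
    f = line.split()
    i = f.index("DS")
    return DS(int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).lower())


def parse_dnskey(line: str):
    """Parse 'example.com. [TTL] IN DNSKEY 257 3 13 <base64>' (dig's output format)."""
    f = line.split()
    i = f.index("DNSKEY")
    return f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), base64.b64decode("".join(f[i + 4:]))


def format_ds(owner: str, ds: DS) -> str:
    return f"{owner} IN DS {ds.key_tag} {ds.algorithm} {ds.digest_type} {ds.digest}"


def ds_matches_dnskey(ds_line: str, dnskey_line: str) -> bool:
    """True only if key tag, algorithm, digest type and digest all agree with the DNSKEY."""
    ds = parse_ds(ds_line)
    owner, flags, proto, alg, key = parse_dnskey(dnskey_line)
    try:
        return ds_from_dnskey(owner, flags, proto, alg, key, ds.digest_type) == ds
    except ValueError:  # digest type we can't compute: never report a match
        return False


# Constructed sample zone: a KSK (flags 257) using algorithm 13 with placeholder key bytes.
SAMPLE_KEY = bytes(range(64))
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(SAMPLE_KEY).decode()
SAMPLE_DS = format_ds("example.com.", ds_from_dnskey("example.com.", 257, 3, 13, SAMPLE_KEY))

if __name__ == "__main__":
    print(SAMPLE_DS)
    print("match:", ds_matches_dnskey(SAMPLE_DS, SAMPLE_DNSKEY))
```

Paste the DNSKEY line from dig (use the one with flags 257, the key-signing key) and the DS line from the Cloudflare dashboard into ds_matches_dnskey(); a False means something was mistyped, and the script is deliberately strict, so a wrong key tag alone is enough to fail. The same check, run against `dig DS yourdomain` after step 13, confirms the registry published what you entered.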