When I previously showed you how to get a valid certificate with Certbot, I talked about Cloudflare. Today, I am going to show you what useful features you can get with the Cloudflare free plan.
If you do not have an account already, you need to register on Cloudflare. Using it means you use it to manage your DNS records: you need to point your name servers from your domain registrar to Cloudflare.
Following the instructions, you should be able to import all existing records. Make sure all the records are correct before proceeding if you do not want any downtime on your websites. Then you need to wait for DNS propagation for the change to take effect. Even though it says it may take 24 hours, it usually takes less than an hour if your domain registrar is not too bad.
DNS is the most basic and the most important feature. I was using Namecheap, where I bought my domain, as my DNS server. However, its propagation is slow: Namecheap usually takes half an hour to apply changes, while Cloudflare takes several minutes.
Cloudflare is also a domain registrar. You can buy a domain for the minimum fee (only the wholesale registry fee and the ICANN fee).
It also provides a public DNS server, 22.214.171.124, which has lower latency than Google's public DNS server.
Cloudflare's DNS record limit is 3500, which is much more than common registrars that limit you to fewer than 100. You can also contact support if you need more.
Another advantage is that Cloudflare has a REST API for managing DNS records. Certbot has a plugin for the DNS-01 challenge, so you no longer need to add and clean up DNS records yourself.
Also, Cloudflare supports most if not all types of DNS records. Some DNS providers only support a fraction of the DNS record types.
Other than the basic DNS features, we will go through what you can get with the free plan. Note that most of the features require you to enable the Cloudflare proxy.
Cloudflare collects traffic information and allows you to view basic traffic statistics. Although the information is not as detailed as Google Analytics, it is collected at the network level, so users cannot hide themselves by blocking a script.
Aside from the DNS features mentioned above, it can protect your server's real IP address. When a user tries to resolve the IP address for the domain example.com, they get a Cloudflare cache server's IP address instead of your server's. Because all the traffic passes through Cloudflare, they can provide all these features.
Cloudflare supports DNSSEC. DNSSEC is a public standard meant to prevent others from forging fake DNS records. You can read more about DNSSEC here.
HTTPS is provided by default even if your website does not support HTTPS. There are four different modes for how Cloudflare communicates with your servers and users.
The most secure mode is Full (Strict). It requires you to have a valid HTTPS certificate, which should be easy with Let's Encrypt.
If for some reason you must use a self-signed certificate, then you can use Full. For attackers to compromise your website, they would need to take over nodes between your servers and Cloudflare's servers.
Flexible and Off should not be used, since attackers can read and change the packets easily. Also, Flexible can cause infinite redirects if your server redirects HTTP to HTTPS, because Cloudflare always talks to your server over plain HTTP.
Always Use HTTPS
You used to enable redirecting HTTP to HTTPS by configuring your web server. Cloudflare can handle it for you without the request hitting your servers.
HTTP Strict Transport Security (HSTS)
Same as redirecting HTTP to HTTPS, Cloudflare can add HSTS-related headers automatically.
Authenticated Origin Pulls
By setting up Authenticated Origin Pulls, your servers only allow clients holding the matching private key (Cloudflare) to access data. Others cannot request your servers directly by IP address and Host header to bypass Cloudflare.
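As an added example that is not from the original post, here is how an nginx origin server can enforce the client-certificate check that Authenticated Origin Pulls relies on; the domain, certificate paths and backend address are assumptions.

```nginx
# Added example: origin server that only accepts TLS clients presenting a
# certificate issued by Cloudflare's origin-pull CA. Paths and names are assumed.
server {
    listen 443 ssl;
    server_name example.com;

    # Your own certificate, e.g. from Let's Encrypt, so Cloudflare can use Full (Strict).
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Cloudflare's origin-pull CA certificate, downloaded from Cloudflare's
    # documentation and saved at this (assumed) path.
    ssl_client_certificate /etc/nginx/certs/cloudflare-origin-pull-ca.pem;

    # Require a client certificate chained to that CA. A request that arrives
    # without one (e.g. straight to the IP with a forged Host header) gets an
    # HTTP 400 from nginx and never reaches the application.
    ssl_verify_client on;

    location / {
        proxy_pass http://127.0.0.1:8080;  # assumed backend application
    }
}

# Plain HTTP: with "Always Use HTTPS" enabled at Cloudflare nothing legitimate
# arrives here, so close direct connections without a response.
server {
    listen 80;
    server_name example.com;
    return 444;
}
```

Enable Authenticated Origin Pulls in the Cloudflare dashboard before reloading nginx with `ssl_verify_client on`, otherwise Cloudflare's own requests are rejected as well.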
Minimum TLS Version
Cloudflare supports many TLS versions. For some security standards, you may need to enforce a minimum TLS version.
Automatic HTTPS Rewrites
Automatic HTTPS Rewrites helps fix mixed content by changing “http” to “https” for all resources or links on your website that can be served over HTTPS.
Cloudflare also protects you from DDoS. You can raise the security level if your servers are under attack; for example, all your users must verify they are human.
You can limit who can visit your servers by login and URL. You can have 5 users set up for free.
Cloudflare is also a CDN, which caches the files from your servers. You can define how to cache and how to purge the cache.
If your servers go down, it will still serve a static copy of your websites.
It is definitely worth trying out Cloudflare. Not only is it free, but it provides many functions and has a much better UI than most domain registration services.