A CDN is a group of servers distributed around the world. It improves your website’s speed by caching content in multiple locations, reducing the load on the origin server and handling traffic peaks.
Many CDNs include a WAF (Web Application Firewall) and protection against DDoS (Distributed Denial of Service) attacks. The IP address of the origin server is never exposed.
Cloudflare offers a free plan with DNS hosting, CDN, WAF, and API access. It also includes Tunnel (for securely exposing services) and SSO (Single Sign-On).
A open-source alternative similar to Cloudflare Tunnel and SSO (but without CDN or WAF) is Pangolin [Link]. It uses WireGuard for tunneling and Traefik for reverse proxy and certificate management.
Back to Cloudflare…
SETTING UP FREE DNS SERVICE
Create an account and add your first site (domain):

Select the free option:

Cloudflare will automatically detect your existing DNS records:
![]()

Note: Two records have warnings on the left. These records expose your server’s IP address and should be removed. Delete these two lines to hide your web server!
Cloudflare will then show you the new nameservers to set at your domain registrar:

Point your domain to the Cloudflare nameservers:

Answer a few questions about basic features:

Setup completes after a few hours once the new nameservers propagate across the Internet:

ENABLING SSL/TLS WILDCARD

On the SSL/TLS tab, select Flexible for now:


A wildcard certificate hides your subdomains (any old certificates will eventually expire):


Copy the private and public keys to a safe location.
Change the mode to Full or Full (strict):

Your site may go offline until you install the certificates on your origin server.
INSTALL ORIGIN CERTIFICATE ON THE SERVER
Create the directory /etc/cloudflare/ and save the following files using the keys you copied earlier:
/etc/cloudflare/example.com.pem
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
/etc/cloudflare/example.com.key
-----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY-----
For NGINX, edit /etc/nginx/sites-available/default and add:
server {
listen 443;
ssl on;
ssl_certificate /etc/cloudflare/example.com.pem;
ssl_certificate_key /etc/cloudflare/example.com.key;
server_name example.ca;
access_log /var/log/nginx/nginx.vhost.access.log;
error_log /var/log/nginx/nginx.vhost.error.log;
root /var/www/html/;
index index.php index.html;
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
}
}
For Apache2, edit /etc/apache2/sites-available/000-default.conf and add:
<VirtualHost *:443> SSLEngine on SSLCertificateFile /etc/cloudflare/example.com.pem SSLCertificateKeyFile /etc/cloudflare/example.com.key SSLCertificateChainFile /etc/cloudflare/ca.pem ServerAdmin [email protected] DocumentRoot /var/www/html ServerName example.com ServerAlias www.example.com ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost>
After editing the web server config, restart the service.
For Apache2, make sure the SSL module is enabled before restarting:
sudo a2enmod ssl
The red line in the Apache configuration is optional and only needed in some setups. The CA file can be found in the Cloudflare help center.
Set permissions to 600 on all certificate files:
sudo chmod 600 /etc/cloudflare/*
You can now block port 80 on your server, since Cloudflare will automatically redirect all HTTP traffic to HTTPS.
Did you know you can use Cloudflare as Dynamic DNS for a website hosted on a Raspberry Pi?
Yes! Using the API, you can automate updates whenever your IP address changes:
git clone https://github.com/K0p1-Git/cloudflare-ddns-updater.git cd cloudflare-ddns-updater cp cloudflare-template.sh cloudflare.sh nano cloudflare.sh
Customize the following variables at the top of the script:
auth_email="[email protected]" auth_key="c7d36f12f8c9189f053ca39e90e859eaa77b1" zone_identifier="542818cd0a64a3b2b96ef8859c6ddac0" record_name="myhome.mydomain.com"
Replace the values in bold with your own, make the file executable, and run it:
chmod +x cloudflare.sh ./cloudflare.sh
If your domain or subdomain updates successfully, add the following line to crontab (crontab -e):
* * * * * /path/cloudflare.sh > /dev/null 2>&1
BONUS
Take a look at AI Labyrinth, a new tool designed to combat web-crawling bots that harvest content for AI training without consent. This free, opt-in solution detects suspicious bot activity and leads them through a maze of AI-generated decoy pages, wasting their time and resources.
