# Complete Cloudflare Setup Guide for DomainIndia Hosting (DNS, SSL, Caching, Security)
**TL;DR**
Cloudflare fronts your DomainIndia-hosted website with a global CDN, free SSL, DDoS protection, and caching — cutting page load times by 40–70% and shielding your origin server. This guide walks the full integration from nameserver change to advanced Page Rules.
## What Cloudflare gives you
Cloudflare sits between your visitors and our origin server. Every request hits Cloudflare first — cached assets are served from their nearest data centre (Mumbai, Chennai, Delhi, Bangalore), and only dynamic requests reach our servers.
Free-tier benefits:
- Global CDN with 330+ data centres (3 in India: Mumbai, Chennai, Delhi)
- Free universal SSL (Cloudflare origin cert + auto-renewing edge cert)
- Unlimited DDoS protection (Layer 3/4/7)
- Smart image/CSS/JS optimisation
- Basic WAF rules against common OWASP attacks
- Analytics (requests, bandwidth, bot traffic)
Paid plans ($25/mo Pro → $200/mo Business → Enterprise) add advanced WAF, image resizing, mobile optimisation, and uptime SLA.
## Step 1 — Create a Cloudflare account and add your domain
1. Sign up at cloudflare.com (free)
2. Click "Add a Site" → enter your domain (e.g. yourcompany.com, without www)
3. Select Free plan unless you have specific needs
4. Cloudflare scans your existing DNS records — verify they're complete (A records, MX, TXT, etc.)
5. Cloudflare assigns you two nameservers, like alice.ns.cloudflare.com and bob.ns.cloudflare.com
**Warning:** Don't skip the DNS scan review. Cloudflare misses some records. Before changing nameservers, open cPanel/DA DNS Zone Editor and compare every record. Missing a single TXT or MX record can kill email for days.
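One way to do the comparison from the warning above mechanically, as an added example (not DomainIndia or Cloudflare tooling). It assumes you have saved the current zone and Cloudflare's scanned records as text in the `NAME TTL IN TYPE RDATA` layout that `dig +noall +answer` prints; the function names, file names and sample records are constructed.

```shell
#!/usr/bin/env bash
# Added example: list records in the current zone that the Cloudflare scan missed.
# Both inputs use the dig/BIND layout: NAME TTL IN TYPE RDATA...

# normalize_zone FILE -> one "name TYPE rdata" line per record, TTL dropped
normalize_zone() {
  awk '
    NF == 0 || $1 ~ /^;/ { next }          # blank lines and comments
    $3 != "IN"           { next }          # not a record in the expected layout
    $4 == "SOA" || $4 == "NS" { next }     # replaced by Cloudflare at cutover
    {
      name = tolower($1); sub(/\.$/, "", name)
      rdata = $5
      for (i = 6; i <= NF; i++) rdata = rdata " " $i
      # targets such as MX/CNAME hosts are case-insensitive; TXT payloads are not
      if ($4 != "TXT") { rdata = tolower(rdata); sub(/\.$/, "", rdata) }
      print name, $4, rdata
    }' "$1" | LC_ALL=C sort -u
}

# missing_records ORIGIN CLOUDFLARE -> records in ORIGIN with no exact match in CLOUDFLARE
missing_records() {
  a=$(mktemp); b=$(mktemp)
  normalize_zone "$1" > "$a"; normalize_zone "$2" > "$b"
  LC_ALL=C comm -23 "$a" "$b"
  rm -f "$a" "$b"
}

demo() {   # constructed sample zones; the scan below missed the DKIM selector
  d=$(mktemp -d)
  cat > "$d/origin.zone" <<'EOF'
yourcompany.com.      14400 IN A     203.0.113.10
www.yourcompany.com.  14400 IN CNAME yourcompany.com.
yourcompany.com.      14400 IN MX    10 mail.yourcompany.com.
mail.yourcompany.com. 14400 IN A     203.0.113.10
yourcompany.com.      14400 IN TXT   "v=spf1 a mx ~all"
default._domainkey.yourcompany.com. 14400 IN TXT "v=DKIM1; k=rsa; p=CONSTRUCTED"
EOF
  cat > "$d/cloudflare.zone" <<'EOF'
yourcompany.com.      1 IN A     203.0.113.10
www.yourcompany.com.  1 IN CNAME yourcompany.com.
yourcompany.com.      1 IN MX    10 MAIL.yourcompany.com.
mail.yourcompany.com. 1 IN A     203.0.113.10
yourcompany.com.      1 IN TXT   "v=spf1 a mx ~all"
EOF
  missing_records "$d/origin.zone" "$d/cloudflare.zone"
  rm -rf "$d"
}
demo
```

Any line it prints is a record to add in the Cloudflare DNS tab before you change nameservers; TTL and hostname-case differences are ignored on purpose.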
## Step 2 — Change nameservers at DomainIndia
1. Log in to your DomainIndia client area: https://domainindia.com/client
2. Navigate: Domains → My Domains → click on the domain
4. Select "Use custom nameservers"
5. Replace the existing NS (likely ns1.crystalregistry.com etc.) with the two Cloudflare NS from Step 1
Propagation takes 4–48 hours for most TLDs, usually under 2 hours for `.com` and `.in`. Cloudflare emails you when your domain is active.
## Step 3 — Configure SSL correctly
This is the most commonly misconfigured step. Cloudflare offers 4 SSL modes:
| Mode | Edge → visitor | Origin → Cloudflare | Safe? |
| --- | --- | --- | --- |
| Off | HTTP | any | No — don't use |
| Flexible | HTTPS | HTTP | Risky — MITM vulnerable |
| Full | HTTPS | HTTPS (self-signed ok) | Good |
| Full (strict) | HTTPS | HTTPS (valid cert) | Best |
**Always use Full (strict).** Our DomainIndia hosting provides free Let's Encrypt SSL on all plans — your origin already has a valid cert.
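Of the four modes, only Full (strict) has Cloudflare validate the origin certificate; Full encrypts the hop to the origin but accepts any certificate, self-signed included. Set it in Cloudflare under SSL/TLS → Overview → Full (strict).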
Also enable:
- SSL/TLS → Edge Certificates → **Always Use HTTPS** = On
- SSL/TLS → Edge Certificates → **Automatic HTTPS Rewrites** = On
- SSL/TLS → Edge Certificates → **Minimum TLS Version** = TLS 1.2
## Step 4 — Tune caching
Cloudflare caches static assets (CSS, JS, images) by default. But HTML isn't cached unless you tell it to.
**For marketing/brochure sites (WordPress-style):**
- Caching → Configuration → **Browser Cache TTL** = 4 hours
- Page Rule: `*yourcompany.com/*` → Cache Level: Cache Everything, Edge Cache TTL: 2 hours
**For dynamic sites (e-commerce, dashboards):**
- Leave HTML uncached, let Cloudflare cache only static assets
- Use `Cache-Control` headers in your app to fine-tune
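**Info:** Bypass cache for admin areas. Create a Page Rule for `yourcompany.com/wp-admin/*` (or your admin path) with Cache Level: Bypass, and place it above any Cache Everything rule, because only the first matching Page Rule is applied. Without this, logged-in admins may see stale content.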
## Step 5 — Firewall and bot protection
Free plan includes:
- **Security Level:** set to **Medium** (Security → Settings)
- **Bot Fight Mode:** On (stops common bot scrapers — our customer saved 260 GB of bandwidth this month by enabling this)
- **Challenge Passage:** 30 minutes
- **Browser Integrity Check:** On
Create custom WAF rules (Security → WAF → Custom Rules):
```
Rule 1: Block known bad bots
(http.user_agent contains "MJ12bot") or
(http.user_agent contains "AhrefsBot") or
(http.user_agent contains "SemrushBot") → Block
```
```
Rule 2: Rate-limit login
(http.request.uri.path eq "/wp-login.php") → Managed Challenge
```
```
Rule 3: Block countries you don't serve
(ip.geoip.country in {"CN" "RU" "KP"}) → Block
(only if you don't sell to those countries)
```
## Step 6 — Performance features
Under Speed → Optimization:
- **Auto Minify:** enable JS, CSS, HTML
- **Brotli:** On (better compression than gzip)
- **Rocket Loader:** Off for most sites (breaks JavaScript on WordPress if unlucky)
- **Early Hints:** On (speeds up page paint)
Under Speed → Content Optimization:
- **Polish (Pro plan):** auto-compresses images, converts to WebP
- **Mirage (Pro plan):** lazy-loads images on slow connections
## Common pitfalls
## Verifying everything works
From your laptop:
```bash
# Check nameservers resolve to Cloudflare
dig NS yourcompany.com +short
# Should return two *.ns.cloudflare.com
# Check Cloudflare is in front
curl -sI https://yourcompany.com | grep -i cf-ray
# Should return a cf-ray header
# Check cache
curl -sI https://yourcompany.com/logo.png | grep -i cf-cache-status
# Should say "HIT" on second request
```
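The checks above extended to two settings from earlier steps (Always Use HTTPS from Step 3 and the admin cache bypass from Step 4), as an added script that is not part of the original guide. It reads saved `curl -sI` output; the function names, verdict strings and header dumps are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: judge saved `curl -sI` output against the settings from Steps 3 and 4.

# header_value NAME FILE -> value of the first matching header (case-insensitive, CR stripped)
header_value() {
  awk -v want="$1" -F': *' '
    { sub(/\r$/, "") }
    tolower($1) == want { sub(/^[^:]*: */, ""); print; exit }' "$2"
}

# verdict KIND FILE -> one-line result; KIND is static, admin or http
verdict() {
  status=$(awk 'NR == 1 { sub(/\r$/, ""); print $2 }' "$2")
  cache=$(header_value cf-cache-status "$2")
  if [ -z "$(header_value cf-ray "$2")" ]; then
    echo "FAIL no cf-ray: request did not pass through Cloudflare"; return 0
  fi
  case "$1" in
    static)  # cacheable asset: a repeat request should be an edge hit
      if [ "$cache" = HIT ]; then echo "OK edge cache hit"
      else echo "WARN cf-cache-status=${cache:-absent}"; fi ;;
    admin)   # admin path must not be served from cache (Bypass Page Rule)
      case "$cache" in
        HIT|STALE|REVALIDATED|UPDATING) echo "FAIL admin response served from cache ($cache)" ;;
        *) echo "OK admin not cached (${cache:-absent})" ;;
      esac ;;
    http)    # plain-HTTP request: Always Use HTTPS should answer with a redirect
      case "$status:$(header_value location "$2")" in
        30[18]:https://*) echo "OK redirects to HTTPS" ;;
        *) echo "FAIL plain HTTP answered with status $status" ;;
      esac ;;
  esac
}

demo() {   # constructed header dumps with CRLF line ends, as curl emits them
  d=$(mktemp -d)
  printf 'HTTP/2 200 \r\ncf-cache-status: HIT\r\ncf-ray: 0000000000000000-BOM\r\n\r\n' > "$d/logo"
  printf 'HTTP/2 200 \r\ncf-cache-status: HIT\r\ncf-ray: 0000000000000000-BOM\r\n\r\n' > "$d/admin"
  printf 'HTTP/1.1 200 OK\r\ncf-ray: 0000000000000000-BOM\r\n\r\n' > "$d/http"
  verdict static "$d/logo"; verdict admin "$d/admin"; verdict http "$d/http"
  rm -rf "$d"
}
demo
```

To run it against your own site, save real responses first, for example `curl -sI https://yourcompany.com/wp-admin/ > admin.txt`, then call `verdict admin admin.txt`.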
## When NOT to use Cloudflare
- Internal-only apps (staff dashboards behind VPN) — adds latency with no benefit
- Very low-traffic sites (<1,000 visits/month) — benefit is minimal
- Specialised protocols (non-HTTP/HTTPS) — Cloudflare is primarily an HTTPS proxy
## FAQ
**Q: Is Cloudflare really free?**
Yes — the Free plan covers most small-to-medium sites. You only pay if you need enterprise WAF, image resizing, 24/7 support, or SLA.
**Q: Does Cloudflare replace my DomainIndia hosting?**
No — Cloudflare is a proxy/CDN, not a web host. Your files and databases still live on DomainIndia. Cloudflare just caches responses and shields your origin.
**Q: Can I use Cloudflare on shared hosting?**
Absolutely. Shared cPanel, DirectAdmin, and Plesk customers all integrate with Cloudflare the same way — just a nameserver change.
**Q: Will Cloudflare break my WordPress / Laravel / Node app?**
Only if misconfigured. Follow the Full (strict) SSL rule and add a "bypass cache for admin" Page Rule. Enable Rocket Loader only after testing — it sometimes breaks JS.
**Q: How do I roll back if something breaks?**
Revert nameservers at DomainIndia to the original (ns1.crystalregistry.com etc.). Changes propagate in 5–30 minutes. Keep a note of your original NS before switching.
**Q: Does Cloudflare see my visitor data?**
Yes — every request passes through Cloudflare servers. They don't sell the data but are subject to US law. If you need full data sovereignty (medical, government, legal), consider a paid CDN hosted in India.