CloudFlare Help & Information Tips and tricks

lphlph Posts: 90

Frequently used CloudFlare settings


Quick Tip: VPS users and domain owners find Cloudflare very useful for managing IPs, host names and much more.


Basic Security Level


CloudFlare lets you adjust the security setting for your website between
High, Medium and Low. CloudFlare protects your website from malicious
attacks by stopping the request before it reaches your server. Often
these requests are from automated bots crawling your website looking for
a vulnerability. Sometimes, the threat is a web surfer whose computer
has been compromised with a virus or malware and the web surfer is
unknowingly spreading viruses online. In these situations, the web
surfer visiting a CloudFlare protected website is presented with a
challenge page asking them to enter a CAPTCHA to prove they are human.
The challenge page also educates the visitor that their computer may be
infected. This helps to clean up the number of infected computers
online, ultimately making the web a better place. The security setting
determines which visitors are challenged based on their associated
threat score.

Note: Threat Level scores
are based on a logarithmic scale, not category, so threat types like
spammer and exploit attacker could have similar scores.

Challenge Page Customization


Related to the 'Security Settings', you can change the look and feel of
your challenge page that is presented to your challenged visitors.
Website owners can customize the colors on the page to match their
website and the text that is displayed.

Development Mode


If you know that you have to make a number of changes to the cacheable
content on your site (images, CSS, JavaScript, etc.), we recommend going
to 'Development Mode' before making these changes. Going to 'Development
Mode' will bypass CloudFlare so any site changes to static files are
reflected immediately.

Purge Cache


If you want to have CloudFlare fetch a new version of your site's
cacheable content, Purge Cache will expire all the cached resources
that CloudFlare has in your domain's cache. Please note that doing so
means that it will take several days for a new cache to build.

Google Analytics


CloudFlare can make sure that Google Analytics is appearing on all of
your site's pages, which helps improve the accuracy of your analytics.
Adding the Google Analytics code will also make sure you're always
working off of the most recent version.

Special Settings for Pro Accounts

CloudFlare Pro accounts have two additional options available on the
settings page, which are:

Advanced Security: Advanced security is a WAF (Web Application Firewall)
that helps further protect your site from malicious attacks. Similar to
the Basic Security Level, you can change the strength of the protection
to low or high.


Also see: Top Tips after joining CloudFlare



I am under DDoS attack, what do I do?








This document details how you can defend or protect your web property from a DDoS (distributed denial of service) attack
quickly. If you are currently under DDoS or believe that your web
property is going to be attacked, you should take the following steps
for maximum protection.

Essential steps
Expected time: 30 minutes

Step 1: Upgrade to CloudFlare Business or CloudFlare Enterprise
Step 2: Turn on I’m Under Attack Mode
Step 3: Turn on the WAF (Web Application Firewall)
Step 4: Set your DNS records for maximum security
Step 5: Do not rate-limit or throttle requests from CloudFlare IPs
Step 6: Block specific countries and visitors


Recommended steps once your site is back online
Expected time: 1 hour

Step 7: Create a Page Rule
Step 8: Customize the challenge pages
Step 9: See original visitor IP addresses in your logs


If your site is still offline / Additional security safeguards
Expected time: 1.5 hours

Step 10: Ask your hosting provider for a new server IP
Step 11: Run email on separate server/service



Step 1: Sign up/Upgrade to CloudFlare Business or Enterprise
Time: 2 minutes, Difficulty: Easy

The CloudFlare Business and Enterprise plans offer advanced DDOS protection
from all attacks: DNS attacks, Layer 3 / 4 attacks, and Layer 7
attacks. Once you are on the Business or Enterprise plan, advanced DDOS
protection is automatic. CloudFlare does not bill by attack size and
does not have an attack cap.

If you are a current CloudFlare
customer, upgrade online to the Business plan right from your My
Websites control panel and go to Step 2.

New to CloudFlare? Sign up online here. Note:
The signup process requires a change to DNS which takes on average 15
minutes for most customers, but may take up to 3 days.


Additional resources:
Difference between the Business and Enterprise plan
How large of a DDoS attack can CloudFlare handle?
More details on types of DDoS attacks


Step 2: Turn on I’m Under Attack mode
Time: 1 minute, Difficulty: Easy

“I’m Under Attack” mode will help mitigate Layer 7 DDoS attacks. I’m Under
Attack mode enables additional protections to stop potentially malicious
HTTP traffic from being passed to your server. On their first visit,
your legitimate visitors will briefly see an interstitial page while the
additional checks are performed:



Example of interstitial page that visitors to your website might see when you are under attack.

You can customize this page (see Step 7). To activate the feature, go to the Security Settings for your domain: Settings > CloudFlare Settings > Security Settings > Basic protection level

Additional details on I'm Under Attack mode



Step 3: Turn on the WAF (Web Application Firewall) 
Time: 1 minute, Difficulty: Easy 

The CloudFlare Web Application Firewall
(WAF) is available to Pro, Business and Enterprise customers. Control
of the WAF is found at the bottom of CloudFlare Settings > Security
Settings.

Link to the WAF is at bottom of CloudFlare Security Settings page.


 
Beyond the Core Rule Set, CloudFlare offers many rule packages and individual rules.

More about the CloudFlare WAF


Step 4: Set your DNS records for Maximum Security
Time: 10 minutes, Difficulty: Medium

Within the CloudFlare DNS Settings, you have a choice of enabling CloudFlare's
security and performance on a per-record basis. Security is ON when the
cloud is orange. Security is OFF if the cloud is gray, which means that
the attacker can bypass CloudFlare's security and attack your web
server directly.

Here is how to set your DNS records for maximum protection:

  1. Enable the CloudFlare security (orange cloud) on the web records you use - including FTP, SSH 
  2. Use your origin IP to perform actions like FTP, SSH 






Orange cloud all records that get web traffic
Protocols like mail, ftp, ssh and cPanel have gray clouds by default. If
you enable CloudFlare for these subdomains, the protocols will no longer
work. However, if you have gray clouds, then an attacker can look up
your origin server IP if they know about these subdomains and can
circumvent CloudFlare's DDoS security solution. To resolve, enable
orange clouds for the subdomains.

Use your IP to perform FTP, SSH, etc.
Once you enable an orange cloud on all of your DNS records, you will need
to use either the direct IP to access certain protocols like mail, ftp,
ssh and cPanel. For example, to FTP you would use ftp.yourdomain.com or
ftp://yourserverIP (put in your server IP address).

Note: If there is no cloud, the record cannot be proxied, but that means
it’s pointing to another service, so should not be a concern.

Note: CloudFlare provides authoritative DNS service to its direct customers;
this step only applies for those records delegated to CloudFlare. If
you’ve enabled CloudFlare via a hosting partner or CNAME setup, then
your DNS is controlled elsewhere. If the attacker is attacking your
server directly, then you may need to sign up directly through
CloudFlare and restart at Step 1.




Step 5: Do not rate-limit or throttle requests from CloudFlare IPs
Time: 10 minutes, Difficulty: Medium

CloudFlare acts as a reverse proxy so all connections come from one of our IPs. It
is important to ensure that your server accepts connections from
CloudFlare at all times. CloudFlare IP ranges are listed at http://www.cloudflare.com/ips
and that page includes links to simple text files intended for machine
parsing. CloudFlare will add any new ranges to the public list at least
one month before the new range is used, and will use many methods to
publicize any new ranges.



Step 6: Block specific countries and visitors
Time: 10 minutes, Difficulty: Medium

CloudFlare’s Threat Control lets you block IP addresses and set entire countries to
be challenged. Once you add an IP or country, the security rule will
take effect within 2 minutes offloading the traffic to your server. To
decide which country or IPs to add to your Threat Control, you will want
to check your log files or follow the steps below under Advanced tip.
You can find the Threat Control panel next to the domain on the My
Websites page.




Advanced tip: To get a list of visitors coming to your site from the last 48 hours by number of requests, follow these steps. You can use the information to identify IPs you may want to manually add to your CloudFlare Threat Control Block list.



If your web property is online, proceed to Step 7. If your web property is still offline from the attack, skip to Step 10.



Step 7: Create a Page Rule
Time: 10 minutes, Difficulty: Medium

If your site is back online, you can offload more traffic to your server
by creating a Page Rule. A Page Rule offers fine-grained control over
CloudFlare’s CDN default cache policies. If appropriate, create a Page
Rule for your essential web pages and change the caching policy to
“Cache Everything”. This means that CloudFlare will cache the entire
page for your visitors, saving requests to your server.

Example: Create a Page Rule with Cache Everything turned on for this
domain structure:
*example.com/name-of-a-specific-page
The * will cover both the root and any subdomain like www.

Note: You only want to
create a Page Rule once your server is back online, otherwise CloudFlare
will cache an error that will be served for all future requests. You
also want to make sure that there is no personalized information on the
page since with Cache Everything, the HTML gets cached. If you create a
Page Rule and decide you want to delete it, any changes will take effect
within 2 minutes. Page Rules are applied in the order they are listed.


Advanced: If a login or admin page is cached, it may be served to a different
visitor than intended. This issue can be mitigated by disabling
CloudFlare’s performance cache settings for the admin/login URL (i.e.
example.com/admin/*) and leaving Cache Everything on for the rest of the
web page/folder.


Additional Page Rules Tutorial



Step 8: Customize the challenge pages
Time: 30 minutes, Difficulty: Medium

All paid customers can fully modify the HTML on the challenge page and the
I'm Under Attack mode page. The challenge page is shown to potentially
suspicious visitors who meet the CloudFlare Basic Security threshold you
set. If the CloudFlare service determines that a visitor to your
website might be potentially malicious, then the visitor would be served
a ‘challenge’ page, requiring them to enter in a CAPTCHA. If the
visitor passes the CAPTCHA test, then they would continue onto your
website.

To customize your challenge page, go to: Settings > Custom Errors.




The security works whether the page is customized or not, but it’s useful
to make that page reflect your brand and site language.




Step 9: See original visitor IP addresses in your logs
Time: 15 minutes, Difficulty: Medium

CloudFlare operates as a reverse proxy, so requests to your server(s) are made
from our global network. The requests will therefore come from
CloudFlare IP addresses, but CloudFlare always includes the original
visitor IP address in the request, as an HTTP header. CloudFlare offers
several tools, such as mod_cloudflare for Apache webservers, for pulling
the original visitor IP address from the header. See the full list
here: https://support.cloudflare.com/entries/22055137



If your site is still offline or you want to take additional security safeguards



Step 10: Ask your hosting provider for a new server IP
Time: 15 minutes, Difficulty: High

If you have done all of the above, and your web server continues to get
heavy load, then the attacker has your origin server IP. You will need
to contact your hosting provider and ask them to give you a new origin
IP and then update it in your CloudFlare DNS settings page.

You can tell your web host that: “I am under a DDOS attack. I now have a
DDOS protection service called CloudFlare set up. However, the attacker
has my origin server IP therefore bypassing my DDOS protection. Please
give me a new origin server IP so that the attacker can no longer attack
my server directly.”

Once you have the new server IP address, make sure you update the IP in your CloudFlare DNS Settings page.

With CloudFlare enabled for all web records, CloudFlare helps to mask the
server IP address(es) so the attacker can not get the new IP address.



Step 11: Run email on separate server/service
Time: 60 minutes, Difficulty: High

If you are running your mail on the same server as your website, then the
attacker can always find your origin server IP. To close this possible
security gap, you can use an email service on a separate server than
your website, whether through your hosting provider or an outside
service (e.g., Google Apps).

For Mac users: You can run this command in Terminal to see what IP is
being reported with your MX records:
dig +short $(dig mx +short WEBSITE)

For example, if I was concerned about example.com, I would enter:
dig +short $(dig mx +short example.com)

The output will be an IP address. This is the IP address that an attacker
can always find. You want to make sure this IP address is different than
the IP address for your web server. Otherwise, no matter how many times
you change your web server, if your email is also on the same server,
then the attacker can always find the new IP.

For PC users: You can run this command in command prompt to see what IP is being reported with your MX records:
nslookup -q=mx WEBSITE

For example, if I was concerned about example.com, I would enter:
nslookup -q=mx example.com

The output will be an IP address. This is the IP address that an attacker
can always find. You want to make sure this IP address is different than
the IP address for your web server. Otherwise, no matter how many times
you change your web server, if your email is also on the same server,
then the attacker can always find the new IP.
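
Added example (not part of the original post or CloudFlare's own code) for Steps 5, 6 and 9: it honours the visitor-IP header only when the connection's peer address is inside the proxy ranges, then counts requests per visitor and, separately, per peer that reached the origin directly. The ranges, sample requests and function names are constructed; CF-Connecting-IP is the header Cloudflare documents for the original visitor address, which the post does not name.

```python
import ipaddress
from collections import Counter

# Constructed placeholder ranges (documentation address space). In practice, load
# the current ranges from the text files linked at http://www.cloudflare.com/ips.
PROXY_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:100::/48")]

# Constructed sample: (peer address of the TCP connection, request headers).
SAMPLE_REQUESTS = [
    ("198.51.100.7", {"CF-Connecting-IP": "203.0.113.10"}),
    ("198.51.100.7", {"CF-Connecting-IP": "203.0.113.10"}),
    ("198.51.100.9", {"CF-Connecting-IP": "203.0.113.25"}),
    ("192.0.2.66", {"CF-Connecting-IP": "203.0.113.10"}),   # direct hit, header untrusted
    ("198.51.100.9", {"CF-Connecting-IP": "not-an-ip"}),     # malformed header value
    ("2001:db8:100::5", {"CF-Connecting-IP": "203.0.113.10"}),
]


def is_proxy(peer):
    """True when the connecting address belongs to one of the proxy ranges."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in PROXY_RANGES)


def visitor_ip(peer, headers):
    """Return (ip, via_proxy); the header is honoured only for proxy peers."""
    if not is_proxy(peer):
        return peer, False  # request bypassed the proxy: attribute it to the peer
    try:
        return str(ipaddress.ip_address(headers.get("CF-Connecting-IP", ""))), True
    except ValueError:
        return peer, True   # header missing or malformed: fall back to the peer


def summarize(requests):
    """Count requests per visitor (via proxy) and per direct-to-origin peer."""
    per_visitor, direct = Counter(), Counter()
    for peer, headers in requests:
        ip, via_proxy = visitor_ip(peer, headers)
        (per_visitor if via_proxy else direct)[ip] += 1
    return per_visitor.most_common(), direct.most_common()


if __name__ == "__main__":
    visitors, direct = summarize(SAMPLE_REQUESTS)
    print("top visitors:", visitors)
    print("direct to origin:", direct)
```

Any entry in the second list means the origin address is reachable without going through the proxy, which is the situation Step 10 addresses.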
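
Added example (not part of the original post) for Steps 4 and 11: an offline audit of a zone's records that lists every name through which an outside resolver would learn the origin IP, including the MX target. The record layout, addresses and function names are constructed for illustration.

```python
ORIGIN_IP = "192.0.2.10"  # constructed origin address

# Constructed zone: "proxied" True = orange cloud, False = gray cloud.
RECORDS = [
    {"name": "example.com", "type": "A", "value": "192.0.2.10", "proxied": True},
    {"name": "www.example.com", "type": "CNAME", "value": "example.com", "proxied": True},
    {"name": "ftp.example.com", "type": "A", "value": "192.0.2.10", "proxied": False},
    {"name": "mail.example.com", "type": "A", "value": "192.0.2.10", "proxied": False},
    {"name": "example.com", "type": "MX", "value": "mail.example.com", "proxied": False},
    {"name": "blog.example.com", "type": "CNAME", "value": "hosted.example.net", "proxied": False},
]


def public_answer(name, records, depth=0):
    """IP an outside resolver learns for `name`; None if hidden or outside the zone."""
    if depth > 8:  # guard against CNAME loops
        return None
    for rec in records:
        if rec["name"] != name or rec["type"] not in ("A", "CNAME"):
            continue
        if rec["proxied"]:
            return None  # orange cloud: only proxy addresses are published
        if rec["type"] == "A":
            return rec["value"]
        return public_answer(rec["value"], records, depth + 1)
    return None  # target lives elsewhere (another service)


def origin_leaks(records, origin_ip):
    """Return (type, name, reason) for each record that reveals the origin IP."""
    leaks = []
    for rec in records:
        if rec["type"] == "MX":
            seen = public_answer(rec["value"], records)
            reason = "MX target resolves to the origin"
        elif rec["type"] in ("A", "CNAME"):
            seen = public_answer(rec["name"], records)
            reason = "gray-cloud record resolves to the origin"
        else:
            continue
        if seen == origin_ip:
            leaks.append((rec["type"], rec["name"], reason))
    return leaks


if __name__ == "__main__":
    for leak in origin_leaks(RECORDS, ORIGIN_IP):
        print(leak)
```

On the sample zone it flags ftp, mail and the MX record; moving mail to a different address and orange-clouding ftp clears the list.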




