CDN from Scratch (2) Take Full Advantages of Cloudflare

0. Foreword

Cloudflare

When DDoS defense comes up, the first name most people think of is Cloudflare. Even on the Free plan, Cloudflare provides unmetered DDoS mitigation, and its console is full of features worth exploring. So before connecting any other CDN, make full use of Cloudflare's free tier first (a paid plan is of course better if you can afford it, and saves several of the steps below).

1. Access

There are two access methods:

  1. NS access;
  2. CNAME access.

1.1. NS access

The first method is to point the domain's nameservers at Cloudflare, so that Cloudflare becomes the authoritative DNS for the zone. This is the simplest option, but it has the following drawbacks:

  • Resolved IPs are random

Cloudflare hands out edge IPs from its own anycast pool; you do not choose them. If the IP you are handed is blocked in your visitors' region, the site becomes unreachable even though nothing is wrong with it.

  • IPs are assigned by plan

The IP pools used by the Free and Pro plans are shared with a great many other sites, including plenty of shady ones, which can hurt SEO and reputation-based filtering.

  • The IP cannot be customised

Without control over the IP you cannot choose which edge you reach. Traffic and bandwidth in regions such as Asia cost Cloudflare more than in Europe and the US, so traffic from those regions may be routed to a PoP that is farther away but cheaper for Cloudflare.

In particular, without a custom IP you cannot use the "preferred IP" method from section 3 to speed up access. NS access also only fits using Cloudflare as the sole CDN; it does not support a mixed setup where different regions resolve to different CDNs.

  • No DNS API support for some domains

Cloudflare's DNS API is not available for free domains registered through Freenom.

1.2. CNAME access

This is the method I recommend, and later tutorials use it in their examples.

Refer to the article on this site:

Use SaaS to connect to Cloudflare
https://blog.tsinbei.com/archives/1315/

Once the site is connected via CNAME (Cloudflare for SaaS), the record at DNSPod or any other DNS provider stays under your control, so you can later point it at whichever Cloudflare edge IP you want, such as the preferred IP from section 3. Note that a CNAME can only point at a hostname; to pin a specific IP, change the record to an A (or AAAA) record.

2. Bypass filing

Refer to the article on this site:

Use a custom Cloudflare origin port to bypass blocking of unfiled (no ICP filing) domains
https://blog.tsinbei.com/archives/1281/

3. Preferred IP

Refer to the article on this site:

CDN Tuning Guide (3) Prefer Cloudflare IP
https://blog.tsinbei.com/archives/1349/

4. Avoid pitfalls

There are plenty of pitfalls for newcomers to Cloudflare. Below are the ones my friends and I ran into.

4.1. HTTPS

Too many redirects.

If the origin forces HTTPS (a "Force SSL" option or an HTTP-to-HTTPS redirect), the Cloudflare SSL/TLS mode must be at least "Full". If the origin also has a certificate that Cloudflare can validate (a Let's Encrypt certificate, as on my sites, or a Cloudflare Origin CA certificate), use "Full (strict)".

Note: "Full" means Cloudflare connects to the origin over HTTPS; "Flexible" means it connects over plain HTTP. With Flexible plus a forced-HTTPS origin, every request reaches the origin over HTTP, the origin redirects the visitor to https://, the visitor comes back to Cloudflare over HTTPS, Cloudflare fetches from the origin over HTTP again, and the loop never ends.

If speed matters more to you, you can instead turn off forced SSL on the origin and let Cloudflare fetch over HTTP. Bear in mind that the Cloudflare-to-origin leg then travels in plaintext; Full (strict) with a free Origin CA certificate costs little and keeps that leg encrypted and authenticated.

The certificate is not trusted.

This usually means you installed a Cloudflare Origin CA certificate on the origin but the DNS record is not proxied (the orange cloud is off). Origin CA certificates are trusted only by Cloudflare's edge, not by browsers, so they work for the Cloudflare-to-origin connection only, never for direct access.
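To check the two pitfalls above before flipping the switch, the following script (an added example, not from the original post) contacts the origin IP directly the way Cloudflare's edge would: a plain-HTTP request with the real Host header to see whether the origin forces HTTPS, a lax TLS handshake to see whether it serves TLS at all, and a verifying handshake to see whether the certificate would pass "Full (strict)". The origin IP, hostname and optional CA bundle are command-line arguments you supply; with an Origin CA certificate, pass Cloudflare's Origin CA root as the bundle, since the system store does not trust it.

```python
import http.client
import socket
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass
class OriginProbe:
    """What the origin does when contacted directly, the way Cloudflare's edge contacts it."""
    http_status: Optional[int]    # status of a plain-HTTP GET / with the real Host header
    http_location: Optional[str]  # its Location header, if it redirected
    tls_reachable: bool           # origin completed a TLS handshake for the hostname (SNI)
    tls_trusted: bool             # that certificate validated for the hostname


def probe_origin(origin_ip: str, hostname: str, extra_ca: Optional[str] = None,
                 timeout: float = 5.0) -> OriginProbe:
    """Connect to the origin IP directly, bypassing Cloudflare, on ports 80 and 443.

    extra_ca: PEM bundle trusted in addition to the system store. Pass Cloudflare's
    Origin CA root here when the origin uses an Origin CA certificate: browsers and
    the system store do not trust it, but Full (strict) does.
    """
    http_status = http_location = None
    try:
        conn = http.client.HTTPConnection(origin_ip, 80, timeout=timeout)
        conn.request("GET", "/", headers={"Host": hostname})
        resp = conn.getresponse()
        http_status, http_location = resp.status, resp.getheader("Location")
        conn.close()
    except OSError:
        pass  # nothing listening on 80, or a timeout

    def handshake(ctx: ssl.SSLContext) -> bool:
        try:
            with socket.create_connection((origin_ip, 443), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=hostname):
                    return True
        except OSError:  # ssl.SSLError is a subclass of OSError
            return False

    # 1) Does the origin serve TLS for this name at all?  (what "Full" needs)
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    tls_reachable = handshake(lax)

    # 2) Does the certificate chain validate for the hostname?  (what "Full (strict)" needs)
    strict = ssl.create_default_context()
    if extra_ca:
        strict.load_verify_locations(cafile=extra_ca)
    tls_trusted = tls_reachable and handshake(strict)
    return OriginProbe(http_status, http_location, tls_reachable, tls_trusted)


def origin_forces_https(probe: OriginProbe) -> bool:
    """The origin answered a plain-HTTP request with a redirect to an https:// URL."""
    return (probe.http_status in (301, 302, 307, 308)
            and (probe.http_location or "").lower().startswith("https://"))


def redirect_loops(mode: str, probe: OriginProbe) -> bool:
    """True when Cloudflare in this SSL mode would bounce between edge and origin forever.

    In Flexible mode the edge fetches over plain HTTP. If the origin answers that with a
    redirect to https://, the browser returns over HTTPS, the edge fetches over HTTP
    again, and so on. Full and Full (strict) fetch over HTTPS, so the redirect never fires.
    """
    return mode == "Flexible" and origin_forces_https(probe)


def recommend_ssl_mode(probe: OriginProbe) -> str:
    """Strongest Cloudflare SSL mode this origin supports; raises if none works without a loop."""
    if probe.tls_trusted:
        return "Full (strict)"
    if probe.tls_reachable:
        return "Full"  # encrypted to the origin, certificate not verified (e.g. self-signed)
    if redirect_loops("Flexible", probe):
        raise ValueError("origin forces HTTPS but serves no TLS: Flexible would loop; "
                         "enable TLS on the origin or disable the forced redirect")
    return "Flexible"


if __name__ == "__main__":
    import sys
    # usage: python3 probe_origin.py ORIGIN_IP HOSTNAME [EXTRA_CA_PEM]  (placeholders, not real hosts)
    ip, host = sys.argv[1], sys.argv[2]
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    p = probe_origin(ip, host, extra_ca=ca)
    print(p)
    print("Flexible would loop:", redirect_loops("Flexible", p))
    print("recommended mode:", recommend_ssl_mode(p))
```

Run it from a machine that can reach the origin directly (not through the proxy). If it reports "Full" rather than "Full (strict)" for a Let's Encrypt origin, the chain or hostname on the origin certificate is wrong and strict mode would produce Cloudflare's 526 error rather than a working site.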

4.2. Hide origin IP

Many people assume that once a site is behind Cloudflare, turning on "Proxy" hides the origin IP. That is only partly true: services such as Censys and SecurityTrails scan 0.0.0.0/0 (every IPv4 host), record what each IP answers, including the TLS certificate it presents, and make the results searchable. Searching for your domain name can then turn up the origin IP that presented your certificate. Properly hiding the origin therefore takes two steps:

1. Give the default site a throwaway certificate

Taking the Pagoda (BT) panel as an example, add a site, make it the default, and give it a certificate that carries no reference to your real domain (a self-signed one is fine). Anything that connects to the bare IP without your hostname in SNI then sees this certificate instead of yours:

(private key)

Text
-----BEGIN RSA PRIVATE KEY-----
…
-----END RSA PRIVATE KEY-----

(certificate)

Text
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----

Effect:

(screenshot: the throwaway certificate as shown by the browser)

Then add the following to the site's pseudo-static rules (or on a blank line of its configuration file) so that the default site drops every request it receives:

Nginx
# inside the default server {} block: close the connection without sending any response
return 444;

If it's Apache:

Text
RewriteEngine On
RewriteRule .* - [R=404,L]

2. Block access from all other IPs

This is the once-and-for-all fix, and it works with any CDN that publishes its egress IP ranges, not only Cloudflare.

Principle: collect all of the CDN's IP ranges, put them in an allow list, and deny everyone else.

If every site on the server is behind the CDN, simply allow only the CDN ranges on ports 80 and 443 in the cloud security group (and keep management ports such as SSH restricted separately). If only some sites use the CDN, put the rule in those sites' configuration instead (Nginx is used as the example below).

First fetch the current Cloudflare ranges:

IPv4
https://www.cloudflare.com/ips-v4
IPv6
https://www.cloudflare.com/ips-v6

Then paste the following on a blank line of the configuration file, inside the server block:

Nginx
#IPv4
allow 103.21.244.0/22;
allow 103.22.200.0/22;
allow 103.31.4.0/22;
allow 104.16.0.0/12;
allow 108.162.192.0/18;
allow 131.0.72.0/22;
allow 141.101.64.0/18;
allow 162.158.0.0/15;
allow 172.64.0.0/13;
allow 173.245.48.0/20;
allow 188.114.96.0/20;
allow 190.93.240.0/20;
allow 197.234.240.0/22;
allow 198.41.128.0/17;

#IPv6
allow 2400:cb00::/32;
allow 2405:8100::/32;
allow 2405:b500::/32;
allow 2606:4700::/32;
allow 2803:f800::/32;
allow 2c0f:f248::/32;
allow 2a06:98c0::/29;

#Block
deny all;

Adjust as needed: if the server has only IPv4 (or only IPv6), drop the other half. Two caveats. First, Cloudflare changes these ranges from time to time, so regenerate the list from the URLs above instead of copying it once. Second, an IP allow list only proves that a request came through Cloudflare, not that it came through your zone: anyone can add your origin IP to their own Cloudflare account and reach it from the same ranges. To authenticate the edge as well, enable Authenticated Origin Pulls (client certificates) or have a Transform Rule add a secret request header that the origin checks.
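Because the ranges change, the list above is better generated than copied. The script below (an added example, not from the original post) parses Cloudflare's published lists into networks, emits the allow/deny block together with the realip directives that restore the visitor's address from CF-Connecting-IP, and offers an offline membership check. The two URLs are Cloudflare's official lists linked above; SAMPLE_RANGES is constructed sample input in the same format, so the functions can be exercised without network access.

```python
import ipaddress
import urllib.request
from typing import Iterable, List, Union

# Cloudflare's official lists (the two URLs linked above).
CF_IPV4_URL = "https://www.cloudflare.com/ips-v4"
CF_IPV6_URL = "https://www.cloudflare.com/ips-v6"

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in the same one-CIDR-per-line format the URLs return (offline use only).
SAMPLE_RANGES = "103.21.244.0/22\n104.16.0.0/13\n\n2606:4700::/32\n"


def parse_ranges(text: str) -> List[Network]:
    """One CIDR per line, blanks and comments ignored.

    strict=True rejects a prefix with host bits set, so a typo such as 104.16.1.0/13
    raises instead of being silently masked to a different range.
    """
    nets: List[Network] = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def fetch_ranges(url: str, timeout: float = 10.0) -> List[Network]:
    """Download and parse one of Cloudflare's published lists."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_ranges(resp.read().decode("ascii"))


def nginx_snippet(nets: Iterable[Network]) -> str:
    """Render the allow list, then the realip directives.

    With set_real_ip_from limited to the same ranges, nginx replaces $remote_addr with
    the value of CF-Connecting-IP only for connections that really come from Cloudflare,
    so access logs, limit_req and fail2ban see the visitor rather than the edge, while a
    client that connects directly cannot spoof its address through that header.
    """
    nets = list(nets)
    lines = ["# generated from Cloudflare's published ranges; regenerate when they change"]
    lines += [f"allow {n};" for n in nets]
    lines.append("deny all;")
    lines.append("")
    lines += [f"set_real_ip_from {n};" for n in nets]
    lines.append("real_ip_header CF-Connecting-IP;")
    return "\n".join(lines) + "\n"


def is_cloudflare(ip: str, nets: Iterable[Network]) -> bool:
    """What the allow list enforces: does this peer address fall inside a published range?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets if n.version == addr.version)


if __name__ == "__main__":
    live = fetch_ranges(CF_IPV4_URL) + fetch_ranges(CF_IPV6_URL)
    print(nginx_snippet(live), end="")
```

Run it as `python3 cf_ranges.py > /etc/nginx/snippets/cloudflare.conf` from cron and include the snippet from each proxied server block; `is_cloudflare` is handy in a log-analysis script to flag requests that hit the origin without passing through the edge.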

5. Other configurations

Enable WebSocket and gRPC if you reverse-proxy sites that need them:

(screenshot: WebSocket and gRPC switches)

Cloudflare is not only a CDN but also a free DNS provider, and it supports DNSSEC for free:

(screenshot: DNSSEC)

DNSSEC has to be supported by the TLD's registry. Generic TLDs (such as .com) and new gTLDs (such as .top) generally are; some country-code TLDs (such as .al) are not.

Page rules, caching and other settings are covered together with the configuration common to all CDNs in later articles.

6. Closing remarks

Although access to Cloudflare from mainland China is slow:

(screenshot: comparison before and after acceleration)

and it gets blocked from time to time, Cloudflare's protection really is strong. When you are under attack you may as well try switching to Cloudflare, or, as I do, CNAME all overseas and cloud-vendor sites to Cloudflare SaaS while resolving domestic visitors to a faster CDN.

Also, "access speed" is partly subjective, because page-load behaviour affects how fast a site feels. For example Sike Q&A, run jointly by Qingbei Technology and IURT, is hosted on Cloudflare with the default IPs and no preferred-IP tuning, yet it still feels fast: the front end and back end are separated, and the loading and page-transition animations are smooth, so users get an experience close to a mobile app.

https://blog.tsinbei.com/en/archives/760/

Author
Hsukqi Lee
Posted on

2023-11-19

Edited on

2023-11-19

Licensed under

CC BY-NC-ND 4.0
