Secure Sites With Cloudflare

Cloudflare is a popular reverse proxy and CDN for WordPress site owners, mostly because it offers a convenient Free plan for personal sites and blogs. This plan provides access to Cloudflare's global CDN, along with performance and security features.

Follow the steps below to secure your sites with Cloudflare.

Proxy all traffic

This is the most important step: proxy as much traffic as possible in the DNS settings. Otherwise, attackers who know your origin's address can attack your host servers directly, bypassing Cloudflare entirely. It is also recommended to change your servers' IP addresses after proxying traffic, since the old addresses may already be known.

Set proper TLS mode

Set the SSL/TLS encryption mode in the SSL/TLS settings to Full (Strict), which requires the origin to present a certificate that Cloudflare trusts. You can use Certbot or Cloudflare's origin certificates. The latter is recommended, since certificates from Let's Encrypt only last for 90 days, while Cloudflare origin certificates can last for up to 15 years. Note that origin certificates are trusted only by Cloudflare's edge, not by browsers, so they are only suitable for hosts whose traffic is proxied.

Go to Origin Server and create a certificate. Remember to copy the certificate (the public part) and the private key into separate files. Upload those files to your server and point your web server configuration at them.

Reject requests that bypass Cloudflare

Set Authenticated Origin Pulls in Origin Server to on and add the following configuration to Apache. This makes Apache require a client certificate issued by Cloudflare's origin-pull CA on every TLS connection, so requests that reach the origin without passing through Cloudflare are rejected during the handshake.

Download the origin-pull CA certificate (origin-pull-ca.pem) from Cloudflare. The steps below assume you upload it to the folder $FOLDER on your web server.

Add these lines in the appropriate VirtualHost block of /etc/apache2/sites-available/default-ssl.conf.

SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile $FOLDER/origin-pull-ca.pem

Record visitors' IP addresses

When using Cloudflare as a reverse proxy, your server only receives requests from Cloudflare's edge, so the peer address Apache sees (and logs) is a Cloudflare IP rather than the visitor's. You may want to record visitors' real IP addresses instead.

First, enable mod_remoteip.

a2enmod remoteip

Second, add this line in the appropriate area of /etc/apache2/sites-available/default-ssl.conf.

RemoteIPHeader CF-Connecting-IP

Third, change every %h to %a in the LogFormat entries in /etc/apache2/apache2.conf. %a logs the client address as rewritten by mod_remoteip; %h is not affected by the module and would keep showing the Cloudflare edge.

Then create /etc/apache2/conf-available/remoteip.conf and add the following lines to it. Files in conf-available are only read once enabled, so run a2enconf remoteip before restarting. The RemoteIPTrustedProxy list below is Cloudflare's published set of edge ranges; keep it in sync with Cloudflare's current list, because a request arriving from a range that is missing here will be logged with the edge address instead of the visitor's, and the CF-Connecting-IP header must never be trusted from addresses outside these ranges.

RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxy 173.245.48.0/20
RemoteIPTrustedProxy 103.21.244.0/22
RemoteIPTrustedProxy 103.22.200.0/22
RemoteIPTrustedProxy 103.31.4.0/22
RemoteIPTrustedProxy 141.101.64.0/18
RemoteIPTrustedProxy 108.162.192.0/18
RemoteIPTrustedProxy 190.93.240.0/20
RemoteIPTrustedProxy 188.114.96.0/20
RemoteIPTrustedProxy 197.234.240.0/22
RemoteIPTrustedProxy 198.41.128.0/17
RemoteIPTrustedProxy 162.158.0.0/15
RemoteIPTrustedProxy 104.16.0.0/12
RemoteIPTrustedProxy 172.64.0.0/13
RemoteIPTrustedProxy 131.0.72.0/22
RemoteIPTrustedProxy 2400:cb00::/32
RemoteIPTrustedProxy 2606:4700::/32
RemoteIPTrustedProxy 2803:f800::/32
RemoteIPTrustedProxy 2405:b500::/32
RemoteIPTrustedProxy 2405:8100::/32
RemoteIPTrustedProxy 2a06:98c0::/29
RemoteIPTrustedProxy 2c0f:f248::/32

At last, restart Apache.

systemctl restart apache2
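To confirm that mod_remoteip is actually rewriting the client address, an added example (not part of the original post) that parses a remoteip.conf-style list of RemoteIPTrustedProxy ranges and flags access-log lines whose logged client is still a Cloudflare edge IP. The configuration excerpt and log lines are constructed samples; in practice point it at your real remoteip.conf and access log.

```python
"""Sanity check for the mod_remoteip setup above: after switching LogFormat
from %h to %a, the first field of each access-log line should be the visitor,
never a Cloudflare edge address. A logged address that falls inside one of
the RemoteIPTrustedProxy ranges means the rewrite is not happening (module
or conf not enabled, header name wrong, or the range list is stale)."""
import ipaddress
import re


def parse_trusted_proxies(conf_text):
    """Collect RemoteIPTrustedProxy networks from remoteip.conf text."""
    nets = []
    for line in conf_text.splitlines():
        tokens = line.strip().split()
        if tokens and tokens[0] == "RemoteIPTrustedProxy":
            nets.extend(ipaddress.ip_network(t, strict=False) for t in tokens[1:])
    return nets


def is_trusted_proxy(addr, nets):
    """True if addr lies inside any configured Cloudflare edge range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)  # mixed v4/v6 comparisons are False


# Combined log format: client address, ident, user, [time] "request" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3})')


def find_unrewritten(log_lines, nets):
    """Return log lines whose client field is still a Cloudflare edge IP."""
    bad = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_trusted_proxy(m.group(1), nets):
            bad.append(line)
    return bad


# Constructed samples: two ranges from the list above, three log lines
SAMPLE_CONF = """
RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxy 173.245.48.0/20
RemoteIPTrustedProxy 2606:4700::/32
"""
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:00:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '173.245.48.10 - - [01/Jan/2024:00:00:01 +0000] "GET /about HTTP/1.1" 200 1024',
    '2606:4700::1234 - - [01/Jan/2024:00:00:02 +0000] "GET /feed HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line in find_unrewritten(SAMPLE_LOG, parse_trusted_proxies(SAMPLE_CONF)):
        print("mod_remoteip not applied:", line)
```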