Cloudflare is a popular reverse proxy and CDN among WordPress site owners, mostly because it offers a convenient Free plan for personal sites and blogs. This plan provides access to Cloudflare's global CDN, along with performance and security features.
Follow the steps below to secure your sites with Cloudflare.
Proxy all traffic
This is the most important step: proxy as much traffic as possible in the DNS settings. Otherwise, attackers can attack your host servers directly. It is also recommended to change your servers' IP addresses after proxying traffic.
Set proper TLS mode
Set the SSL/TLS encryption mode in the SSL/TLS settings to Full (Strict), which requires a trusted certificate on your server. You can use Certbot or Cloudflare's origin certificates. The latter is recommended, since certificates from Let's Encrypt only last for 90 days, while those from Cloudflare can last for 15 years.
Go to Origin Server and create a certificate. Remember to copy and paste the public key and the private key into files. Upload those files to your server and update your configuration accordingly.
Reject requests that bypass Cloudflare
Turn on Authenticated Origin Pulls in Origin Server and apply the following configuration in Apache.
Download the public key from here. Assume you upload it to the folder $FOLDER on your web server.
Add these lines in proper area in
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile $FOLDER/origin-pull-ca.pem
Record visitors' IP addresses
When using Cloudflare, your server only receives requests from Cloudflare, since it acts as a reverse proxy, so your logs show Cloudflare's IP addresses by default. You may want to record visitors' real IP addresses.
First, enable mod_remoteip.
Second, add this line in proper area in
Third, change all
%a in LogFormat entry in
/etc/apache2/conf-available/remoteip.conf and add the following lines in it.
RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxy 173.245.48.0/20
RemoteIPTrustedProxy 103.21.244.0/22
RemoteIPTrustedProxy 103.22.200.0/22
RemoteIPTrustedProxy 103.31.4.0/22
RemoteIPTrustedProxy 141.101.64.0/18
RemoteIPTrustedProxy 108.162.192.0/18
RemoteIPTrustedProxy 190.93.240.0/20
RemoteIPTrustedProxy 188.114.96.0/20
RemoteIPTrustedProxy 197.234.240.0/22
RemoteIPTrustedProxy 198.41.128.0/17
RemoteIPTrustedProxy 162.158.0.0/15
RemoteIPTrustedProxy 104.16.0.0/12
RemoteIPTrustedProxy 172.64.0.0/13
RemoteIPTrustedProxy 131.0.72.0/22
RemoteIPTrustedProxy 2400:cb00::/32
RemoteIPTrustedProxy 2606:4700::/32
RemoteIPTrustedProxy 2803:f800::/32
RemoteIPTrustedProxy 2405:b500::/32
RemoteIPTrustedProxy 2405:8100::/32
RemoteIPTrustedProxy 2a06:98c0::/29
RemoteIPTrustedProxy 2c0f:f248::/32
Finally, restart Apache.
systemctl restart apache2
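The RemoteIPTrustedProxy list above is only safe while it matches the ranges Cloudflare publishes at https://www.cloudflare.com/ips/, because a client inside a wrongly trusted range can forge the CF-Connecting-IP header. The following audit is an added example, not part of the original post; the abbreviated range list and the sample config are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: a remoteip.conf with one mistyped range and one
# over-broad range, audited against a published list (abbreviated here).
PUBLISHED = """173.245.48.0/20
103.21.244.0/22
2400:cb00::/32
"""
SAMPLE_CONF = """RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxy 173.245.48.0/20
RemoteIPTrustedProxy 103.21.244.1/22
RemoteIPTrustedProxy 10.0.0.0/8
# RemoteIPTrustedProxy 192.0.2.0/24
"""


def parse_published(text):
    """Return the set of networks in a one-CIDR-per-line list."""
    return {ipaddress.ip_network(l.strip()) for l in text.splitlines() if l.strip()}


def audit_remoteip(conf_text, published):
    """Classify RemoteIPTrustedProxy entries against the published ranges.
    invalid: not a strict CIDR (syntax error or host bits set, likely a typo)
    untrusted: outside every published range; a client there could forge the header
    missing: published ranges absent from the config"""
    report = {"invalid": [], "untrusted": [], "missing": []}
    seen = set()
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(parts) < 2 or parts[0].lower() != "remoteiptrustedproxy":
            continue
        for value in parts[1:]:  # the directive accepts several arguments
            try:
                net = ipaddress.ip_network(value)  # strict: host bits rejected
            except ValueError:
                report["invalid"].append(value)
                continue
            seen.add(net)
            if not any(net.version == p.version and net.subnet_of(p) for p in published):
                report["untrusted"].append(value)
    report["missing"] = sorted(str(p) for p in published - seen)
    return report


if __name__ == "__main__":
    print(audit_remoteip(SAMPLE_CONF, parse_published(PUBLISHED)))
```

To audit a real server, pass the contents of the config file and the text of the published IPv4 and IPv6 lists instead of the constructed samples.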