Patet

Set up Cloudflare

Put a free CDN, DNS, HTTPS, and basic protection in front of your site — adding it, DNS records, SSL modes, caching, and security.

Cloudflare sits in front of your site and does four big things for free: CDN acceleration, DNS, HTTPS certificates, and basic protection. It catches visitor requests at its global edge first, then forwards them to your origin — faster for visitors, lighter and safer for your server. For a personal project it's almost a must, and highly recommended.

为什么用 Cloudflare / Why Cloudflare

  • Free CDN / caching — static assets (images, JS, CSS) are cached at edge nodes worldwide, so visitors pull from a nearby node and your origin's bandwidth and load drop sharply.
  • Free SSL — it issues and renews HTTPS certificates automatically. You never touch Let's Encrypt, and the green padlock just works.
  • DDoS protection — even the free plan includes capacity-level L3/L4 DDoS mitigation, so you ride out volumetric attacks at no extra cost.
  • Hides your origin IP — visitors only see Cloudflare's IPs; your server's real address stays off the public internet, making scans and direct attacks harder.
  • Analytics — see requests, cache hit ratio, blocked threats, and geography for free, without installing your own stats stack.

All of this comes with the free plan — plenty for personal projects and small-to-medium sites.

添加站点 / Add your site

Setup has two parts: add the domain in Cloudflare, then go to your registrar and change the nameservers to the two Cloudflare gives you. Haven't bought a domain yet? Start with Buy a domain.

Add the domain in Cloudflare

After creating a Cloudflare account, click Add a site, enter your bare domain (e.g. example.com, without www), and pick the Free plan.

Let it scan your DNS

Cloudflare automatically scans and imports your domain's current DNS records. Review them carefully: confirm your A, CNAME, MX, and other records are all there, and add any that are missing (especially mail-related MX and TXT records).

Change nameservers at your registrar

Cloudflare gives you two nameserver addresses (like xxx.ns.cloudflare.com). Log in to your registrar, change the domain's nameservers to those two, and remove the old ones.

Wait for activation

Once the nameservers change, Cloudflare detects it automatically. Activation usually takes minutes to a few hours (up to 24–48 hours at most). When the domain status shows Active, you're set up.

Changing nameservers is the "fully managed" approach: it hands DNS entirely to Cloudflare, so you manage all records in the Cloudflare dashboard — and it's the prerequisite for using the proxy (orange cloud) features.

配置 DNS 记录 / DNS records

DNS records tell the browser "this name points here." The most common types:

  • A / AAAA — point a name at an IP address (A is IPv4, AAAA is IPv6). Use these when your origin is your own server.
  • CNAME — point a name at another hostname (e.g. the your-app.vercel.app your platform gives you).
  • MX — mail servers, for receiving email.
  • TXT — plain-text records for verification, SPF/DKIM, etc.

橙云 vs 灰云 / Proxied vs DNS only

Each A / AAAA / CNAME record has a cloud icon in front of it:

  • Orange cloud (Proxied) — traffic goes through Cloudflare before reaching your origin. This is what powers CDN, caching, HTTPS, DDoS protection, and hiding your origin IP. Your main site entry points should all be proxied.
  • Grey cloud (DNS only) — Cloudflare only resolves the name; traffic connects directly to your origin and bypasses Cloudflare. Use grey cloud for records that can't be proxied (like MX) or subdomains you want connected directly.
TypeNameContentProxy
A@203.0.113.10 (your server IP)Orange (proxied)
CNAMEwwwexample.comOrange (proxied)
CNAMEappyour-app.vercel.appOrange (proxied)
MX@mx.your-mail.comGrey (DNS only)
TXT@v=spf1 include:...Grey (not proxyable)

SSL/TLS 模式 / SSL modes

In SSL/TLS → Overview, choose the encryption mode that governs the Cloudflare-to-origin leg:

  • Off — no encryption, don't use it.
  • Flexible — browser-to-Cloudflare is encrypted, but Cloudflare-to-origin is plain HTTP. It looks like HTTPS while the back half is exposed. Don't use it.
  • Full — encrypted end to end, but the origin certificate isn't validated (self-signed is fine).
  • Full (strict) — encrypted end to end and validates the origin certificate. Strongly recommended.

If your origin has no valid certificate, install a free Cloudflare Origin Certificate (generate it under SSL/TLS → Origin Server) so you can safely run Full (strict).

Never use Flexible. If your server also redirects HTTP→HTTPS, Flexible causes an infinite redirect loop, and the Cloudflare-to-origin hop travels in plaintext — an insecure connection. The right setup is HTTPS on the origin with the mode set to Full (strict).

Then, under SSL/TLS → Edge Certificates, turn on:

  • Always Use HTTPS — auto-301 every HTTP request to HTTPS.
  • Automatic HTTPS Rewrites — rewrites http:// asset links in your pages to https://, avoiding mixed-content warnings.

缓存 / Caching

By default, Cloudflare caches common static assets (images, CSS, JS, fonts, etc.) and does not cache HTML.

  • Cache Rules / Page Rules — under Caching → Cache Rules, customize caching by path/extension: e.g. give /static/* a longer Edge Cache TTL, or explicitly "don't cache" for /api/*. Page Rules are the legacy approach — prefer Cache Rules for new projects.
  • Purge after a deploy — after shipping a new version, old files may still sit in the edge cache. Go to Caching → Configuration → Purge Cache; use Purge Everything only in a pinch, and prefer purging individual URLs to avoid tanking your hit ratio.
  • Don't cache HTML for dynamic apps — if pages with login state or personalized content get cached, user A can see user B's data. Make sure HTML responses carry the right Cache-Control (like no-store or private), or explicitly Bypass with a Cache Rule.

Give content-hashed static assets (like app.3f9a.js) a very long cache, since the filename changes when the content does. Keep the HTML entry point uncached or short-cached, so deploys reach users without a manual purge.

基础安全 / Basic security

Cloudflare's free plan already blocks a lot of junk traffic. Enable these in order:

  • WAF managed rules — under Security → WAF, turn on Cloudflare's Managed Rules to automatically block common injection, scanning, and similar attacks.
  • Bot Fight Mode — under Security → Bots, free blocking of obvious malicious crawlers and bots.
  • Rate limiting — set rate limits on sensitive endpoints like login and APIs (e.g. "block if more than N requests per minute") to stop brute force and abuse. The free plan includes a basic allowance.
  • Always Use HTTPS — as above, force HTTPS site-wide.
  • HSTS — tells browsers "only ever reach this site over HTTPS." Enable it under SSL/TLS → Edge Certificates → HSTS. Turn it on only once HTTPS works on all subdomains, or you'll lock users out of an unreachable site.

For deeper server hardening, firewalls, and backups, see Security & ops; to get indexed by search engines, see SEO.

常见坑 / Common pitfalls

  • Redirect loop — SSL mode set to Flexible while the origin also forces HTTP→HTTPS: Cloudflare fetches over HTTP → origin redirects to HTTPS → Cloudflare fetches over HTTP again… an endless loop. Fix: put HTTPS on the origin and switch the mode to Full (strict).
  • Proxying a record that shouldn't be — setting a record like MX to orange cloud breaks email; only HTTP/HTTPS traffic can be proxied. Keep mail MX records, and anything that needs a direct connection, on grey cloud (DNS only).
  • Caching dynamic content — accidentally caching logged-in HTML or API responses makes users see someone else's data or stale content. Always Bypass cache or set Cache-Control: no-store for dynamic content.

Checklist for this step

  • Added the site in Cloudflare and changed the nameservers at your registrar to Cloudflare's two addresses — status is Active
  • Reviewed DNS records: site entry points on orange cloud (proxied), MX and similar on grey cloud (DNS only)
  • Set SSL mode to Full (strict) and enabled Always Use HTTPS and Automatic HTTPS Rewrites
  • Configured caching so dynamic/HTML content isn't cached by mistake, and know how to Purge Cache after a deploy
  • Enabled WAF managed rules, Bot Fight Mode, and rate limiting where needed; turned on HSTS only after confirming HTTPS works everywhere

See the full launch checklist.

Buy a domain

How to pick a registrar and TLD, dodge the renewal trap, protect your privacy, and point DNS once you've bought it.

Ops security

A fresh VPS gets scanned by the whole internet within minutes—this guide uses a few concrete commands to block ~99% of automated attacks.

On this page

为什么用 Cloudflare / Why Cloudflare添加站点 / Add your siteAdd the domain in CloudflareLet it scan your DNSChange nameservers at your registrarWait for activation配置 DNS 记录 / DNS records橙云 vs 灰云 / Proxied vs DNS onlySSL/TLS 模式 / SSL modes缓存 / Caching基础安全 / Basic security常见坑 / Common pitfalls