
Cloudflare's Frequently Asked Questions page is a central hub where its customers can always go to with their most common questions. These are the 356 most popular questions Cloudflare receives.
Learn how to add and remove members from a Cloudflare account.
Overview
Add account members
Revoke account membership
Overview
All Cloudflare customer plans can share account access with additional members.
Customers in all plans can have members with the following roles:
Super Administrator - All Privileges: Can edit any Cloudflare setting, make purchases, update billing, and manage memberships. Non-Enterprise customers can only have one Super Administrator.
Administrator: Can access the full account and configure the dashboard, but cannot manage billing or account membership. An unlimited number of members can be added to an account as Administrators.
In addition, Enterprise customers can have more than one Super Administrator and can assign additional membership roles. Super Administrators can also revoke the access of other Super Administrators. Learn How to set up Multi-User accounts on Cloudflare.
To learn more about multi-user access, visit this blog post.
Add account members
Follow these steps to add members to your account:
1. Log in to the Cloudflare dashboard.
2. Click the appropriate Cloudflare account where access will be shared. You should see the Home tab with a list of your sites.
3. Click the Members tab located in the top navigation bar.
4. In the Invite Members panel, enter the email address requiring account access. You can enter additional email addresses.
To ensure that all invited members enable Two-Factor Authentication, set Member 2FA enforcement to On.
5. Click Invite.
6. The new members will receive an email invitation with a confirmation link.
Revoke account membership
Follow these steps to revoke user access:
1. Log in to the Cloudflare dashboard.
2. Click the appropriate Cloudflare account where access will be removed. You should see the Home tab with a list of your sites.
3. Click the Members tab located in the top navigation bar.
4. Scroll to the list of Members.
5. Enter the email address to revoke. The Members list automatically updates with matching results.
6. Click the expand arrow to the far right of the email address requiring revocation.
7. Click Revoke, then click Yes, revoke access to confirm.
Understand how to use a Cloudflare Origin CA certificate to encrypt traffic between Cloudflare and your origin web server. Learn how to manage Origin CA certificates via Cloudflare and receive advice on installing Origin CA certificates at your origin web server.
Overview
Step 1 - Create an Origin CA certificate
Step 2 - Install an Origin CA certificate at your origin web server
Step 3 - Configure the SSL mode in the Cloudflare SSL/TLS app
Step 4 (optional) - Add Cloudflare Origin CA root certificates
Remove an Origin CA certificate
Related resources
Overview
Use Origin CA certificates to encrypt traffic between Cloudflare and your origin web server.
To ensure greater convenience, security, and performance, Cloudflare recommends an Origin CA certificate over a self-signed certificate or a certificate purchased from a Certificate Authority. With an Origin CA certificate, you can use the Full and Full (strict) SSL modes in the Cloudflare SSL/TLS app without first purchasing a certificate from a Certificate Authority to install at your origin web server.
Origin CA certificates only encrypt traffic between Cloudflare and your origin web server and are not trusted by client browsers when directly accessing your origin website outside of Cloudflare. For subdomains that utilize Origin CA certificates, pausing or disabling Cloudflare causes untrusted certificate errors for site visitors.
Deploying Origin CA certificates typically requires three steps:
Create an Origin CA certificate
Install an Origin CA certificate at your origin web server
Configure the SSL mode in the Cloudflare SSL/TLS app
Google App Engine does not support Cloudflare Origin CA certificates.
Step 1 - Create an Origin CA certificate
You can generate your own Origin CA certificate in the Cloudflare dashboard:
Log in to Cloudflare.
Select the appropriate account for the domain requiring an Origin CA certificate.
Select the domain.
Click the SSL/TLS app.
Click the Origin Server tab.
Click Create Certificate to open the Origin Certificate Installation window.
In the Origin Certificate Installation window, choose either:
Let Cloudflare generate a private key and a CSR - requires specifying whether the Private key type is RSA or ECDSA.
I have my own private key and CSR - requires pasting the Certificate Signing Request into the text field.
List the hostnames (including wildcards) the certificate should protect with SSL encryption. The zone root and first level wildcard hostname are included by default.
You can include up to 100 hostnames or wildcard hostnames on a single certificate and can include hostnames for other domains within the same Cloudflare account. You can also add support for multi-level subdomains such as *.test.dev.www.example.com.
Choose the certificate expiration. The default is 15 years and the minimum is 7 days.
Click Next.
Select the Key Format. Select the key pair format that best matches your environment. Most OpenSSL-based web servers such as Apache and NGINX expect PEM files (Base64 encoded ASCII), but also work with binary DER files. Windows and Apache Tomcat users must opt for PKCS#7.
Copy the signed Origin Certificate and Private key details into separate files as instructed by the Origin Certificate Installation window.
Be sure to copy the Private key information before clicking OK. For security reasons, the Private key is not displayed again after Origin certificate creation.
Click OK.
It is possible to create Cloudflare Origin CA certificates via the Cloudflare API.
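As an added example (not from the article and not Cloudflare's own tooling), the shell script below generates the private key and CSR locally and submits only the CSR to the Origin CA endpoint, so the private key never leaves the origin. It assumes the Origin CA Key (a separate credential from API tokens) is exported as CF_ORIGIN_CA_KEY, and that openssl, curl and python3 are installed on the origin host; the set of accepted validity periods is taken from the public API reference and is an assumption of the script, not something the article states.

```shell
#!/usr/bin/env bash
# Added example: request a Cloudflare Origin CA certificate from the command line.
# Assumptions (not from the article): the Origin CA Key is in $CF_ORIGIN_CA_KEY,
# and openssl, curl and python3 are available on the origin host.
set -eu

API="https://api.cloudflare.com/client/v4/certificates"

# Generate the private key and CSR on the origin, so the key never leaves it.
# $1 = output file prefix, $2 = rsa|ecc, $3 = Common Name (first hostname)
make_csr() {
  local prefix=$1 ktype=$2 cn=$3
  if [ "$ktype" = ecc ]; then
    openssl ecparam -genkey -name prime256v1 -noout -out "$prefix.key"
  else
    openssl genrsa -out "$prefix.key" 2048
  fi
  chmod 600 "$prefix.key"
  openssl req -new -key "$prefix.key" -subj "/CN=$cn" -out "$prefix.csr"
}

# JSON needs the PEM newline-escaped: turn each real newline into the two
# characters backslash and n.
json_escape_pem() {
  printf '%s' "$1" | awk 'BEGIN { ORS = "\\n" } { print }'
}

# Build the POST body. $1 = rsa|ecc, $2 = validity in days, $3 = CSR PEM text,
# $4.. = hostnames (wildcards allowed; at most 100, as the article states).
# Accepted validity values (assumption from the API reference): 7, 30, 90, 365,
# 730, 1095 and 5475 days; 5475 is the 15-year dashboard default.
build_body() {
  local ktype=$1 days=$2 csr=$3 hosts
  shift 3
  case $ktype in rsa|ecc) ;; *) echo "key type must be rsa or ecc" >&2; return 1 ;; esac
  case $days in 7|30|90|365|730|1095|5475) ;; *) echo "unsupported validity: $days" >&2; return 1 ;; esac
  [ $# -ge 1 ] && [ $# -le 100 ] || { echo "need 1..100 hostnames" >&2; return 1; }
  hosts=$(printf '"%s",' "$@")
  printf '{"hostnames":[%s],"requested_validity":%s,"request_type":"origin-%s","csr":"%s"}\n' \
    "${hosts%,}" "$days" "$ktype" "$(json_escape_pem "$csr")"
}

# Submit the request. The Origin CA endpoint authenticates with the Origin CA
# Key header, not with X-Auth-Key or a bearer API token.
request_cert() {  # $1 = JSON body; prints the API response
  curl -fsS -X POST "$API" \
    -H "X-Auth-User-Service-Key: $CF_ORIGIN_CA_KEY" \
    -H 'Content-Type: application/json' \
    --data "$1"
}

# Pull the signed certificate out of the response; fail loudly on API errors
# instead of writing an error document into the certificate file.
extract_cert() {
  python3 -c 'import json, sys
r = json.load(sys.stdin)
if not r.get("success"):
    sys.exit("API error: %s" % r.get("errors"))
print(r["result"]["certificate"], end="")'
}

# Usage, run only when the key is present so the file can also be sourced:
#   CF_ORIGIN_CA_KEY=... ./origin_ca.sh
if [ -n "${CF_ORIGIN_CA_KEY:-}" ]; then
  make_csr origin rsa example.com
  body=$(build_body rsa 5475 "$(cat origin.csr)" example.com '*.example.com')
  request_cert "$body" | extract_cert > origin.pem
  echo "wrote origin.pem (certificate) and origin.key (private key, keep it secret)"
fi
```

The resulting origin.pem is the certificate to install in Step 2; origin.key stays on the origin with mode 600. Because the CSR was generated locally, the "Let Cloudflare generate a private key" path in the dashboard is never needed.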
Step 2 - Install an Origin CA certificate at your origin web server
Adding an Origin CA certificate to an origin web server requires several general steps:
Upload the Origin CA certificate (created above in Step 1) to your origin web server.
Use the linked installation guides below to update your web server configuration to point to the certificate.
(Optional for most origin web servers) Upload Cloudflare's CA root certificate to your origin web server.
Some web servers, such as IIS and cPanel, validate the Origin CA root certificate. Such web servers require Cloudflare's root RSA certificate during configuration.
Enable SSL and port 443 at your origin web server.
Check that your origin server firewall doesn't block connections to port 443.
Review the list of links below for installation instructions specific to your origin web server. For further assistance installing an Origin CA certificate, contact your hosting provider, web administrator, or web server vendor.
Apache httpd
GoDaddy Hosting (with cPanel)
Microsoft IIS 7
Microsoft IIS 8 and 8.5
Microsoft IIS 10
NGINX
Tomcat
Certificate installation instructions are also available for the following origin web servers:
2X Application Server
3Com Wireless LAN
Adobe Connect
AEP Netilla
Alpha Five
Amazon Web Services
Barracuda Spam & Virus
Barracuda SSL VPN
Cerberus FTP Server
Checkpoint VPN
Cisco ASA
Cisco Mobility
Citrix Access Gateway
Citrix Access Essentials
Citrix NetScaler VPX
Cobalt RaQ3x/4x/XTR
Courier IMAP
cPanel
Ensim Control Panel
F5 BIG-IP
F5 FirePass
FileZilla Server
Hsphere Web Server
IBM HTTP Server
iPlanet
Java (Generic) Web Servers
Lighttpd
Lotus Domino Go 4.6.2.6+
Lotus Domino 4.6x & 5.0x
Lotus Domino 8.5
Lync 2010
Lync 2013
Mac OS X Lion
Mac OS X Mavericks
Mac OS X Yosemite
Mac OS X El Capitan
Microsoft AD LDAP (2008)
Microsoft AD LDAP (2012)
Microsoft AD FS
Microsoft Exchange 2007
Microsoft Exchange 2010
Microsoft Exchange 2013
Microsoft Forefront TMG
Microsoft IIS 4.x
Microsoft IIS 5.x/6.x
Microsoft Office 365
Microsoft Office Comm Server
Microsoft Outlook Web Access
Microsoft SharePoint 2010
Microsoft SharePoint 2013
NetScreen
Novell ConsoleOne
Novell I-Chain
Oracle Wallet Manager
Parse.com
Plesk Server
Qmail
Radware Alteon
Small Business Server 2011
Small Business Server 2008
SonicWALL NSA
SonicWALL SSL VPN
Sun Java Web Server
SurgeMail
Ubuntu Server with Apache2
Weblogic 8 & 9
Weblogic (previous versions)
Webmin
Website Pro
Websphere
WebSTAR
WHM
Windows Azure Cloud Service
Windows Azure Website
Zeus Loadbalancer
Zeus Webserver
Zimbra
Zyxel Zywall
Step 3 - Configure the SSL mode in the Cloudflare SSL/TLS app
Instruct Cloudflare to encrypt traffic to your origin web server after you install the Cloudflare Origin CA certificate at your origin web server. Set the SSL mode in the Cloudflare SSL/TLS app to either Full or Full (strict) to enable encryption between Cloudflare and your origin web server.
Make this change globally via the SSL/TLS app only if all of your origin hosts are protected by Origin CA certificates or publicly trusted certificates. Otherwise, consider setting SSL to Full or Full (strict) via the Cloudflare Page Rules app.
To avoid redirect loop errors, first ensure your origin web server configuration does not redirect HTTPS to HTTP or HTTP to HTTPS in a manner contrary to how the Cloudflare SSL mode is configured for Cloudflare connections to your origin web server.
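The following script is an added example (not from the article) that carries Steps 2 and 3 through on an NGINX origin: it checks that the certificate from Step 1 chains to the Cloudflare Origin CA root and matches the private key, installs both, writes a TLS server block whose HTTP-to-HTTPS redirect is only correct under Full or Full (strict), and only then reloads NGINX. The file paths, the hostname, the config location and a systemd-managed nginx are assumptions; it also expects OpenSSL 1.1.1 or newer for the x509 -ext option.

```shell
#!/usr/bin/env bash
# Added example: install an Origin CA certificate on an NGINX origin (Step 2) and
# write a config that is consistent with the Full / Full (strict) SSL mode (Step 3).
# Assumptions (not from the article): origin.pem and origin.key come from Step 1,
# cloudflare_origin_rsa.pem is the root from Step 4, site configs live under
# /etc/nginx/conf.d/, and nginx is managed by systemd.
set -eu

CERT_DIR=/etc/ssl/cloudflare

# Two checks that catch the usual mistakes before anything is touched:
#  - the certificate really chains to the Cloudflare Origin CA root, and
#  - the private key is the one the CSR was generated from.
# Also prints the hostnames the certificate covers, to compare with DNS.
verify_origin_cert() {  # $1 = certificate PEM, $2 = private key PEM, $3 = Origin CA root PEM
  openssl verify -CAfile "$3" "$1" >/dev/null
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match certificate" >&2; return 1; }
  openssl x509 -in "$1" -noout -ext subjectAltName
}

# The NGINX server blocks. $1 = proxied hostname. Printed to stdout so the
# result can be reviewed (or tested) before it is written to disk.
nginx_tls_config() {
  cat <<EOF
# Origin CA certificates are trusted only by Cloudflare. Keep the DNS record
# proxied (orange cloud); browsers reaching this vhost directly will see an
# untrusted-certificate error.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $1;

    ssl_certificate     $CERT_DIR/origin.pem;
    ssl_certificate_key $CERT_DIR/origin.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    root /var/www/$1;
}

# This redirect is correct only with the Cloudflare SSL mode set to Full or
# Full (strict). Under Flexible, Cloudflare fetches over plain HTTP, the origin
# answers 301 to https://, and visitors get a redirect loop.
server {
    listen 80;
    listen [::]:80;
    server_name $1;
    return 301 https://\$host\$request_uri;
}
EOF
}

install_origin_cert() {  # $1 = hostname, $2 = cert PEM, $3 = key PEM, $4 = Origin CA root PEM
  verify_origin_cert "$2" "$3" "$4"
  install -d -m 755 "$CERT_DIR"
  install -m 644 "$2" "$CERT_DIR/origin.pem"
  install -m 600 "$3" "$CERT_DIR/origin.key"
  nginx_tls_config "$1" > "/etc/nginx/conf.d/$1.conf"
  nginx -t                     # refuse to reload a broken config
  systemctl reload nginx
}

# Usage (needs root):  ./install_origin_cert.sh install www.example.com
if [ "${1:-}" = install ]; then
  install_origin_cert "$2" origin.pem origin.key cloudflare_origin_rsa.pem
fi
```

The public-key comparison works for both RSA and ECDSA keys, which is why it is used instead of comparing RSA moduli. Only after the config is in place and nginx -t passes should the SSL mode in the Cloudflare SSL/TLS app be switched to Full (strict).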
(optional) Step 4 - Add Cloudflare Origin CA root certificates
Some origin web servers require uploading the Cloudflare Origin CA root certificate. See below for an RSA and ECC version of the Cloudflare Origin CA root certificate. Click on a link to download a file:
cloudflare_origin_ecc.pem
cloudflare_origin_rsa.pem
cPanel does not support ECC certificates. Use the Origin CA root RSA certificate below.
Alternatively, copy the root certificate contents below into your origin web server configuration:
Cloudflare Origin CA RSA Root
-----BEGIN CERTIFICATE-----
MIIEADCCAuigAwIBAgIID+rOSdTGfGcwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNV
BAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTQwMgYDVQQLEytDbG91
ZEZsYXJlIE9yaWdpbiBTU0wgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRYwFAYDVQQH
Ew1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlhMB4XDTE5MDgyMzIx
MDgwMFoXDTI5MDgxNTE3MDAwMFowgYsxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBD
bG91ZEZsYXJlLCBJbmMuMTQwMgYDVQQLEytDbG91ZEZsYXJlIE9yaWdpbiBTU0wg
Q2VydGlmaWNhdGUgQXV0aG9yaXR5MRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMw
EQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAwEiVZ/UoQpHmFsHvk5isBxRehukP8DG9JhFev3WZtG76WoTthvLJFRKFCHXm
V6Z5/66Z4S09mgsUuFwvJzMnE6Ej6yIsYNCb9r9QORa8BdhrkNn6kdTly3mdnykb
OomnwbUfLlExVgNdlP0XoRoeMwbQ4598foiHblO2B/LKuNfJzAMfS7oZe34b+vLB
yrP/1bgCSLdc1AxQc1AC0EsQQhgcyTJNgnG4va1c7ogPlwKyhbDyZ4e59N5lbYPJ
SmXI/cAe3jXj1FBLJZkwnoDKe0v13xeF+nF32smSH0qB7aJX2tBMW4TWtFPmzs5I
lwrFSySWAdwYdgxw180yKU0dvwIDAQABo2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYD
VR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUJOhTV118NECHqeuU27rhFnj8KaQw
HwYDVR0jBBgwFoAUJOhTV118NECHqeuU27rhFnj8KaQwDQYJKoZIhvcNAQELBQAD
ggEBAHwOf9Ur1l0Ar5vFE6PNrZWrDfQIMyEfdgSKofCdTckbqXNTiXdgbHs+TWoQ
wAB0pfJDAHJDXOTCWRyTeXOseeOi5Btj5CnEuw3P0oXqdqevM1/+uWp0CM35zgZ8
VD4aITxity0djzE6Qnx3Syzz+ZkoBgTnNum7d9A66/V636x4vTeqbZFBr9erJzgz
hhurjcoacvRNhnjtDRM0dPeiCJ50CP3wEYuvUzDHUaowOsnLCjQIkWbR7Ni6KEIk
MOz2U0OBSif3FTkhCgZWQKOOLo1P42jHC3ssUZAtVNXrCk3fw9/E15k8NPkBazZ6
0iykLhH1trywrKRMVw67F44IE8Y=
-----END CERTIFICATE-----
Cloudflare Origin CA ECC Root
-----BEGIN CERTIFICATE-----
MIICiTCCAi6gAwIBAgIUXZP3MWb8MKwBE1Qbawsp1sfA/Y4wCgYIKoZIzj0EAwIw
gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
eTAeFw0xOTA4MjMyMTA4MDBaFw0yOTA4MTUxNzAwMDBaMIGPMQswCQYDVQQGEwJV
UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZ
MBcGA1UEChMQQ2xvdWRGbGFyZSwgSW5jLjE4MDYGA1UECxMvQ2xvdWRGbGFyZSBP
cmlnaW4gU1NMIEVDQyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAASR+sGALuaGshnUbcxKry+0LEXZ4NY6JUAtSeA6g87K3jaA
xpIg9G50PokpfWkhbarLfpcZu0UAoYy2su0EhN7wo2YwZDAOBgNVHQ8BAf8EBAMC
AQYwEgYDVR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUhTBdOypw1O3VkmcH/es5
tBoOOKcwHwYDVR0jBBgwFoAUhTBdOypw1O3VkmcH/es5tBoOOKcwCgYIKoZIzj0E
AwIDSQAwRgIhAKilfntP2ILGZjwajktkBtXE1pB4Y/fjAfLkIRUzrI15AiEA5UCL
XYZZ9m2c3fKwIenMMojL1eqydsgqj/wK4p5kagQ=
-----END CERTIFICATE-----
The previous versions of the root certificates expire on 2019-11-14T01:43:50Z for the RSA root and 2021-02-22T00:24:00Z for the ECC root. If your origin web server uses the outdated root certificates, replace them with the latest version to avoid site disruptions.
Remove an Origin CA certificate
Follow these steps to revoke an Origin CA certificate:
Log in to Cloudflare.
Select the appropriate account for the domain where the Origin CA certificate needs to be revoked.
Select the domain.
Click the SSL/TLS app and scroll down to Origin Certificates.
If the SSL mode is Full (strict), visitors will see certificate errors after revocation until the Origin CA certificate is replaced. To avoid errors, ensure that the SSL mode is set to either Full or Flexible and not Full (strict), either globally via the SSL/TLS app or for a specific hostname via the Page Rules app, before revoking an Origin CA certificate.
Click the X icon to the right of the certificate name in the list of Origin CA certificates.
The Revoke Origin Certificate confirmation window appears.
Check the confirmation box and click Revoke.
Related resources
Understanding Cloudflare SSL: an overview
Cloudflare Blog: Introducing Cloudflare Origin CA
Secure customer traffic to your website with a Cloudflare SSL certificate. Learn which Cloudflare SSL product fits your site's needs with guidance from the resources below.
Learn the basics
Enhance your SSL security
Customize your SSL settings
Troubleshoot
Learn the basics
What is SSL?
Learn how SSL prevents malicious snooping of your website's Internet traffic.
End-to-end Encryption with Cloudflare
Learn which Cloudflare settings ensure end-to-end encryption of traffic proxied to Cloudflare.
Learn about Cloudflare's SSL products
Observe the differences between Cloudflare SSL offerings and determine which SSL product best fits the needs of your website. Distinguish the certificates that encrypt traffic between visitors and Cloudflare from those that encrypt traffic between Cloudflare and your origin web server.
Understand Universal SSL
See how Cloudflare's free SSL certificate secures traffic for your domain and understand the limitations.
Manage Custom SSL (Business or Enterprise domains only)
Learn how to manage Custom SSL certificates purchased outside of Cloudflare.
Manage Dedicated SSL
Discern the differences between Dedicated SSL certificates and Dedicated SSL certificates with Custom Hostnames, and identify the benefits for your domain.
Understand Keyless SSL (Enterprise domains only)
Serve your certificate from Cloudflare's network without providing Cloudflare the private keys for your certificate.
Manage Custom Hostnames (Enterprise domains only)
Extend Cloudflare's benefits to your customers and preserve your branding without requiring your customers to create Cloudflare accounts.
Manage Origin SSL certificates
Ensure traffic encryption between Cloudflare and your origin web server.
SSL FAQ
Find answers to common SSL questions.
Determine the SSL Option for your site
Ensure traffic is encrypted between Cloudflare and your origin web server and avoid common configuration pitfalls such as redirect loops and 5XX errors.
Enhance your SSL security
Configure Authenticated Origin Pull
Force your origin web server to validate that a web request comes from Cloudflare.
Enable TLS Client Auth (Enterprise domains only)
Configure Cloudflare to only allow authorized clients to visit your site if those clients present a certificate that is approved by your organization.
Configure HTTP Strict Transport Security (HSTS)
Secure HTTPS web servers against SSL downgrade attacks and force browsers to strictly enforce web security practices.
Customize your SSL settings
Enable Opportunistic Encryption
Allow clients to securely access your site using HTTP (instead of HTTPS) over an encrypted TLS channel.
Use Cloudflare Onion Routing
Allow Cloudflare to serve your website's content directly through the Tor network without requiring exit nodes.
Enable TLS 1.3
Enable the latest TLS protocol to improve speed and security for content served over HTTPS.
Choose a Minimum TLS Version
Enforce stronger cryptographic standards for HTTPS traffic to your domain.
Troubleshoot
Troubleshooting SSL errors
Find answers to common SSL issues.
Why do I see redirect loop errors in the browser?
Identify and resolve certain Cloudflare SSL/TLS and Page Rules settings that are incompatible with your origin web server configuration and cause redirect loop errors for visitors.
How do I fix SSL Mixed Content errors?
Identify the symptoms of Mixed Content errors and learn which Cloudflare settings resolve the issue.
Diagnose and resolve 5XX errors for Cloudflare proxied sites.
Overview
500: internal server error
502: bad gateway or 504: gateway timeout
503: service temporarily unavailable
520: web server returns an unknown error
521: web server is down
522: connection timed out
523: origin is unreachable
524: a timeout occurred
525: SSL handshake failed
526: invalid SSL certificate
527: Railgun listener to origin
Error 530
Related resources
Overview
When troubleshooting most 5XX errors, the correct course of action is to first contact your hosting provider or site administrator to troubleshoot and gather data.
Cloudflare Support only assists the domain owner to resolve issues. If you are a site visitor, report the problem to the site owner.
Required error details to provide your hosting provider
Specific 5XX error code and message
Time and timezone the 5XX error occurred
URL that resulted in the HTTP 5XX error (for example: https://www.example.com/images/icons/image1.png)
The error cause is not always found in the origin server error logs. Check the logs of all load balancers, caches, proxies, or firewalls between Cloudflare and the origin web server.
Additional details to provide to your hosting provider or site administrator are listed within each error description below. Cloudflare Custom Error Pages change the appearance of default error pages discussed in this article.
Error 500: internal server error
Error 500 generally indicates an issue with your origin web server. Error establishing database connection is a common HTTP 500 error message generated by your origin web server. Contact your hosting provider to resolve.
Resolution
Provide details to your hosting provider to assist troubleshooting the issue.
However, if the 500 error contains cloudflare or cloudflare-nginx in the HTML response body, provide Cloudflare support with the following information:
Your domain name
The time and timezone of the 500 error occurrence
The output of www.example.com/cdn-cgi/trace from the browser where the 500 error was observed (replace www.example.com with your actual domain and host name)
If you observe blank or white pages when visiting your website, confirm whether the issue occurs when temporarily pausing Cloudflare and contact your hosting provider for assistance.
Error 502 bad gateway or error 504 gateway timeout
An HTTP 502 or 504 error occurs when Cloudflare is unable to establish contact with your origin web server.
There are two possible causes:
(Most common cause) 502/504 from your origin web server
502/504 from Cloudflare
502/504 from your origin web server
Cloudflare returns a Cloudflare-branded HTTP 502 or 504 error when your origin web server responds with a standard HTTP 502 bad gateway or 504 gateway timeout error.
Resolution
Contact your hosting provider to troubleshoot these common causes at your origin web server:
Ensure the origin server responds to requests for the hostname and domain within the visitors URL that generated the 502 or 504 error.
Investigate excessive server loads, crashes, or network failures.
Identify applications or services that timed out or were blocked.
502/504 from Cloudflare
A 502 or 504 error originating from Cloudflare is a Cloudflare-branded error page that mentions cloudflare. If the error does not mention cloudflare, contact your hosting provider for assistance with 502/504 errors from your origin.
Resolution
To avoid delays processing your inquiry, provide these required details to Cloudflare Support :
Time and timezone the issue occurred.
URL that resulted in the HTTP 502 or 504 response (for example: https://www.example.com/images/icons/image1.png)
Output from browsing to www.example.com/cdn-cgi/trace (replace www.example.com with the domain and host name that caused the HTTP 502 or 504 error)
Error 503: service temporarily unavailable
HTTP error 503 occurs when your origin web server is overloaded. There are two possible causes, discernible by error message:
The error doesn't contain cloudflare or cloudflare-nginx in the HTML response body.
Resolution: Contact your hosting provider to verify whether they rate limit requests to your origin web server.
The error contains cloudflare or cloudflare-nginx in the HTML response body.
Resolution: A connectivity issue occurred in a Cloudflare data center. Provide Cloudflare support with the following information:
Your domain name
The time and timezone of the 503 error occurrence
The output of www.example.com/cdn-cgi/trace from the browser where the 503 error was observed (replace www.example.com with your actual domain and host name)
Error 520: web server returns an unknown error
Error 520 occurs when the origin server returns an empty, unknown, or unexpected response to Cloudflare.
Resolution
A quick workaround while further investigating 520 errors is to either grey cloud the DNS record in the Cloudflare DNSapp or temporarily pause Cloudflare.
Contact your hosting provider or site administrator and request a review of your origin web server error logs for crashes and to check for these common causes:
Origin web server application crashes
Cloudflare IPs not whitelisted at your origin.
Origin web server TCP idle timeouts shorter than 300 seconds
Headers exceeding 8 KB (typically due to too many cookies)
An empty response from the origin web server that lacks an HTTP status code or response body
Missing response headers or origin web server not returning proper HTTP error responses
520 errors are prevalent with certain PHP applications that crash the origin web server.
If 520 errors continue after contacting your hosting provider or site administrator, provide the following information to Cloudflare Support :
Full URL(s) of the resource requested when the error occurred
Cloudflare Ray ID from the 520 error message
Output from http://www.example.com/cdn-cgi/trace (replace www.example.com with your hostname and domain where the 520 error occurred)
Two HAR files:
one with Cloudflare enabled on your website, and
the other with Cloudflare temporarily disabled.
Error 521: web server is down
Error 521 occurs when the origin web server refuses connections from Cloudflare. Security solutions at your origin may block legitimate connections from certain Cloudflare IP addresses.
The two most common causes of 521 errors are:
Offlined origin web server application
Blocked Cloudflare requests
Resolution
Contact your site administrator or hosting provider to eliminate these common causes:
Ensure your origin web server is responsive
Review origin web server error logs to identify web server application crashes or outages.
Confirm Cloudflare IP addresses are not blocked or rate limited
Whitelist all Cloudflare IP ranges in your origin web server's firewall or other security software
Error 522: connection timed out
Error 522 occurs when Cloudflare times out contacting the origin web server. Two different timeouts cause HTTP error 522, depending on when they occur between Cloudflare and the origin web server:
Before a connection is established, the origin web server does not return a SYN+ACK to Cloudflare within 15 seconds of Cloudflare sending a SYN.
After a connection is established, the origin web server doesn't acknowledge (ACK) Cloudflare's resource request within 90 seconds.
An HTTP 524 error occurs if the origin web server acknowledges (ACK) the resource request after the connection is established, but does not send a timely response.
Resolution
Contact your hosting provider to check the following common causes at your origin web server:
(Most common cause) Cloudflare IP addresses are rate limited or blocked in .htaccess, iptables, or firewalls. Confirm your hosting provider whitelists Cloudflare IP addresses.
An overloaded or offline origin web server drops incoming requests.
Keepalives are disabled at the origin web server.
The origin IP address in your Cloudflare DNS app does not match the IP address currently provisioned to your origin web server by your hosting provider.
Packets were dropped at your origin web server.
If none of the above leads to a resolution, request the following information from your hosting provider or site administrator before contacting Cloudflare support:
An MTR or traceroute from your origin web server to a Cloudflare IP address that most commonly connected to your origin web server before the issue occurred. Identify a connecting Cloudflare IP recorded in the origin web server logs.
Details from the hosting provider's investigation, such as pertinent logs or conversations with the hosting provider.
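The script below is an added example (not from the article) of the "whitelist all Cloudflare IP ranges" step that both the 521 and the 522 sections call for: it pulls the current ranges from Cloudflare's published lists and turns them into iptables/ip6tables rules that admit ports 80 and 443 only from Cloudflare. The chain name, the port list and the use of iptables rather than a cloud security group are assumptions; applying the rules needs curl and root.

```shell
#!/usr/bin/env bash
# Added example: admit HTTP/HTTPS only from Cloudflare's published IP ranges.
# Assumptions (not from the article): iptables/ip6tables are the firewall,
# curl is installed, and nothing else needs to reach ports 80/443 directly.
# Keep SSH and monitoring on other ports or rules; this chain does not touch them.
set -eu

CHAIN=CLOUDFLARE
PORTS=80,443

# Cloudflare publishes its edge ranges at these URLs. They change rarely but do
# change, so re-run this from cron rather than hard-coding addresses.
fetch_ranges() {
  for url in https://www.cloudflare.com/ips-v4 https://www.cloudflare.com/ips-v6; do
    curl -fsS "$url"
    echo   # guarantee a line break between the two lists
  done
}

# stdin: one CIDR per line; stdout: one ACCEPT rule per range. A pure text
# transformation, so it can be reviewed (or tested) without touching the firewall.
render_rules() {
  local cidr
  while IFS= read -r cidr; do
    [ -n "$cidr" ] || continue
    case $cidr in
      *:*) printf 'ip6tables -A %s -s %s -p tcp -m multiport --dports %s -j ACCEPT\n' "$CHAIN" "$cidr" "$PORTS" ;;
      *)   printf 'iptables -A %s -s %s -p tcp -m multiport --dports %s -j ACCEPT\n' "$CHAIN" "$cidr" "$PORTS" ;;
    esac
  done
}

# Fetch first, then rebuild the chain: flush, refill, end with DROP, and hook
# the chain into INPUT once. A failed download leaves the firewall untouched.
apply_rules() {
  local rules fw
  rules=$(fetch_ranges | render_rules)
  [ -n "$rules" ] || { echo "no ranges fetched; firewall unchanged" >&2; return 1; }
  for fw in iptables ip6tables; do
    $fw -N "$CHAIN" 2>/dev/null || $fw -F "$CHAIN"
  done
  printf '%s\n' "$rules" | sh -e
  for fw in iptables ip6tables; do
    $fw -A "$CHAIN" -j DROP
    $fw -C INPUT -p tcp -m multiport --dports "$PORTS" -j "$CHAIN" 2>/dev/null ||
      $fw -I INPUT -p tcp -m multiport --dports "$PORTS" -j "$CHAIN"
  done
}

# Usage (needs root): ./cf_allowlist.sh apply      Dry run: ./cf_allowlist.sh show
case ${1:-} in
  apply) apply_rules ;;
  show)  fetch_ranges | render_rules ;;
esac
```

After applying, direct requests to the origin from anywhere other than Cloudflare are dropped, which also removes the usual way attackers bypass the proxy. Rate limiting in .htaccess or an application firewall still has to exempt these ranges separately; this chain only covers the packet filter.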
Error 523: origin is unreachable
Error 523 occurs when Cloudflare cannot contact your origin web server. This typically occurs when a network device between Cloudflare and the origin web server doesn't have a route to the origin's IP address.
Resolution
Contact your hosting provider to exclude the following common causes at your origin web server:
Confirm the correct origin IP address is listed for A or AAAA records within your Cloudflare DNS app.
Troubleshoot Internet routing issues between your origin and Cloudflare, or with the origin itself.
If your hosting provider frequently changes your origin web server's IP address, refer to Cloudflare's documentation on dynamic DNS updates.
If none of the above leads to a resolution, request the following information from your hosting provider or site administrator:
An MTR or traceroute from your origin web server to a Cloudflare IP address that most commonly connected to your origin web server before the issue occurred. Identify a connecting Cloudflare IP from the logs of the origin web server.
If you use Railgun via a Cloudflare Hosting Partner, contact your hosting provider to troubleshoot the 523 errors.
If you manage your Railgun installation, provide the following to Cloudflare support :
A traceroute to your origin web server from your Railgun server.
The most recent syslog file from your Railgun server.
Error 524: a timeout occurred
Error 524 indicates that Cloudflare successfully connected to the origin web server, but the origin did not provide an HTTP response before the default 100-second timeout expired.
Enterprise customers can increase the 524 timeout up to 600 seconds.
Resolution
Contact your hosting provider to exclude the following common causes at your origin web server:
A long-running process on the origin web server.
An overloaded origin web server.
Logging request response time at your origin web server helps identify the cause of resource slowness. Contact your hosting provider or site administrator for assistance in adjusting log formats or search for related logging documentation for your brand of web server such as Apache or Nginx.
If you regularly run HTTP requests that take over 100 seconds to complete (for example, large data exports), move those processes behind a subdomain that is not proxied (grey-clouded) in the Cloudflare DNS app.
If error 524 occurs for a domain using Cloudflare Railgun, ensure the lan.timeout is set higher than the default of 30 seconds and restart the railgun service.
Error 525: SSL handshake failed
525 errors are often caused by a configuration issue on the origin web server. Error 525 occurs when these two conditions are true:
The SSL handshake fails between Cloudflare and the origin web server, and
Full or Full (strict) SSL is set in the Overview tab of your Cloudflare SSL/TLS app.
Resolution
Contact your hosting provider to exclude the following common causes at your origin web server:
No valid SSL certificate installed
Port 443 (or other custom secure port) is not open
No SNI support
The cipher suites accepted by Cloudflare do not match the cipher suites supported by the origin web server
If 525 errors occur intermittently, review the origin web server error logs to determine the cause. Configure Apache to log mod_ssl errors. NGINX includes SSL errors in its standard error log, but may require an increased log level.
Error 526: invalid SSL certificate
Error 526 occurs when these two conditions are true:
Cloudflare cannot validate the SSL certificate at your origin web server, and
Full (strict) SSL is set in the Overview tab of your Cloudflare SSL/TLS app.
Resolution
For a potential quick fix, set SSL to Full instead of Full (strict) in the Overview tab of your Cloudflare SSL/TLS app for the domain.
Request your server administrator or hosting provider to review the origin web server's SSL certificates and verify that:
Certificate is not expired
Certificate is not revoked
Certificate is signed by a Certificate Authority or is a Cloudflare Origin CA certificate (not self-signed)
The requested domain name and hostname are in the certificate's Common Name or Subject Alternative Name
Your origin web server accepts connections over SSL port 443
Temporarily pause Cloudflare and visit https://www.sslshopper.com/ssl-checker.html#hostname=www.example.com (replace www.example.com with your hostname and domain) to verify no issues exist with the origin SSL certificate.
If the origin server uses a self-signed certificate, configure the domain to use Full SSL instead of Full (strict). Refer to recommended SSL settings for your origin.
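As an added example (not from the article), the script below reproduces from the origin's own shell the check Cloudflare performs for 525 and 526: open a TLS connection to the origin IP with SNI set to the proxied hostname, verify the chain against a given CA file, and turn the openssl output into a diagnosis keyed to the error codes above. Pass the Cloudflare Origin CA root as the CA file for an Origin CA certificate, or the system bundle for a publicly trusted one. The diagnosis wording and the requirement of OpenSSL 1.1.0 or newer (for -verify_hostname) are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: check an origin the way Full / Full (strict) does, without
# going through Cloudflare. Assumptions (not from the article): openssl 1.1.0+
# is installed; $3 is the CA file that should anchor the origin certificate
# (cloudflare_origin_rsa.pem for Origin CA certificates, or the system bundle
# such as /etc/ssl/certs/ca-certificates.crt for public ones).
set -eu

# Connect to the origin IP with SNI and hostname verification, which are the
# inputs Cloudflare uses. $1 = hostname, $2 = origin IP, $3 = CA file.
probe_origin() {
  openssl s_client -connect "$2:443" -servername "$1" -verify_hostname "$1" \
    -CAfile "$3" </dev/null 2>&1
}

# stdin: s_client output; stdout: one-line diagnosis mapped onto this article's
# error codes. Connection and handshake problems are checked first because
# s_client prints "Verify return code: 0 (ok)" when it never received a
# certificate to verify.
classify() {
  local out code
  out=$(cat)
  case $out in
    *"connect:errno"*|*"Connection refused"*)
      echo "521/525: nothing is accepting TCP on port 443 at the origin"; return ;;
    *"no peer certificate available"*|*"handshake failure"*)
      echo "525: TLS handshake failed (check SNI support, ciphers and protocol versions)"; return ;;
  esac
  code=$(printf '%s\n' "$out" | sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
  case ${code:-none} in
    0)  echo "ok: chain and hostname verify; Full (strict) will accept this origin" ;;
    10) echo "526: origin certificate has expired" ;;
    18) echo "526: self-signed origin certificate; use an Origin CA or public certificate, or set SSL to Full" ;;
    19|20|21) echo "526: issuer not trusted by the given CA file; for an Origin CA certificate pass the Cloudflare Origin CA root" ;;
    62) echo "526: requested hostname is not in the certificate's SAN or Common Name" ;;
    none) echo "unrecognised s_client output; read it in full" ;;
    *)  echo "526: certificate verification failed with OpenSSL error $code" ;;
  esac
}

diagnose() {  # $1 = hostname, $2 = origin IP, $3 = CA file
  probe_origin "$@" | classify
}

# Usage: ./origin_tls_check.sh www.example.com 203.0.113.10 cloudflare_origin_rsa.pem
if [ $# -eq 3 ]; then
  diagnose "$@"
fi
```

Running this against the origin IP rather than the hostname matters: the hostname resolves to Cloudflare while the record is proxied, so a check by name would test Cloudflare's edge certificate instead of the origin's.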
Error 527: Railgun Listener to origin error
A 527 error indicates an interrupted connection between Cloudflare and your origin's Railgun server (rg-listener). Common causes include:
Firewall interference
Network incidents or packet loss between the Railgun server and Cloudflare
For additional details to aid troubleshooting, increase Railgun logging.
Common causes of 527 errors include:
Connection timeouts
LAN timeout exceeded
Connection refusals
TLS/SSL related errors
If contacting Cloudflare support, provide the following information from the Railgun Listener:
The full content of the railgun.conf file
The full content of the railgun-nat.conf file
Railgun log files that detail the observed errors
Connection timeouts
The following Railgun log errors indicate a connection failure between the Railgun Listener and your origin web server:
connection failed 0.0.0.0:443/example.com: dial tcp 0.0.0.0:443: i/o timeout
no response from origin (timeout) 0.0.0.0:80/example.com
Resolution
Contact your hosting provider for assistance to test for connectivity issues between your origin web server and your Railgun Listener. For example, a netcat command tests connectivity when run from the Railgun Listener to the origin web server's SERVERIP and PORT (80 for HTTP or 443 for HTTPS):
nc -vz SERVERIP PORT
LAN timeout exceeded
The following Railgun Listener log error is generated if the origin web server does not send an HTTP response to the Railgun Listener within the 30 second default timeout:
connection failed 0.0.0.0:443/example.com: dial tcp 0.0.0.0:443: i/o timeout
The time is adjusted by the lan.timeout parameter of the railgun.conf file.
Resolution
Either increase the lan.timeout limit in railgun.conf, or review the web server configuration. Contact your hosting provider to confirm whether the origin web server is overloaded.
Connection refusals
The following errors appear in the Railgun logs when requests from the Railgun Listener are refused:
Error getting page: dial tcp 0.0.0.0:80: connection refused
Resolution
Whitelist the IP of your Railgun Listener at your origin web server's firewall.
TLS/SSL related errors
The following errors appear in the Railgun logs if TLS connections fail:
connection failed 0.0.0.0:443/example.com: remote error: handshake failure
connection failed 0.0.0.0:443/example.com: dial tcp 0.0.0.0:443:connection refused
connection failed 127.0.0.1:443/www.example.com: x509: certificate is valid for example.com, not www.example.com
Resolution
If TLS/SSL errors occur, check the following on the origin web server and ensure that:
Port 443 is open
An SSL certificate is presented by the origin web server
The SAN or Common Name of the origin web server's SSL certificate contains the requested hostname
SSL is set to Full or Full (Strict) in the Overview tab of the Cloudflare SSL/TLS app
If your origin web server's SSL certificate is self-signed, set validate.cert=0 in railgun.conf.
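The four error groups above can be triaged automatically before opening a support ticket. The following classifier is an added example (not Cloudflare's or Railgun's code): it matches Railgun log lines against the error strings quoted in this article, pulls out the origin IP, port and hostname, and attaches the article's resolution; the sample log lines are constructed from those quoted strings.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log, modelled on the error strings quoted in the
# article; not output captured from a real Railgun Listener.
SAMPLE_LOG = """\
connection failed 0.0.0.0:443/example.com: dial tcp 0.0.0.0:443: i/o timeout
no response from origin (timeout) 0.0.0.0:80/example.com
Error getting page: dial tcp 0.0.0.0:80:connection refused
connection failed 0.0.0.0:443/example.com: remote error: handshake failure
connection failed 127.0.0.1:443/www.example.com: x509: certificate is valid for example.com, not www.example.com
railgun listener started
"""

# (category, pattern, resolution from the article). Order matters: the x509
# hostname test must run before the generic TLS and refusal tests.
RULES = [
    ("cert_hostname_mismatch",
     re.compile(r"x509: certificate is valid for (?P<valid>\S+), not (?P<requested>\S+)"),
     "Certificate SAN/Common Name does not cover the requested hostname"),
    ("tls_handshake_failure",
     re.compile(r"remote error: handshake failure"),
     "Check port 443 is open, a certificate is presented, and SSL is Full or Full (Strict)"),
    ("connection_refused",
     re.compile(r"connection refused"),
     "Whitelist the Railgun Listener IP at the origin web server's firewall"),
    ("connection_timeout",
     re.compile(r"i/o timeout|no response from origin \(timeout\)"),
     "Test connectivity from the listener (nc -vz SERVERIP PORT); review lan.timeout in railgun.conf"),
]

# ip:port with an optional /hostname suffix, as the quoted lines show it.
ENDPOINT = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)(?:/(?P<host>[\w.-]+))?")


@dataclass
class Finding:
    category: str
    origin_ip: Optional[str]
    origin_port: Optional[int]
    hostname: Optional[str]
    resolution: str
    raw: str


def classify_line(line):
    """Return a Finding for a known Railgun error line, or None for other lines."""
    for category, pattern, resolution in RULES:
        m = pattern.search(line)
        if not m:
            continue
        ep = ENDPOINT.search(line)
        hostname = ep.group("host") if ep else None
        # For x509 mismatches the requested name is stated in the error itself.
        if category == "cert_hostname_mismatch":
            hostname = m.group("requested")
        return Finding(
            category=category,
            origin_ip=ep.group("ip") if ep else None,
            origin_port=int(ep.group("port")) if ep else None,
            hostname=hostname,
            resolution=resolution,
            raw=line,
        )
    return None


def summarize(log_text):
    """Count findings per category across a whole log: the quick view of which
    resolution section to start with."""
    counts = {}
    for line in log_text.splitlines():
        finding = classify_line(line)
        if finding:
            counts[finding.category] = counts.get(finding.category, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        f = classify_line(line)
        if f:
            print(f"{f.category:24} {f.origin_ip}:{f.origin_port} {f.hostname} -> {f.resolution}")
    print(summarize(SAMPLE_LOG))
```

Note that the refused-connection line quoted under TLS/SSL errors above lands in the connection_refused group here; the firewall check is the first thing to rule out in either case.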
Error 530
HTTP error 530 is returned with an accompanying 1XXX error displayed. Search for the specific 1XXX error within the Cloudflare Help Center for troubleshooting information.
Related resources
Gathering information to troubleshoot site issues
Contacting Cloudflare Support
Customizing Cloudflare error pages
Learn to set up your Cloudflare account and activate your domain by watching short video tutorials.
Overview
Add a domain to Cloudflare
Change domain nameservers to Cloudflare
Add MX records to Cloudflare
Performance overview
Security overview
Overview
Getting started with Cloudflare is a multi-step process. The following video tutorials guide you through the onboarding process and highlight some best practices.
Add a domain to Cloudflare
When you create a new Cloudflare account, part of the process includes adding a new domain.
Change domain nameservers to Cloudflare
To use Cloudflare as your authoritative DNS provider, you must update the nameservers at your domain registrar so that your web traffic routes through the Cloudflare network. This video explains how to change your nameservers at your domain registrar when adding your website to Cloudflare.
Add MX records to Cloudflare
Adding DNS records to Cloudflare is required during the onboarding process. Cloudflare DNS only proxies HTTP traffic, so MX records can't be proxied through our network. This video demonstrates best practices when adding MX records to Cloudflare.
Performance overview
Cloudflare creates features that improve your site performance. This video describes key performance-enhancing features, including Auto-Minify, Brotli, Polish, and WebP. Some of these features require at least a Pro plan to activate.
Security overview
Cloudflare offers many solutions to encrypt web traffic. This video describes the basics of HTTP and HTTPS, and demonstrates how to secure and protect your site using the Cloudflare SSL/TLS tab.
Learn to utilize IP Access Rules to restrict, challenge, or whitelist traffic to your site.
Overview
Add an IP Access Rule
Types of Access Rules
Address range examples
IP Access Rule limits
Two-letter country codes
Related resources
Overview
IP Access Rules are commonly used to block or challenge suspected malicious traffic. Another common use of IP Access Rules is to whitelist services that regularly access your site (APIs, crawlers, payment providers, etc). IP Access Rules allow whitelist, block, and challenge actions for traffic based on the visitor's IP address, country, or AS number. There are four configurable actions for an IP Access Rule:
Whitelist: Excludes visitors from all security checks (Browser Integrity Check, I'm Under Attack Mode, the WAF, etc). This is useful if a trusted visitor is blocked by Cloudflare's default security features. Whitelist takes precedence over block. Whitelisting a country code does not bypass Cloudflare's WAF.
Requests containing certain attack patterns in the User-Agent field are checked before being processed by the general firewall pipeline. Therefore, such requests are blocked before any whitelisting logic takes place. Firewall events downloaded from the API show rule_id as security_level and action as drop when this behavior occurs.
JavaScript Challenge: Presents the I'm Under Attack Mode interstitial page to visitors. Requires a visitor's browser or client to support JavaScript. Useful for blocking DDoS attacks with minimal impact to legitimate visitors.
Challenge: Requires the visitor to complete a CAPTCHA before visiting your site. Prevents bots from accessing the site.
Block: Prevents a visitor from visiting your site.
Add an IP Access Rule
To create an IP Access Rule, follow these steps:
Log in to your Cloudflare account.
Select your domain.
Click the Firewall app.
Click on the Tools tab.
Under IP Access Rules, enter the following details:
Enter the Value as an IP, IP range, or two-letter country code.
Select an Action.
Select whether the rule applies to This website or All websites in the account.
(Optional) Add a Note (e.g., Payment Gateway).
Click Add.
Types of Access Rules
There are several types of Access Rules:
Type - Example Value
IPv4 address - 192.0.2.3
IPv4 /24 range - 192.0.2.0/24
IPv4 /16 range - 192.0.0.0/16
IPv6 address - 2001:db8::
IPv6 address range - 2001:db8::/48, 2001:db8::/64
Country (by name or code) - US, germany, tor, CN
Autonomous System Number (ASN) - AS13335
IPs globally whitelisted by Cloudflare override a Country block via IP Access Rules but not a Country block via Firewall Rules.
Address range examples
CIDR | Start of range (example) | End of range (example) | Number of addresses
/64 | 2001:db8:: | 2001:db8:0000:0000:ffff:ffff:ffff:ffff | 18,446,744,073,709,551,616
/48 | 2001:db8:: | 2001:db8:0000:ffff:ffff:ffff:ffff:ffff | 1,208,925,819,614,629,174,706,176
/32 | 2001:db8:: | 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff | 79,228,162,514,264,337,593,543,950,336
/24 | 192.1.2.0 | 192.1.2.255 | 256
/16 | 192.1.0.0 | 192.1.255.255 | 65,536
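Before adding a rule, it helps to confirm that a value actually is one of the listed types and to see how much address space a range covers. The following is an added example, not Cloudflare's code: classify_value maps a value to the rule types in the table above (country values are handled as two-letter codes plus T1 only, not by name), and expand_range reproduces the start, end and address count columns of the Address range examples for any CIDR.

```python
import ipaddress
import re

# Rule types and prefix lengths taken from the Types of Access Rules and
# Address range tables above; any other prefix length is reported as unsupported.
IPV4_RANGE_PREFIXES = {16, 24}
IPV6_RANGE_PREFIXES = {32, 48, 64}
ASN_RE = re.compile(r"^AS\d+$")
COUNTRY_RE = re.compile(r"^[A-Z]{2}$")   # ISO 3166-1 alpha-2 code


def classify_value(value):
    """Map a proposed IP Access Rule value to one of the rule types in the table.

    Returns one of: 'asn', 'country', 'ipv4_address', 'ipv4_/N_range',
    'ipv6_address', 'ipv6_/N_range', or 'unsupported'.
    """
    value = value.strip()
    if ASN_RE.match(value):
        return "asn"
    if COUNTRY_RE.match(value) or value == "T1":   # T1 = Tor exit nodes
        return "country"
    try:
        # strict=False lets a host address written with a prefix
        # ("192.0.2.3/24") be normalised to its network instead of raising.
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return "unsupported"
    if net.version == 4:
        if net.prefixlen == 32:
            return "ipv4_address"
        allowed = IPV4_RANGE_PREFIXES
    else:
        if net.prefixlen == 128:
            return "ipv6_address"
        allowed = IPV6_RANGE_PREFIXES
    if net.prefixlen in allowed:
        return f"ipv{net.version}_/{net.prefixlen}_range"
    return "unsupported"


def expand_range(cidr):
    """Return first address, last address and address count of a CIDR: the
    three right-hand columns of the Address range examples table. IPv6
    addresses come back in compressed form (2001:db8::ffff:...)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "cidr": f"/{net.prefixlen}",
        "start": str(net[0]),
        "end": str(net[-1]),
        "count": net.num_addresses,
    }


if __name__ == "__main__":
    for v in ["192.0.2.3", "192.0.2.0/24", "192.0.2.0/20", "2001:db8::/48",
              "US", "T1", "AS13335", "not-an-ip"]:
        print(f"{v:16} -> {classify_value(v)}")
    for cidr in ["2001:db8::/64", "2001:db8::/48", "2001:db8::/32",
                 "192.1.2.0/24", "192.1.0.0/16"]:
        r = expand_range(cidr)
        print(f"{r['cidr']:4} {r['start']:14} {r['end']:30} {r['count']:,}")
```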
IP Access Rule limits
The number of allowed IP Access Rules varies based on the number of active zones within your Cloudflare account and the plan level for each zone:
Free 500 rules
Pro 1,000 rules
Business 2,000 rules
Enterprise 10,000 rules
For example, if you have two zones at the Free level of service and one at the Pro level, the IP rule limit for your Cloudflare account will be 2,000 rules.
Two-letter country codes
Below is a full list of the two-letter country codes in ISO 3166-1 alpha-2 format needed to create Access Rules for the IP Firewall:
Country codes
Cloudflare also uses T1 (not an ISO code) for Tor exit nodes.
Afghanistan - AF
Åland Islands - AX
Albania - AL
Algeria - DZ
American Samoa - AS
Andorra - AD
Angola - AO
Anguilla - AI
Antarctica - AQ
Antigua and Barbuda - AG
Argentina - AR
Armenia - AM
Aruba - AW
Australia - AU
Austria - AT
Azerbaijan - AZ
Bahamas - BS
Bahrain - BH
Bangladesh - BD
Barbados - BB
Belarus - BY
Belgium - BE
Belize - BZ
Benin - BJ
Bermuda - BM
Bhutan - BT
Bolivia, Plurinational State of - BO
Bonaire, Sint Eustatius and Saba - BQ
Bosnia and Herzegovina - BA
Botswana - BW
Bouvet Island - BV
Brazil - BR
British Indian Ocean Territory - IO
Brunei Darussalam - BN
Bulgaria - BG
Burkina Faso - BF
Burundi - BI
Cambodia - KH
Cameroon - CM
Canada - CA
Cape Verde - CV
Cayman Islands - KY
Central African Republic - CF
Chad - TD
Chile - CL
China - CN
Christmas Island - CX
Cocos (Keeling) Islands - CC
Colombia - CO
Comoros - KM
Congo - CG
Congo, the Democratic Republic of the - CD
Cook Islands - CK
Costa Rica - CR
Côte d'Ivoire - CI
Croatia - HR
Cuba - CU
Curaçao - CW
Cyprus - CY
Czech Republic - CZ
Denmark - DK
Djibouti - DJ
Dominica - DM
Dominican Republic - DO
Ecuador - EC
Egypt - EG
El Salvador - SV
Equatorial Guinea - GQ
Eritrea - ER
Estonia - EE
Ethiopia - ET
Falkland Islands (Malvinas) - FK
Faroe Islands - FO
Fiji - FJ
Finland - FI
France - FR
French Guiana - GF
French Polynesia - PF
French Southern Territories - TF
Gabon - GA
Gambia - GM
Georgia - GE
Germany - DE
Ghana - GH
Gibraltar - GI
Greece - GR
Greenland - GL
Grenada - GD
Guadeloupe - GP
Guam - GU
Guatemala - GT
Guernsey - GG
Guinea - GN
Guinea-Bissau - GW
Guyana - GY
Haiti - HT
Heard Island and McDonald Islands - HM
Holy See (Vatican City State) - VA
Honduras - HN
Hong Kong - HK
Hungary - HU
Iceland - IS
India - IN
Indonesia - ID
Iran, Islamic Republic of - IR
Iraq - IQ
Ireland - IE
Isle of Man - IM
Israel - IL
Italy - IT
Jamaica - JM
Japan - JP
Jersey - JE
Jordan - JO
Kazakhstan - KZ
Kenya - KE
Kiribati - KI
Korea, Democratic People's Republic of - KP
Korea, Republic of - KR
Kuwait - KW
Kyrgyzstan - KG
Lao People's Democratic Republic - LA
Latvia - LV
Lebanon - LB
Lesotho - LS
Liberia - LR
Libya - LY
Liechtenstein - LI
Lithuania - LT
Luxembourg - LU
Macao - MO
Macedonia, the Former Yugoslav Republic of - MK
Madagascar - MG
Malawi - MW
Malaysia - MY
Maldives - MV
Mali - ML
Malta - MT
Marshall Islands - MH
Martinique - MQ
Mauritania - MR
Mauritius - MU
Mayotte - YT
Mexico - MX
Micronesia, Federated States of - FM
Moldova, Republic of - MD
Monaco - MC
Mongolia - MN
Montenegro - ME
Montserrat - MS
Morocco - MA
Mozambique - MZ
Myanmar - MM
Namibia - NA
Nauru - NR
Nepal - NP
Netherlands - NL
New Caledonia - NC
New Zealand - NZ
Nicaragua - NI
Niger - NE
Nigeria - NG
Niue - NU
Norfolk Island - NF
Northern Mariana Islands - MP
Norway - NO
Oman - OM
Pakistan - PK
Palau - PW
Palestine, State of - PS
Panama - PA
Papua New Guinea - PG
Paraguay - PY
Peru - PE
Philippines - PH
Pitcairn - PN
Poland - PL
Portugal - PT
Puerto Rico - PR
Qatar - QA
Réunion - RE
Romania - RO
Russian Federation - RU
Rwanda - RW
Saint Barthélemy - BL
Saint Helena, Ascension and Tristan da Cunha - SH
Saint Kitts and Nevis - KN
Saint Lucia - LC
Saint Martin (French part) - MF
Saint Pierre and Miquelon - PM
Saint Vincent and the Grenadines - VC
Samoa - WS
San Marino - SM
Sao Tome and Principe - ST
Saudi Arabia - SA
Senegal - SN
Serbia - RS
Seychelles - SC
Sierra Leone - SL
Singapore - SG
Sint Maarten (Dutch part) - SX
Slovakia - SK
Slovenia - SI
Solomon Islands - SB
Somalia - SO
South Africa - ZA
South Georgia and the South Sandwich Islands - GS
South Sudan - SS
Spain - ES
Sri Lanka - LK
Sudan - SD
Suriname - SR
Svalbard and Jan Mayen - SJ
Swaziland - SZ
Sweden - SE
Switzerland - CH
Syrian Arab Republic - SY
Taiwan, Province of China - TW
Tajikistan - TJ
Tanzania, United Republic of - TZ
Thailand - TH
Timor-Leste - TL
Togo - TG
Tokelau - TK
Tonga - TO
Trinidad and Tobago - TT
Tunisia - TN
Turkey - TR
Turkmenistan - TM
Turks and Caicos Islands - TC
Tuvalu - TV
Uganda - UG
Ukraine - UA
United Arab Emirates - AE
United Kingdom - GB
United States - US
United States Minor Outlying Islands - UM
Uruguay - UY
Uzbekistan - UZ
Vanuatu - VU
Venezuela, Bolivarian Republic of - VE
Vietnam - VN
Virgin Islands, British - VG
Virgin Islands, U.S. - VI
Wallis and Futuna - WF
Western Sahara - EH
Yemen - YE
Zambia - ZM
Zimbabwe - ZW
Unknown/reserved - XX
Related resources
Understanding your site protection options
Firewall Analytics
Gain insights into traffic steering decisions through Cloudflare Load Balancing Analytics. These metrics are a feature of the Cloudflare Load Balancing add-on product.
Overview
Access Load Balancing Analytics
Review your load balancing metrics
Related resources
Overview
Cloudflare Load Balancing Analytics offers multiple ways to analyze your load balancing metrics. You can evaluate traffic flow, assess the health status of origin servers in your pools, and review events that capture changes in load balancer pool and origin server pool health.
Cloudflare Load Balancing is an account-level, add-on product available to all customer plans. When enabled, Load Balancing is configurable via the Cloudflare Traffic app. For subscription information, visit Cloudflare Pricing.
Access Load Balancing Analytics
Load Balancing Analytics is available to Cloudflare Load Balancing customers in paid plans (Pro, Business, and Enterprise).
To view metrics for your load balancer:
Log in to the Cloudflare dashboard.
Click the appropriate Cloudflare account for your site, then pick the domain.
Next, click the Traffic app.
Click the Load Balancing Analytics tab.
The Load Balancing Analytics app displays a navigation bar on the left where you can access statistics under Overview, Latency, and Logs. To understand the various metrics available, see Review your load balancing metrics below.
Review your load balancing metrics
Each metrics section features controls to fine-tune your analysis. Below is a summary of each analytics section available.
Overview
Overview metrics help you optimize your infrastructure based on traffic flow and distribution. For example, you can:
Examine effects of adding or removing a pool to your load balancer,
decide when to create new origin pools, and
plan for peak traffic demands and upcoming infrastructure needs.
When you click the Overview section, the form controls are loaded with defaults; these include:
A Load Balancer name - the first load balancer in alphabetical order
The time period - Last 24 hours
The pool - All pools
Use the Add filter control to add filters for Region and Origin.
Latency
Latency displays an interactive map to help you understand global performance. With this information, you can:
See regions where health checks are underperforming, and
take steps for ensuring that site response is fast and consistent regardless of where a request originates.
When you click the Latency section, the form controls are filled with defaults for Load Balancer and Pool, which you can change to suit your needs. Hovering over each pool on the map, represented by a colored dot, displays latency information for each origin associated with the pool. The meaning of each color is:
Blue represents healthy.
Yellow means slow.
Red equals unhealthy.
Logs
Before the release of Load Balancing Analytics, Event Logs appeared as a feature under the Traffic Load Balancing tab. This same feature now appears as the Logs section in Load Balancing Analytics. Logs provide a history of all origin server status changes and how they affect your load balancing pools.
When you click the Logs section, the time period defaults to the last week. You can review up to 30 days of recorded events. You can also filter by Pool Health, Pool, Origin Health, and Origin. Click on any entry in the events table to see additional details. You can also sort by any of the columns on the table.
Related resources
When requests pass through the Cloudflare network, we capture many data points associated with HTTP traffic, encryption, security, DNS, and Workers. The resulting metrics appear in analytics products, including our dashboard UI and APIs.
About the Cloudflare Analytics product line
Understand how Cloudflare captures and processes Analytics data
Understand apparent data discrepancies
About missing metrics
About the Cloudflare Analytics product line
In an effort to make analytics a ubiquitous component of all our products, Cloudflare has implemented, and continues to evolve, several ways in which customers can access and gain insights from Internet properties on Cloudflare. The offerings below encompass the current set of Cloudflare Analytics products. Click each link to learn more.
[Coming soon!] Cloudflare Account Analytics (beta) - Displays aggregated metrics for all sites in your account.
Cloudflare Site Analytics - Features an extensive set of reports for a specific site in your account.
Product Analytics:
Cloudflare Firewall Analytics - Highlights attack and mitigation metrics detected by the Cloudflare Firewall.
Load Balancing Analytics - Features metrics to help gain insights into traffic load balancer steering decisions.
The Cloudflare Analytics GraphQL API - Empowers customers to access and manipulate site and account level data directly. This API replaces and expands on the previous Zone Analytics API.
Understand how Cloudflare captures and processes Analytics data
The underlying datasets that Cloudflare Analytics captures and processes share the following characteristics:
All metrics reflect traffic proxied (orange-clouded) through the Cloudflare network, as configured via DNS records in the Cloudflare DNS app. Note that for a CNAME Setup, Cloudflare is unable to offer DNS metrics.
Cloudflare does not count traffic for unproxied DNS records. However, if your site is not proxied through Cloudflare but Cloudflare is your authoritative DNS server, then we are able to collect DNS metrics.
Cloudflare can only proxy information for traffic traveling over specific ports.
In determining the originating country, Cloudflare uses the IP address associated with each request. Learn about Configuring Cloudflare IP Geolocation.
Understand apparent data discrepancies
In addition to the characteristics described above, it's possible that your Cloudflare metrics do not fully align with data for the same site as reported by other sources such as Google Analytics and web server logs.
Once Cloudflare identifies a unique IP address for a request, we identify that request as a visit. Therefore, the number of visitors Cloudflare Analytics shows is probably higher than what other analytics services may report.
For example, Google Analytics and other web-based analytics programs use JavaScript on the web browser to track visitors. As a result, Google Analytics doesn't record threats, bots, and automated crawlers because those requests typically do not trigger JavaScript. Also, these services do not track visitors who disable JavaScript on their browser or who leave a page before it fully loads.
Finally, it's likely that unique visitor data from the Cloudflare Analytics app is greater than your search analytics unique pageviews. This is because pageviews reflect when someone visits a page via a web browser and loads the entire page. However, when another site or service like a bot, plugin, or API is consuming partial content from your site (but not loading a full page), this counts as a unique visitor in Cloudflare and not as a pageview.
About missing metrics
You may not see metrics in your Cloudflare Analytics for the following reasons:
You only recently signed up for Cloudflare. Metrics are delayed 24 hours for domains on a free Cloudflare plan.
If you signed up directly with Cloudflare, your nameservers might not be pointing to Cloudflare at your registrar just yet (registrars can take 24-72 hours to change the nameservers to ours). Metrics will not start gathering until we detect the nameservers pointing to Cloudflare.
If you signed up through a Cloudflare hosting partner option, something might not be configured correctly. Contact the hosting partner for support.
Some browser extensions designed to block ads may prevent analytics from loading. Disabling the extension or whitelisting Cloudflare.com should remove this possibility.
Note that activations through a hosting partner work via a CNAME Setup on the www record. If most of your traffic actually goes to domain.com, forward your traffic from domain.com to www.domain.com.
In early 2019, Cloudflare partnered with Shopify to provide all Shopify merchant sites with Cloudflare's performance and security benefits.
Overview
Shopify's integration with Cloudflare eliminates the need for Shopify merchants to proxy their store traffic directly through Cloudflare. All Shopify merchants can benefit from enhanced store performance and security thanks to a combination of certain Cloudflare features with Shopify's own technology. This is all done directly through Shopify.
What happens if I was previously proxying my store through Cloudflare?
With this change, merchants who previously proxied store traffic directly through Cloudflare should not experience additional security risks or a decrease in performance. However, we encourage merchants to continue using their Cloudflare account for DNS resolution (gray cloud) of store traffic.
With this migration, your Shopify store subdomain has been converted to grey cloud (Cloudflare DNS resolution only).
If you only used Cloudflare to proxy your Shopify store traffic, you can downgrade your Cloudflare customer plan to a lower plan type and turn off any add-on features.
Can I still use Cloudflare on top of Shopify going forward?
No. With this integration, it is no longer possible to proxy web traffic by stacking any content delivery network (CDN), including Cloudflare, on top of Shopify. Going forward, your Shopify site may remain in Cloudflare only for DNS resolution (grey cloud).
If you turn your grey clouded Shopify store back to orange cloud in the Cloudflare DNS app, site visitors will experience a 10xx error. To fix this error, turn your orange clouded domain back to grey cloud in the Cloudflare DNS app.
Note that Shopify protects all merchants with its own Web Application Firewall (WAF).
In addition, Transport Layer Security (TLS) settings are now determined by Shopify policies on e-commerce traffic.
Can I still use Cloudflare for other sites?
Yes. We encourage customers to continue fully proxying their non-Shopify sites through Cloudflare (orange cloud). Cloudflare continues to provide performance and security benefits for your non-commerce sub-domains.
This article provides guidance to troubleshoot common concerns about Cloudflare DNS.
Why do I have a dc-######### subdomain?
Why are DNS queries returning incorrect results?
No A, AAAA or CNAME record found?
Why have I received an email: Your Name Servers have Changed?
Why do I have a dc-######### subdomain?
The dc-##### subdomain is added to overcome a conflict created when your SRV or MX record resolves to a domain configured to proxy to Cloudflare.
Do not orange-cloud DNS records used to receive mail: Cloudflare does not proxy mail traffic by default.
Therefore, Cloudflare will create a dc-##### DNS record that resolves to the origin IP address. The dc-##### record ensures that traffic for your MX or SRV record isn't proxied (it directly resolves to your origin IP) while the Cloudflare proxy works for all other traffic.
For example, before using Cloudflare, suppose your DNS records for mail are as follows:
example.com MX example.com
example.com A 192.0.2.1
After using Cloudflare and proxying the A record, Cloudflare will provide DNS responses with a Cloudflare IP (203.0.113.1 in the example below):
example.com MX example.com
example.com A 203.0.113.1
Since proxying mail traffic to Cloudflare would break your mail services, Cloudflare detects this situation and creates a dc-##### record:
example.com MX dc-1234abcd.example.com
dc-1234abcd.example.com A 192.0.2.1
example.com A 203.0.113.1
Removing the dc-###### record is only possible via one of these methods:
If no mail is received for the domain, delete the MX record.
If mail is received for the domain, update the MX record to resolve to a separate A record for a mail subdomain that isn't proxied by Cloudflare:
example.com MX mail.example.com
mail.example.com A 192.0.2.1
example.com A 203.0.113.1
If your mail server resides on the same IP as your web server, your MX record will expose your origin IP address.
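The conflict detection described above, and the origin-IP exposure it leaves behind, can be checked against a zone's record set. The following is an added example, not Cloudflare's implementation: the zone data is constructed from the article's example, and _dc_label is a hypothetical helper (the page shows dc-1234abcd but does not document how the label is derived).

```python
import hashlib
from typing import NamedTuple


class Record(NamedTuple):
    name: str
    rtype: str
    content: str
    proxied: bool = False   # True = orange cloud, False = grey cloud (DNS only)


# Constructed zone modelled on the article's example: the MX target is the
# root name, whose A record is proxied. mail.example.com is an unproxied A
# record on the same origin IP. Not real zone data.
ZONE = [
    Record("example.com", "A", "192.0.2.1", proxied=True),
    Record("example.com", "MX", "example.com"),
    Record("mail.example.com", "A", "192.0.2.1"),
]


def _dc_label(origin_ip):
    # Hypothetical: the article shows dc-<8 hex chars> (dc-1234abcd) but does
    # not document the derivation, so this helper just hashes the origin IP.
    return "dc-" + hashlib.sha256(origin_ip.encode()).hexdigest()[:8]


def resolve_mail_conflicts(zone, apex):
    """Rewrite MX/SRV records whose target is a proxied A/AAAA name so they
    point at an unproxied dc- record carrying the origin IP, as the article
    describes. The proxied web record itself is left untouched."""
    proxied = {r.name: r for r in zone
               if r.rtype in ("A", "AAAA") and r.proxied}
    out = list(zone)
    for i, rec in enumerate(zone):
        if rec.rtype not in ("MX", "SRV"):
            continue
        target = proxied.get(rec.content)
        if target is None:
            continue   # target already resolves straight to an origin
        dc_name = f"{_dc_label(target.content)}.{apex}"
        out[i] = rec._replace(content=dc_name)
        if not any(r.name == dc_name for r in out):
            out.append(Record(dc_name, target.rtype, target.content))
    return out


def exposes_origin(zone):
    """Unproxied A/AAAA names that share an IP with a proxied record: the
    origin-IP exposure the article warns about when mail and web share a host."""
    proxied_ips = {r.content for r in zone if r.proxied}
    return sorted(r.name for r in zone
                  if not r.proxied and r.rtype in ("A", "AAAA")
                  and r.content in proxied_ips)


if __name__ == "__main__":
    for r in resolve_mail_conflicts(ZONE, "example.com"):
        flag = "proxied" if r.proxied else ""
        print(f"{r.name:40} {r.rtype:4} {r.content:40} {flag}")
    print("origin IP exposed via:", exposes_origin(ZONE))
```

Running exposes_origin on the rewritten zone also lists the new dc- record, which is exactly the exposure the article describes: the dc- record has to publish the origin IP for mail to work.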
Why are DNS queries returning incorrect results?
Third-party tools can sometimes fail to return correct DNS results if a recursive DNS cache fails to refresh. In this circumstance, purge your public DNS cache via these methods:
Purging your DNS cache at OpenDNS
Purging your DNS cache at Google
Purging your DNS cache locally
No A, AAAA or CNAME record found?
No A, AAAA or CNAME record found means the Cloudflare DNS app lacks proper records for DNS resolution.
Add the missing DNS records to your domain.
Sites generally have at least an A record that points to the origin server IP address, typically for the www subdomain and the root domain.
Why have I received an email: Your Name Servers have Changed?
For domains where Cloudflare hosts the DNS, Cloudflare continuously checks whether the domain uses Cloudflare's nameservers for DNS resolution. If Cloudflare's nameservers are not used, the domain status is updated from Active to Moved in the Cloudflare Overview app and an email is sent to the customer.
Steps to resolve the issue require updating the DNS at your domain registrar to utilize the Cloudflare nameservers:
Follow steps 2 and 3 within our domain troubleshooting article.
Click Re-check Now in the Cloudflare UI Overview app.
Cloudflare DNS can be used as an alternative DNS to Google Cloud DNS. Here are the steps to enable Cloudflare DNS.
As a first step you will need to sign up to Cloudflare or you can use an existing account. Signing up for Cloudflare is easy and takes less than 5 minutes to configure. https://www.cloudflare.com/sign-up
Update the nameservers at your registrar.
Once you sign up you'll be guided through an easy setup wizard where you need to add the domain name of your Google Cloud Project. Please note that Cloudflare DNS can only be enabled for root level domains, so you would add "example.com" not "subdomain.example.com."
For Cloudflare and Google Cloud Project to work together, you will need to update the DNS records on Cloudflare to point to your Google Cloud Instances.
First, find the external IP address for your instance:
Then enter that IP address for the A record of the subdomain that you want this instance to power:
Make sure that the subdomain is "orange clouded" and that your domain uses Cloudflare's nameservers; traffic will then flow through Cloudflare to your Google Cloud instance.
Learn how Always Online keeps a limited version of your site online if your origin web server goes offline.
Overview
Best practices using Always Online
Limitations
Toggle Always Online
Related resources
Overview
Cloudflare's Always Online feature ensures access to visitors for a portion of your Cloudflare-enabled website even if your origin web server is offline. Cloudflare does not cache every page of your website. Specifically, Always Online caches the first 10 links from your root HTML, then just the first links from each of those pages, and finally the first links from each of those subsequent pages.
A Cloudflare crawler identifies resources to place in the Always Online cache. For details, refer to our documentation about Cloudflare crawlers. The Always Online crawler ignores robots.txt.
When Always Online is enabled, visitors see a green notification button at the top of their web page.
When Always Online displays content for an offline website, Cloudflare returns an HTTP status 503. Cloudflare continually checks for the site to come back online in order to display the full website to visitors. If the requested page is not in Cloudflare's Always Online cache, the visitor sees the actual error page caused by the offline origin web server.
For domains proxied to Cloudflare, Cloudflare IPs connect to your origin web server. Security solutions can affect connections from Cloudflare unless you whitelist Cloudflare IPs. If you observe the Always Online banner while your origin web server is online, your origin web server or hosting provider is likely blocking or rate limiting Cloudflare requests.
Best practices using Always Online
Do not use Always Online with:
Custom Hostnames (SSL for SaaS),
API traffic,
An IP Access Rule or Firewall Rule that blocks the United States, or
A Cache Everything Page Rule that configures an Edge Cache TTL lower than the Always Online crawl frequency pertaining to your domain plan type.
Limitations
There are limitations with the Always Online functionality:
1. Always Online is not immediately active for sites recently added to Cloudflare due to:
DNS record propagation (can take 24-72 hours), or
Always Online has not initially crawled the website.
2. Cloudflare cannot show private content behind logins or handle form submissions (POSTs) if your origin web server is offline.
3. In order to trigger Always Online, your web server must return one of the following standard HTTP error codes:
502 or 504 timeout,
Cloudflare errors ( 521 & 523 ),
Timeouts ( 522 & 524 ),
SSL errors ( 525 & 526 ), or
Unknown errors ( 520 ), except for errors due to empty replies from your origin web server.
Always Online does not trigger for HTTP response codes such as 404, 503, or 500 errors such as database connection errors or internal server errors.
Toggle Always Online
Always Online is enabled by default. To change the setting:
Log in to your Cloudflare account.
Choose the appropriate domain.
Click the Caching app.
Set Always Online to Off or On.
Alternatives to globally enabling Always Online include:
Using Cloudflare Page Rules to enable Always Online, or
Allowing your origin web server to determine which content to cache for display if your origin web server is offline:
Disable Always Online,
Set Origin Cache Control for your resources, and
Enable stale-if-error at your origin.
Before enabling Origin Cache Control, consider the impact it has on how Cloudflare caches resources by default as well as any custom caching Page Rules you have configured. Consider setting origin cache headers that duplicate the default Cloudflare cached resources and duration.
To ensure Always Online caches resources for your site, do not set your origin web server's Cache-Control header to no-cache, must-revalidate, or max-age=0.
Related resources
Origin Cache Control
This article provides steps to troubleshoot errors that occur when adding a domain to Cloudflare.
Step 1 - Disable DNSSEC
Step 2 - Register the domain
Step 3 - Resolve DNS for root domain
Step 4 - Verify if the domain is banned at Cloudflare
Step 1 - Disable DNSSEC
Cloudflare cannot provide authoritative DNS resolution for a domain when DNSSEC is enabled at your domain registrar. You can re-enable DNSSEC after the domain is Active on Cloudflare, but must configure DNSSEC using Cloudflare's DNSSEC requirements.
DNSSEC must only be disabled for domains on Full setups where Cloudflare's nameservers will be authoritative.
Possible symptoms of DNSSEC being enabled at the registrar include:
DNS does not resolve after switching to Cloudflare's nameservers.
DNS query response status is SERVFAIL.
The domain remains in a Pending status in the Cloudflare Overview app.
Contact your domain provider if you need assistance to disable DNSSEC. If a DS record exists for the domain, DNSSEC is likely enabled. DS records can be checked via third-party online tools such as https://mxtoolbox.com/ds.aspx or via a command-line terminal:
dig +short ds cloudflare.com
2371 13 2 32996839A6D808AFE3EB4A795A0E6A7A39A76FC52FF228B22B76F6D6 3826F2B9
Step 2 - Register the domain
There are several domain registration issues that will prevent a domain from being added to Cloudflare:
Domain uses a new TLD (top-level domain) not yet on the Public Suffix List
You may see an error similar to the following:
We were unable to identify bad.psl-example as a registered domain. Please ensure you are providing the root domain and not any subdomains (e.g., example.com, not subdomain.example.com) (Code: 1099)
Instructions for updating the Public Suffix List exist at https://github.com/publicsuffix/list/wiki/Guidelines
Domain is not yet fully registered or registration data does not list nameservers
Contact your domain registrar to update the nameservers in the registration.
Below are some possible errors in the Cloudflare dashboard when adding an improperly registered domain via + Add site:
exampledomain.com is not a registered domain (Code: 1049)
Failed to lookup registrar and hosting information of exampledomain.com at this time. Please contact Cloudflare Support or try again later. (Code: 1110)
Step 3 - Resolve DNS for root domain
Before a domain can be added to Cloudflare, the domain must return NS records for valid, working nameservers. NS records can be checked via third-party online tools such as https://www.whatsmydns.net/#NS/ or via a command-line terminal using a dig command:
dig +short ns cloudflare.com
ns3.cloudflare.com.
ns4.cloudflare.com.
ns5.cloudflare.com.
ns6.cloudflare.com.
ns7.cloudflare.com.
Additionally, the domain must return a valid SOA record when queried. SOA records can be checked via third-party online tools such as https://www.whatsmydns.net/#SOA/ or via a command-line terminal:
dig +short soa cloudflare.com
ns3.cloudflare.com. dns.cloudflare.com. 2029202248 10000 2400 604800 300
Step 4 - Verify if the domain is banned at Cloudflare
Cloudflare disallows the addition of certain domains on either a permanent or a temporary basis. See the instructions below for removing either type of ban.
Removing a temporary ban
When Cloudflare observes too many attempts to add a domain to Cloudflare, an error is returned:
Error with Cloudflare request: [1105] This zone is temporarily banned and cannot be added to Cloudflare at this time, please contact Cloudflare Support.
Before contacting Cloudflare support, wait 3 hours before attempting to re-add the domain to Cloudflare.
Cloudflare support cannot expedite expiration of the temporary ban.
Clearing a permanent ban
File a request with Cloudflare Support if any of the following errors are observed when adding a domain:
Error: This zone is banned and cannot be added to CloudFlare at this time, please contact CloudFlare Support. (Code: 1097)
This zone cannot be added to Cloudflare at this time, please contact Cloudflare Support. (Code: 1093)
Error (Code: 1093) or (Code: 1116) can also mean that you included a subdomain (somehost.example.com) instead of the root domain (example.com) when adding the domain to Cloudflare.
This article describes the domain setup options available for Cloudflare partners to add their customers' domains to Cloudflare.
Overview
There are two options for a partner to add their customer's domain to Cloudflare:
Full - Authoritative DNS is managed by Cloudflare.
CNAME - Authoritative DNS is managed outside of Cloudflare.
Cloudflare provisions a Universal SSL certificate as soon as a customer's traffic is proxied to Cloudflare.
Full setup
A Full DNS setup requires configuration changes at the existing DNS provider in order to point to Cloudflare's nameservers for authoritative DNS. Update the host provider's nameservers after the domain is added to Cloudflare.
Full DNS setup is currently available through these integrations:
Host API
cPanel plugin
CNAME setup
A CNAME setup does not require changes to authoritative DNS. Instead, proxy a subdomain to Cloudflare via a CNAME record.
Traffic for the root domain cannot be proxied or protected via a CNAME setup. For example, www.example.com can be proxied but example.com cannot.
Partial (CNAME) setup is available via these integrations:
Host API
cPanel plugin
ServerShield extension for Plesk 12 and higher
The CNAME setup differs depending on whether an A record or a CNAME record is currently used for a subdomain. The A and CNAME examples below use www.example.com as an example subdomain to proxy to Cloudflare.
A record
If www.example.com is currently an A record:
www.example.com A 203.0.113.1
then change www.example.com to a CNAME record in authoritative DNS:
www.example.com CNAME www.example.com.cdn.cloudflare.net
Additionally, add an A record in authoritative DNS to point traffic back to the origin IP:
cloudflare-resolve-to.www.example.com A 203.0.113.1
CNAME record
If www.example.com is currently a CNAME record:
www.example.com CNAME example.com
then update www.example.com in authoritative DNS to:
www.example.com CNAME www.example.com.cdn.cloudflare.net
Additionally, add two records in authoritative DNS to point traffic back to the origin IP:
cloudflare-resolve-to.www.example.com CNAME example.com
example.com A 203.0.113.1
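To avoid hand-editing the records for each hostname, the two cases above can be generated. This is an added example, not Cloudflare's or a partner integration's code; the record tuples, the optional origin_ip argument and the root-domain check (at least three labels) are choices of this example.

```python
"""Produce the authoritative-DNS records for a partner CNAME setup.

Added example, not Cloudflare's code. It encodes the two cases above: the
subdomain is currently an A (or AAAA) record, or currently a CNAME. Records
are returned as (name, type, content) tuples. The root-domain check assumes a
hostname needs at least three labels to be a subdomain, which holds for
example.com but not for domains under multi-label public suffixes.
"""
from typing import List, Optional, Tuple

Record = Tuple[str, str, str]  # (name, type, content)
CDN_SUFFIX = ".cdn.cloudflare.net"
RESOLVE_PREFIX = "cloudflare-resolve-to."


def cname_setup_records(hostname: str, current_type: str, current_content: str,
                        origin_ip: Optional[str] = None) -> List[Record]:
    """Return the records to create so that hostname is proxied via a CNAME setup.

    origin_ip is only used in the CNAME case, to emit the A record for the
    CNAME target (example.com A 203.0.113.1 above) when the target does not
    already resolve.
    """
    hostname = hostname.rstrip(".").lower()
    current_type = current_type.upper()
    if len(hostname.split(".")) < 3:
        # Traffic for the root domain cannot be proxied via a CNAME setup.
        raise ValueError("%s is a root domain; a CNAME setup can only proxy subdomains" % hostname)

    resolve_to = RESOLVE_PREFIX + hostname
    # In both cases the subdomain itself becomes a CNAME to the Cloudflare CDN name.
    records: List[Record] = [(hostname, "CNAME", hostname + CDN_SUFFIX)]

    if current_type in ("A", "AAAA"):
        # Keep the origin address reachable under the cloudflare-resolve-to name.
        records.append((resolve_to, current_type, current_content))
    elif current_type == "CNAME":
        target = current_content.rstrip(".").lower()
        records.append((resolve_to, "CNAME", target))
        if origin_ip is not None:
            records.append((target, "A", origin_ip))
    else:
        raise ValueError("unsupported record type %s" % current_type)
    return records


def as_zone_lines(records: List[Record]) -> str:
    """Render records in the 'name TYPE content' form used above."""
    return "\n".join("%s %s %s" % rec for rec in records)
```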
This article describes the purpose of Secondary DNS and outlines how to configure Secondary DNS at Cloudflare.
What is Secondary DNS?
Prerequisites
Configuring a Secondary Zone through the CloudFlare API
Related resources
What is Secondary DNS?
Secondary DNS is available for domains on Enterprise plans.
Secondary DNS allows Cloudflare to act as a Secondary DNS provider to another organization's Master DNS. With Secondary DNS, DNS entries are edited in a system outside of Cloudflare and changes are transferred to Cloudflare's infrastructure. If the current DNS provider does not support Zone Transfer, Cloudflare cannot become a Secondary DNS provider. Secondary DNS domains cannot use the Cloudflare proxy or any Cloudflare features.
Prerequisites
1. Contact your Cloudflare Account team to request Secondary DNS.
Update configuration parameters at the primary DNS provider
Before configuring Cloudflare as your Secondary DNS provider, allow traffic from the Allow Ranges below to port 53 on the Master DNS servers and update your Access Control Lists accordingly. The Allow Ranges are where Cloudflare's AXFR requests originate, and the Notify IPs are the addresses to which you send NOTIFY messages so that Cloudflare's Secondary DNS initiates a pull of new zone information from your Master DNS servers.
Allow Range:
162.158.64.0/21
198.41.150.0/23
198.41.152.0/22
198.41.246.0/23
198.41.250.0/24
198.41.252.0/24
2a06:98c0:1400::/48
2a06:98c0:1401::/48
2a06:98c0:3600::/48
2400:cb00:36::/48
2606:4700:1101::/64
Notify IPs:
198.41.246.49
2a06:98c0:3600::53
Consult your DNS provider's documentation for instructions on configuring the Master zone.
When configuring your Master DNS settings, choose TCP notify over UDP to minimize the chances of packet loss.
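The two address lists above are the inputs to the primary's ACL and notify configuration. The following added example (not part of the Cloudflare article) checks a peer address against both lists, audits constructed transfer log lines for requests from outside the Allow Ranges, and renders the lists as BIND-style allow-transfer and also-notify clauses; the log format is an assumption of the example.

```python
"""Verify zone-transfer peers against the Cloudflare addresses listed above.

Added example, not part of the Cloudflare article. The Allow Ranges are the
only sources Cloudflare's AXFR/IXFR requests come from and the Notify IPs the
only destinations your NOTIFY messages need to reach; the helpers below check
a peer address against both lists and render them as BIND-style
allow-transfer / also-notify clauses. The log lines at the bottom are
constructed for the demonstration.
"""
import ipaddress
from typing import List

ALLOW_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "162.158.64.0/21", "198.41.150.0/23", "198.41.152.0/22", "198.41.246.0/23",
    "198.41.250.0/24", "198.41.252.0/24", "2a06:98c0:1400::/48",
    "2a06:98c0:1401::/48", "2a06:98c0:3600::/48", "2400:cb00:36::/48",
    "2606:4700:1101::/64",
)]
NOTIFY_IPS = {ipaddress.ip_address(ip) for ip in ("198.41.246.49", "2a06:98c0:3600::53")}


def is_allowed_transfer_source(ip: str) -> bool:
    """True when a zone-transfer request from ip should pass the primary's ACL."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOW_RANGES)


def is_notify_target(ip: str) -> bool:
    """True when ip is one of the addresses NOTIFY messages should be sent to."""
    return ipaddress.ip_address(ip) in NOTIFY_IPS


def bind_clauses() -> str:
    """Render the two lists as BIND named.conf zone options."""
    allow = " ".join("%s;" % net for net in ALLOW_RANGES)
    notify = " ".join("%s;" % ip for ip in sorted(NOTIFY_IPS, key=str))
    return "allow-transfer { %s };\nalso-notify { %s };" % (allow, notify)


def audit_transfer_log(lines: List[str]) -> List[str]:
    """Return the transfer requests whose source is outside the allow ranges.

    Assumed (constructed) log format: '<client-ip> <AXFR|IXFR> <zone>'.
    """
    offenders = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[1] not in ("AXFR", "IXFR"):
            continue
        if not is_allowed_transfer_source(parts[0]):
            offenders.append(line)
    return offenders


# Constructed sample: two requests from Cloudflare ranges, one from elsewhere.
SAMPLE_LOG = [
    "198.41.246.49 AXFR example.com",
    "2a06:98c0:3600::7 IXFR example.com",
    "203.0.113.77 AXFR example.com",
]

if __name__ == "__main__":
    print(bind_clauses())
    print("unexpected transfer sources:", audit_transfer_log(SAMPLE_LOG))
```

A transfer request from an address outside the Allow Ranges should be refused by the primary's ACL and is worth investigating in the primary's logs, since it means someone other than Cloudflare attempted to pull the zone.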
2. In the Cloudflare Overview app for the domain requiring Secondary DNS:
Identify the Cloudflare Account ID.
Identify the Cloudflare Zone ID.
Note the two Cloudflare Nameservers.
If the Cloudflare Nameservers don't contain secondary in the name, confirm the Cloudflare Account team has enabled Secondary DNS.
3. Determine the configuration parameters from the Master zone:
Master IP Address - The IP address that Cloudflare should accept Zone Transfers from.
Zone transfer type - Will zone transfers be full (AXFR) or incremental (IXFR)?
(Optional) TSIG Secret - The secret string used to authenticate zone transfers.
(Optional) TSIG Algorithm - The algorithm used to authenticate zone transfers.
Once the list of prerequisites has been completed, configure the Secondary Zone at Cloudflare.
Configuring a Secondary Zone through the CloudFlare API
DNSSEC is currently unsupported when Cloudflare is configured as a Secondary DNS provider.
Secondary DNS can only be configured via the Cloudflare API. Requests can be sent to the API via a command-line utility like cURL or a browser plugin such as Postman. Refer to the Cloudflare API documentation for full examples of the supported API methods:
Secondary DNS (TSIG)
Secondary DNS (Master)
Secondary DNS (Zone)
For each POST example provided in the steps below, replace :account_tag with the Account ID identified in the Prerequisites section of this article:
STEP 1 - Create the Secondary Zone
Create a secondary zone through the Create Zone API by setting type to secondary:
curl -X POST "https://api.cloudflare.com/client/v4/zones" \
-H "X-Auth-Email: [email protected]" \
-H "X-Auth-Key: yourapikeyhere" \
-H "Content-Type: application/json" \
--data '{"name":"examplesecondaryzone.fyi","account":{"id":"accountidhere"},"jump_start":true,"type":"secondary"}'
STEP 2 - Configure TSIG (Optional)
In the example request below, name and secret must be provided by the primary DNS provider and algo must reflect the correct TSIG algorithm from the Master DNS server.
#POST https://api.cloudflare.com/client/v4/accounts/:account_tag/secondary_dns/tsigs/
{"name": ":tsig_secret_name",
"secret": ":tsig_secret_string",
"algo": "hmac-sha512"}
A successful POST request will respond with an id. Include this id when adding a Master.
STEP 3 - Add a Master
Multiple Masters can be added via the Cloudflare API.
#POST https://api.cloudflare.com/client/v4/accounts/:account_tag/secondary_dns/masters/
{"ip": ":master_ip",
"port": 53,
"ixfr_enable": true,
"tsig_id": ":tsig_tag"}
:master_ip is the IPv4/IPv6 address of the Master nameserver.
ixfr_enable set to true enables the IXFR transfer protocol. The default is AXFR.
:tsig_tag (optional) is the id provided in the previous step, if TSIG was configured.
A successful POST request will respond with an id for the Master DNS server, which must be included in the next step when linking the Master to the Secondary Zone via the Cloudflare API.
STEP 4 - Link Master to Secondary Zone
#POST https://api.cloudflare.com/client/v4/zones/:zone_tag/secondary_dns/
{"id": ":zone_tag",
"name": ":zone_name",
"masters": [ ":zone_master_tag" ],
"auto_refresh_seconds": 86400 }
:zone_tag is the Zone ID of the domain configured for Secondary DNS.
:zone_name is the domain name configured for Secondary DNS.
:zone_master_tag is the list of Master IDs created in the previous step.
The Cloudflare DNS UI will be disabled for secondary zones since records are managed through the primary DNS provider's master server.
STEP 5 - Add Secondary Nameservers to your Registrar
Add Cloudflare's Secondary DNS Nameservers to the existing nameservers specified at your registrar. Review the instructions in the Prerequisites section above to locate the names of your Secondary Nameservers.
STEP 6 - Testing Secondary DNS
Add a TXT record at the primary DNS provider to test transfer to Cloudflare's Secondary DNS servers. Then verify the TXT record is visible when querying Cloudflare's nameservers. Replace nsNNN with the correct name of a Cloudflare Secondary DNS server for the domain:
dig @nsNNN.secondary.cloudflare.com :zone_name txt +short
The Cloudflare Analytics app will continue to provide DNS data but only for DNS requests that Cloudflare's nameservers answer.
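STEP 2 to STEP 4 above chain together: each call's returned id is needed by the next. The following added example (not Cloudflare's code) posts the same JSON bodies and threads the ids through. The HTTP transport is a plain function so it can be swapped for a fake in a test; the real one takes the X-Auth-Email and X-Auth-Key values from the CF_EMAIL and CF_API_KEY environment variables, names chosen for this example.

```python
"""Chain the Secondary DNS API calls from STEP 2 to STEP 4 above.

Added example, not Cloudflare's code. It posts the same JSON bodies shown
above and threads each returned id into the next request. The transport is a
plain function so a test can swap in a fake; the real one reads the
X-Auth-Email / X-Auth-Key values from the CF_EMAIL and CF_API_KEY environment
variables (names chosen for this example).
"""
import json
import os
import urllib.request
from typing import Callable, Dict, Optional, Tuple

API = "https://api.cloudflare.com/client/v4"
Transport = Callable[[str, dict], dict]


def cloudflare_post(url: str, payload: dict) -> dict:
    """POST payload to url with the auth headers used in STEP 1; return the 'result' object."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"X-Auth-Email": os.environ["CF_EMAIL"],
                 "X-Auth-Key": os.environ["CF_API_KEY"],
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        body = json.load(resp)
    if not body.get("success"):
        raise RuntimeError("Cloudflare API error: %s" % body.get("errors"))
    return body["result"]


def configure_secondary_dns(account_tag: str, zone_tag: str, zone_name: str, master_ip: str,
                            tsig: Optional[Tuple[str, str, str]] = None, ixfr: bool = True,
                            auto_refresh_seconds: int = 86400,
                            post: Transport = cloudflare_post) -> Dict[str, object]:
    """Create the optional TSIG, add the Master, then link it to the secondary zone.

    tsig is (name, secret, algo) as supplied by the primary DNS provider.
    """
    tsig_id = None
    if tsig is not None:
        name, secret, algo = tsig
        # STEP 2: the response id is what the Master refers to as tsig_id.
        tsig_id = post("%s/accounts/%s/secondary_dns/tsigs/" % (API, account_tag),
                       {"name": name, "secret": secret, "algo": algo})["id"]

    # STEP 3: register the Master nameserver; tsig_id only when TSIG was configured.
    master = {"ip": master_ip, "port": 53, "ixfr_enable": ixfr}
    if tsig_id is not None:
        master["tsig_id"] = tsig_id
    master_id = post("%s/accounts/%s/secondary_dns/masters/" % (API, account_tag), master)["id"]

    # STEP 4: link the Master id to the secondary zone.
    zone = post("%s/zones/%s/secondary_dns/" % (API, zone_tag),
                {"id": zone_tag, "name": zone_name, "masters": [master_id],
                 "auto_refresh_seconds": auto_refresh_seconds})
    return {"tsig_id": tsig_id, "master_id": master_id, "zone": zone}
```

Keep the TSIG secret out of the script itself; read it from a secret store or the environment in the same way as the API key.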
Related resources
Postman
TSIG Specification
The Cloudflare (Site) Analytics app helps you gain insight about each specific site in your Cloudflare account. These metrics comprise request and response data for web traffic, security, performance, DNS, and Workers.
Overview
View your site analytics
Review your site metrics
Overview
The Cloudflare dashboard (Site) Analytics app is a major component of the overall Cloudflare Analytics product line. Specifically, this app gives you access to a wide range of metrics, collected at the site or domain level. Read Cloudflare Analytics: A quick overview for general information about all of Cloudflare's analytics offerings. You can also understand the characteristics of the data that Cloudflare captures and processes.
View your site analytics
To view metrics for your site:
Log in to the Cloudflare dashboard.
Click the appropriate Cloudflare account for your site, then pick the domain.
Next, click the Analytics app icon.
Once it loads, the Analytics app displays a set of tabs for Traffic, Security, Performance, DNS, Workers, and Logs (Enterprise domains only). To understand the various metrics available, see Review your site metrics below.
Review your site metrics
This section outlines the metrics available under each Analytics app tab. Before proceeding, note that each tab may contain:
One or more panels to further categorize the underlying metrics, and
a dropdown (on the panel's top right) to filter metrics for a specific time period. The time period you can select may vary based on the Cloudflare plan that your domain is associated with.
Below is a summary of each Analytics app tab.
Traffic
These metrics include legitimate user requests as well as crawlers and threats. The Traffic tab features the following panels:
Web Traffic - Displays metrics for Requests, Bandwidth, Unique Visitors, and Status Codes. Note that if you use Cloudflare Workers, subrequest analytics are available under the Workers tab.
Web Traffic Requests by Country - Is an interactive map that breaks down the number of requests by country. This panel also includes a data table for Top Traffic Countries / Regions that display the countries with the most number of requests (up to five, if the data exists).
Share Your Stats - Lets you share actual site statistics on social media (Twitter) for: Bytes saved, SSL requests served, and attacks blocked.
Security
For this tab, the number and type of charts may vary based on existing data and customer plan. Most of the metrics in this tab come from the Cloudflare Firewall app. The panels available include:
Threats - Displays a data summary and an area chart showing threats against the site.
Threats by Country - Is an interactive map highlighting the countries where threats originated. It also includes data tables with statistics on Top Threat Countries / Regions and Top Crawlers / Bots.
Rate Limiting (add-on service) - Features a line chart highlighting matching and blocked requests, based on rate limits. To learn more, consult Rate Limiting Analytics.
Overview - Displays a set of pie charts for: Total Threats Stopped, Traffic Served Over SSL, and Types of Threats Mitigated. If available, the expandable Details link displays a table with numerical data.
Performance
The metrics aggregated under this tab span multiple Cloudflare services. The panels available include:
Origin Performance (Argo) (add-on service) - Displays metrics related to response time between the Cloudflare edge network and origin servers for the last 48 hours. For additional details, see Argo Analytics.
Overview - Displays a set of pie charts for: Client HTTP Version Used, Bandwidth Saved, and Content Type Breakdown. If available, the expandable Details link displays a table with numerical data.
DNS
The DNS tab presents several statistics for DNS queries. Note that metrics are available as long as Cloudflare is the site's authoritative DNS server, even if the site is not proxied by Cloudflare. Therefore, DNS metrics are not offered for sites with a CNAME Setup. The metrics panels available under the DNS tab include:
DNS Queries - Displays several area charts and data tables for DNS record metrics including queries by Response Code, Record Type as well as records that return an NXDOMAIN response (DNS record doesn't exist). You can filter by one or several DNS records by entering record names (for example, www.example.com) in the dropdown near the top.
DNS Queries by Data Center - Lets you see DNS query distribution across Cloudflare's data centers. Metrics appear as interactive maps and data tables, and include statistics for Traffic, NXDOMAIN, and NOERROR.
Workers
This panel features metrics for Cloudflare Workers. To learn more, read Cloudflare analytics with Workers.
Logs
The Logs tab is not a metrics feature. Instead, customers in the Enterprise plan can enable the Logpush service there. You can use Logpush to download and analyze data using any analytics tool of your choice.
Total Threats Stopped measures the number of suspicious and bad requests that were aimed at your site. Requests receive these labels from our IP Reputation Database as they enter Cloudflare's network:
Legitimate: requests pass directly to your site.
Suspicious: request has been challenged with a CAPTCHA page or JavaScript challenge page.
Bad: request has been blocked by our Browser Integrity Check, or because of user-configured settings like WAF rules or IP range blocks.
Cloudflare uses Threat Scores gathered from sources such as Project Honeypot, as well as our own communities' traffic to determine whether a visitor is legitimate or malicious. When a legitimate visitor passes a challenge, that helps offset the Threat Score against the previous negative behavior seen from that IP address. Our system learns who is a threat from this activity.
In addition to threat analytics you can also monitor search engine crawlers going to your websites. For most websites, threats and crawlers make up 20% - 50% of traffic.
Cloudflare Pro, Business, and Enterprise domains have access to Cloudflare Firewall Analytics and filtering. Learn how Firewall Analytics helps identify security enhancements for your site.
About firewall analytics
Filter firewall analytics
Review the Firewall Activity log
Share firewall analytics filters
Export activity log data
Select visible columns in the activity log
Print or download PDF firewall analytics report
Related resources
About firewall analytics
Cloudflare Pro, Business, and Enterprise customers benefit from Firewall Analytics and the Activity log of firewall events in the Firewall app under the Overview tab. Firewall analytics allow management and visualization of threats and help customers tailor their security configurations. Firewall Analytics allows filters and exclusions and provides the following data for a predefined duration of 30 minutes to up to 72 hours:
Events by action provides the count of firewall activity per action (Block, Log/Simulate, JS Challenge, Challenge, etc) taken on traffic during the report duration selected.
Events by service lists the firewall activity per Cloudflare security feature (WAF, Firewall Rules, Access Rules, Hotlink Protection, Rate Limits, etc).
Top events by source provides details of the traffic flagged or actioned by a Cloudflare security feature (IP addresses, User Agents, Paths, Countries, Hosts, ASNs, HTTP Methods, etc).
Activity log summarizes firewall events by date to show the action taken and the Cloudflare security feature applied.
Denial-of-service attacks mitigated counts automatically mitigated Layer 4 attacks blocked by Cloudflare over the last 72 hours.
Firewall analytics and events may be presented from sampled data in order to improve performance. Cloudflare logs challenge success in order to provide customers the Captcha Success Rate.
Filter firewall analytics
To narrow the scope of Firewall Analytics, you can apply multiple filters and exclusions as well as adjust the report duration. Modifying the duration, filters, or exclusions affects the analytics data displayed on the entire page, including the Activity Log and all graphs, except for the Denial-of-service attacks mitigated graph. Adjust the scope of analytics by either clicking Add filter under Firewall Events or clicking the Filter or Exclude buttons that appear when hovering over an analytics data legend. When applying filters:
Wildcards are not allowed.
Quotation marks are not necessary around field values.
If entering ASN numbers, leave out the AS prefix. For example, enter 1423 instead of AS1423.
Firewall analytics captures all traffic actioned or flagged by a Cloudflare security setting, including features such as Browser Integrity Check.
Review the Firewall Activity log
To view WAF event details:
1. Log in to the Cloudflare dashboard.
2. Click the appropriate Cloudflare account.
3. Select the proper domain.
4. Click the Firewall app.
5. The Overview tab lists the Activity log.
6. Click any entry in the Firewall Activity log to expand further details.
To search for a WAF event by IP address (or similar field):
Click + Add filter under Firewall Events at the top of the Firewall app.
Select IP for Action.
Choose equals.
Enter the IP address.
Alternatively, expand a Firewall event from the Activity log and click the Filter button that appears when mousing over the IP address.
Requests containing certain attack patterns in the User-Agent field are blocked before any whitelisting logic occurs. Firewall events downloaded from the API show rule_id as security_level and action as drop when this behavior occurs.
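Events pulled from the API or exported from the Activity log can be processed outside the dashboard. The following added example (not Cloudflare's code) loads a constructed JSON export, collapses the per-feature events back to the requests that caused them, reproduces the "events by action", "events by service" and "top events by source" views, and picks out the User-Agent drops described above. Only rule_id and action are named on this page; the other keys (ray_id, source, client_ip, user_agent, path) are assumptions of the example, to be mapped to the column names of your own export.

```python
"""Work through an exported Firewall Activity log (JSON) the way a SIEM job might.

Added example, not Cloudflare's code. The export format on this page is only
described as JSON with rule_id and action fields, so the other keys used
below (ray_id, source, client_ip, user_agent, path) and the sample events are
assumptions constructed for the demonstration; map them to the real column
names of your export.
"""
import json
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample: one request (ray_id r1) that triggered three features,
# one User-Agent drop at the security-level stage, and one plain block.
SAMPLE_EXPORT = json.dumps([
    {"ray_id": "r1", "action": "challenge", "source": "firewallrules", "rule_id": "fr-1",
     "client_ip": "203.0.113.10", "user_agent": "curl/7.68.0", "path": "/login"},
    {"ray_id": "r1", "action": "log", "source": "waf", "rule_id": "100035",
     "client_ip": "203.0.113.10", "user_agent": "curl/7.68.0", "path": "/login"},
    {"ray_id": "r1", "action": "challenge", "source": "ratelimit", "rule_id": "rl-1",
     "client_ip": "203.0.113.10", "user_agent": "curl/7.68.0", "path": "/login"},
    {"ray_id": "r2", "action": "drop", "source": "securitylevel", "rule_id": "security_level",
     "client_ip": "198.51.100.5", "user_agent": "BadBot/1.0", "path": "/"},
    {"ray_id": "r3", "action": "block", "source": "ip", "rule_id": "ip-allow-deny",
     "client_ip": "203.0.113.10", "user_agent": "curl/7.68.0", "path": "/admin"},
])


def load_events(export_json: str) -> List[dict]:
    """Parse the exported JSON array of events."""
    return json.loads(export_json)


def group_by_request(events: List[dict]) -> Dict[str, List[dict]]:
    """Collapse per-feature events back to the request that caused them (keyed by ray_id)."""
    by_request = defaultdict(list)
    for ev in events:
        by_request[ev["ray_id"]].append(ev)
    return dict(by_request)


def count_by(events: List[dict], field: str) -> Counter:
    """Event counts per value of a field, e.g. 'action' or 'source' (the 'Events by ...' panels)."""
    return Counter(ev[field] for ev in events)


def user_agent_drops(events: List[dict]) -> List[dict]:
    """Events dropped on attack patterns in the User-Agent before allow lists apply."""
    return [ev for ev in events if ev["rule_id"] == "security_level" and ev["action"] == "drop"]


def top_sources(events: List[dict], field: str = "client_ip", n: int = 5) -> List[tuple]:
    """The 'Top events by source' view: most frequent values of a field, as (value, count)."""
    return Counter(ev[field] for ev in events).most_common(n)


if __name__ == "__main__":
    events = load_events(SAMPLE_EXPORT)
    print("requests:", len(group_by_request(events)), "events:", len(events))
    print("by action:", dict(count_by(events, "action")))
    print("by service:", dict(count_by(events, "source")))
    print("user-agent drops:", [ev["client_ip"] for ev in user_agent_drops(events)])
    print("top sources:", top_sources(events))
```

Because the log is per event rather than per request, a SIEM correlation rule that counts events will over-count clients that trip several features at once; grouping by the request identifier first gives the request count.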
Firewall Events are shown by individual event rather than by request. For example, if a single request triggers three different Firewall features, the firewall events appear as three individual events in the Activity log.
Share firewall analytics filters
When you add a filter and specify a duration (time window) in firewall analytics, the Cloudflare dashboard URL changes to reflect the parameters included in your filtering. You can share that URL with other users so that they can analyze the same information that you see. For example:
https://dash.cloudflare.com/a67e14da49djdceeb9adf85449ba496eb/example.net/firewall?action=challenge&time-window=4320
Export activity log data
You can export a set of up to 500 raw events from the Activity log section of firewall analytics by clicking the Export button. The data is in JSON format. This option is useful when you need to combine and analyze Cloudflare data with your own data stored in a separate system or database, such as a security information and event management (SIEM) system. The data you export will reflect any filters you have applied.
Select visible columns in the activity log
You can configure which columns to display in the Activity log section of firewall analytics by clicking the Edit columns button. This gives you flexibility depending on the type of analysis that you need to perform. An example use case for this option is when you're trying to diagnose a bot-related issue. You may want to see the user-agent and the source country. Another example is when you'd like to identify a DDoS attack. You may want to see IP addresses, ASNs, path, and other attributes.
Print or download PDF firewall analytics report
You can print or download a snapshot report from your Firewall Events analytics dashboard by clicking the three-dots icon (...) and selecting Print report. Note that any filters you have applied will reflect in the printed or downloaded report. Your web browser's printing interface will present you with options for printing or downloading to PDF.
Related resources
Cloudflare Blog: Firewall tab and analytics
Learn how to cancel your Cloudflare account. Once you cancel your Cloudflare account, your site no longer benefits from Cloudflare's security, speed, and reliability.
Overview
Prerequisites
Cancel your Cloudflare account
Related resources
Overview
Before canceling your account, contact Cloudflare Support to help you troubleshoot any issues. Issues are often resolved by making minor changes to Cloudflare account settings.
Once the account is canceled, Cloudflare cannot reactivate the original email address for your account. If you decide to use Cloudflare again, you will need a different email address to set up the new account.
Prerequisites
Add-on services and plan extensions are the two terms we'll use to describe Cloudflare products and services that have an additional monthly cost.
If after contacting Cloudflare Support, you would still like to cancel your account:
Cancel your subscriptions to Cloudflare add-on services
Remove your domain from Cloudflare
Remove Cloudflare nameservers at your domain registrar
If you are using a Cloudflare CNAME setup, update your DNS records at your DNS provider to point to your website IPs or hostnames instead of Cloudflare.
Delete payment information
You cannot remove payment information if you have active paid Cloudflare payment plans or subscriptions for Cloudflare plan extensions.
The process outlined above is required for each domain associated with your Cloudflare account.
Cancel your Cloudflare account
After following the prerequisites above, contact Cloudflare Support to request the cancellation of your account. Your account is canceled once the support team provides confirmation.
Related resources
Canceling Cloudflare subscriptions
Removing your domain from Cloudflare
Updating your billing information
Temporarily pausing Cloudflare
Learn to quickly set up your Cloudflare account and activate your domain. Understand best practices for Cloudflare-proxied domains.
This article formerly appeared under the title Step 1: How does Cloudflare work?
Overview
Cloudflare's global network enhances website security and performance. Review our article on how Cloudflare works for further details.
Activate your domain on Cloudflare in two steps:
Create a Cloudflare account and add a website
Use Cloudflare nameservers at your domain registrar
Step 2 is not required for Business and Enterprise domains on CNAME setups.
Additionally, Cloudflare recommends several best practices for newly activated domains. If you run into issues setting up your first Cloudflare domain, refer to our Troubleshooting FAQ for new Cloudflare customers.
Best practices for active Cloudflare domains
Cloudflare recommends the following actions and enhancements for each new domain added to Cloudflare:
Recommended actions
Ensure successful interaction between your origin web server, third-party services, and Cloudflare:
Whitelist Cloudflare IP addresses at your origin web server, and
Whitelist third-party services your site uses via Cloudflare IP Access rules.
Your origin server IPs are automatically whitelisted for your domain when adding the domain to Cloudflare.
Recommended enhancements
Learn which Cloudflare features improve your site speed and optimize security:
Improve site performance
Optimize security
Recommended reading
Secure traffic over HTTPS for both your site visitors and for traffic between Cloudflare and your origin web server.
End-to-end HTTPS with Cloudflare
Troubleshooting FAQ for new Cloudflare customers
Contacting Cloudflare support
Understanding Cloudflare DDOS protection
Best Practices: DDoS preventative measures
Getting started with DNS
Getting started with Cloudflare SSL
Learn to transfer, manage, and renew your existing domain with Cloudflare Registrar.
Overview
Before getting started
Transfer a domain to Cloudflare
Renew domains via Cloudflare Registrar
Renew domains automatically
Understand renewal notification
Related resources
Overview
Cloudflare only supports domain transfer, not direct purchase, for existing Cloudflare customers.
Existing Cloudflare customers can transfer and manage domains via Cloudflare Registrar. Cloudflare Registrar offers free personal data redaction (Whois Privacy) that meets current ICANN guidelines. If a registry provides a promotional price for a top-level domain (TLD), Cloudflare automatically provides that price to customers. Cloudflare continuously adds support for new TLDs. Refer to Cloudflare's list of supported TLDs.
Only domains Active at Cloudflare via a Full setup (Cloudflare hosts the authoritative DNS) are eligible for Cloudflare Registrar. Domains on CNAME setups are ineligible. Cloudflare Registrar abides by the ICANN Registrant Rights and Responsibilities.
Before getting started
Before transferring a domain to or from Cloudflare:
Disable DNSSEC by removing the DS record at your current DNS host and then turn off DNSSEC within the Cloudflare DNS app, and
Notify your financial institution before initiating multiple domain transfers to avoid flagging the charges as fraudulent.
Because a transfer can take up to 15 days, a transfer may fail if performed too close to the expiration date. If your domain expires before the transfer to Cloudflare completes, perform the following actions:
Renew the domain at your current registrar.
Ensure the nameservers at your current registrar still point to Cloudflare's nameservers.
Ensure your domain is still Active at Cloudflare or click the Re-check now button if it appears in the Cloudflare Overview app.
Transfer the domain to Cloudflare.
Transfer a domain to Cloudflare
Refer to the Cloudflare developer docs for registrar transfer instructions. Domain transfer completion depends on your current domain provider's response time. A transfer takes up to fifteen days. The domain transfer process consists of the following steps:
receipt of verification codes,
release of the domain, and
additional confirmation emails.
Customers that recently renewed their domain do not lose time added to their expiration upon domain transfer. ICANN requires a domain transfer to extend the expiration date by at least one year. A domain that transfers on October 10, 2019 but expires March 10, 2020 acquires a new expiration of March 10, 2021. If a domain expires at the current registrar and is renewed within 45 days before transferring to Cloudflare, the registry (the owner of the TLD) can restrict the addition of an extra year.
Renew domains via Cloudflare Registrar
Once your domain is transferred to Cloudflare Registrar, the domain is renewable via Cloudflare. To renew a Cloudflare Registrar domain:
Within the Cloudflare Overview app, click Manage domain under Domain Registration.
Under the Registration feature, click Add years. You can only select the number of years you are eligible to renew, up to the maximum of 10 years.
Under Renew for, select the number of years for renewal.
Click Renew.
Domains are renewable at any time. Additional years are always added to the current expiration date regardless of when the renewal takes place. You are billed the number of renewal years times the renewal fee for that TLD. For example, a 5-year renewal of a .com domain currently costs $40.15 ($8.03 X 5 years). Clicking Renew for shows the Expires on and Renews on dates. Expires on is the date the domain expires and Renews on is the date the domain automatically renews. A status of Renewal Pending indicates the renewal is processing. Once the domain renews, the status will change back to Active. WHOIS information can differ between Cloudflare's dashboard and ICANN. ICANN whois is not authoritative and can experience delays. Cloudflare recommends checking the Verisign WHOIS.
Renew domains automatically
Cloudflare domain registration is set to automatically renew by default. Automatic renewals are 1-year renewals initiated by Cloudflare on behalf of the customer. Only domains that have Auto Renew set to On are automatically renewed. Manual renewal is possible at any time even if Auto Renew is enabled. Cloudflare automatically renews domains 30 days prior to the expiration date. If the automatic renewal fails, you are notified via email. Cloudflare makes two additional attempts to process the renewal. If all attempts fail, the customer must manually renew the domain.
Understand renewal notification
The following domain expiration notices are sent to the email address used to register the domain:
A monthly email listing all domains set to automatically renew within the next 45 days.
A weekly email listing all domains expiring in approximately one month's time.
A daily email listing all domains expiring in 7 days.
An email one day after the domain expires.
Per Cloudflare's expired domains policy, a domain registration is canceled unless renewed before the registration period ends. Domains are not immediately deleted from your Cloudflare account upon expiration. Instead, expired domain registrations have a Redemption Grace Period (RGP) of 30 days. During the RGP, Cloudflare blocks attempted transfers of an expired domain. Cloudflare does not charge additional fees for domains reregistered during the RGP.
Related resources
Contact our abuse team
Contact Cloudflare Support
Domain transfer costs and FAQs
Cloudflare Registrar supported TLDs
Introducing Cloudflare Registrar: Domain Registration You Can Love
Cloudflare Registrar: what happens when you register a domain?
Cloudflare's default configuration only allows proxying of HTTP traffic and will break mail traffic.
Troubleshooting tips
Consult with your mail administrator or mail provider to ensure you have valid DNS record content.
If you are following the best practices for MX records on Cloudflare mentioned below and still have issues sending or receiving mail, follow these troubleshooting steps:
Are DNS records missing? Contact your mail administrator to confirm the DNS records for your domain are correct. Refer to our guide on managing DNS records in Cloudflare if you need assistance to add or edit DNS records. Cloudflare support is unable to modify DNS records within your account.
Do not proxy mail-related DNS records to Cloudflare. If you have an MX record of mail.domain.com, then the A record for mail.domain.com must have a grey-cloud icon next to the DNS A record, as demonstrated in our support guide for managing DNS records in Cloudflare.
Contact your mail provider for assistance. If your email does not work shortly after editing DNS records, contact your mail administrator or mail provider for further assistance in troubleshooting so that data about the issue can be provided to Cloudflare support.
Best practices for MX records on Cloudflare
Follow these guidelines to ensure successful delivery of your mail traffic:
Grey-cloud your mail-related DNS records so mail traffic isn't proxied through Cloudflare.
Use separate IP addresses for mail traffic and HTTP/HTTPS traffic. Cloudflare recommends using non-contiguous IPs from different IP ranges.
Since mail traffic cannot be proxied through Cloudflare by default, the IP address that serves mail is exposed; if it is also your origin web server's IP address, that information would allow attackers to bypass Cloudflare security features and attack your web server directly.
Don't configure MX records for a root domain that is proxied through Cloudflare.
Many hosting companies specify the root domain name in the content of the MX record. When using Cloudflare's DNS, specify a subdomain such as mail.example.com in the content of the MX record and create a separate A record in Cloudflare for mail.example.com to point to the IP address of your mail server.
Having an MX record for a root domain proxied through Cloudflare will reveal your origin web server's IP address to potential attackers. See Why do I have a dc-######### subdomain? for further details.
Page Rules trigger certain actions whenever a request matches one of the URL patterns you define. Learn to create and edit page rules and understand the different settings available.
This article formerly appeared under the titles Page Rules Tutorial and Is There a Page Rules Tutorial?
Overview
Before getting started
Create a page rule
Edit a page rule
Understand wildcard matching and referencing
Summary of Page Rules Settings
Additional details
Related resources
Overview
You can define a page rule to trigger one or more actions whenever a certain URL pattern is matched. The Page Rules app is available in the Cloudflare dashboard.
Page Rules require an "Orange Clouded" DNS record for your page rule to work. Page Rules won't apply to hostnames that don't exist in DNS or aren't being directed to Cloudflare.
The default number of allowed page rules depends on the domain plan as shown below.
Plan         Page rules allowed
Free         3
Pro          20
Business     50
Enterprise   100
You can purchase additional rules (up to a maximum of 100) for domains in the Free, Pro, and Business plans.
Before getting started
It is important to understand two basic Page Rules behaviors:
Only the highest priority matching page rule takes effect on a request.
Page rules are prioritized in descending order in the Cloudflare dashboard, with the highest priority rule at the top.
Cloudflare recommends ordering your rules from most specific to least specific.
A page rule matches a URL pattern based on the following format (comprised of four segments):
<scheme>://<hostname><:port>/<path>
An example URL with these four segments looks like:
https://www.example.com:443/image.png
The scheme and port segments are optional. If omitted, scheme matches both http:// and https:// protocols. If no port is specified, the rule will match all ports.
Finally, you can disable a page rule at any time. While a rule is disabled, actions won't trigger but the rule still appears in the Page Rules app, is editable, and counts against the number of rules allowed for your domain. The Save as Draft option creates a page rule that is disabled by default.
Create a page rule
The steps to create a page rule are:
1. Log in to the Cloudflare dashboard.
2. Select the domain where you want to add the page rule.
3. Click the Page Rules app.
4. Under Page Rules, click Create Page Rule. The Create Page Rule for <your domain> dialog opens.
5. Under If the URL matches, enter the URL or URL pattern that should match the rule. Learn more about wildcard matching below.
6. Next, under Then the settings are: click +Add a Setting and select the desired setting from the dropdown. You can include more than one setting per rule. Learn more about settings in the summary below.
7. In the Order dropdown, specify the desired order: First, Last or Custom.
8. To save, click one of the following options:
Save as Draft to save the rule and leave it disabled.
Save and Deploy to save the rule and enable it immediately.
Consult Recommended Page Rules to Consider for ideas about the types of page rules you can create.
Edit a page rule
To modify an existing rule:
1. Log in to the Cloudflare dashboard.
2. Select the domain where you want to edit your page rule.
3. Click the Page Rules app.
4. Under Page Rules, locate the rule to edit.
5. Proceed to make the necessary changes, as follows:
To enable or disable a rule, click the On/Off toggle.
To modify the URL pattern, settings, and order, click the Edit button (wrench icon). In the dialog, enter the information you'd like to change.
To remove a rule, click the Delete button (x icon) and confirm by clicking OK in the Confirm dialog.
Understand wildcard matching and referencing
You can use the asterisk (*) in any URL segment to match certain patterns. For example,
example.com/t*st
Would match:
example.com/test
example.com/toast
example.com/trust
Helpful tips
To match both http and https, just write example.com. It is not necessary to write *.example.com.
To match every page on a domain, write example.com/*. Just writing example.com won't work.
Referencing wildcard matches
You can reference a matched wildcard later using the $X syntax. X indicates the index of a glob pattern. As such, $1 represents the first wildcard match, $2 the second wildcard match, and so on.
This is specifically useful with the Forwarding URL setting. For example:
You could forward:
http://*.example.com/*
to:
http://example.com/images/$1/$2.jpg
This rule would match:
http://cloud.example.com/flare.jpg
which ends up being forwarded to:
http://example.com/images/cloud/flare.jpg
To use a literal $ character in the forwarding URL, escape it by adding a backslash (\) in front: \$.
Avoid creating a redirect where the domain points to itself as the destination. This can cause an infinite redirect error and your site cannot be served to visitors.
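As an added example, not Cloudflare's own code, the Python below models the matching and forwarding behaviour described in the two sections above (the four-segment pattern format, `*` wildcards, `$N` references and `\$` escaping) so that a rule and its Forwarding URL can be checked against sample URLs before deployment, including the self-referencing redirect warned about just above. It assumes that `*` may also appear in the port segment and that the query string is treated as part of the path segment.

```python
"""Model of Page Rule URL matching and Forwarding URL substitution.

Added example, not Cloudflare's own code. It follows the behaviour this
article describes: four URL segments, '*' wildcards in any segment, $N
references to the Nth wildcard, and '\\$' for a literal dollar sign.
Assumptions: a '*' may also appear in the port segment, and the query
string (if any) is treated as part of the path segment.
"""
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalise(url: str) -> str:
    """Rewrite a request URL as scheme://host:port/path[?query]."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"URL must start with http:// or https://: {url!r}")
    port = parts.port or DEFAULT_PORTS[scheme]
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return f"{scheme}://{parts.hostname}:{port}{path}"


def _glob(segment: str) -> str:
    """Escape literal text and turn every '*' into a capturing group."""
    return "(.*)".join(re.escape(part) for part in segment.split("*"))


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Page Rule pattern into a regex over a normalised URL."""
    if "://" in pattern:
        scheme, rest = pattern.split("://", 1)
        scheme_re = re.escape(scheme.lower())
    else:
        scheme_re, rest = "https?", pattern   # scheme omitted: http and https
    m = re.fullmatch(r"([^/:]*)(?::([^/]*))?(/.*)?", rest)
    if m is None:
        raise ValueError(f"unparseable pattern: {pattern!r}")
    host, port, path = m.group(1), m.group(2), m.group(3)
    port_re = _glob(port) if port is not None else r"\d+"  # omitted: any port
    # Omitted path: only the bare root URL matches, which is why
    # "example.com" does not cover every page but "example.com/*" does.
    path_re = _glob(path) if path is not None else "/?"
    return re.compile(f"^{scheme_re}://{_glob(host.lower())}:{port_re}{path_re}$")


def match(pattern: str, url: str):
    """Return the tuple of wildcard captures, or None if the rule does not fire."""
    m = pattern_to_regex(pattern).match(normalise(url))
    return m.groups() if m else None


def forward(pattern: str, target: str, url: str):
    """Apply a Forwarding URL template ($1, $2, ..., \\$) to a matching URL."""
    caps = match(pattern, url)
    if caps is None:
        return None

    def substitute(m: "re.Match[str]") -> str:
        if m.group(0) == "\\$":            # escaped dollar sign stays literal
            return "$"
        idx = int(m.group(1))
        if not 1 <= idx <= len(caps):
            raise ValueError(f"${idx} has no matching wildcard in {pattern!r}")
        return caps[idx - 1]

    return re.sub(r"\\\$|\$(\d+)", substitute, target)


def redirect_loops(pattern: str, target: str, url: str) -> bool:
    """True when the forwarded URL is matched by the same rule again."""
    destination = forward(pattern, target, url)
    return destination is not None and match(pattern, destination) is not None


if __name__ == "__main__":
    # Sample rule from the article, applied to a constructed request URL.
    print(forward("http://*.example.com/*",
                  "http://example.com/images/$1/$2.jpg",
                  "http://cloud.example.com/flare"))
    # A rule whose Forwarding URL lands back inside its own pattern.
    print(redirect_loops("example.com/*", "https://example.com/$1",
                         "https://example.com/index.html"))
```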
Summary of Page Rules Settings
Settings control the action Cloudflare takes once a request matches the URL pattern defined in a page rule. You can use settings to enable and disable multiple Cloudflare features across several of the dashboard apps. Note that:
Some settings require a Pro, Business or Enterprise domain plan.
You can specify more than one setting to apply when the rule triggers.
Ports 80, 443, and 8080 are the only ports where Cloudflare Caching is available.
Below is the full list of settings available, presented in the order that they appear in the Cloudflare Page Rules UI.
Each entry gives the setting, the plans it is available on (in parentheses), and its description.
Always Online (Plans: All)
Turn on or off the Always Online feature of the Cloudflare Caching app. Learn more.
Disable this for sections of your site that should never return cached data, such as APIs or payment/cart pages.
Always Use HTTPS (Plans: All)
Turn on or off the Always Use HTTPS feature of the Edge Certificates tab in the Cloudflare SSL/TLS app. If enabled, any http:// URL is converted to https:// through a 301 redirect.
If this option does not appear, you do not have an active Edge Certificate.
Auto Minify (Plans: All)
Indicate which file extensions to minify automatically. Learn more.
Automatic HTTPS Rewrites (Plans: All)
Turn on or off the Cloudflare Automatic HTTPS Rewrites feature of the Edge Certificates tab in the Cloudflare SSL/TLS app. Learn more.
Browser Cache TTL (Plans: All)
Control how long resources cached by client browsers remain valid. Learn more.
Browser Integrity Check (Plans: All)
Inspect the visitor's browser for headers commonly associated with spammers and certain bots. Learn more.
Bypass Cache on Cookie (Plans: Business, Enterprise)
Bypass Cache and fetch resources from the origin server if a regular expression matches against a cookie name present in the request.
If you add both this setting and the enterprise-only Cache On Cookie setting to the same page rule, Cache On Cookie takes precedence over Bypass Cache on Cookie.
See Additional details below to learn about limited regular expression support.
Cache By Device Type (Plans: Enterprise)
Separate cached content based on the visitor's device type. Learn more.
Cache Deception Armor (Plans: All)
Protect from web cache deception attacks while still allowing static assets to be cached. This setting verifies that the URL's extension matches the returned Content-Type. Learn more.
Cache Key (Plans: Enterprise)
Also referred to as Custom Cache Key.
Control specifically what variables to include when deciding which resources to cache. This allows customers to determine what to cache based on something other than just the URL. Learn more.
To enable custom cache keys in your domain, file a request with Cloudflare Support.
Cache Level (Plans: All)
Apply custom caching based on the option selected:
Bypass - Cloudflare does not cache.
No Query String - Delivers resources from cache when there is no query string.
Ignore Query String - Delivers the same resource to everyone independent of the query string.
Standard - Caches all static content that has a query string.
Cache Everything - Treats all content as static and caches all file types beyond the Cloudflare default cached content. Respects cache headers from the origin web server unless Edge Cache TTL is also set in the Page Rule. When combined with an Edge Cache TTL > 0, Cache Everything removes cookies from the origin web server response.
Cache on Cookie (Plans: Enterprise)
Apply the Cache Everything option (Cache Level setting) based on a regular expression match against a cookie name.
If you add both this setting and Bypass Cache on Cookie to the same page rule, Cache On Cookie takes precedence over Bypass Cache on Cookie.
Disable Apps (Plans: All)
Turn off all active Cloudflare Apps.
Disable Performance (Plans: All)
Turn off: Auto Minify, Rocket Loader, Mirage, Polish.
Disable Railgun (Plans: Business, Enterprise)
Turn off the Railgun feature of the Cloudflare Speed app.
Disable Security (Plans: All)
Turn off: Email Obfuscation, Rate Limiting, Scrape Shield, Server Side Excludes, URL (Zone) Lockdown, WAF.
Edge Cache TTL (Plans: All)
Specify how long to cache a resource in the Cloudflare edge network. Edge Cache TTL only takes effect when included as a setting in a Page Rule that also sets Cache Level to Cache Everything. Edge Cache TTL isn't visible in response headers. The minimum Edge Cache TTL depends on plan type: Free - 2 hours; Pro - 1 hour; Business - 30 minutes; Enterprise - 1 second.
Email Obfuscation (Plans: All)
Turn on or off the Cloudflare Email Obfuscation feature of the Cloudflare Scrape Shield app. Learn more.
Forwarding URL (Plans: All)
Redirects one URL to another using an HTTP 301/302 redirect. See Understand wildcard matching and referencing above.
Host Header Override (Plans: Enterprise)
Apply a specific host header. Learn more.
IP Geolocation Header (Plans: All)
Cloudflare adds a CF-IPCountry HTTP header containing the country code that corresponds to the visitor.
Mirage (Plans: Pro, Business, Enterprise)
Turn on or off Cloudflare Mirage of the Cloudflare Speed app. Learn more.
Opportunistic Encryption (Plans: All)
Turn on or off the Cloudflare Opportunistic Encryption feature of the Edge Certificates tab in the Cloudflare SSL/TLS app. Learn more.
Origin Cache Control (Plans: All)
Deprecated. Origin Cache Control is enabled by default and cannot be disabled.
Origin Error Page Pass-thru (Plans: Enterprise)
Turn on or off Cloudflare error pages generated from issues sent from the origin server. If enabled, this setting triggers error pages issued by the origin.
Polish (Plans: Pro, Business, Enterprise)
Apply options from the Polish feature of the Cloudflare Speed app. Learn more.
Query String Sort (Plans: Enterprise)
Turn on or off the reordering of query strings. When query strings have the same structure, caching improves. Learn more.
Resolve Override (Plans: Enterprise)
Change the origin address to the value specified in this setting. Learn more.
Respect Strong ETags (Plans: Enterprise)
Turn on or off byte-for-byte equivalency checks between the Cloudflare cache and the origin server. Learn more.
Response Buffering (Plans: Enterprise)
Turn on or off whether Cloudflare should wait for an entire file from the origin server before forwarding it to the site visitor. By default, Cloudflare sends packets to the client as they arrive from the origin server.
Rocket Loader (Plans: All)
Turn on or off Cloudflare Rocket Loader in the Cloudflare Speed app. Learn more.
Security Level (Plans: All)
Control options for the Security Level feature from the Cloudflare Firewall app. Learn more.
Server Side Excludes (Plans: All)
Turn on or off the Server Side Excludes feature of the Cloudflare Scrape Shield app. Learn more.
SSL (Plans: All)
Control options for the SSL feature of the Edge Certificates tab in the Cloudflare SSL/TLS app. Learn more.
True Client IP Header (Plans: Enterprise)
Turn on or off the True-Client-IP Header feature of the Cloudflare Network app. Learn more.
Web Application Firewall (Plans: Pro, Business, Enterprise)
Turn on or off your Web Application Firewall rules as defined in the Cloudflare Firewall app. Learn more.
Individual WAF rules cannot be enabled or disabled via page rules.
Additional details
Bypass Cache on Cookie setting
This setting is available to business and enterprise customers.
The Bypass Cache on Cookie setting supports basic regular expressions (regex) as follows:
A pipe operator (represented by |) to match multiple cookies using OR boolean logic. For example, bypass=.*|PHPSESSID=.* would bypass the cache if either a cookie called bypass or PHPSESSID were set, regardless of the cookie's value.
The wildcard operator (represented by .*), such that a rule value of t.*st= would match both a cookie called test and one called teeest.
Limitations include:
150 chars per cookie regex
12 wildcards per cookie regex
1 wildcard in between each | in the cookie regex
To learn how to configure Bypass Cache on Cookie with a variety of platforms, review these articles:
Caching Anonymous Page Views with WordPress or WooCommerce
Caching Anonymous Page Views with Magento 1 and Magento 2
How do I cache static HTML?
Note: If you add both this setting and the enterprise-only Cache On Cookie setting to the same page rule, Cache On Cookie takes precedence over Bypass Cache on Cookie.
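An added example, not Cloudflare's implementation, that enforces the limits listed above and evaluates a rule against a request's Cookie header before the page rule is deployed. It assumes that only `.*` is special, that every other character in the rule is literal text, and that each `|`-separated alternative is matched against the start of a `name=value` pair.

```python
"""Validate and evaluate a 'Bypass Cache on Cookie' rule.

Added example, not Cloudflare's implementation. It encodes the rule syntax
and limits given in this article: '|' for OR, '.*' as the only wildcard,
at most 150 characters, 12 wildcards in total and 1 wildcard per alternative.
Assumptions: every other character in the rule is literal text, and each
alternative is matched against the start of a 'name=value' cookie pair.
"""
import re
from typing import List, Optional, Tuple

MAX_LENGTH = 150
MAX_WILDCARDS = 12
MAX_WILDCARDS_PER_ALTERNATIVE = 1
WILDCARD = ".*"


def validate(rule: str) -> List[str]:
    """Return the limits a rule breaks; an empty list means it is acceptable."""
    problems = []
    if len(rule) > MAX_LENGTH:
        problems.append(f"rule is {len(rule)} chars, limit is {MAX_LENGTH}")
    total = rule.count(WILDCARD)
    if total > MAX_WILDCARDS:
        problems.append(f"rule has {total} wildcards, limit is {MAX_WILDCARDS}")
    for alt in rule.split("|"):
        n = alt.count(WILDCARD)
        if n > MAX_WILDCARDS_PER_ALTERNATIVE:
            problems.append(f"{alt!r} has {n} wildcards, limit is "
                            f"{MAX_WILDCARDS_PER_ALTERNATIVE} between each '|'")
        if not alt:
            # With nothing to match, an empty alternative would fire on every
            # cookie and bypass the cache for all requests that carry one.
            problems.append("empty alternative (stray '|')")
    return problems


def _alternative_regex(alt: str) -> "re.Pattern[str]":
    """Everything except '.*' is literal; '.*' becomes a real wildcard."""
    return re.compile(".*".join(re.escape(part) for part in alt.split(WILDCARD)))


def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split a Cookie request header into (name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            pairs.append((name.strip(), value.strip()))
    return pairs


def matching_cookie(rule: str, cookie_header: str) -> Optional[str]:
    """Name of the first cookie that makes the rule bypass the cache, else None."""
    problems = validate(rule)
    if problems:
        raise ValueError("rule breaks the Bypass Cache on Cookie limits: "
                         + "; ".join(problems))
    patterns = [_alternative_regex(alt) for alt in rule.split("|")]
    for name, value in parse_cookie_header(cookie_header):
        pair = f"{name}={value}"
        if any(p.match(pair) for p in patterns):
            return name
    return None


if __name__ == "__main__":
    # Rule from the article, against a constructed request header.
    print(matching_cookie("bypass=.*|PHPSESSID=.*", "theme=dark; PHPSESSID=abc123"))
    print(matching_cookie("t.*st=", "teeest=1"))
```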
Related resources
Recommended Page Rules to Consider
What subdomains are appropriate for orange/grey clouds?
How do I use Cache Everything with Cloudflare?
How do I cache static HTML?
Offline error message when updating or accessing the admin section of my content management system
HTTP/2 Server Push allows a website to push content to a browser, without having to wait for the HTML of one page to render first. In conjunction with the concurrency support built into HTTP/2, Server Push is able to dramatically reduce the amount of requests needed to load your website.
Cloudflare supports HTTP/2 Server Push and it can be enabled for stylesheets and scripts using Cloudflare's WordPress plugin. In order to utilise this feature, you must first ensure you have the Cloudflare WordPress plugin installed and set up on your site.
Once the plugin is installed, you can enable HTTP/2 Server Push simply by adding the following configuration code to your wp-config.php file:
define('CLOUDFLARE_HTTP2_SERVER_PUSH_ACTIVE', true);
You should insert this line above where it says "/* That's all, stop editing! Happy blogging. */", as follows:
You should then start to see requests coming in that are initiated through Server Push. For example, in the Network tab of Chrome Developer Tools you should see some assets have "Push" as the initiator:
It is possible to cache the HTML of a WordPress site at Cloudflare's Edge using a feature known as "Bypass Cache on Cookie". This can dramatically improve the speed of your website and reduce server load; in cases where the HTML is cached Cloudflare will not need to make a roundtrip to your web server. In order to utilise this feature, please see the article: Caching Static HTML with WordPress/WooCommerce.
Cloudflare is able to proxy HTTP traffic of any website, including WordPress sites with third-party performance plugins installed; however, please note that these plugins are installed at your own risk.
Cloudflare classifies the threats that it blocks or challenges. To help you understand more about your site's traffic, the Type of Threats Mitigated metric on the analytics page measures threats blocked or challenged by the following categories:
Bad browser: The source of the request was not legitimate or the request itself was malicious. Users would see a 1010 error page in their browser.
Cloudflare's Browser Integrity Check looks for common HTTP headers abused most commonly by spammers and denies them access to your page. It will also challenge visitors that do not have a user agent or have a non-standard user agent (also commonly used by bots, crawlers, or visitors).
Learn more about the Browser Integrity Check here.
Blocked hotlink: "Hotlink Protection" ensures that other sites cannot use your bandwidth by building pages that link to images hosted on your origin server. This feature can be turned on and off by Cloudflare's customers.
Learn more about Hotlink Protection here.
Human challenged: Visitors were presented with a CAPTCHA challenge page and failed to pass.
Note: A CAPTCHA page is a difficult to read word or set of numbers that only a human can translate. If entered incorrectly, the request is blocked.
Browser challenge: A bot gave an invalid answer to the JavaScript challenge (in most cases this won't happen, bots typically do not respond to the challenge at all, so "failed" JavaScript challenges would not get logged).
Note: During a JavaScript challenge you will be shown an interstitial page for about five seconds while Cloudflare performs a series of mathematical challenges to make sure it is a legitimate human visitor.
Bad IP: A request that came from an IP address that is not trusted by Cloudflare based on the Threat Score.
Cloudflare uses Threat Scores gathered from sources such as Project Honeypot, as well as our own communities' traffic to determine whether a visitor is legitimate or malicious. When a legitimate visitor passes a challenge, that helps offset the Threat Score against the previous negative behavior seen from that IP address. Our system learns who is a threat from this activity. Site owners may override the Threat Score at any time using Cloudflare's security settings.
Country block: Requests from countries that were blocked based on the user configuration set within the Firewall app.
Learn more about blocking countries using the Firewall app here.
IP block (user): Requests from specific IP addresses that were blocked based on the user configuration set within the Firewall app.
Learn more about blocking IPs using the Firewall app here.
IP range block (/16): A /16 IP range that was blocked based on the user configuration set within the Firewall app.
Learn more about blocking IPs using the Firewall app here.
IP range block (/24): A /24 IP range that was blocked based on the user configuration set within the Firewall app.
Learn more about blocking IPs using the Firewall app here.
New CAPTCHA (user): Challenge based on user configurations set for a visitor's IP in either the WAF or the Firewall app.
Learn more about challenging visitors using the WAF here.
Captcha error: Requests made by a bot that failed to pass the challenge.
Bot Request: Request that came from a bot.
Unclassified: Unclassified threats comprise a number of automatic blocks that are not related to the Browser Integrity Challenge (Bad Browser). These threats usually relate to Hotlink Protection, and other actions that happen on the edge based on the composition of the request (and not its content).
Unclassified means a number of conditions under which we group common threats related to Hotlink protection as well as certain cases of IP reputation and specific requests that are blocked at the Cloudflare edge before reaching your servers.
Overview
Status Codes analytics by data center is exclusive to the enterprise level of service.
Status Codes metrics in the Cloudflare dashboard Analytics app provide customers with deeper insight into the distribution of errors that are occurring on their website, per data center. A data center is a facility where Cloudflare runs the servers that make up our edge network. You can find a list of all Cloudflare data centers here.
HTTP status codes that we see in a response passing through our edge are displayed in analytics. These codes can be split into three groups: edge network errors, origin errors and '52x errors'.
Errors that originate from our edge servers - such as 502, 503, and 504 with 'Cloudflare' - are not reported as part of the error analytics. However, errors such as 52x can inform you about problems with your server.
Users may also see 100x errors, which are not reported. These will be displayed as either 403 or 409 (edge) errors.
Edge Network errors
400 - Bad Request intercepted at the Cloudflare Edge (e.g. missing or bad HTTP header)
403* - Security functionality (e.g.Web Application Firewall, Browser Integrity Check, CAPTCHAs, and most 1xxx error codes)
409* - DNS errors typically in the form of 1000 or 1001 error code
413 - File size upload exceeded the maximum size allowed (configured under the Speed app)
444 - Used by Nginx to indicate that the server has returned no information to the client, and closed the connection. This error code is internal to Nginx and is not returned to the client.
499 - Used by Nginx to indicate when a connection has been closed by the client while the server is still processing its request, making the server unable to send a status code back.
Origin errors
400 - Origin rejected the request due to bad, or unsupported syntax sent by the application.
404 - Only if the origin triggered a 404 response for a request.
4xx
50x
503 errors
We do count 503 errors from your origin that are passed as a response from the edge, though in this version 503 errors from the edge have multiple potential sources:
Your origin server returned a 503. We received this from the origin and the status code was in the response served from the edge.
Cloudflare detected malicious Layer 7 traffic and automatically issued a JS challenge that blocked the request.
IUAM (I'm Under Attack Mode): this also logs every blocked request.
Websocket rate-limit error
52x errors
520 - This is essentially a "catch-all" response for when the origin server returns something unexpected, or something that is not tolerated/cannot be interpreted by our edge (i.e. protocol violation or empty response).
522 - Our edge could not establish a TCP connection to the origin server.
523 - Origin server is unreachable (e.g. the origin IP changed but DNS was not updated, or due to network issues between our edge and the origin).
524 - Our edge established a TCP connection, but the origin did not reply with an HTTP response before the connection timed out.
Status codes
The status codes section shows:
The error code returned in the response
The time-stamp for the "bucket" you selected
The total count of that specific error code for that time-stamp
The % of total requests that serves that error
The top 5 colos (data-centers) where we served that error by count
You can filter out specific error(s) by selecting one or more in the legend. Once you select an error it will be greyed out in the drop-down menu, and the error will no longer display as part of the graph.
In this example, by clicking on 404 in the legend we removed it from being displayed in the UI.
Rate Limiting Analytics displays the number of requests that were blocked because they matched a rule. For requests exceeding a rule's limit, Cloudflare Rate Limiting issues a 429 error.
Overview
You can view rate limiting analytics in the Analytics app of the Cloudflare dashboard. To see the Rate Limiting analytics panel in the UI, you might need to scroll down.
The graph shows traffic that matched the rule for both simulated and blocked requests. The solid line indicates all matched requests (i.e., both blocked and simulated), while the dotted line shows blocked requests.
Enterprise customers can see a breakdown of blocked requests per location in their status code analytics view. A status of 429 indicates that a rule blocked a request, but it also includes 429 errors from the origin server, if the origin returns them. This happens when the origin server applies its own rate limiting rules.
Customers who have turned on Argo Smart Routing can see the benefit Argo is delivering for their site and visitors with two different views in the Analytics app in the dashboard.
1) A global histogram showing performance with and without Argo. The blue and orange series represent the before and after TTFB in locations where Argo found a Smart Route. A shift of the bars to the left represents a reduction in TTFB.
TTFB measures the delay between Cloudflare sending a request to your server and receiving the first byte in response. TTFB includes network transit time (which Smart Routing optimizes) and processing time on your server (which Argo has no effect on).
Traffic App
2) A map view showing how performance is improved from each Cloudflare PoP receiving traffic from their site.
Data will be shown for requests originating at any colo with at least 500 requests to origin that have been Smart Routed in the past 48 hours. This is to ensure we have seen enough requests to reach statistical significance and present high fidelity data to users. If insufficient data is available in all colos, we'll display a message to this effect (an updated message includes the percentage we are Smart Routing).
As an example, say a site has 1000 requests to the edge, 300 of which are cache hits and 700 of which go to the origin. If those 700 are distributed equally between 3 colos, we will not have sufficient data to display a chart. If all 700 of those requests to origin originated at the same colo, we will display charts. In our analysis, the vast majority of customers with Argo enabled meet this bar.
Not yet an Argo customer? Enable today on your .
View ArticleWhat is a subrequest?
Zone analytics
Worker analytics
FAQ:
Cloudflare Workers allows you to run JavaScript from Cloudflare's 150+ data centers. Learn more about Workers here!
What is a subrequest?
With a no-op Worker (a Worker that simply proxies traffic by passing on the original client request to the origin and proxying the response) running on a particular route, the request to the origin is counted as a subrequest, separate from initial client to edge request. Thus, unless the Worker responds with a static response and never hits an origin, the eyeball edge request, and edge origin request will each be counted separately towards the request or bandwidth count in Analytics. Subrequests are not included in the Requests or Bandwidth graphs of the CloudflareAnalytics app.
Zone analytics
In the dashboard, the numbers in zone analytics reflect visitor traffic. That is, the number of requests shown in zone analytics (under the Analytics tabs in the dashboard) is the number of requests that were served to the client.
Similarly, the bandwidth is counted based on the bandwidth that is sent to the client, and status codes reflect the status codes that were served back to the client (so if a subrequest received a 500, but you respond with a 200, a 200 will be shown in the status codes breakdown).
Worker analytics
For a breakdown of subrequest traffic (origin facing traffic), you may go to the CloudflareAnalytics app and click on the Workers tab. Under the Workers tab, below the Service Workers panel, you will see a Subrequests breakdown by count, Bandwidth and Status Codes. This will help you spot and debug errors at your origin (such as spikes in 500s), and identify your cache-hit ratio to help you understand traffic going to your origin.
FAQ:
Why don't I see any analytics for Workers?
If you are not currently using Workers (don't have Workers deployed on any routes or filters), we will not have any information to show you.
If your Worker sends a static response back to the client without ever calling fetch() to an origin, you are not making any subrequests, thus, all traffic will be shown in zone Analytics
Why can't I see any subrequests prior to 2018-08-16 22:00 UTC?
While you can't get subrequest information prior to this date, you will still be able to get this information about the client-facing traffic in the Analytics tab. If you are on our Enterprise plan, you may still get data for previous dates from our Cloudflare Logs.
Will this impact billing?
No, billing for Workers is based on requests that go through a Worker.
Why am I seeing such a high cache hit ratio?
Requests served by a Worker always show as cached. For an accurate cache hit ratio on subrequests, see the Subrequests graph in the Analytics app under the Workers analytics tab.
With Custom Nameservers, a domain can use Cloudflare DNS without using the host names of Cloudflare-assigned Nameservers.
Overview
Cloudflare domains on Business or Enterprise plans can set Custom Nameservers at Cloudflare.
By default, Custom Nameservers only apply to the specific Cloudflare domain where they are configured.
It is possible for Cloudflare domains to use the Custom Nameservers configured for a different domain. However, those domains require an Enterprise plan and a request must be sent to Cloudflare Support detailing which Custom Nameservers to apply.
Configure Custom Nameservers
Steps to add Custom Nameservers:
Log into the Cloudflare dashboard.
Ensure the website you want to update is selected.
Click the DNS app.
Scroll down to Custom Nameservers.
Click Add Custom Nameservers and enter nameserver hostnames (e.g. ns1, ns2, ns3).
Cloudflare will assign IPv4 and IPv6 addresses to your nameservers.
Add the Custom Nameservers and IP addresses to your domain registrar's DNS as glue (A or AAAA) records.
Failure to add the Cloudflare Custom Nameservers and IPs as glue records before updating your nameserver (NS) records will cause all DNS lookups for your domain to fail.
Update the nameservers at your registrar to point to the Custom Nameservers.
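As an added check for the glue-record warning above (not Cloudflare's tooling), the Python below parses the parent zone's referral as `dig` prints it and reports custom nameservers whose glue is missing, or whose glue addresses differ from the ones Cloudflare assigned, so the problem is caught before the nameservers are switched at the registrar. The embedded referral is constructed, and `example.com`, `ns1`/`ns2` and the 192.0.2.x and 2001:db8:: addresses are placeholders.

```python
"""Pre-flight check for Custom Nameserver glue records.

Added example, not Cloudflare's tooling. Before the NS records are switched
at the registrar, it reads the parent zone's referral as printed by
`dig +norecurse <zone> NS @<parent nameserver>` and reports custom
nameservers that have no A/AAAA glue, or whose glue differs from the
addresses Cloudflare assigned. The sample output below is constructed; the
zone, nameserver names and IP addresses in it are placeholders.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

# (owner name, record type, rdata); names lower-case without the trailing dot
Record = Tuple[str, str, str]


def parse_dig(output: str) -> Dict[str, List[Record]]:
    """Collect records from dig's ANSWER, AUTHORITY and ADDITIONAL sections."""
    records: Dict[str, List[Record]] = {"ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    section: Optional[str] = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(";; ") and line.endswith(" SECTION:"):
            section = line[3:-len(" SECTION:")]
            continue
        if not line or line.startswith(";") or section not in records:
            continue
        fields = line.split()
        if len(fields) < 5:
            continue  # not a "name ttl class type rdata" line
        name, rtype, rdata = fields[0], fields[3], " ".join(fields[4:])
        records[section].append((name.lower().rstrip("."), rtype.upper(),
                                 rdata.lower().rstrip(".")))
    return records


def glue_problems(zone: str, dig_output: str,
                  assigned: Optional[Dict[str, Iterable[str]]] = None) -> Dict[str, str]:
    """Map each in-bailiwick nameserver with broken glue to the reason.

    assigned: {nameserver: [ip, ...]} as shown in the Cloudflare DNS app; when
    given, glue that disagrees with it is reported as stale.
    """
    zone = zone.lower().rstrip(".")
    recs = parse_dig(dig_output)
    nameservers = {rdata for name, rtype, rdata in recs["ANSWER"] + recs["AUTHORITY"]
                   if name == zone and rtype == "NS"}
    glue: Dict[str, Set[str]] = {}
    for name, rtype, rdata in recs["ADDITIONAL"]:
        if rtype in ("A", "AAAA"):
            glue.setdefault(name, set()).add(rdata)
    expected = {ns.lower().rstrip("."): {ip.lower() for ip in ips}
                for ns, ips in (assigned or {}).items()}
    problems: Dict[str, str] = {}
    for ns in sorted(nameservers):
        # A nameserver hosted under another zone needs no glue here
        # (RFC 1912 section 2.3): resolvers fetch its address from that zone.
        if not (ns == zone or ns.endswith("." + zone)):
            continue
        if ns not in glue:
            problems[ns] = "no A/AAAA glue record at the registrar"
        elif ns in expected and glue[ns] != expected[ns]:
            problems[ns] = (f"stale glue: registrar has {sorted(glue[ns])}, "
                            f"Cloudflare assigned {sorted(expected[ns])}")
    return problems


# Constructed referral for a hypothetical zone: ns2 was added in Cloudflare
# but its glue record was never created at the registrar.
SAMPLE_REFERRAL = """\
;; AUTHORITY SECTION:
example.com.\t\t172800\tIN\tNS\tns1.example.com.
example.com.\t\t172800\tIN\tNS\tns2.example.com.

;; ADDITIONAL SECTION:
ns1.example.com.\t172800\tIN\tA\t192.0.2.10
ns1.example.com.\t172800\tIN\tAAAA\t2001:db8::10
"""

if __name__ == "__main__":
    for ns, why in glue_problems("example.com", SAMPLE_REFERRAL).items():
        print(f"{ns}: {why}")
```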
Related articles
Cloudflare Plans
Glue Records (RFC 1912 Section 2.3)
Learn more about how billing for Cloudflare Load Balancing is calculated.
Cloudflare Load Balancing pricing
Cloudflare Load Balancing billing
Load Balancing billable usage
Billing for Enterprise customers
Cloudflare Load Balancing pricing
Customers with China network access should not use the Load Balancer or HTTP 530 errors will occur.
Cloudflare Load Balancing subscriptions begin at $5 - $50 per month, depending on your selected subscription options.
You can configure Load Balancing to fit your specific requirements based on the number of origins, health check frequency, the number of regions checked from, and geo-routing.
The $5 subscription allows you to configure 2 origins, 60-second health checks, and checks from one (1) region: ideal for straightforward load balancing or failover.
Cloudflare Load Balancing billing
When enabled, Cloudflare Load Balancing is billed at the account level. In addition to the monthly subscription, we will count the number of DNS requests ("queries") for each configured Load Balancer, per month. The first 500,000 queries, shared across all Load Balancers in your account, are free: additional usage beyond this is charged at 50 cents per 500,000 queries, rounded up to the next 500k queries.
For example:
81,451 DNS queries = subscription + $0 in usage.
511,881 DNS queries = subscription + $0.50 in usage
2,994,155 DNS queries = subscription + $2.50 in usage
Note that the first500,000 queries are based on all active Load Balancers in your account, not per site (domain), as Load Balancers can be shared across sites by configuring a CNAME record.
Load Balancing billable usage
Usage is counted as authoritative DNS queries against Cloudflare's name servers for each of the Load Balanced hostnames you have configured.
You can reduce the number of authoritative DNS queries by configuring your Load Balancer as "proxied" (orange cloud) for your HTTP(S) services, which sets the external DNS TTL to 5 minutes while maintaining failover performance equivalent to very short DNS TTLs. Read more about the benefits of proxied (orange cloud) vs. unproxied (grey cloud).
Billing for Enterprise customers
Enterprise customers are billed based on discussions with the Cloudflare Enterprise Sales team. Enterprise customers also have access to additional features, including:
Running healthchecks from every Cloudflare datacenter (for increased failover granularity)
Per-data center steering (override the origins a specific location should use, and in which order)
Five-second health check intervals
Support for more than 20 origin servers
Cloudflare Enterprise Support (including 24x7 email, phone, and a named Solutions Engineer)
An origin pull happens whenever Cloudflare is unable to serve content from our network cache. Cloudflare enables origin pulls that are authenticated through a certificate validation process.
Overview
Browser to Cloudflare
Cloudflare to Origin Server
TLS Handshake
Installing on Apache and NGINX
Origin Pull Certificate
Overview
Cloudflare sits on the network between end-user web browsers and website origin servers. Traffic goes from the web browser to Cloudflare. Cloudflare fulfills the request from cache whenever possible. Otherwise, it goes back to the origin web server in a second connection. This type of request is called an origin pull.
Browser to Cloudflare
The link between end-user web browsers and Cloudflare benefits from strong security technology -- strong ciphers, SSL with automatically provisioned certificates, and the public CA infrastructure which maps certificates to domain names. Browsers validate the server certificate to ensure they're communicating with the correct web server.
Cloudflare to Origin Server
Authenticated Origin Pulls let origin web servers strongly validate that a web request is coming from Cloudflare. We use TLS client certificate authentication, a feature supported by most web servers, and present a Cloudflare certificate when establishing a connection between Cloudflare and the origin server. By validating this certificate in origin server configuration, access can be limited to Cloudflare connections.
Authenticated Origin Pulls is particularly important when taking advantage of the Cloudflare Web Application Firewall (WAF) security features. By using Authenticated Origin Pulls with a restricted-to-Cloudflare configuration, websites can be sure all traffic has been processed by a state of the art Web Application Firewall.
Once Authenticated Origin Pulls are enforced by your origin server, any HTTPS requests to your origin from outside Cloudflare will fail, including those to gray-clouded (unproxied) records on Cloudflare.
TLS Handshake
Without Authenticated Origin Pulls, the TLS session between Cloudflare and the origin looks like:
With Authenticated Origin Pulls, connections look like:
Installing on Apache and NGINX
Currently, the Authenticated Origin Pulls feature is incompatible with Railgun.
Click below to expand instructions for configuring TLS Authenticated Origin Pulls for either NGINX or Apache origin web servers:
Setting up Apache to use TLS Authenticated Origin Pulls
For authenticated origin pulls to work, use Full SSL in the Cloudflare SSL/TLS app, and update the origin web server SSL configuration. Download origin-pull-ca.pem and place the certificate in a file on your origin web server, for example in /path/to/origin-pull-ca.pem
Then add these lines to the SSL configuration for your origin web server:
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /path/to/origin-pull-ca.pem
Setting up NGINX to use TLS Authenticated Origin Pulls
For authenticated origin pulls to work, use Full SSL in the Cloudflare SSL/TLS app, and update the origin web server SSL configuration. Download and place the certificate in a file on your origin web server, for example in /etc/nginx/certs/cloudflare.crt
Then add these lines to the SSL configuration for your origin web server:
ssl_client_certificate /etc/nginx/certs/cloudflare.crt;
ssl_verify_client on;
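To show what the Apache and NGINX directives above enforce at the TLS layer, here is an added Go example (not Cloudflare's code) that stands up a loopback "origin" with client-certificate verification and probes it with and without a certificate, matching the two handshake cases described above. The CA, the edge certificate and the origin certificate are all constructed in memory as stand-ins for origin-pull-ca.pem and Cloudflare's real edge certificate; nothing is fetched from the network.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mustCert issues a short-lived, in-memory Ed25519 certificate for cn: self-signed
// when parent is nil (a CA), otherwise signed with parent's key.
func mustCert(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{"localhost"}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, interface{}(priv)
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// probe runs a one-shot TLS "origin" on loopback and connects to it once. With enforce
// set, the origin requires a client cert chained to pullCA (the origin-pull-ca.pem stand-in).
func probe(origin tls.Certificate, pullCA *x509.Certificate, enforce bool, client []tls.Certificate) (bool, error) {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{origin}}
	if enforce { // the equivalent of SSLVerifyClient require / ssl_verify_client on
		srvCfg.ClientCAs, srvCfg.ClientAuth = x509.NewCertPool(), tls.RequireAndVerifyClientCert
		srvCfg.ClientCAs.AddCert(pullCA)
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	check(err)
	defer ln.Close()
	go func() { // origin side: answer "ok" only if the handshake, client cert included, passes
		if c, err := ln.Accept(); err == nil {
			if c.(*tls.Conn).Handshake() == nil {
				c.Write([]byte("ok"))
			}
			c.Close()
		}
	}()
	cliCfg := &tls.Config{RootCAs: x509.NewCertPool(), ServerName: "localhost", Certificates: client}
	cliCfg.RootCAs.AddCert(origin.Leaf) // the client pins the origin's self-signed certificate
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return false, err // rejected inside the handshake (TLS 1.2 behaviour)
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	// Under TLS 1.3 the rejection arrives as an alert on the first read instead.
	buf := make([]byte, 2)
	n, err := conn.Read(buf)
	return err == nil && string(buf[:n]) == "ok", err
}

// Scenarios reports, per case, whether the origin accepted the connection.
func Scenarios() map[string]bool {
	pullCA := mustCert("origin-pull-ca (constructed stand-in)", true, nil)
	edge := mustCert("cloudflare-edge (constructed)", false, &pullCA)
	rogueCA := mustCert("rogue-ca (constructed)", true, nil)
	rogue := mustCert("impostor (constructed)", false, &rogueCA)
	origin := mustCert("localhost", false, nil)
	results := map[string]bool{}
	run := func(name string, enforce bool, client []tls.Certificate) {
		ok, err := probe(origin, pullCA.Leaf, enforce, client)
		results[name] = ok
		fmt.Printf("%-34s accepted=%-5v %v\n", name, ok, err)
	}
	run("no enforcement, no client cert", false, nil)
	run("enforced, no client cert", true, nil)
	run("enforced, cert from another CA", true, []tls.Certificate{rogue})
	run("enforced, cert signed by pull CA", true, []tls.Certificate{edge})
	return results
}
func main() { Scenarios() }
```

The third case is the one the pinned CA file buys you: a client certificate from any other issuer is rejected just like no certificate at all, so only connections carrying a certificate chained to origin-pull-ca.pem reach the application.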
Origin Pull Certificate
Cloudflare uses the following certificate authority to sign certificates for the Authenticated Origin Pull service:
Identify, monitor, and mitigate automated requests with Cloudflare Bot Management, a mitigation solution based on machine learning. Bot Management is currently in beta and available to customers in the Enterprise plan.
About Cloudflare Bot Management
Differences between Bot Management and other Cloudflare bot mitigation tools
Activating Bot Management
Frequent Bot Management questions
Related resources
About Cloudflare Bot Management
With Cloudflare Bot Management, you can identify and mitigate scrapers and automated requests. This solution complements other Cloudflare Firewall products, including Web Application Firewall (WAF), Rate Limiting, and IP Reputation Database. Bot Management is able to detect and block bad bots without needing JavaScript injection. Bot Management takes advantage of machine learning across tens of millions of Internet properties proxied by Cloudflare and assigns a score to every request. Cloudflare's dynamic firewall rules can then match against malicious bot requests whenever the request's score falls below a specific threshold.
Key Cloudflare Bot Management benefits include:
A large training set that yields more accurate bot identification: Our training set comprises millions of requests made against several million Internet properties.
Decisions made at the edge reduce latency and result in faster performance: Since such a large number of requests traveling through the Cloudflare network get their score updated, we push the machine learning results to our edge. This way, requests can be evaluated at the edge instead of the origin. This reduces latency and prevents uncached requests from impacting server CPU at the origin.
Many different attack vectors can lead to compromised protection. Denial of service attacks, poor access controls, and SQL injection can aggravate bot-based attacks. To guard against these, security teams can design comprehensive protection with less training and context switching, using Cloudflare's consolidated firewall solution, which includes bot management.
Bot Management is a beta product available to customers in the Enterprise plan. Contact your Cloudflare account team to enable Bot Management for your site. Non-Enterprise customers can enable Bot Fight Mode.
Differences between Bot Management and other Cloudflare bot mitigation tools
Cloudflare Bot Management focuses on explicit bot mitigation as compared to our current WAF and rate limiting solutions. Currently, Bot Management focuses on mitigating:
Credential and credit card stuffing,
content scraping, and
other types of deception including: spam, registration, marketing, and ad-click fraud.
Bot Management detects and blocks bad bots based on the following mitigation methods:
Machine learning (ML): By applying ML across millions of Internet properties, Cloudflare creates a reliable bot score that can be used to create rules for blocking requests based on the likelihood that they might come from a bot.
Behavioral analysis (BA): Behavioral analytics detect and block abnormal requests based on HTTP sessions. This approach is user-agent agnostic and identifies potential bots based on actual metrics.
JavaScript injection: If you prefer additional independent protections, you can apply JavaScript inspection to suspicious traffic, but it's not required.
You can combine or use the above methods separately.
The most notable advantages of Bot Management over the standard Cloudflare solution are:
More reliable bot identification based on a large training set, and
faster performance with decisions made closer to the client.
Activating Bot Management
Once enabled for your Enterprise domain, you can enable Bot Management as follows:
Log in to the Cloudflare dashboard.
Click the Firewall app.
Click the Settings tab.
Scroll down to Bot Management, then toggle the feature to On.
After you have activated Bot Management:
The following Cloudflare Firewall Rules become available for use:
cf.bot_management.score - The score Bot Management generates for the request (1 to 99).
cf.bot_management.verified_bot - A boolean value that is true if the request comes from a good bot (whitelisted by Cloudflare), and
cf.bot_management.static_resource - An identifier to match file extensions for many types of static resources.
The header Cf-Client-Trust-Score becomes available via Cloudflare Workers.
The Cloudflare bot management _cf_bm cookie is set on your website to help with score improvement.
Frequent Bot Management questions
I enabled Bot Management in Log/Simulate mode. What data should I look for?
We recommend that you study the logged data and analyze whether any of the information logged resembles your office IPs, your monitoring service, your favorite Python script, etc. Whitelist them if necessary.
How does machine learning work?
Supervised machine learning takes certain variables (X) like gender and age and predicts another variable (Y) like income. In Cloudflare Bot Management, the X variables are request features, while the Y variable represents the probability of solving a Captcha based on X values. We use data from millions of requests and re-train the system on a periodic basis. You can learn about this data from your own request logs such as Cloudflare Logpull and Logpush as well as the Firewall API.
What is the difference between the threat score and bot management score?
The difference is significant:
Threat score (cf.threat_score) is what Cloudflare uses to determine IP Reputation. It goes from 0 (good) to 100 (bad).
Bot management score (cf.bot_management.score) is what Cloudflare uses in Bot Management to measure if the request is from a human or a script. The scores range from 1 (bot) to 99 (human). Lower scores indicate the request came from a script, API service, or an automated agent. Higher scores indicate that the request came from a human using a standard desktop or mobile web browser.
Requests from "good bots" also get a low Bot Management score, but can be whitelisted in a Firewall Rule using the Verified Bot field. The Verified Bot field in Firewall Rules refers to a "good bots" whitelist used to avoid blocking friendly verified bots such as common search crawlers and monitoring tools.
These fields are available via Cloudflare Firewall Rules.
What is cf.bot_management.verified_bot?
A request's cf.bot_management.verified_bot value is a boolean indicating whether the request comes from a Cloudflare whitelisted bot. Cloudflare has built a whitelist of good, automated bots, e.g. Google Search Engine, Pingdom, and more. This whitelist is largely based on reverse DNS verification, meaning that the IPs we whitelist really match the requesting service. In addition to this, Cloudflare uses multiple validation methods including ASN blocks and public lists. If none of these validation types are available for a customer, we use internal Cloudflare data and machine learning to identify legitimate IP addresses from good bots.
I run a good bot and want it to be added to the whitelist (cf.bot_management.verified_bot). What should I do?
To be added to the Cloudflare whitelist, please submit this online application.
Related resources
Stop the Bots: Practical Lessons in Machine Learning (Cloudflare Blog)
Cloudflare Bot Fight Mode (Developers Documentation)
Overview
With tens of millions of sites on the internet using WordPress, many WordPress sites have decided to use Cloudflare to make their site faster with our free CDN and more secure with our security features. Since we get a lot of questions about WordPress online and in our support channel, as well as a lot of common areas of confusion, we'll cover the recommended first steps in an easy-to-read article. All of these steps take very little time to complete, and any WordPress user should be able to do most of them in a few minutes or less.
The article starts from the perspective that you have already followed the process to create your Cloudflare account and added your website to Cloudflare. You can also learn more in Cloudflare 101 section.
Step #0 - Preparing the Server
If you have control of your web server, here are some twea/ks that will make your life a little easier; if you don't have control of your web server, feel free to skip this section.
On an Apache server, it is a great idea to install the latest version of Mod_Cloudflare. This will ensure that Cloudflare works transparently by ensuring your IP Address is logged correctly in both Apache logs and web applications. In addition to this, Mod_Cloudflare will now also ensure that Flexible SSL will work transparently. In order to install Mod_Cloudflare please see our resources page: https://www.cloudflare.com/resources-downloads/
In addition to this, be sure not to rate limit or block Cloudflare IPs, you can find a list of Cloudflare IPs here: https://www.cloudflare.com/ips/
Step #1 - Install the WordPress Plugin
The official Cloudflareplugin for WordPressallows you to ensure your site is running optimally on the WordPress platform: https://wordpress.org/plugins/cloudflare/
In order to install this plugin you will first need to log in to your WordPress dashboard, go to the Plugins section, search for Cloudflare, and install the WordPress plugin.
Speed Up WordPress and Improve Performance
After the plugin has been installed click the Activate Plugin button. You can then go ahead and configure the plugin by going to Settings and clicking the Cloudflare menu option:
You will then be greeted by the login page where you can now enter in your credentials:
In order to find your API key, you can look in the drop down in the top right corner of your Cloudflare dashboard and click My Profile, the API key options will be under the Account > API Key section.
You will find the Global API Key panel on that Page:
Once you have entered your Global API key into the WordPress dashboard, click Save API Credentials and we're good to go.
Step #2 - Load Optimized Defaults
You can now enable the Optimized Defaults in the WordPress plugin so Cloudflare works optimally on your platform. You can do this by clicking the Apply button next to this setting.
Automatic Cache Purge will allow you to automatically flush the Cloudflare Cache when your WordPress site appearance is updated, you should enable this too.
Next Steps
After following these steps, you can now go ahead and improve your security and performance by customizing your Cloudflare configuration.
Hardening WordPress Security
Caching Anonymous Page Views with WordPress or WooCommerce
Learn about the tools Cloudflare offers to protect your domains, URLs, and directories.
Overview
Cloudflare Access
IP Access Rules
Security Level
Zone (URL) Lockdown
Forwarding URL
User-Agent Blocking Rules
Rate Limiting
Custom WAF Rule
Token Authentication
Related Resources
Overview
Cloudflare offers a number of tools for protecting your site against specified volumes of traffic, certain groups of requesters, and specific requesting IPs. There is a specific order in which security tools trigger:
IP Access Rules
Firewall Rules
Zone Lockdown
User Agent Blocking
WAF
Below is a list of security features with details on how to set them up.
Cloudflare Access
Cloudflare Access adds an authentication page in front of an application you don't want to be publicly accessible. It is a perimeter-less access control solution for cloud and on-premise applications.
Read more about Getting Started with Cloudflare Access.
IP Access Rules
IP Access Rules allow you to control access for specific IP addresses, IP ranges, countries, ASNs, and certain CIDR blocks. This is best used when you want to control traffic for these specific elements. Available actions to affect incoming requests are Whitelist, Block, Challenge (Captcha), or JavaScript Challenge (IUAM challenge).
For example, if you are already restoring visitor IPs using the mod_cloudflare plugin and you notice that a particular IP is causing malicious requests, you can block that user via IP address.
Security Level
The Security Level setting allows you to control your site's tolerance to potentially malicious IPs by responding to requesting IPs having certain IP-reputation levels with Captcha challenges. You select a Challenge Passage, which controls how long a user that has passed the Captcha challenge may continue freely browsing your site before being challenged again.
For example, if you are a new website owner who would like to prevent bot IPs from attacking your site, you might set a Medium or High Security Level and a lower Challenge Passage of 5 to 30 minutes to ensure that Cloudflare is constantly protecting your site.
If you are an experienced website administrator and proxy implementer who is confident in your security settings, you might set an Essentially Off or Low Security Level and a higher Challenge Passage of a week, month, or even year, to provide a less obtrusive experience for your users.
Zone (URL) Lockdown
Only available for Pro, Business, and Enterprise plans.
Zone (URL) Lockdown allows you to specify a list of one or more IP addresses or networks that are the only IPs allowed to access a domain, subdomain, or URL. This does not whitelist IPs; it defines what is allowed and rejects everything else.
Zone Lockdown supports:
Specific sub-domains, allowing you to, for example, allow IP 1.2.3.4 to access domain foo.example.com and allow IP 5.6.7.8 to access domain bar.example.com, but not necessarily the reverse.
Specific URLs, enabling you to, for example, allow IP 1.2.3.4 to access the directory example.com/foo/* and allow IP 5.6.7.8 to access the directory example.com/bar/*, but not allow the opposite.
This is useful when you need more granularity in your access rules since with the IP Firewall, you can only either apply the block to all sub-domains of the current domain or all domains on your account, and you can not specify URIs.
Forwarding URL
Forwarding URL allows you to prevent access to (1) URLs, (2) a certain request scheme (HTTP or HTTPS), (3) a file type, (4) a sub-domain, or (5) a directory, by redirecting users away from this content to some "safe" location.
Example uses for each of these would be:
Prevent access to the specific URL example.com/puppies.jpg: Redirect example.com/puppies.jpg to https://example.com/safe/location
Prevent access to the HTTP version of example.com/puppies.jpg: Redirect http://example.com/puppies.jpg to https://example.com/puppies.jpg
Prevent access to the .jpg file type: Redirect example.com/*.jpg to https://example.com/safe/location
Prevent access to your www sub-domain www.example.com/*: Redirect www.example.com/puppies.jpg to https://example.com/puppies.jpg. Alternatively, to prevent access to any sub-domain you can use a wildcard: Redirect *.example.com/puppies.jpg to https://example.com/puppies.jpg.
Prevent access to the directory path /foo/bar/: Redirect example.com/foo/bar/* to https://example.com/safe/location
User-Agent Blocking Rules
User-Agent Blocking allows you to take action on any User-Agent string you choose. This works similarly to Zone (URL) Lockdown as described above, except this block examines the incoming User-Agent string rather than the IP. You can also choose how to handle a matching request with the same list of actions as you have in the IP Firewall (Block, JS Challenge, Captcha Challenge, and Whitelist). Note that User-Agent blocking applies to your entire zone, so you cannot specify sub-domains as you can with Zone Lockdowns.
This tool is useful for blocking any User-Agent strings that you deem suspicious and works great in conjunction with the Browser Integrity Check feature.
Rate Limiting
Rate Limiting allows you to control volumes of traffic for your entire site, specific URL, and any directory, for a given interval of time.
When Protect My Login, a pre-configured Rate Limiting rule, is enabled, it mitigates brute force login attacks. This is useful because login pages tend not to be cacheable and are therefore vulnerable as DDoS attack vectors.
For example, if there are many uncacheable resources in your /foo/bar/ directory and you also want to mitigate DDoS attacks on your origin server, enabling Rate Limiting could ensure that no one can exceed a traffic rate of 1000 requests per minute to that directory and that any violating IP gets blocked.
Custom WAF Rule
Only available for Business and Enterprise plans.
You can request a Custom WAF rule to be created for any traffic logic that you are unable to implement at the edge using the tools in your Cloudflare account by default, such as all of the above.
This is recommended in order to base traffic logic on:
Virtually any HTTP header in the request.
IP ranges.
Hostname
Regex
Validation of byte ranges, for example to prevent binary data from being transferred through the URI.
Checking for empty strings anywhere in the request.
Integer comparisons (greater than, less than, greater than/equal to, less than/equal to, and equal to).
Token Authentication
Only available for Business and Enterprise plans.
Token Authentication allows you to restrict access to documents, files, and media to selected users without requiring registration. This can be used to protect paid/restricted content from leeching and non-authorized sharing. Token Authentication can be easily implemented using the Cloudflare Web Application Firewall (WAF) and requires a Business level subscription or higher.
Read more about How to setup Token Authentication.
Related Resources
Configuring IP Access Rules
Configuring URL forwarding or redirects with Cloudflare Page Rules
What does Cloudflare's Security Level mean?
Getting started with Cloudflare Access
Zone (URL) Lockdown developer documentation
User-Agent Blocking rules
Cloudflare Rate Limiting
Custom WAF rule
How to setup Token Authentication
Understand which Cloudflare SSL options encrypt HTTPS traffic between Cloudflare and the origin web server.
Overview
The SSL section of the Cloudflare SSL/TLS app contains several options that determine whether Cloudflare securely connects to your origin web server. After reviewing the description of each SSL option, refer to our list of recommended SSL options depending on your origin web server SSL configuration:
Off
Flexible
Full
Full (strict)
Strict (SSL-Only Origin Pull)
Off disables HTTPS for your site visitors whereas Full (strict) provides the most traffic security end-to-end.
If your origin web server either redirects HTTP traffic to HTTPS or HTTPS traffic to HTTP, redirect loop errors can occur for website visitors.
Off
Off disables secure HTTPS connections between both visitors and Cloudflare and between Cloudflare and your origin web server. Visitors can only view your website over HTTP. Any connections attempted via HTTPS result in a HTTP 301 redirect to unencrypted HTTP.
Setting SSL to Off hides the Onion Routing and Always Use HTTPS settings in the Edge Certificates tab of the Cloudflare SSL/TLS app.
Flexible
The Flexible SSL option allows a secure HTTPS connection between your visitor and Cloudflare, but forces Cloudflare to connect to your origin web server over unencrypted HTTP. An SSL certificate is not required on your origin web server and your visitors will still see the site as being HTTPS enabled.
Flexible is not recommended if your website contains sensitive information. Use Flexible only as a last resort if you are unable to set up SSL at your origin web server.
Full
Full ensures a secure connection between both the visitor and your Cloudflare domain and between Cloudflare and your web server.
The Full SSL option does not validate SSL certificate authenticity at the origin. A self-signed certificate is allowed at the origin web server.
To avoid 525 errors, before enabling the Full SSL option, configure your origin web server to allow HTTPS connections on port 443 and present either a self-signed SSL certificate, a Cloudflare Origin CA certificate, or a valid certificate purchased from a Certificate Authority.
Full (strict)
Full (strict) ensures a secure connection between both the visitor and your Cloudflare domain and between Cloudflare and your origin web server. Configure your origin web server to allow HTTPS connections on port 443 and present either a Cloudflare Origin CA certificate or a valid certificate purchased from a Certificate Authority. This certificate must be signed by a Certificate Authority that is trusted by Cloudflare, have a future expiration date, and cover the requested domain name (hostname).
The Full (strict) SSL option checks for SSL certificate validity at the origin web server. A self-signed certificate cannot be used. A Cloudflare Origin CA certificate or valid certificate purchased from a Certificate Authority is required to avoid 526 errors.
Strict (SSL-Only Origin Pull)
Strict (SSL-Only Origin Pull) is only available for Enterprise zones.
Strict (SSL-Only Origin Pull) instructs Cloudflare's network to always connect to your origin web server using SSL/TLS encryption (HTTPS). The SSL certificate presented by the origin web server must be signed by a Certificate Authority that is trusted by Cloudflare, have a future expiration date, and cover the requested domain name (hostname).
Additionally, Strict (SSL-Only Origin Pull) instructs Cloudflare to utilize Authenticated Origin Pulls.
Related resources
Learn
End-to-end HTTPS with Cloudflare - Part 1: conceptual overview
End-to-end HTTPS with Cloudflare - Part 2: SSL certificates
Troubleshoot
My SSL isn't working. Why not?
Resolving redirect loop errors
Troubleshooting 525 errors
If you signed up through a Cloudflare Hosting partner's panel option, do the following to remove that connection to the hosting provider:
1. Login to the Cloudflare account that is associated with your signup through the hosting partner.
2. Select the domain from your account list.
3. In the Overview app, go to the Advanced section.
4. Scroll down to Advanced Actions located in the vertical list of links on the right side of the UI
5. Click
6. Click Confirm.
Learn the differences between Cloudflare's Caching Level options.
Overview
Cloudflare's CDN caches static content according to these levels:
No Query String: Delivers resources from cache when there is no query string. Example URL: example.com/pic.jpg
Ignore Query String: Delivers the same resource to everyone independent of the query string. Example URL: example.com/pic.jpg?ignore=this-query-string
Standard (Default): Delivers a different resource each time the query string changes. Example URL: example.com/pic.jpg?with=query
Adjust the Caching Level via the Cloudflare Caching app.
Ignore Query String only disregards the query string for static file extensions. For example, Cloudflare serves the style.css resource to requests for either style.css?this or style.css?that
Cloudflare's data sources will help reduce the number of bad bots and crawlers hitting your site automatically (not all). If you would like to place a block of your own for a bad bot or crawler, you can block them by IP in your Firewall app.
In addition, customers that are on a paid plan can look at turning on Cloudflare's Web Application Firewall (WAF) to further help reduce the threat of bad bots and crawlers that don't follow good behavior guidelines.
Overview
When a request is handled by Railgun, Cloudflare inserts a header with diagnostic information to track how the protocol is doing. If you want to see these headers, you'll need to use a browser that supports examining header information.
View Railgun header in browser
Google Chrome: View > Developer > Developer Tools menu. You can also install Cloudflare's Claire extension.
Safari: Develop > Show Web Inspector menu
Firefox: Install Firebug
Microsoft Internet Explorer: You can use a tool like Fiddler
When you are looking for the header information, you should be seeing Cloudflare headers like the following in the response:
cf-railgun: e95b1c46e0 0.02 0.037872 0030 9878
cf-ray: 478149ad1570291
The CF-Railgun header has up to five codes separated by a space. In order, these codes and their corresponding values from the example of cf-railgun: e95b1c46e0 0.02 0.037872 0030 9878 listed above are:
Railgun Request ID: e95b1c46e0 (internal process number that allows us to track what connection handled a request)
Compression Ratio: 0.02 (the size of the response after Railgun's delta compression expressed as a percentage)
Origin Processing Time: 0.037872 (the time Railgun waits for the origin web server to generate the page)
Railgun Flags: 0030 (how a request was processed)
Version Number: 9878 (indicates the version of the Railgun Listener software on the origin server's network)
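As an added example (not Cloudflare's code), the following Go parser reads the cf-railgun header described above from a response and splits it into the five codes, rejecting malformed values and tolerating headers that carry fewer than five. The header values are the ones quoted on this page, placed into a constructed http.Header.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// RailgunInfo holds the up-to-five codes carried by the cf-railgun header.
type RailgunInfo struct {
	RequestID        string  // internal id of the connection that handled the request
	CompressionRatio float64 // response size after delta compression, as a percentage
	OriginTime       float64 // seconds Railgun waited for the origin to generate the page
	Flags            string  // how the request was processed (left opaque here)
	Version          string  // Railgun Listener software version
}

// ParseRailgun parses a cf-railgun header value. The page documents up to five
// space-separated codes, so fields after the request ID are optional; anything
// malformed is rejected rather than silently zeroed.
func ParseRailgun(value string) (RailgunInfo, error) {
	f := strings.Fields(value)
	if len(f) == 0 || len(f) > 5 {
		return RailgunInfo{}, fmt.Errorf("cf-railgun: expected 1 to 5 codes, got %d", len(f))
	}
	info := RailgunInfo{RequestID: f[0]}
	parse := func(i int, dst *float64, name string) error {
		if i >= len(f) {
			return nil // optional field not present
		}
		v, err := strconv.ParseFloat(f[i], 64)
		if err != nil || v < 0 {
			return fmt.Errorf("cf-railgun: bad %s %q", name, f[i])
		}
		*dst = v
		return nil
	}
	if err := parse(1, &info.CompressionRatio, "compression ratio"); err != nil {
		return RailgunInfo{}, err
	}
	if err := parse(2, &info.OriginTime, "origin processing time"); err != nil {
		return RailgunInfo{}, err
	}
	if len(f) > 3 {
		info.Flags = f[3]
	}
	if len(f) > 4 {
		info.Version = f[4]
	}
	return info, nil
}

// RailgunFromResponse reads the header from response headers (names are
// case-insensitive, so "CF-Railgun" and "cf-railgun" both match). ok is false
// when the response did not pass through Railgun at all or the value is malformed.
func RailgunFromResponse(h http.Header) (info RailgunInfo, ok bool, err error) {
	v := h.Get("CF-Railgun")
	if v == "" {
		return RailgunInfo{}, false, nil
	}
	info, err = ParseRailgun(v)
	return info, err == nil, err
}

func main() {
	// Constructed response headers using the example values quoted on this page.
	h := http.Header{}
	h.Set("CF-Railgun", "e95b1c46e0 0.02 0.037872 0030 9878")
	h.Set("CF-Ray", "478149ad1570291")
	info, ok, err := RailgunFromResponse(h)
	fmt.Printf("%+v ok=%v err=%v\n", info, ok, err)
}
```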
The number one reason that a Page Rule isn't working, such as URL forwarding, is that the Page Rule you created is on a record that is not proxied by Cloudflare in your DNS settings.
Example: You have a Page Rule that redirects a subdomain (subdomain.yoursitename.com) back to your root domain (yoursitename.com). If you do not have that record proxied in your DNS settings for the subdomain record (orange cloud), Cloudflare's proxy is not running over the record and a Page Rule will not work because it is going direct to your server.
Also see: Page Rules tutorial
Overview
Cloudflare uses a Multi-Factor Authentication (MFA) method for increased account security. MFA prevents customer account takeovers when attackers gain unauthorized access to an account due to an exposed or easily guessed password.
Cloudflare will challenge any login attempt if the user provides the correct credentials from an unrecognized IP address.
Securing user access with two-factor authentication
Cloudflare challenges the login by sending a one-time code that expires in 30 minutes to the email we have on file for the account. Once the correct code is provided through the dashboard, that IP will be recorded and further login attempts from that IP address won't be challenged for 90 days.
By checking remember this computer, that device/browser will not receive MFA challenges for up to 14 days. After 14 days, Cloudflare will begin checking the IP address again for logins from that device/browser.
Email MFA can only be disabled by enabling two-factor authentication.
Troubleshooting MFA
Cloudflare emails are sometimes flagged as spam by the recipient's email service. If you are expecting an authentication token, you should check the spam folder for any Cloudflare emails and configure a filter to allow Cloudflare emails from [email protected].
Other times emails are rejected by the recipient email service. Cloudflare will try again but after a few attempts it will flag your email address and no further emails will be sent.
If after ensuring your email service is not flagging Cloudflare you still do not receive an email, contact Cloudflare Support.
Related Resources
Learn how the Cloudflare billing policy applies to the domains, plans, and add-on services associated with your account.
Overview
Upgrade or downgrade Cloudflare paid plans
Billing and payment for Enterprise plans
Approved payment methods
Related resources
Overview
The terms subscription and add-on service are used interchangeably in this support guide.
Cloudflare plans and add-on services are billed every 30 days for each domain in your account.
Cloudflare also collects sales tax as governed by local laws. Sales taxes are computed based on the nine (9) digit postal code of either the shipping or billing address on file for your Cloudflare account where applicable.
If you are a US-based customer, you can file for sales tax exemption.
Cloudflare issues a separate invoice for plans and subscriptions (or add-on services) for every domain added to a Cloudflare account.
Subdomains do not count as billable domains.
For example, if test1.com and test2.com are added to the same Cloudflare account and upgraded to the Pro plan, you will receive an invoice with two $20 charges. Subdomains such as blog.test1.com or blog.test2.com will not be included as billable domains.
The date you initiate a paid plan or add-on service will be both the start of your billing period and your invoice date. For example, if you upgrade your plan on January 10, all future plan charges will be billed on the 10th of every month.
When ordering a paid plan, subscription, or add-on service, you must agree to the following:
By clicking "Enable" you agree that you are purchasing a continuous month-to-month subscription which will automatically renew, and that the price of your selected subscription plan level and/or add on(s) will be billed to your designated payment method monthly as a recurring charge, unless you cancel your subscription(s), through your account dashboard, before the beginning of your next monthly billing period.
You will be billed for the full monthly period in which you cancel and no refunds will be given. By purchasing a subscription, you agree to a minimum one month purchase obligation.
For more information on renewal terms and cancellation please review the Cloudflare Terms of Use.
Upgrade or downgrade Cloudflare paid plans
Upgrade to a higher-priced Cloudflare paid plan
If your domain is on a paid plan (for example, Pro) and you upgrade to a higher-priced plan (for example, Business),
Your invoice will reflect the prorated cost of the higher-tiered plan, until the end of your billing cycle.
Cloudflare credits the prorated cost of the lower-priced plan, until the end of the billing cycle.
At the beginning of the next billing cycle, your invoice will reflect the full cost of the higher-priced plan.
For example, if your billing date is January 1, but you upgrade from Pro to Business, on January 15,
Your invoice will reflect the prorated Business plan rate for the period of use January 15 - January 30 ($100).
Cloudflare credits the prorated Pro plan cost from January 1 - January 15 ($10).
Your invoice for the billing period of January 1 - January 30 in the amount of $110 will appear in the Cloudflare dashboard on January 31.
Account credits are automatically added to your account and can only be used on recurring monthly charges for Cloudflare plans or add-on services. Your monthly invoice lists any credits.
Downgrade from a higher-price Cloudflare plan
If your domain is on a paid plan (for example, Business) and you downgrade to a lower-priced plan (for example, Pro),
Your plan type is immediately downgraded and the higher-tiered Cloudflare plan features are disabled.
Cloudflare credits the prorated cost for the higher-tiered plan, until the end of the billing cycle.
Your invoice will reflect the charge for both plans, the prorated credit, and the account credit balance available for the next billing cycle.
For example, if your billing date is February 1, but you downgrade to Pro from the Business plan on February 15,
You immediately lose the Business plan features.
You receive a credit of $100 to your Cloudflare account for the period of use from February 1 - February 15.
Your plan charges for the month of March will decrease to $20. Your account credit will be applied to the Pro plan charges.
In this case, your next out of pocket payment will be required in five (5) months.
Billing and payment for Enterprise plans
Enterprise customers work with the Cloudflare account team to customize a plan and service contract to best suit their needs. The Cloudflare accounting team receives and processes Enterprise plan charges.
Enterprise account owners receive invoices directly from the Cloudflare accounting team.
Approved payment methods
Cloudflare only accepts VISA, MasterCard, American Express, Discover, and PayPal. No other payment methods (for example, UnionPay or Maestro) are possible at this time.
Enterprise customers can use ACH payments or checks for Cloudflare plans and subscriptions.
Please ensure that you're using a valid payment method before changing your plan type or enabling subscriptions.
Gift cards and pre-payment cards may not be accepted for payment as they are not associated with a billing address.
Related resources
Cloudflare Self-Serve Subscription Agreement
Understanding Cloudflare Invoices
Understanding Cloudflare sales tax
Learn how to cache HTML files with WordPress and WooCommerce.
Overview
Customers in all Cloudflare plans can configure caching of HTML files. However, only Business and Enterprise customers can bypass HTML caching when a cookie is sent with a request, using the Bypass Cache on Cookie setting in Cloudflare Page Rules.
This allows for static HTML to be cached at our edge, with no need for it to be regenerated from request to request.
Enterprise Cloudflare customers can use Custom Cache Keys to take their performance further, contact your Customer Success Manager for more details.
Prerequisites
Before starting, be sure that Cloudflare is set to respect Cache-Control headers from your origin web server; otherwise, you may find Cache-Control headers are overridden by Cloudflare with the value set in the Browser Cache Expiration option. To set the Respect Existing Headers option:
1. Log in to your Cloudflare account.
2. Click the Caching app.
3. Scroll down to Browser Cache Expiration and select the Respect Existing Headers value.
Cache Static HTML with Cloudflare Page Rules
1. Log in to your Cloudflare account.
2. Click Create Page Rule to set up static HTML caching on your site.
3. Set the page rule to match your WordPress installation path. If your site is at https://www.example.com, the rule would match https://www.example.com/*.
In the example here, WordPress is running on https://junade.com, so the Page Rule should match https://junade.com/*.
4. Set additional Page Rules to cache static HTML:
Cache Everything instructs Cloudflare to cache static HTML.
When the Bypass Cache on Cookie rule matches the criteria you set, Cloudflare won't cache HTML (whilst static images and other files will still be cached). This is what keeps HTML generated for a logged-in user or a shopper's cart out of the shared edge cache, where it would otherwise be served to other visitors. Depending on whether you're using raw WordPress or WooCommerce, you should use one of the configurations below:
WordPress (native)
wp-.*|wordpress.*|comment_.*
WordPress with WooCommerce
wp-.*|wordpress.*|comment_.*|woocommerce_.*
Finally, setting Edge Cache TTL will define the maximum period of time Cloudflare should keep cached files before fetching them again from the origin web server. Even after setting a long Edge Cache TTL, you can still manually clear the cache or use our WordPress plugin to automatically manage cache purging.
5. Click Save and Deploy to finish.
Additionally, by using the Cloudflare WordPress plugin, you are able to automatically purge the cache for your site after your site changes (i.e. changing/customizing your theme or editing, deleting or creating a post, attachment or page).
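The following is an added example, not code from Cloudflare or the WordPress plugin, that models the Bypass Cache on Cookie decision for the two expressions given above. It assumes the expression is applied to each cookie name in the request's Cookie header (anchored match); the exact matching semantics are not documented on this page, and the sample Cookie headers are constructed.

```python
"""Model of the "Bypass Cache on Cookie" decision for the expressions above.

Added example, not Cloudflare's or the WordPress plugin's code. It applies the
regular expression to the names of the cookies in a request's Cookie header;
that per-name, anchored matching is an assumption of this model, and the
sample Cookie headers below are constructed for illustration.
"""
import re

# The two expressions given above for the Bypass Cache on Cookie setting.
NATIVE_WORDPRESS = r"wp-.*|wordpress.*|comment_.*"
WOOCOMMERCE = NATIVE_WORDPRESS + r"|woocommerce_.*"


def cookie_names(cookie_header: str) -> list:
    """Return the cookie names from a request Cookie header ("a=1; b=2" -> ["a", "b"])."""
    names = []
    for pair in cookie_header.split(";"):
        pair = pair.strip()
        if pair:
            names.append(pair.split("=", 1)[0].strip())
    return names


def bypassing_cookies(cookie_header: str, pattern: str) -> list:
    """The cookie names that trigger the bypass (handy when debugging a rule)."""
    rx = re.compile(pattern)
    return [name for name in cookie_names(cookie_header) if rx.fullmatch(name)]


def should_bypass_cache(cookie_header: str, pattern: str) -> bool:
    """True if any cookie name matches the bypass expression.

    With Cache Everything in place, a request that does NOT bypass is served
    from (or stored into) the shared edge cache, so session-specific HTML is
    only safe when one of the session's cookie names matches here.
    """
    return bool(bypassing_cookies(cookie_header, pattern))


# Constructed sample requests (cookie values are dummies).
SAMPLE_REQUESTS = {
    "anonymous visitor": "_ga=GA1.2.1234.5678; PHPSESSID=abc123",
    "logged-in editor": "wordpress_logged_in_9f8e=editor%7C1700000000; wp-settings-1=editor%3Dtinymce",
    "returning commenter": "comment_author_9f8e=bob; comment_author_email_9f8e=bob%40example.com",
    "visited wp-login": "wordpress_test_cookie=WP%20Cookie%20check",
    "shopper with a cart": "woocommerce_items_in_cart=1; woocommerce_cart_hash=0123abcd; _ga=GA1.2.1",
}


def decide_all(pattern: str) -> dict:
    """Map each sample request to "BYPASS" or "CACHE" under the given expression."""
    return {
        label: "BYPASS" if should_bypass_cache(cookies, pattern) else "CACHE"
        for label, cookies in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    for label, pattern in (("WordPress (native)", NATIVE_WORDPRESS), ("WooCommerce", WOOCOMMERCE)):
        print(f"--- {label}: {pattern}")
        for request, decision in decide_all(pattern).items():
            print(f"{decision:6}  {request}")
```

Run it and compare the two columns: the shopper's `woocommerce_*` cookies are cached under the native expression and bypassed only under the WooCommerce one, which is why a store needs the longer expression. Note also that only the listed cookie names matter; the anonymous visitor's PHPSESSID cookie does not trigger a bypass under either expression.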
Resolve the most common questions and issues when adding a new domain to Cloudflare.
Overview
Below are the most common customer questions and issues experienced when adding new domains to Cloudflare. If you are experiencing issues not mentioned below, the Cloudflare Community and Cloudflare Help Center are great ways to find quick answers.
Questions
Why do I see Cloudflare's IPs in my origin web server logs?
Why doesn't my CNAME record resolve?
Why is my site served over HTTP instead of HTTPS?
Why is my Cloudflare Universal SSL certificate not active?
Issues
SSL errors appear in my browser
I see 525 or 526 errors or redirect loops
SSL isn't working for my second-level subdomain (i.e. dev.www.example.com )
Why is my site content not properly rendering? Why do I see mixed content errors?
My domain's email stopped working
Why was my domain deleted from Cloudflare?
Related resources
SSL FAQ
DNS FAQ
Understanding the Cloudflare dashboard
Gathering information to troubleshoot site issues
Contacting Cloudflare support
Learn more about how Cloudflare Rate Limiting billing is calculated.
Cloudflare Rate Limiting pricing
Enterprise customers are charged a fixed rate as specified in their contract. All other plans are billed based on usage, which is reflected in the monthly subscription invoice.
The first 10,000 billable requests across all your websites are free. You will then be charged $0.05 per 10,000 requests thereafter. Rate Limiting rules in Simulate mode do not count as billable requests.
For example, if you had a total of 35,000 good/allowed requests matching any rate-limiting rule:
1 - 10,000 are free.
10,001 - 20,000 cost $0.05
20,001 - 30,000 cost $0.05
30,001 - 35,000 cost $0.05 (billing is not prorated if you only use a portion of the 10,000 requests paid for)
You will be charged $0.15 in total for Rate Limiting on your next billing date. The charge will appear as a line item on your invoice and will list the total number of requests billed.
Note that the first 10,000 requests are across all sites on your account, rather than receiving 10,000 free requests per site: if you have one site with 20,000 requests and another with 30,000, your bill will be $0.20 for the 50,000 total requests, not $0.15.
Rate Limiting billable usage
Rate Limiting is billed based on the number of good (not blocked) requests that match your defined rules across all your websites. Each request is only counted once, so you will not be double charged if a request matches multiple rules.
For example, given a rule that matches example.com/ratelimit/* and blocks clients that send over 30 requests per minute:
Client A sends 20,000 requests toexample.com/ratelimit/foo at a rate of 10 requests per minute. All requests are allowed.
Client B sends 90,000 requests to example.com/ratelimit/bar, usually at a rate of 10 requests per minute, but with bursts over 30 requests per minute. 60,000 of their requests are blocked during the bursts, and 30,000 are allowed when their request rate is lower.
Client C sends 20,000 requests to example.com/elsewhere at a rate of 40 requests per minute. While this exceeds the threshold, it doesn't match the rule path, so all 20,000 requests are allowed.
In this example, 50,000 (30,000 + 20,000) requests are billable: clients A and B both sent requests that matched the rule, but some of client B's requests were blocked, and those blocked requests were not billed. In total, the cost is (50,000 - 10,000) / 10,000 * $0.05 = $0.20.
Client | Request URL | Requests | Outcome | Monthly cost
A | example.com/ratelimit/foo | 20,000 at 10 req/min | URL pattern matches but threshold is not exceeded. All requests pass through. | (2-1) * $0.05 = $0.05. Only 10,000 requests are charged, because the first 10,000 allowed requests do not incur any cost.
B | example.com/ratelimit/bar | 90,000: 60,000 in bursts over 30 req/min + 30,000 under 30 req/min | URL pattern matches. Rule blocks 60,000 and allows 30,000 requests. | 3 * $0.05 = $0.15
C | example.com/elsewhere | 20,000 at 40 req/min | URL pattern doesn't match. Rule doesn't apply. All requests pass through. | $0.00
Total to bill: $0.20
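The following is an added example, not Cloudflare's code, that reproduces the three clients above in a simplified model of a rate limiting rule and then applies the billing rules from this article. The model uses a path glob, fixed 60-second windows per client and blocks the requests that exceed the threshold within a window; Cloudflare's real counting periods and mitigation timeouts differ. The request stream is constructed.

```python
"""Simplified model of how a Rate Limiting rule decides and how the result is billed.

Added example, not Cloudflare's code. Rules match a request path with a glob,
count a client's requests in fixed 60-second windows and block the requests
that exceed the threshold within a window (Cloudflare's real counting periods
and mitigation timeouts differ). Billing follows the article: only allowed
requests that matched an enforcing rule count, each request is counted once,
the first 10,000 per account are free and every further 10,000 or part
thereof costs $0.05. The traffic below is constructed to reproduce A, B and C.
"""
import math
from collections import defaultdict
from dataclasses import dataclass
from fnmatch import fnmatch

FREE_REQUESTS = 10_000
BLOCK_SIZE = 10_000
PRICE_PER_BLOCK = 0.05


@dataclass(frozen=True)
class Rule:
    url_pattern: str          # glob such as "example.com/ratelimit/*"
    threshold: int            # requests per 60-second window before blocking
    simulate: bool = False    # Simulate mode: log only, never block, never billed


@dataclass(frozen=True)
class Request:
    client: str
    url: str
    t: float                  # seconds since the start of the period


def simulate(rules, requests):
    """Return (billable_allowed, blocked) for a stream of requests."""
    seen = defaultdict(int)   # (client, rule index, window) -> requests so far
    billable_allowed = blocked = 0
    for req in sorted(requests, key=lambda r: r.t):
        window = int(req.t // 60)
        matched = [i for i, r in enumerate(rules) if fnmatch(req.url, r.url_pattern)]
        if not any(not rules[i].simulate for i in matched):
            continue          # no enforcing rule matched: passes and is never billed
        block = False
        for i in matched:
            key = (req.client, i, window)
            seen[key] += 1
            if seen[key] > rules[i].threshold and not rules[i].simulate:
                block = True
        if block:
            blocked += 1
        else:
            billable_allowed += 1   # counted once even if several rules matched
    return billable_allowed, blocked


def monthly_cost(billable_allowed: int) -> float:
    """$0.05 per 10,000 billable requests (or part thereof) beyond the first 10,000."""
    beyond_free = max(0, billable_allowed - FREE_REQUESTS)
    return round(math.ceil(beyond_free / BLOCK_SIZE) * PRICE_PER_BLOCK, 2)


def constructed_traffic():
    """Constructed traffic reproducing the three clients in the table above."""
    reqs = []
    for m in range(2_000):    # A: 10 req/min for 2,000 min = 20,000, never over threshold
        reqs += [Request("A", "example.com/ratelimit/foo", m * 60 + k * 6) for k in range(10)]
    for m in range(1_000):    # B: 90 req/min for 1,000 min = 90,000; 30 allowed, 60 blocked per minute
        reqs += [Request("B", "example.com/ratelimit/bar", m * 60 + k * 0.5) for k in range(90)]
    for m in range(500):      # C: 40 req/min for 500 min = 20,000 to a path no rule covers
        reqs += [Request("C", "example.com/elsewhere", m * 60 + k * 1.5) for k in range(40)]
    return reqs


def bill_example():
    """Run the article's scenario: returns (billable allowed, blocked, monthly cost)."""
    rules = [Rule("example.com/ratelimit/*", threshold=30)]
    allowed, blocked = simulate(rules, constructed_traffic())
    return allowed, blocked, monthly_cost(allowed)


if __name__ == "__main__":
    allowed, blocked, cost = bill_example()
    print(f"billable allowed={allowed:,} blocked={blocked:,} cost=${cost:.2f}")
```

Switching the rule to `simulate=True` drives the billable count to zero, as the pricing text says; the `monthly_cost` rounding up to whole 10,000-request blocks is what makes 35,000 requests cost $0.15 rather than $0.125.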
Learn how to configure Cloudflare to meet PCI scan requirements and understand what mitigations Cloudflare has in place for earlier versions of TLS/SSL.
Overview
Recommended Cloudflare SSL configurations for PCI compliance
Cloudflare mitigations against known TLS vulnerabilities
Related resources
Overview
Cloudflare maintains PCI DSS Level 1 compliance and has been PCI compliant since 2014. Cloudflare does not manage PCI compliance for your site. However, Cloudflare assists in meeting your PCI DSS requirements via use of our Web Application Firewall (WAF), which allows domains on Pro, Business, and Enterprise plans to meet PCI requirement 6.6. Cloudflare is audited annually by a third-party Qualified Security Assessor (QSA).
Both TLS 1.0 and TLS 1.1 are insufficient for protecting information due to known vulnerabilities. Specifically for Cloudflare customers, the primary impact of PCI is that TLS 1.0 and TLS 1.1 are insufficient to secure payment card related traffic.
PCI standards recommend using TLS 1.2. Below, you can review our list of recommended Cloudflare SSL configurations for PCI compliance. The PCI Security Standards Council provides an overview of the Data Security Standards and tools to assist you in validating your PCI compliance.
Also see what mitigations Cloudflare implements against vulnerabilities for TLS 1.0 and 1.1.
Recommended Cloudflare SSL configurations for PCI compliance
For Free, Business and Enterprise domains:
Set the Minimum TLS Version to TLS 1.2 or newer
For Pro domains:
Purchase a Dedicated SSL certificate or upgrade to a Business plan and upload a Custom SSL certificate
Disable Universal SSL
Set the Minimum TLS Version to TLS 1.2 or newer
Set Minimum TLS Version to 1.2
To configure your Cloudflare domain to only allow connections using TLS 1.2 or newer protocols:
1. Log in to the Cloudflare dashboard.
2. Click the appropriate Cloudflare account for the domain.
3. Ensure the proper domain is selected.
4. Click on the Cloudflare SSL/TLSapp.
5. Click the Edge Certificates tab.
6. Scroll to the Minimum TLS Version section.
7. Select TLS 1.2.
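Once the setting is saved, verify it from outside the way an ASV scan would. The script below is an added example, not Cloudflare's code: it attempts one handshake per protocol version against a host and reports which versions the edge accepted. A "refused" result whose reason is a server alert (for example TLSV1_ALERT_PROTOCOL_VERSION) means the edge rejected that version; a reason such as NO_PROTOCOLS_AVAILABLE or UNSUPPORTED_PROTOCOL, or an "error", means the local OpenSSL build would not offer it, so that version is untested rather than confirmed disabled. The host name is a command-line argument; the `pci_verdict()` inputs used for checking below are constructed.

```python
"""Probe which TLS versions an edge accepts and judge the result against PCI's TLS 1.2 floor.

Added example, not Cloudflare's code. One pinned handshake per version; the
target host comes from the command line (defaults to example.com).
"""
import socket
import ssl
import sys

VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}
PCI_ALLOWED = {"TLS 1.2", "TLS 1.3"}


def probe(host: str, version: ssl.TLSVersion, port: int = 443, timeout: float = 5.0):
    """Try a handshake pinned to exactly one protocol version.

    Returns ("accepted", negotiated_version), ("refused", reason) or ("error", message).
    A "refused" reason that is a server alert means the edge rejected the version;
    NO_PROTOCOLS_AVAILABLE / UNSUPPORTED_PROTOCOL means the local client would not offer it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # only the protocol negotiation matters here
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError) as e:
        return ("error", f"client cannot offer this version: {e}")
    try:
        # Lower OpenSSL's security level so legacy versions can actually be offered.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ("accepted", tls.version())
    except ssl.SSLError as e:
        return ("refused", e.reason or str(e))
    except OSError as e:                # includes timeouts and connection failures
        return ("error", str(e))


def scan(host: str, port: int = 443) -> dict:
    """Probe every version in VERSIONS against host:port."""
    return {name: probe(host, v, port) for name, v in VERSIONS.items()}


def pci_verdict(results: dict):
    """(passes, legacy_versions_accepted): passes only if 1.2 or 1.3 works and nothing older does."""
    accepted = {name for name, (status, _) in results.items() if status == "accepted"}
    legacy = sorted(accepted - PCI_ALLOWED)
    return (not legacy and bool(accepted & PCI_ALLOWED), legacy)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    results = scan(target)
    for name, (status, detail) in results.items():
        print(f"{name}: {status} ({detail})")
    ok, legacy = pci_verdict(results)
    print("PASS" if ok else f"FAIL: legacy versions accepted: {', '.join(legacy)}")
```

Run it as `python tls_probe.py www.example.com` against the zone's proxied hostname; because Minimum TLS Version is an edge setting, this probes the Cloudflare edge, not your origin. Run it from a machine whose OpenSSL still offers TLS 1.0 and 1.1, or the legacy rows will read as untested.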
Cloudflare mitigations against known TLS vulnerabilities
There are several mitigations Cloudflare performs against known vulnerabilities for TLS versions prior to 1.2. For example, Cloudflare does not support:
Header compression in TLS
Header compression in SPDY 3.1
RC4
SSL 3.0
Renegotiation with clients
DHE ciphersuites
Export-grade ciphers
Cloudflare supports TLS_FALLBACK_SCSV.
Cloudflare mitigations protect against several attacks:
CRIME
BREACH
POODLE
RC4 Cryptographic Weaknesses
SSL Renegotiation Attack
Protocol Downgrade Attacks
FREAK
LogJam
3DES is disabled entirely for TLS 1.1 and 1.2, and Cloudflare implements mitigations for TLS 1.0.
Cloudflare provides additional mitigations for:
Heartbleed
Lucky Thirteen
CCS injection vulnerability
Cloudflare has patched all servers against these vulnerabilities. Also, the Cloudflare WAF has rules to mitigate several of these vulnerabilities, including Heartbleed and ShellShock.
PCI scan warnings are often the result of a false positive. If a PCI scan failure or reported vulnerability relates to the use of Cloudflare services, review the list below of common false positives and recommended configuration adjustments. Documentation about a specific false positive allows your QSA or Approved Scanning Vendor (ASV) to remove the false positive from their vulnerability report. Either inform your auditor of these common false positives or take the recommended actions below:
HTTP/2 and HTTP/1.1 Cleartext Detection (Paid Plans Only)
Use Cloudflare WAF rule 100015 to restrict connections to only ports 80 and 443 if you aren't using other open Cloudflare ports. You can find WAF rule 100015 in the Cloudflare UI for your domain:
Click the Cloudflare Firewall app.
Click the Managed Rules tab.
Click Advanced under the Cloudflare Managed Rules section.
Enter 100015 in the search field and click Search.
Set the Mode of rule 100015 to Block.
Once enabled, the additional Cloudflare ports are still open, but no data is sent to your origin from those ports, as the WAF blocks the request with an HTTP 403 response. A port scan will therefore still report them open; the documented WAF rule is what an ASV needs to clear the finding.
Return Of Bleichenbacher's Oracle Threat (ROBOT)
Security scans that note the presence of ROBOT while on Cloudflare are a false positive. Cloudflare checks padding in real time and swaps to a random session key if the padding is incorrect.
Web Application Cookies Not Marked Secure
The Cloudflare cfduid cookie is used for security purposes and cannot be disabled. The cfduid cookie doesn't contain any confidential or sensitive information and is used to note whether a user has passed JavaScript challenges such as those used by Under Attack Mode.
Sweet32 (CVE-2016-2183)
A vulnerability in the use of the Triple DES (3DES) encryption algorithm in the Transport Layer Security (TLS) protocol. Sweet32 is currently a proof of concept attack; there are no known examples of this in the wild. Cloudflare has manually mitigated the vulnerability for TLS 1.0 in the following manner:
An attacker must collect 32GB of data from a single TLS session.
Cloudflare forces new TLS 1.0 session keys on the affected 3DES cipher well before 32GB of data is collected.
If you are seeing errors about Sweet32 (CVE-2016-2183) in your PCI scans, set Minimum TLS Version to 1.2.
Related resources
Cloudflare SSL cipher, browser, and protocol support
Using Minimum TLS Version in Cloudflare SSL/TLS
Learn best practices to secure your Cloudflare-enabled site from DDoS attacks.
Overview
After joining Cloudflare, ensure your site is fully prepared for possible DDoS attacks via the recommendations below.
Proxy your DNS records to Cloudflare
Attackers attempt to identify your origin IP address to directly attack your origin web server without Cloudflare's protections. Hide your origin IP address from direct attack by proxying traffic to Cloudflare.
Set your DNS records for maximum protection via the following steps:
Enable the Cloudflare proxy (orange-cloud) on all possible DNS records.
Remove DNS records used for FTP or SSH and instead use your origin IP to directly perform FTP or SSH requests. Alternatively, proxy FTP and SSH via Cloudflare Spectrum.
Grey-cloud A, AAAA, or CNAME records corresponding to your mail server and ensure your mail server uses a different IP range and address than your origin web servers; otherwise the unproxied mail record reveals the origin address.
Remove wildcard records within Free, Pro, or Business domains because they expose your origin IP address. Cloudflare only protects wildcard records for domains on Enterprise plans.
Do not limit or throttle requests from Cloudflare IPs
Once you proxy traffic to Cloudflare, connections to your origin web server come from Cloudflare's IP addresses. Therefore, it is important that your origin web server whitelists Cloudflare IPs and explicitly blocks traffic not from Cloudflare or your trusted partner, vendor, or application IP addresses. Cloudflare publishes its current address ranges at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6; keep your allowlist in step with them.
Restore original visitor IPs in your origin server logs
To see the real IPs behind an attack, restore the original visitor IPs in your origin server logs. Otherwise, all traffic lists Cloudflare's IPs in your logs. Cloudflare always includes the original visitor IP address in the request as an HTTP header, CF-Connecting-IP. Configure your web server to use that header only for connections that arrive from Cloudflare's IP ranges, since a client connecting directly to your origin can set it to any value. Inform your hosting provider that you use a reverse proxy and that all traffic will come from Cloudflare's IPs when looking at current connections.
Change server IP addresses after moving site to Cloudflare
Cloudflare hides your origin server IP addresses for traffic you proxy to Cloudflare. As an extra security precaution, we recommend contacting your hosting provider and requesting new origin server IPs.
This task may incur a charge, so discuss with your hosting provider based on the risk of attack to your site.
Utilize Rate Limiting to prevent brute force and Layer 7 DDoS attacks
To thwart attacks disguised as normal HTTP requests, Rate Limiting allows website administrators to specify fine-grained thresholds on the load they expect their web server to receive. With one simple click, set up basic rate limiting to protect your login pages from brute force attacks.
Cloudflare Free, Pro, and Business plans include 10,000 free requests per month. Refer to our guide on Cloudflare Rate Limiting for further details.
Related resources
Understanding Cloudflare DDOS protection
Responding to DDoS attacks
What is a DDoS attack?
Learn how Cloudflare protects against DDoS attacks and how to identify if your website is under attack.
Overview
Determine if you are under DDoS attack
Is Cloudflare attacking me?
Related resources
Overview
A Distributed Denial of Service attack (DDoS) seeks to make an online service unavailable to its end users. For all plan types, Cloudflare provides unmetered mitigation of DDoS attacks, including DNS attacks and attacks at Layers 3, 4, and 7. Cloudflare does not bill by attack size and does not have a cap on attack size, type, or duration.
Cloudflare's network is built to automatically monitor and mitigate large DDoS attacks. Caching your content at Cloudflare also protects your website against small DDoS attacks, but uncached assets require additional manual response to DDoS attack.
Learn more about Famous DDoS Attacks and DDoS at the Cloudflare Learning Center. You can also review DDoS case studies in the related resources section at the end of this article.
Determine if you are under DDoS attack
Common signs that you are under DDoS attack include:
Your site is offline or slow to respond to requests.
There are unexpected spikes in the graph of Requests Through Cloudflare or Bandwidth in your Cloudflare Analytics app.
There are strange requests in your origin web server logs that don't match normal visitor behavior.
If you are currently under DDoS attack, refer to our guide on responding to a DDoS attack.
Is Cloudflare attacking me?
There are two common scenarios where Cloudflare is falsely perceived to attack your site:
Unless you restore the original visitor IP addresses, Cloudflare IP addresses appear in your server logs for all proxied requests.
The attacker is spoofing Cloudflare's IPs. Cloudflare only sends traffic to your origin web server over a few specific ports unless you use Cloudflare Spectrum.
Ideally, because Cloudflare is a reverse proxy, your hosting provider observes attack traffic connecting from Cloudflare IP addresses. In contrast, if you see connections from IP addresses that do not belong to Cloudflare, the attack is direct to your origin web server. Cloudflare cannot stop attacks directly to your origin IP address because the traffic bypasses Cloudflare's network.
If an attacker is directly targeting your origin web server, request that your hosting provider change your origin IPs and update the IP information in your Cloudflare DNS app. Confirm all possible DNS records are orange-clouded and that your name servers still point to Cloudflare (unless using a CNAME setup) before changing your origin IP.
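The script below is an added example, not Cloudflare's code, that applies the two rules from the best-practices article (allow only Cloudflare at the origin; restore visitor IPs from the CF-Connecting-IP header) to the log question raised in this section: which connections came through Cloudflare and which hit the origin directly. It trusts CF-Connecting-IP only when the TCP peer is a Cloudflare address; a direct connection carrying that header is treated as spoofed. The address ranges are a partial snapshot for illustration and must be refreshed from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6; the log lines are constructed, in combined-log format with the CF-Connecting-IP value appended as a final quoted field.

```python
"""Separate proxied from direct-to-origin traffic in origin logs and restore
visitor IPs only where that is safe.

Added example, not Cloudflare's code. CF-Connecting-IP is trusted only when the
TCP peer is a Cloudflare address; any other peer reached the origin directly and
whatever header it sent is attacker-controlled. The ranges below are a partial
snapshot for illustration: refresh them from https://www.cloudflare.com/ips-v4
and https://www.cloudflare.com/ips-v6 before relying on them.
"""
import ipaddress
import re
from collections import Counter
from typing import Optional

# Partial snapshot for illustration only; fetch the live list before deploying.
CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare(ip: str) -> bool:
    """True if ip falls inside one of the published Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def origin_firewall_decision(peer_ip: str, extra_allowed=()) -> str:
    """Origin policy: allow Cloudflare and your own trusted ranges, drop everything else."""
    if is_cloudflare(peer_ip):
        return "allow"
    addr = ipaddress.ip_address(peer_ip)
    if any(addr in ipaddress.ip_network(n) for n in extra_allowed):
        return "allow"
    return "drop"


def real_client_ip(peer_ip: str, cf_connecting_ip: Optional[str]) -> str:
    """Restore the visitor IP from CF-Connecting-IP, but only behind a Cloudflare peer."""
    if is_cloudflare(peer_ip) and cf_connecting_ip and cf_connecting_ip != "-":
        try:
            return str(ipaddress.ip_address(cf_connecting_ip.strip()))
        except ValueError:
            pass            # malformed header: attribute the request to the peer
    return peer_ip


# peer - - [timestamp] "request" status bytes "CF-Connecting-IP value"
LOG_LINE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "(?P<cfip>[^"]*)"$'
)

# Constructed sample: two proxied requests, then two direct hits on the origin,
# the second of which forges a CF-Connecting-IP header.
SAMPLE_LOG = """\
173.245.48.10 - - [10/Mar/2020:12:00:01 +0000] "GET /login HTTP/1.1" 200 512 "203.0.113.7"
173.245.48.11 - - [10/Mar/2020:12:00:02 +0000] "POST /login HTTP/1.1" 401 128 "203.0.113.7"
198.51.100.99 - - [10/Mar/2020:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-"
198.51.100.99 - - [10/Mar/2020:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "192.0.2.1"
"""


def analyse(log_text: str) -> dict:
    """Count visitors seen through Cloudflare and peers that reached the origin directly."""
    proxied, direct = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        if is_cloudflare(m["peer"]):
            proxied[real_client_ip(m["peer"], m["cfip"])] += 1
        else:
            direct[m["peer"]] += 1   # bypassed Cloudflare; its header, if any, is spoofed
    return {"proxied": proxied, "direct": direct}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print("visitors via Cloudflare:", dict(report["proxied"]))
    print("direct-to-origin peers:", dict(report["direct"]))
```

Anything in the `direct` bucket is traffic your origin firewall should not have accepted in the first place; if the bucket is non-empty, tighten the allowlist and, as the paragraph above says, consider asking your host for a new origin IP.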
Related resources
Responding to DDoS attacks
Best Practices: DDoS preventative measures
Using Cloudflare Logs to investigate DDoS traffic (Enterprise Only)
What is a DDoS attack?
How DNS Amplification Attacks Work
Case Studies:
How to Launch a 65Gbps DDoS, and How to Stop One
Ceasefires Don't End Cyberwars
Reflections on reflection (attacks)
Stupidly Simple DDoS Protocol (SSDP) generates 100 Gbps DDoS
Memcrashed - Major amplification attacks from UDP port 11211
The real cause of large DDoS - IP Spoofing