cloudflare.pdf

Full Transcript

CLOUDFLARE
Cloudare acts as an intermediary/proxy between a
client and a server. Cloudare caches static content
or your site, subsequently lowering the number o
requests to our servers while allowing visitors to
access your site.

Cloudare is a global network designed to make
everything you connect to the Internet secure,
private, ast, and reliable.
Because o how Cloudare works, all trac to your
origin server will appear to be coming rom
Cloudare IP addresses.
 Advantages o Cloudare

Site Perormance Improvement : Cloudare has
proxy servers located throughout the world. Proxy
servers are located closer to your visitors, which
means they will likely see page load speed
improvements as the cached content is delivered rom
the closest caching box instead o directly o our
server.

Alerting Visitors o Inected Computers :
Cloudare alerts human visitors that have an inected
computer that they need to take action to clean up
the malware or virus on their machine. The visitor can
enter a CAPTCHA to gain access to your site.
 Advantages o Cloudare
( Contd.. )

Spam Comments Protection : Cloudare
leverages data rom third-party resources to reduce
the number o spam comments on your site.

Oine Browsing Mode : In the event that the
server is unavailable, visitors should still be able to
access your site since Cloudare serves the visitor
a page rom its cache.

New Site Stats : You have good tools to evaluate
human trac coming to your site.
 Add site to Cloudare

Step 1 — Add site in Cloudare
1. Log in to the Cloudare dashboard
2. In the top navigation bar, click Add site.
3. Enter your website’s root domain
(example.com) and then click Add Site.
4. Update all necessary DNS records to enable
Cloudare or your domain.
5. Check nameservers.
6. When you have nished the Quick Start Guide,
click Finish.
 Add site to Cloudare ( Contd.. )

Step 2 — Update nameservers
Beore your domain can begin using Cloudare or
DNS resolution, you need to update your
nameservers at your registrar.
Once you have added a domain (also known as a
zone) to Cloudare, that domain will receive two
assigned authoritative nameservers.
Login to the domain registrar account and replace
with Cloudare’s nameservers.
Wait 24 hours while your registrar updates your
nameservers. You will receive an email when your
site is active on Cloudare.
Log in to the Cloudare dashboard and make sure
 Purge cache

You can purge cached resources by single-
le , all cached content, or other options.

1. Purge by single-le (by URL)
2. Purge everything
Purge by single-le (by URL)
1. Log in to your Cloudare dashboard and select
your account and domain.
2. Select Caching > Conguration.
3. Under Purge Cache, select Custom Purge. The
Custom Purge window appears.
4. Under Purge by, select URL.
5. Enter the appropriate value(s) in the text eld
using the ormat shown in the example.
6. Perorm any additional instructions to complete
the orm.
7. Review your entries.
8. Select Purge.
 Purge everything

1. Log in to your Cloudare dashboard and
select your account and domain.
2. Select Caching > Conguration.
3. Under Purge Cache, select Purge
Everything. A warning window appears.
4. I you agree, select Purge Everything.
 SSL/TLS Encryption modes

The encryption modes listed below control the scheme
(http:// or https://) that Cloudare uses to connect to your
origin web server and how SSL certicates presented by
your origin will be validated.

Available encryption modes
1. O (no encryption)
2. Flexible
3. Full
4. Full (strict)
5. Strict (SSL-Only Origin Pull)
Of - SSL/TLS encryption modes

Setting your encryption mode to O (not
recommended) redirects any HTTPS request to
plaintext HTTP.

Limitations :
1. Leaves your visitors and your application
vulnerable to attacks
2. Will be marked as “not secure” by Chrome and
other browsers, reducing visitor trust.
3. Will be penalized in SEO rankings.
Flexible - SSL/TLS encryption modes

Setting your encryption mode to Flexible makes your
site partially secure. Cloudare allows HTTPS
connections between your visitor and Cloudare, but
all connections between Cloudare and your origin
are made through HTTP.

Limitations :
1. Flexible mode is only supported or HTTPS
connections on port 443 (deault port). Other ports
using HTTPS will all back to Full mode.
2. I your application contains sensitive inormation
(personalized data, user login), use Full or Full
(Strict) modes instead.
 Full - SSL/TLS encryption modes

When you set your encryption mode to Full,
Cloudare allows HTTPS connections between your
visitor and Cloudare and makes connections to the
origin using the scheme requested by the visitor. I
your visitor uses http, then Cloudare connects to the
origin using plaintext HTTP and vice versa.

Limitations :
1. The certicate presented by the origin will not be
validated in any way. It can be expired, sel-signed, or
not even have a matching CN/SAN entry or the
hostname requested.
2. Without using Full (strict), a malicious party could
technically hijack the connection and present their
 Full (strict) - SSL/TLS encryption
modes
When you set your encryption mode to Full
(strict), Cloudare does everything in Full mode
but also enorces more stringent requirements or
origin certicates.

Limitations :
Depending on your origin conguration, you may
have to adjust settings to avoid Mixed Content
errors or redirect loops.
Strict (SSL-Only Origin Pull) - SSL/TLS encryption
modes

Connections to the origin will always be made
using SSL/TLS, regardless o the scheme
requested by the visitor. The certicate presented
by the origin will be validated the same as with
Full (strict) mode.

Limitations :
Depending on your origin conguration, you may
have to adjust settings to avoid Mixed Content
errors or redirect loops.
Troubleshooting Cloudare errors

Error 502 bad gateway or error 504 gateway
timeout

Error 520: web server returns an unknown error

Error 521: web server is down

Error 524: a timeout occurred

Error 525: SSL handshake ailed
Error 502 bad gateway or error 504 gateway
timeout
 Error 502 bad gateway or error 504 gateway
timeout ( Contd.. )

Cloudare returns an Cloudare-branded HTTP 502 or 504
error when your origin web server responds with a
standard HTTP 502 bad gateway or 504 gateway timeout
error.

Resolution
Contact your hosting provider to troubleshoot these
common causes at your origin web server:
1. Ensure the origin server responds to requests or the
hostname and domain within the visitor’s URL that
generated the 502 or 504 error.
2. Investigate excessive server loads, crashes, or
network ailures.
3. Identiy applications or services that timed out or were
Error 520: web server returns an unknown
error

Error 520 occurs when the origin server returns an
empty, unknown, or unexpected response to
Cloudare.

Resolution
Contact your hosting provider or site
administrator and request a review o your origin web
server error logs or crashes and to check or these
common causes:
1. Origin web server application crashes
2. Cloudare IPs not allowed at your origin
3. Headers exceeding 16 KB (typically due to too
 Error 521: web server is down

Error 521 occurs when the origin web server reuses
connections rom Cloudare. The two most common
causes o 521 errors are:
1. Ofined origin web server application
2. Blocked Cloudare requests

Resolution
1. Ensure your origin web server is responsive
2. Review origin web server error logs to identiy web
server application crashes or outages.
3. Conrm Cloudare IP addresses are not blocked or
rate limited
4. Allow all Cloudare IP ranges in your origin web
 Error 524: a timeout occurred

Error 524 indicates that Cloudare successully
connected to the origin web server, but the origin
did not provide an HTTP response beore the
deault 100 second connection timed out. This can
happen i the origin server is simply taking too long
because it has too much work to do or because the
server is struggling or resources and cannot return
any data in time.

Resolution
Contact your hosting provider to exclude the
ollowing common causes at your origin web
server:
1. A long-running process on the origin web server.
Error 525: SSL handshake ailed

525 errors indicate that the SSL handshake between
Cloudare and the origin web server ailed. Error 525 occurs
when these two conditions are true:
1. The SSL handshake ails between Cloudare and the origin
web server, and
2. Full or Full (Strict) SSL is set in the Overview tab o your
Cloudare SSL/TLS app.

Resolution
Contact your hosting provider to exclude the ollowing
common causes at your origin web server:
1. No valid SSL certicate installed
2. Port 443 (or other custom secure port) is not open
 Limitations o Cloudare

1. Cloudare may aect internal statistic programs
that read directly rom Apache logs.

2. Cloudare caches static content rom your site.
While this reduces the load on your server, it
means that i you make a change to an existing
static le, like an image, there may be a delay
beore the change appears. While you are updating
your site, you can put Cloudare in Development
Mode, so changes appear immediately.
Thank You!

24