Cloudflare Setup & Configuration

We set up DNS records with correct proxy status — orange cloud for HTTP services, grey cloud for mail servers and non-HTTP protocols. CNAME flattening at the zone apex eliminates the 'can't CNAME the root domain' problem. SSL mode gets set to Full (Strict) with origin certificates — not Flexible, which leaves your origin traffic unencrypted. Authenticated origin pulls prevent bypassing Cloudflare.

Cache rules target static assets with aggressive TTLs while bypassing caching for authenticated content. We configure Tiered Caching to reduce origin requests, Polish for automatic image optimization, and Argo Smart Routing for improved latency to your origin. Cache invalidation integrates with your deployment pipeline — new deploys purge stale content automatically. Typical result: 60-80% origin request reduction.

Managed WAF rulesets get enabled with exceptions for your application's legitimate patterns. Custom rules block known bad patterns — credential stuffing paths, scanner fingerprints, and suspicious query strings. Rate limiting rules protect authentication endpoints and APIs. Bot management separates legitimate crawlers from scrapers. We tune rules iteratively to minimize false positives while maintaining protection.

Internal tools (admin panels, staging environments, monitoring dashboards) get protected by Cloudflare Access — identity-aware proxy with SSO integration. No VPN needed. Access policies enforce MFA, device posture, and IP restrictions. Tunnel (cloudflared) connects your origin to Cloudflare without opening inbound ports. You get a zero-trust architecture without the complexity of a full ZTNA deployment.