How to Set Up Cloudflare with Your VPS for Free DDoS Protection and CDN
Cloudflare is one of the most powerful tools available to VPS owners — and it’s free for most use cases. By routing your traffic through Cloudflare’s global network, you get DDoS protection, a CDN that caches your content close to users worldwide, SSL certificates, a WAF (Web Application Firewall), and bot mitigation — all without touching your server configuration significantly.
This guide covers setting up Cloudflare with your VPS, configuring the essential security and performance settings, and implementing the important step of locking your origin server so only Cloudflare can reach it.
What Cloudflare Provides (Free Tier)
| Feature | What it does |
|---|---|
| DDoS protection | Absorbs volumetric attacks at Cloudflare's edge before they reach your VPS (unmetered on every plan, including Free) |
| CDN | Caches static assets in 300+ PoPs worldwide, so most visitors are served from an edge near them instead of from your origin |
| WAF (basic) | Blocks common web exploits (SQLi, XSS, etc.) |
| SSL/TLS | Free HTTPS between visitors and Cloudflare edge |
| Bot protection | Blocks known malicious bots and scrapers |
| Page Rules | Custom caching, redirects, and security rules per URL |
| Analytics | Traffic, threat, and performance insights |
Important note: Cloudflare sits between your visitors and your VPS. For proxied records, visitors see only Cloudflare's addresses and your VPS IP stays out of public DNS. That does not stop someone who already knows the IP from connecting directly; only the firewall lock in Step 6 ensures that nothing but Cloudflare's edge can reach your origin's web ports.
Step 1: Add Your Domain to Cloudflare
- Create a free account at cloudflare.com
- Click Add a Site and enter your domain
- Select the Free plan
- Cloudflare will scan your existing DNS records — review and confirm them
- Cloudflare provides two nameserver addresses (e.g., adam.ns.cloudflare.com)
- Log in to your domain registrar and update your domain's nameservers to Cloudflare's
Nameserver changes usually propagate within a few hours but can take up to 24 hours. Once Cloudflare shows the zone as active, your proxied records are served through Cloudflare. ✅
Step 2: Verify Proxy Status (Orange Cloud)
In Cloudflare DNS settings, each record has a proxy status:
- 🟠 Orange cloud (Proxied) — Traffic flows through Cloudflare. Your VPS IP is hidden. DDoS protection active.
- ⚫ Grey cloud (DNS only) — Direct connection to your VPS. No Cloudflare benefits.
Ensure your A record for the root domain (@) and www are set to Proxied.
Step 3: Configure SSL/TLS Mode
In Cloudflare dashboard → SSL/TLS → Overview, set the encryption mode:
| Mode | Description | Recommended? |
|---|---|---|
| Off | HTTP only — never use | ❌ |
| Flexible | HTTPS to Cloudflare, HTTP to origin — insecure | ❌ |
| Full | HTTPS throughout, but the origin certificate is not validated (self-signed or expired accepted), so a machine-in-the-middle between Cloudflare and your origin would go unnoticed | ⚠️ OK |
| Full (Strict) | HTTPS throughout, requires valid cert on origin | ✅ Best |
Select Full (Strict) and ensure your VPS serves a certificate that Cloudflare can validate: either a publicly trusted one (e.g., Let's Encrypt) or a free Cloudflare Origin CA certificate issued under SSL/TLS → Origin Server. An Origin CA certificate is trusted only by Cloudflare's edge, which is fine here because, after Step 6, nothing else connects to the origin.
Step 4: Enable Key Security Settings
Always Use HTTPS
SSL/TLS → Edge Certificates → Always Use HTTPS: ON
Automatically redirects all HTTP requests to HTTPS.
HSTS (HTTP Strict Transport Security)
SSL/TLS → Edge Certificates → HTTP Strict Transport Security (HSTS) → Enable with a 6-month max-age. Only do this once every hostname you serve works over HTTPS (and every subdomain, if you tick "Include subdomains"): browsers that have seen the header will refuse plain HTTP for the whole max-age, so a mistake here cannot be undone quickly.
Minimum TLS Version
SSL/TLS → Edge Certificates → Minimum TLS Version: TLS 1.2 (blocks outdated, vulnerable clients).
Automatic HTTPS Rewrites
SSL/TLS → Edge Certificates → Automatic HTTPS Rewrites: ON — fixes mixed content warnings automatically.
Step 5: Configure Caching for Performance
Cache Level
Caching → Configuration → Caching Level: Standard. Each distinct query string is cached as a separate resource, which is what most applications expect.
Browser Cache TTL
Set to 4 hours or more. Cloudflare instructs browsers to cache assets locally, reducing repeat requests.
Enable Cloudflare’s Polish (Image Optimization)
Speed → Optimization → Polish: Lossless or Lossy. Automatically compresses images at Cloudflare's edge. Note that Polish is available on the Pro plan and above, not on Free; skip this step if you are on the Free plan.
Cache Rules for WordPress
WordPress requires special cache rules to exclude dynamic content. Create a Cache Rule with these conditions:
- URI Path contains `/wp-admin` → Bypass cache
- Cookie contains `wordpress_logged_in` → Bypass cache
- URI Path contains `/wp-json` → Bypass cache
Step 6: Lock Your Origin Server to Cloudflare Only
This is the most important security step. If attackers discover your VPS IP (through DNS history services, Certificate Transparency logs, a grey-clouded subdomain, or headers in outgoing mail), they can bypass Cloudflare and hit your server directly, skipping the WAF, rate limits and DDoS mitigation entirely. Lock your VPS firewall so that ports 80 and 443 accept traffic only from Cloudflare's published IP ranges. For a second, cryptographic layer, Cloudflare's Authenticated Origin Pulls (SSL/TLS → Origin Server) lets the origin require a Cloudflare-issued client certificate on every connection, so even a request from a spoofed or leaked range is rejected.
Get Cloudflare’s IP ranges
Cloudflare publishes their IP ranges at cloudflare.com/ips.
Configure UFW to allow only Cloudflare IPs
```bash
nano ~/cloudflare-ufw.sh
```

```bash
#!/bin/bash
# Allow only Cloudflare's edge to reach ports 80 and 443.
# Assumes UFW is enabled with "default deny incoming" (otherwise these allow
# rules change nothing) and that your SSH rule was added separately; this
# script never touches it.
set -euo pipefail

# Cloudflare IPv4 and IPv6 ranges. Verify the current list at cloudflare.com/ips
# (machine-readable: https://www.cloudflare.com/ips-v4 and /ips-v6) before running.
CF_IPS=(
  "173.245.48.0/20"
  "103.21.244.0/22"
  "103.22.200.0/22"
  "103.31.4.0/22"
  "141.101.64.0/18"
  "108.162.192.0/18"
  "190.93.240.0/20"
  "188.114.96.0/20"
  "197.234.240.0/22"
  "198.41.128.0/17"
  "162.158.0.0/15"
  "104.16.0.0/13"
  "104.24.0.0/14"
  "172.64.0.0/13"
  "131.0.72.0/22"
  "2400:cb00::/32"
  "2606:4700::/32"
  "2803:f800::/32"
  "2405:b500::/32"
  "2405:8100::/32"
  "2a06:98c0::/29"
  "2c0f:f248::/32"
)

# Remove the old catch-all web rules. If you added them differently
# (e.g. "ufw allow http"), list them with "sudo ufw status numbered" first.
sudo ufw delete allow 80/tcp 2>/dev/null || true
sudo ufw delete allow 443/tcp 2>/dev/null || true
sudo ufw delete allow 'Nginx Full' 2>/dev/null || true

# Allow only Cloudflare ranges on the web ports
for IP in "${CF_IPS[@]}"; do
  sudo ufw allow from "$IP" to any port 80 proto tcp
  sudo ufw allow from "$IP" to any port 443 proto tcp
done

sudo ufw reload
echo "Cloudflare-only firewall rules applied ✅"
```

```bash
chmod +x ~/cloudflare-ufw.sh
~/cloudflare-ufw.sh
```

Check the result from another machine: a request to https://yourdomain.com must still succeed (the response carries a `server: cloudflare` header), while a connection made straight to the VPS IP on port 443 must time out rather than answer.
Restore actual visitor IPs in Nginx logs
When Cloudflare proxies requests, the TCP peer your Nginx sees is a Cloudflare edge address, so logs, rate limits and fail2ban all act on Cloudflare's IPs instead of the real visitor. Cloudflare sends the visitor's address in the CF-Connecting-IP header; Nginx's real_ip module substitutes it for $remote_addr, but only when the connection comes from a range listed in set_real_ip_from. That is what makes this safe: a direct connection from an attacker carrying a forged CF-Connecting-IP is ignored because the peer is not trusted. Keep this list in step with the firewall list above.

```bash
sudo nano /etc/nginx/conf.d/cloudflare-real-ip.conf
```

```nginx
# Trust CF-Connecting-IP only from Cloudflare's published ranges
# (verify at cloudflare.com/ips; keep identical to the UFW list)
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;
real_ip_header CF-Connecting-IP;
```

```bash
sudo nginx -t && sudo systemctl reload nginx
```
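Once the firewall lock and the real_ip configuration are in place, it is worth checking the logs for connections that still arrived without passing through Cloudflare, since that is exactly the failure mode Step 6 exists to prevent. The script below is an added example, not code from the original guide or from Cloudflare. It assumes a hypothetical Nginx log_format that records both the raw TCP peer and the rewritten visitor address, e.g. `log_format cf_audit '$realip_remote_addr $remote_addr [$time_local] "$request" $status "$http_cf_connecting_ip"';` ($realip_remote_addr is the real peer that the real_ip module keeps available). The sample log lines are constructed with documentation addresses.

```python
"""Audit Nginx logs for requests that reached the origin without going through Cloudflare.

Added example for this guide (not the article's or Cloudflare's code). Assumes the
hypothetical cf_audit log_format described in the text:
    peer visitor [time] "request" status "CF-Connecting-IP header"
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Cloudflare ranges as published on cloudflare.com/ips at time of writing;
# refresh from https://www.cloudflare.com/ips-v4 and /ips-v6 before relying on them.
CLOUDFLARE_RANGES = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
]
CF_NETS = [ipaddress.ip_network(cidr) for cidr in CLOUDFLARE_RANGES]

LINE_RE = re.compile(
    r'^(?P<peer>\S+) (?P<visitor>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) "(?P<cf_header>[^"]*)"$'
)


def is_cloudflare(addr: str) -> bool:
    """True if addr falls inside one of Cloudflare's published ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in CF_NETS)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one cf_audit line into its fields; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_bypasses(lines: List[str]) -> List[Dict[str, str]]:
    """Return requests whose TCP peer was not a Cloudflare address.

    'kind' is 'direct' when no CF-Connecting-IP header was sent (plain hit on the
    origin IP) and 'spoofed' when one was sent by a non-Cloudflare peer, i.e. an
    attacker-controlled value that Nginx correctly refused to trust.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or is_cloudflare(rec["peer"]):
            continue
        rec["kind"] = "direct" if rec["cf_header"] in ("", "-") else "spoofed"
        findings.append(rec)
    return findings


def find_stale_trust(lines: List[str]) -> List[Dict[str, str]]:
    """Return requests from a Cloudflare peer whose header was NOT applied.

    The peer is in the current Cloudflare list but $remote_addr still equals the
    peer, which means set_real_ip_from in Nginx is missing that range.
    """
    stale = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_cloudflare(rec["peer"]):
            continue
        if rec["visitor"] == rec["peer"] and rec["cf_header"] not in ("", "-"):
            stale.append(rec)
    return stale


# Constructed sample log: documentation addresses, not real traffic
SAMPLE_LOG = [
    # normal visitor via a Cloudflare IPv4 edge; real_ip rewrote the visitor field
    '104.16.1.1 203.0.113.7 [10/May/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 "203.0.113.7"',
    # normal visitor via a Cloudflare IPv6 edge
    '2a06:98c0:3600::103 198.51.100.9 [10/May/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 "198.51.100.9"',
    # direct hit on the origin IP: the firewall lock is missing or incomplete
    '198.51.100.42 198.51.100.42 [10/May/2024:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 "-"',
    # direct hit carrying a forged header; Nginx ignored it because the peer is untrusted
    '198.51.100.42 198.51.100.42 [10/May/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 "104.16.1.1"',
    # Cloudflare peer whose header was not honoured: set_real_ip_from lacks this range
    '2c0f:f248::1 2c0f:f248::1 [10/May/2024:10:00:04 +0000] "GET /feed/ HTTP/1.1" 200 "203.0.113.9"',
    # a line in another format is skipped, not misreported
    'malformed line',
]

if __name__ == "__main__":
    for f in find_bypasses(SAMPLE_LOG):
        print(f'{f["kind"]:8} peer={f["peer"]} req="{f["request"]}" header={f["cf_header"]}')
    for f in find_stale_trust(SAMPLE_LOG):
        print(f'stale    peer={f["peer"]} is Cloudflare but set_real_ip_from did not match')
```

Any `direct` or `spoofed` finding after the firewall script has run means a web port is still reachable from outside Cloudflare (a forgotten rule, a second interface, or a range missing from the UFW list); a `stale` finding means the Nginx trust list has drifted from Cloudflare's published ranges, so those visitors are being logged and rate-limited under Cloudflare's address.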
Step 7: Enable DDoS Protection Mode
Cloudflare’s free tier provides automatic DDoS mitigation. For additional control:
Under Attack Mode (emergency)
If your site is actively under attack: Cloudflare dashboard → Overview → Under Attack Mode: ON
This shows every visitor an interstitial JavaScript challenge page (historically about five seconds) before letting them through, which stops most automated attack traffic while real browsers pass. It also blocks API clients, webhooks and other non-browser callers, so turn it off once the attack subsides.
Security Level
Security → Settings → Security Level: Medium (challenges visitors with suspicious threat scores).
Bot Fight Mode
Security → Bots → Bot Fight Mode: ON — automatically blocks known bad bots.
Step 8: Cloudflare for Subdomains (API, Mail, etc.)
Not all subdomains should be proxied through Cloudflare:
- api.yourdomain.com → Proxy if it is a public HTTP API; DNS-only if internal
- mail.yourdomain.com → Must be DNS-only (the free proxy handles HTTP/HTTPS ports only, not SMTP/IMAP)
- ftp.yourdomain.com → DNS-only (Cloudflare does not proxy FTP)
- ssh.yourdomain.com → DNS-only (a direct connection is required)

Be aware of the trade-off: any grey-cloud record that points at the same VPS publishes its IP address, which undoes the hiding from Step 2. The Step 6 firewall still keeps ports 80 and 443 closed to everyone but Cloudflare, but the other services on that host are exposed by name. If hiding the origin matters, put mail, FTP and SSH on a separate address or host.
Final Thoughts
Cloudflare's free tier delivers DDoS protection, a global CDN and WAF capabilities that would otherwise cost a substantial monthly fee from dedicated security vendors. Combined with a VPS.DO KVM VPS, you get a complete, professional web infrastructure: fast origin serving, Cloudflare's global edge network, and a firewall that keeps direct traffic off your origin.