Perform the following steps to configure a domain in Cloudflare:
- Log in to ISPmanager as the User.
- Check that the domain is connected to Cloudflare. For more information please refer to the article Connect a domain to Cloudflare.
- Go to Tools → Cloudflare → Settings. In the form that will open you will see the settings of the domain from Cloudflare.
- Select a Security level:
- Under attack — this level is used when your website is under DDoS attack;
- High — challenge all of the users detected as offending in the past 14 days;
- Medium — challenge users who pose some threat;
- Low — challenge users who pose the greatest threat;
- Essentially off — challenge only the most abusive users.
- Set the Access time (sec.) to allow a user with previous negative behavior seen from hit IP address to access website during a certain period of time. When that period is over, the visitor will have to pass the challenge again.
- Set an SSL certificate for the domain to establish an encrypted link between a web server and a browser:
- Off — no secure connection between your visitor and Cloudflare, and no secure connection between Cloudflare and your web server either. This means that visitors can only view your website over HTTP;
- Self-signed — secure connection between visitors and Cloudflare, and secure connection (but not authenticated) between Cloudflare and your web server;
- Flexible — choose this option, if your origin web-server cannot accept secure (HTTPS) connections. Visitors will be able to access HTTPS, but requests to the web-server will be sent through HTTP;
- Existing — secure connection between visitors and Cloudflare, and secure and authenticated connection between Cloudflare and your web server.
- After you have enabled the option Always online, when your server goes down, Cloudflare will serve pages from its cache, so visitors still see some of the pages they are trying to visit:
- Mobile redirect — this service will automatically redirect mobile device visitors to a mobile-optimized subdomain home page. Enter the Alias for redirect and enable the optionRedirect tohomepage.
- Enable the option Developer mode to send queries directly to the server where the website is hosted. This will temporarily suspend Cloudflare's edge caching and minification features. The expiration period for Development Mode is 3 hours.
- Enable the option Email obfuscation to hide email addresses on your web page from bots while keeping them visible to humans.
- Select the checkbox Hotlink protection to ensure that other sites cannot suck up your bandwidth by building pages that use images hosted on your site. Supported images: gif, ico, jpg, jpeg, png.
- To activate the secure connection:
- Select the checkbox Automatic HTTPS rewrites to allow rewriting links to unencrypted resources from HTTP to HTTPS;
- HSTS — security policy mechanism whose primary job is to protect the websites from protocol downgrade attacks and cookie hijacking. Please note: in order to set HSTS you need to configure HTTPS to meet the HSTS policy. Disabling SSL with other methods (website Flexible SSL or removing the website from Cloudflare) can make the site inaccessible for users unless HSTS-heading hash time is over or unless HTTPS is connected again provided that the HSTS heading lifetime is "0";
- Time (sec.) — a period in seconds. Web browsers will cache and enforce HSTS policy for the duration of this value;
- Enable subdomains — applies HSTS policy to every host in a domain;
- No sniff — add the “X-Content-Type-Options: nosniff” option to the header. It prevents browsers (Internet Explorer и Google Chrome) from doing MIME-type sniffing.
14. Use TLS 1.3 that optimizes performance and hardens the security of encrypted connections. However, this protocol is not supported by old versions of browsers.
15. Enable the option SSE to hide sensitive content on your website from suspicious visitors. You will need to wrap the content with the tags
16. Enable the IPv6 support and the corresponding gateway.
17. Click on Ok. to save the changes in Cloudflare.