CloudFlare for personalized application

Hi there!

I’m not using CloudFlare, nor do I have a website yet, but I would like to know some information regards setup CF with my website if I’ll decide to do so.

I’m building personalized application(for logged in users only) on top of MERN stack, so the only public(for everyone) page that will be provided is the main root of my domain, all the rest will be personalized.

I would like to know how can I(am I? I’m currently able to use the free plan only) make my app more secure with CF. I was hoping to secure it with your anti-ddos feature.

I’m asking this, due the fact that the app will deliver personalized content only. Therefor I’m confused regards masking IP and caching and would love to get some clarification regards this, as I’m obviously don’t want to cache personalized content with CDN for obvious reasons. Unfortunatly, I couldn’t find any relevant information regards this

Any info will be valuable for me, thank you.

Cloudflare’s default configuration does not cache HTML. That’s usually where content personalization happens. Only static files are cached:

As Cloudflare is a transparent reverse proxy/CDN, if your site works over HTTPS, Cloudflare can almost always successfully proxy it (exceptions are rare).

You said the public page is on the main root of your domain. Where is the rest? I only ask because Cloudflare doesn’t support proxying (protection and optimization) for wildcard DNS entries. They have to be specific subdomains set to :orange: (Proxied).

Static files like images, right? So, images are also part of personalized content.

My site will work only via HTTPs protocol.

I’m currently developing my app and can adjust it as I want at the moment. I can use a subdomain(less attractive at my POV), or at specific URL location(say, example.com/app). So, I guess if I’ll set it via subdomain or via special destination(example.com/app) both ways will go, right?

Again, regards using CF as reverse proxy. My primary goal is to use CF as anti-ddos tool(on free plan). But if I’ll use someway to baypass the personalized content(for html, images or whatelse), I will espouse my real server’s IP - that’s what I understood from reading about CF. And a potential attacker can use that to target my server’s real IP for ddos. This alone makes no sense to use CF in the first place.

But perhaps(probably) I don’t get this correctly? Will love to be proved wrong about this.

Are you saying the same Image URL will serve different images depending on the user?

No, of course not. So if user1 is using image1.jpg as part of personalized content and then it will be cached, it won’t be available to everyone else, but only for the same user1? How come?

Let me just explain how I’m planning to use my setup, perhaps it will navigate us to the right direction.

I’m planning to use MERN stack: react on frontend, node.js and mongo on backend, on VPS(probably linode, but not really sure yet) with docker containers(probably).

So what and how exactly should I set with CF in order to benefit from its anti-ddos free service? Set the DNS to point to CF, make sure to select orange clouds near my A, AAAA or CNAME records, but not FTP and email. Is that it, or should I disable caching for javascript(because of react)? Will this mask my IP and apply the anti-ddos?

Thanks for trying to help me out, sdayman, I appreciate that.

There’s really not much happening with Cloudflare: Caching content, and limiting requests. There’s some optimization.

Ultimately, you don’t need to use any of the caching or optimization features. You can just use the security features. That should be a good start.

You’re correct that your IP address will be exposed for FTP and email. I don’t have an FTP hostname, as I use SSH straight to the origin IP address. If you have access to firewall settings on your server, you can limit your exposure by limiting HTTP/S requests to cloudflare.com/ips, and leave Email ports open to the public. And SSH port open for your personal IP address(es).

But I thought that only if I cache my resources I can mask an IP? Isn’t that true?

So you’re suggesting that I will not select the "orange cloud"s at all, for any records? Because if I do select them, I will force caching(for static files, including *.js). And set my server’s rule to provide access via CF’s IPs only. Am I getting all this correctly?

If so, that will diffidently provide some benefits, but on the opposite side, it will have disadvantage I won’t be able to resolve whatsoever: some ddos happens from CF IPs(CF is very known for that to be honest), so they will be able to make brute force attacks and whats not, without me being able to block them, because if I will, I will block part of potential users accessing my site(because it’s part of the same CF IPs).

Cloudflare is a reverse proxy. You can mask your IP address, and have Cloudflare do virtually nothing to your content (no caching, security, optimization, etc) with certain settings and page rules.

No. Set it to :orange:, and turn off unwanted settings.

At least for Ports 80 and 443. You need to keep email ports completely open.

Ignorance is no substitute for knowledge. DDoS attacks come from outside Cloudflare. People who attribute a DDoS with Cloudflare IP addresses don’t understand how reverse proxies work.

What do you suggest I should turn off exactly, please? JavaScript via page rules? Is there anything else I should turn off or do(you mentioned something about settings along with the page rules)?

Got it, thanks.

Exactly? It’s up to you. But start with a Page Rule:
Match: example.com/*
Settings: Start with Caching (Bypass) and Auto Minify (OFF/Unchecked), Rocket Loader (OFF)

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.