Setting up CDN only - impact to existing site?

I currently use my own host for my website with a cPanel backend. All I want Cloudflare for currently is its CDN. Do I need to update my nameservers for this, and if I do that, do I have any impact to my existing stuff such as SSL, mail servers, etc. that are all currently managed in cPanel in my backend?

Apologies if this is a newbish question, I don’t really know what I’m doing here other than wanting to ensure I don’t mess up my current stuff while getting the speed benefits of a CDN from Cloudflare.

I wanted to add some more info here.

GoDaddy is where my domain is registered and I updated the nameservers to point to my current host. Once I did that over a year ago, I go to my cpanel for that host and adjust DNS settings and have set up MX for mail, and other records.

Changing my nameservers to Cloudflare to leverage their CDN makes me worry about all the records I’ve had in my cpanel, my email in the panel (horde or whatever the default built in mail provider is), etc.

Yes.

You’ll need to export your DNS records, then import them into Cloudflare. When you add your domain here, don’t opt for the auto-DNS scan, since you’ll be able to import an accurate list of records.

Only the DNS records for your website should be :orange: Proxied. That’s probably just the “A” records for example.com and www.example.com.

Mail should be on its own hostname, like mail.example.com, because you can’t :orange: Proxy email traffic.

Hopefully, cPanel for your domain name is also on its own hostname, because cPanel ports usually can’t be proxied.


That depends on how you currently obtain certificates for your services, but this will probably require additional configuration.
My recommendation would be to set up DNS challenges with certbot and certbot-dns-cloudflare.

Otherwise, you can use Cloudflare rules to make paths starting with /.well-known/acme-challenge/ available via http and disable the firewall and cache and other features for this path, but this also exposes your origin to attacks.


> You’ll need to export your DNS records, then import them into Cloudflare. When you add your domain here, don’t opt for the auto-DNS scan, since you’ll be able to import an accurate list of records.

Okay thank you, I can do that no problem.

> Only the DNS records for your website should be :orange: Proxied. That’s probably just the “A” records for example.com and www.example.com.

My DNS records have A, MX, TXT, CNAME, and SRV. Some of the CNAME go to a zendesk setup I have for a subdomain for the shop on my website. This is where I’m a bit confused as I would prefer to not screw my site up, my mail, shop, etc. by missing something. I don’t know enough about DNS to resolve it on my own, unfortunately.

> Mail should be on its own hostname, like mail.example.com, because you can’t :orange: Proxy email traffic.

That makes sense and I’m facepalming a bit. I have a CNAME for the subdomain (mail.<my-domain>.com) and then there is a MX record to <my-domain>.com too that was there from default cpanel records.

> Hopefully, cPanel for your domain name is also on its own hostname, because cPanel ports usually can’t be proxied.

I access cPanel at <my-domain>.com:<port>

> That depends on how you currently obtain certificates for your services, but this will probably require additional configuration.

I’m using Let’s Encrypt, which is built into cPanel for auto issuing/renewal with a click of a button.

As I said, just the website itself should be :orange: Proxied. All those other subdomains should be :grey: DNS Only.

That’s going to be a problem, because cPanel usually doesn’t use one of these ports:

If it’s just you using cPanel, you could add your server’s IP address to your computer’s local Hosts file, then you’ll go direct. Not a great workaround. Putting cPanel on its own hostname would be best.

Also, if anything gets weird, you can always toggle the affected hostname to :grey: DNS Only while you pause to figure it out. Let us know if you hit any snags.

First, thank you for your patience and help here, VERY much appreciate it!

> As I said, just the website itself should be :orange: Proxied. All those other subdomains should be :grey: DNS Only.

Got it, so import A records only, leave the rest in cPanel, and it should be fine?

> Putting cPanel on its own hostname would be best.

Anything to consider here in terms of messing up existing stuff? I mean I can make a subdomain or something for this I guess, but hosts file editing wouldn’t be ideal as I have multiple devices I own and access the site/cPanel through for admin.

> Also, if anything gets weird, you can always toggle the affected hostname to :grey: DNS Only while you pause to figure it out. Let us know if you hit any snags.

I assume this is a CF setting in the dashboard? I only want the CDN benefits for now, though anything else on the free tier is fine I guess too. By the name, I assume it’s a setting I can toggle to make it only do the CDN and nothing else? :thinking:

> That’s going to be a problem, because cPanel usually doesn’t use one of these ports:

Sorry for the double post, can’t find a way to edit my posts here…

I actually just re-read that doc and my HTTPS port for cPanel IS on the list! So maybe this is a non-issue?

You’ll need all your records here, since you’ll be using Cloudflare DNS.

Yes.

Cloudflare isn’t a typical CDN. It routes all your traffic through, since it’s a reverse proxy, but the CDN portion will cache static files without having to change the URL.


If you want to keep using this, you’ll need to configure some Cloudflare Rules (Configuration Rule, Cache Rule, WAF Rule) to make sure Cloudflare does not interfere with the challenge path in any way.


> If you want to keep using this, you’ll need to configure some Cloudflare Rules (Configuration Rule, Cache Rule, WAF Rule) to make sure Cloudflare does not interfere with the challenge path in any way.

Any docs you can suggest? This is a bit above my knowledge

You’ll want to create the following rules in Cloudflare:

WAF Rule:

URI Path
contains
/.well-known/acme-challenge/
then take action 
skip
(select all options)

Cache Rule:

URI Path
starts with
/.well-known/acme-challenge/
then
bypass cache

Configuration Rule:

URI Path
starts with
/.well-known/acme-challenge/
then
Browser Integrity Check - **Off**
Security Level - **Essentially Off**
SSL - **Off**

That should do the trick.

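The three rules above exist so that an unauthenticated plain-HTTP request to the challenge path reaches the origin untouched. The following script is an added example (not code from this thread, from cPanel or from Cloudflare) that you can run before a renewal: it fetches a random token under /.well-known/acme-challenge/ over port 80 exactly as the CA would, without following redirects, and classifies the response so you can see which rule is still missing. Assumptions: the origin answers 404 for unknown tokens, and the `cf-mitigated: challenge` and `cf-cache-status` response headers are the ones Cloudflare sets for challenge pages and cache state respectively.

```python
"""Pre-flight probe of the HTTP-01 challenge path through Cloudflare.

Added example, not code from the thread, cPanel or Cloudflare. Assumptions:
the origin returns 404 for unknown tokens; `cf-mitigated: challenge` marks a
Cloudflare challenge page; `cf-cache-status: HIT` marks a cached answer.
"""
from __future__ import annotations

import http.client
import secrets

ACME_PREFIX = "/.well-known/acme-challenge/"


def classify_probe(status: int, headers: dict[str, str]) -> str:
    """Map one response to the rule that is most likely missing.

    "https_redirect": the path is bounced to HTTPS, so the Configuration Rule
                      (SSL Off) / HTTPS-redirect exemption is not in effect
    "waf_challenge":  a Cloudflare challenge page was served; the WAF Skip rule
                      is missing or its expression does not match this path
    "blocked":        403 without a challenge marker; a WAF or origin rule blocks it
    "cached":         the answer came from Cloudflare's cache; the Cache Rule
                      (Bypass cache) is missing
    "origin_reached": 200/404 straight from the origin; all three rules look right
    "unexpected":     anything else, inspect by hand
    """
    h = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 307, 308) and h.get("location", "").lower().startswith("https://"):
        return "https_redirect"
    if h.get("cf-mitigated", "").lower() == "challenge":
        return "waf_challenge"
    if status == 403:
        return "blocked"
    if h.get("cf-cache-status", "").upper() == "HIT":
        return "cached"
    if status in (200, 404):
        return "origin_reached"
    return "unexpected"


def probe(hostname: str, token: str | None = None, timeout: float = 10.0) -> tuple[int, dict[str, str]]:
    """GET http://<hostname>/.well-known/acme-challenge/<token> on port 80, no redirects."""
    token = token or secrets.token_urlsafe(32)          # random, so nothing is cached for it yet
    conn = http.client.HTTPConnection(hostname, 80, timeout=timeout)
    try:
        conn.request("GET", ACME_PREFIX + token,
                     headers={"Host": hostname, "User-Agent": "acme-preflight/0.1"})
        resp = conn.getresponse()
        resp.read()                                     # drain so the socket closes cleanly
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # placeholder hostname
    status, headers = probe(host)
    print(host, status, classify_probe(status, headers))
```

Run it as `python3 acme_preflight.py www.example.com` after setting up the rules; the result should be `origin_reached`. If you see `waf_challenge` or `cached` the corresponding rule is not matching, and `https_redirect` means something is still forcing the path to HTTPS. Note that the same probe works for anyone on the internet, which is why the earlier reply warns that an exempted challenge path is also an exposure of the origin.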

Can you explain these a bit? Would love to learn versus just copy/pasting, though blind trust is fine for me right now, haha.

I assume this would be something I set up AFTER setting the NS stuff right (the other active convo I have going in this thread)?

Okay to confirm a final time before I make this swap (and thank you again for your patience here):

I’ll need the SRV, TXT, CNAME, A, MX, etc?

Therefore I export all of those from cpanel now. I enter them all manually into Cloudflare. Then I go to GoDaddy and update my NS to point to the Cloudflare ones.

Wait and see, then verify nothing is down, email works, etc?

Yes. ALL of them.

If GoDaddy is your domain registrar, then it’s this:


That seems to have worked!

I believe I got it all working! Thank you!


Shoot, unfortunately, I’m having an issue with my mail now. I’m seeing the following records that MAY be the reason, but I’d love some insight.

CNAME mail <my-domain>.com Proxied Auto

This record has an error triangle next to it stating: “This record exposes the IP address used in the A record on <my-domain>.com, which you have proxied through Cloudflare.”

Do I just turn off proxy on that?

The other item I see that may be an issue is I have a couple A Records pointing to IP Addresses which include the A Record for my domain, A record for webmail and A record for webmail.<subdomain>

I also have this record with the same warning triangle next to it:

MX <my-domain>.com <my-domain>.com DNS only 5 min

Cloudflare will not proxy email. Right now, it’s pointing to a proxied record, and that won’t work. So that CNAME record should be an A record instead, and have it point to the same IP address as example.com.

You’ll probably still see that warning, since email has to expose its server IP address. Unfortunately, your host uses the same server for email as it does for websites.

That’s not right, either. The MX record for example.com should point to mail.example.com