Your origin server will receive Cloudflare UP addresses instead of visitor IP

Does the {title} mean the free ip.locator apis my app uses will fail thinking visitors are all Cloudflare servers?
This my 1st experience with Cloudflare,
Does Cloudflare expect me to transfer my domains over for the “free” SSL to work?

Thank you for shedding some light on this as I hope I am embarking on the right ship or should I say cloud.

title taken from the following link:

You need to set your domain’s nameservers as the ones given to you by Cloudflare

It depends on how this is being run. If it is an API from a user’s browser, then it will be fine. If it is an API call from the server based on the IP that it sees, then you will need to restore visitor IPs

I believe I did the instruction at deleted 3 NS and added 3 NS records now like so

I now notice above the changed records listing it says

Perhaps I need to click on “DELETE ZONE” or “ADD NEW RECORD” I am lost

Yes the ip.locator API runs in my app client side (browser) Thank you for reassuring me.

DELETE ZONE means it will delete everything (all records)

There is a separate screen which may be the answer for NameServer?

But I have no idea how to make changes here

Nevermind, I found (noticed) the stupid “NAMESERVERS” tab, tabs don’t look like tabs anymore :slight_smile:

I will delete those 3 first records and cross my fingers

Is there a section that says Update DNS List if there is then change the servers in that section to the ones you got from Cloudflare. From your records, it looks like you are going to want to set up Email Routing

No nothing about “Update DNS List” now the DNS tab is all about Cloudflare.
The email forward, A, and MX records are still in place, are you saying they have no effect now?

I peaked briefly at the Email Routing link your shared. The custom address expects some input can I use * to mean ? forward to this email …

sorry can’t use angle-brackets on the that last line, forum swallowed it, I meant to say
…to mean anything forward to this email address

Yeah, with Cloudflare it is called a Catch-All address


it says Allowed characters: 0-9 a-z _ .

If your domain is, I can see that it’s now using Cloudflare’s nameservers:

$ whois
$ dig

; <<>> DiG 9.16.27-Debian <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28544
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:              106     IN      A       64.xx.xx.25

However, it doesn’t appear to be proxied (orange cloud) though. If you want to use Cloudflare’s features, such as SSL amongst other things, you’ll need to proxy it. With that said, you should ensure that your origin has a valid SSL and use Full rather than Flexible.

On the Routes tab, scroll down to Catch-all address.

You don’t want a custom address. Further down the page, you want Catch all address, this acts a * as any email that aren’t found with a custom address will be sent here.

1 Like

On the Cloudflare DNS “pane” it shows “proxied”

To get the free SSL should I generate the CSR on Cloudflare using pane SSL/TLS / Origin Server / Create Certificate or should I generate the CSR on my server using

openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr -subj ....

after creating the certificate I would have to install it on my apache config file.

Yesterday, when I tried the create the certificate it kept flashing the following at the bottom of the screen.

Failed to validate requested hostname * This zone is either not part of your account, or you do not have access to it. Please contact support if using a multi-user organization Code: 1010

Should I keep waiting for the “pending status” to resolve or is specific actions/steps for me take.
Thank you.

The pending status should go away on its own once Cloudflare sees that the nameserver changes have propagated and the zone is active. That pending status would be why they’re not currently being proxied even though you’ve got them set to.

For the SSL, once your zone is active on Cloudflare, you could simply use a Cloudflare origin certificate on your origin server. It won’t be valid if you directly access your origin without proxying through Cloudflare but it’s valid to secure traffic between Cloudflare and your origin though. It can be used with the Full (Strict) setting.

Looks like your zone is now active on Cloudflare:

$ dig

; <<>> DiG 9.16.27-Debian <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21511
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:              300     IN      A              300     IN      A

from this link

Is this file “origin_ca_rsa_root.pem” file the same as what is intended by SSLCertificateChainFile in the apache configuration?, in my previous registrar the certification generation process also provided a “CAChain.crt” file not sure if it is needed but the combination of all 3 files is working on another domain of mine.
I am trying to follow that pattern with like so

Yea, you can set SSLCertificateChainFile to Cloudflare’s Origin root CA. Looking at your SSLCertificateFile and SSLCertificateKeyFile though, the spaces in the filename/path as-it-is may be causing you some issues.

Yes caught that :slight_smile: soon after the reply and used underscores

I see the address in the browser switch to https but it fails saying it’s not redirecting properly.

Here is my current complete

What is your SSL setting in Cloudflare? If you’re using Cloudflare’s origin certificate, it should be Full (Strict).

If you’ve got it set to Flexible, you’ll get the redirect loop with your VirtualHost configurations. When I go to in my browser, I’m seeing a redirect from port 80 at your origin.

BTW, I could not post this yesterday, the forum said I reached my maximum of Cloudflare blessings on this forum. :rofl: :rofl: :rofl:
I also got bombarded by email I think because I tried to paste my apache config as text.

Yes Cloudflare SSL setting was somehow set to flexible, and I set it to full strict, few hours later things started working…

BTW, I appreciate immensely your guidance in all of this. :pray: I could not have done it alone.