Cloudflare DNS for RunCloud (Security & Performance)

Cloudflare DNS is one of the best DNS providers in the world. It offers free accounts, so anyone can not only manage their domain names but also benefit from the additional security and performance features built into the service. In this article we share some tips for using Cloudflare with RunCloud to improve the security and performance of your server and web applications.

What is Domain Name System (DNS)?

The Domain Name System (DNS) is the Internet’s equivalent of a phone book. DNS servers maintain a directory of domain names and translate them to IP addresses, so you do not need to memorize a domain’s IP address, a string of numbers, for every website you wish to visit. Essentially, “runcloud.io” is far easier to remember than 45.56.94.252.

Most domain name registrars include DNS management tools with their domain registration service. In addition, there are also free DNS services available if your domain registrar does not include DNS hosting, or if you prefer to manage your DNS elsewhere.

Cloudflare, the Best DNS for Everyone

Cloudflare is a U.S. company that provides DNS services, a Content Delivery Network (CDN), DDoS protection, and other Internet security services.

Cloudflare’s authoritative DNS is among the most widely used in the world and consistently ranks among the fastest. Changes to your records are live on Cloudflare’s nameservers within seconds. Recursive resolvers elsewhere still cache a record for the TTL you set, so the “up to 48 hours” often quoted for DNS propagation is the worst case when a long TTL is already cached; lower the TTL ahead of a planned change if you need the old record to expire quickly.

Best of all, Cloudflare is available to absolutely everyone. You can sign up for a free Cloudflare account and benefit from additional security and performance features at no extra cost.

Using Cloudflare on RunCloud

RunCloud offers you an easy way to manage your server and web application. You still need a DNS service to resolve your domain name to your RunCloud managed server’s IP address and load your web application.

The following are some tips for RunCloud customers who are using Cloudflare’s DNS service for their servers:

1. Restore visitor’s real IP addresses

When a DNS record is proxied (the orange cloud), Cloudflare acts as a reverse proxy in front of your RunCloud server, so every connection your server sees comes from a Cloudflare IP address. Without the real client address, your access logs, analytics and any tooling that bans abusive clients (fail2ban, WordPress security plugins, rate limits) act on Cloudflare’s addresses instead of the attacker’s.

To restore the visitor’s IP address, NGINX’s real_ip module must be told which peers are allowed to set it (Cloudflare’s published IP ranges) and which request header to read it from. Trusting the header only when the connection comes from those ranges matters: a request that reaches your server directly can carry any X-Forwarded-For value the sender likes, and if you trusted it unconditionally you would log, rate-limit and ban whatever address the attacker chose.

Log in to your RunCloud server by SSH as root, then edit /etc/nginx-rc/main-extra.conf:

# nano /etc/nginx-rc/main-extra.conf

Add the following lines in the file:

# Cloudflare's published IP ranges at the time of writing. Cloudflare adds and
# retires ranges, so compare this list with https://www.cloudflare.com/ips-v4
# and https://www.cloudflare.com/ips-v6 before relying on it. Only connections
# from these ranges may set the client address; the header is ignored on
# connections from anywhere else, which is what prevents spoofing.
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 199.27.128.0/21;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;

# The header to take the client address from. Cloudflare appends the visitor's
# address as the last entry of X-Forwarded-For, which is the entry NGINX uses
# here. Cloudflare also sends the address on its own in CF-Connecting-IP; to
# use that instead, change this line to: real_ip_header CF-Connecting-IP;
real_ip_header X-Forwarded-For;

Check the NGINX configuration for syntax errors after editing it:

# nginx-rc -t

Then, reload the NGINX service:

# systemctl reload nginx-rc

Now your visitors will be logged with their real IP addresses. This only helps if attackers cannot reach the origin directly: if your server’s IP address is known, anyone can bypass Cloudflare (and every Page Rule described below) by connecting to it, so restrict ports 80 and 443 in your server firewall to the same Cloudflare ranges.
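As an added example (not RunCloud’s or Cloudflare’s own tooling), the following POSIX shell script regenerates the list above from Cloudflare’s published range files instead of relying on a pasted snapshot, and validates every line before anything is written, so a failed download (an HTML error page, a captive portal) can never land in the NGINX configuration. The generated file name /etc/nginx-rc/cloudflare-real-ip.conf and the use of an include line in main-extra.conf are assumptions; the rest follows the procedure above.

```shell
#!/bin/sh
# Added example, not RunCloud's or Cloudflare's code. Fetches Cloudflare's
# published IP ranges, renders the NGINX real_ip directives from them, checks
# the syntax and reloads nginx-rc. Paths marked "assumption" are illustrative.
set -eu

# Format check: an IPv4 or IPv6 prefix in CIDR notation. It does not validate
# octet ranges; its job is to reject anything not shaped like a prefix.
is_cidr() {
    printf '%s\n' "$1" | grep -Eq \
        '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$|^[0-9a-fA-F:]+/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'
}

# Read prefixes from stdin, one per line, and print the NGINX directives.
# $1 selects the header: CF-Connecting-IP (default) carries only the visitor
# address; X-Forwarded-For, as in the article, has it appended as the last
# entry. Output is buffered and printed only once every line has passed, so a
# bad line anywhere in the input produces no directives at all.
render_real_ip_conf() {
    header="${1:-CF-Connecting-IP}"
    nl="$(printf '\nx')"; nl="${nl%x}"
    out=""
    while IFS= read -r prefix; do
        [ -n "$prefix" ] || continue
        if ! is_cidr "$prefix"; then
            echo "refusing to render: not a CIDR prefix: $prefix" >&2
            return 1
        fi
        out="${out}set_real_ip_from ${prefix};${nl}"
    done
    [ -n "$out" ] || { echo "refusing to render: empty list" >&2; return 1; }
    printf '%sreal_ip_header %s;\n' "$out" "$header"
}

# Download both lists, install the rendered file, make sure main-extra.conf
# includes it, and reload NGINX only after nginx-rc -t succeeds.
# Needs network access and root; the conf path is an assumption.
install_real_ip_conf() {
    conf="${1:-/etc/nginx-rc/cloudflare-real-ip.conf}"
    main_extra="/etc/nginx-rc/main-extra.conf"
    v4="$(curl -fsS https://www.cloudflare.com/ips-v4)"
    v6="$(curl -fsS https://www.cloudflare.com/ips-v6)"
    tmp="$(mktemp)"
    printf '%s\n%s\n' "$v4" "$v6" | render_real_ip_conf > "$tmp"
    install -m 0644 "$tmp" "$conf"
    rm -f "$tmp"
    grep -qF "include $conf;" "$main_extra" 2>/dev/null \
        || printf 'include %s;\n' "$conf" >> "$main_extra"
    nginx-rc -t && systemctl reload nginx-rc
}

# On the server, run:  install_real_ip_conf
```

Run install_real_ip_conf from a cron job or whenever Cloudflare announces a range change. It leaves the server untouched if either download fails, if any line is not a CIDR prefix, or if the rendered list is empty, and because the generated file lives beside main-extra.conf rather than replacing it, anything else you keep in main-extra.conf survives.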

2. Stop Cloudflare’s HTTPS redirect loop

If you combine Cloudflare’s Flexible SSL mode with a certificate on the web application itself (Let’s Encrypt or a custom certificate), you can end up in a redirect loop, and the browser shows “The page isn’t redirecting properly” or “ERR_TOO_MANY_REDIRECTS”. Flexible means Cloudflare terminates HTTPS for the visitor but talks to your origin over plain HTTP; if the origin redirects plain HTTP to HTTPS, which is the usual configuration once a certificate is installed, Cloudflare relays that redirect to the browser, the browser requests the HTTPS page again, and the cycle repeats.

The fix is to set Cloudflare’s SSL mode to Full or, better, Full (Strict). Both connect to the origin over HTTPS; only the strict variant verifies the origin’s certificate, so a valid Let’s Encrypt certificate on the RunCloud side is exactly what you want. The alternative, keeping Flexible and removing the RunCloud-generated certificate from the Web Application’s management panel in the RunCloud dashboard, also stops the loop, but it leaves the hop between Cloudflare and your server unencrypted, so only the visitor-to-Cloudflare leg is actually protected.
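A quick check for the origin-side half of the loop, added here as an example (not part of the article or of RunCloud): it asks the local NGINX for the site over plain HTTP, exactly as Cloudflare does in Flexible mode, and reports whether the answer is a redirect to https://. If it is, Flexible will loop and the SSL mode must be Full (Strict). The hostname and the 127.0.0.1 origin address are assumptions to substitute.

```shell
#!/bin/sh
# Added example, not the article's or RunCloud's code: detect the origin-side
# HTTP-to-HTTPS redirect that causes a loop under Cloudflare Flexible mode.

# Parse a raw HTTP response head (status line plus headers) from stdin.
# Returns 0 if it is a 301/302/307/308 whose Location starts with https://,
# 1 otherwise. CRLF line endings are handled.
redirects_to_https() {
    cr="$(printf '\r')"
    status=""
    location=""
    while IFS= read -r line; do
        line="${line%"$cr"}"
        case "$line" in
            HTTP/*)        status="$(printf '%s' "$line" | cut -d' ' -f2)" ;;
            [Ll]ocation:*) location="${line#*:}"; location="${location# }" ;;
        esac
    done
    case "$status" in
        30[1278]) ;;
        *) return 1 ;;
    esac
    case "$location" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Fetch the site over plain HTTP from the origin itself, bypassing Cloudflare
# (--resolve pins the hostname to the origin address), and report.
# $1 = hostname (assumption: your site), $2 = origin address, default localhost.
check_flexible_loop() {
    host="$1"
    origin="${2:-127.0.0.1}"
    if curl -sS -o /dev/null -D - --resolve "$host:80:$origin" "http://$host/" \
        | redirects_to_https; then
        echo "LOOP RISK: $host redirects plain HTTP to HTTPS at the origin; use Full (Strict), not Flexible"
        return 1
    fi
    echo "ok: origin serves $host over plain HTTP without redirecting to HTTPS"
}

# On the server, run:  check_flexible_loop example.com
```

The parser is kept separate from the fetch so it can be exercised on a captured response head; the status check deliberately accepts 307 and 308 as well as 301 and 302, since all four are relayed by Cloudflare and all four loop.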

3. Protect Your Web Application using CloudFlare Page Rules

Cloudflare offers Page Rules to apply Cloudflare settings per URL pattern. They are useful for giving certain paths stricter settings than the rest of the site; for example, you may want higher security on your application’s login page. Page Rules are evaluated in the order shown in the dashboard and only the first matching rule applies, so keep these specific rules above any site-wide rule. The pattern matches the full URL, so use *domain.tld/… if the site is also reached as www.domain.tld. The following Page Rules protect a WordPress application’s login page and admin panel:

Protect WordPress login page


URL: domain.tld/wp-login.php*

Page Rule Settings:

  • Browser Integrity Check: On
  • Security Level: I’m Under Attack
  • Cache Level: Bypass

Protect WordPress admin panel


URL: domain.tld/wp-admin*

Page Rule Settings:

  • Browser Integrity Check: On
  • Security Level: I’m Under Attack
  • Cache Level: Bypass

Cloudflare’s “I’m Under Attack” mode puts a JavaScript challenge in front of the path: visitors see an interstitial page for about five seconds while Cloudflare checks that the client is a real browser, and requests that fail the check never reach your server. One caveat for WordPress: the wp-admin* pattern also matches wp-admin/admin-ajax.php, which themes and plugins call from the public front end, and a visitor who has not passed the challenge receives the challenge page instead of the AJAX response. If your site relies on it, add a rule for domain.tld/wp-admin/admin-ajax.php* above the wp-admin rule with Security Level set back to your normal level and Cache Level: Bypass (the free plan includes three Page Rules, so this may cost you one of them).

4. Improve Web Performance

By default, Cloudflare caches only specific static file types, not HTML or other dynamic responses. The Cache Everything option in a Page Rule caches every response under the pattern, HTML included (a full page cache), which gives the best performance for pages that look the same to every visitor.


URL: domain.tld/*

Page Rule Settings:

  • Cache Level: Cache Everything
  • Edge Cache TTL: 2 hours

“Cache Everything” stores whole pages on Cloudflare’s edge. “Edge Cache TTL” sets how long the edge keeps a copy before fetching it from the origin again; with 2 hours, a page is served from cache for up to two hours after it was last fetched. Use it only for content that is identical for all visitors: a site-wide rule like this also caches pages for logged-in users, carts and checkouts, so add Cache Level: Bypass rules above it for those paths (see the comments below for WooCommerce).
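Added example (not Cloudflare’s or RunCloud’s code): the three Page Rules from sections 3 and 4 built as Cloudflare v4 API requests, plus the optional admin-ajax.php exception, with explicit priorities so the specific rules win over the site-wide Cache Everything rule. CF_API_TOKEN (an API token allowed to edit Page Rules) and CF_ZONE_ID (the zone identifier from the dashboard) are assumptions the reader supplies; in the API’s priority field the higher number takes precedence.

```shell
#!/bin/sh
# Added example, not Cloudflare's or RunCloud's code. Builds and submits the
# Page Rules from the article via the Cloudflare v4 API. CF_API_TOKEN and
# CF_ZONE_ID are assumptions supplied by the operator.

# Build the JSON body for one rule. $1 = URL pattern, $2 = priority (higher
# number takes precedence), remaining arguments = action id=value pairs.
page_rule_json() {
    pattern="$1"; priority="$2"; shift 2
    actions=""
    for pair in "$@"; do
        id="${pair%%=*}"; value="${pair#*=}"
        # edge_cache_ttl takes seconds as a number; the other values are strings
        case "$id" in
            edge_cache_ttl) item="{\"id\":\"$id\",\"value\":$value}" ;;
            *)              item="{\"id\":\"$id\",\"value\":\"$value\"}" ;;
        esac
        actions="${actions:+$actions,}$item"
    done
    printf '{"targets":[{"target":"url","constraint":{"operator":"matches","value":"%s"}}],"actions":[%s],"priority":%s,"status":"active"}' \
        "$pattern" "$actions" "$priority"
}

# POST one rule body. Needs network access and the two variables above.
create_page_rule() {
    curl -fsS -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/pagerules" \
        -H "Authorization: Bearer $CF_API_TOKEN" \
        -H "Content-Type: application/json" \
        --data "$1"
}

# The article's three rules, one JSON body per line, most specific first.
# The leading * also matches the www. hostname.
wordpress_page_rules() {
    domain="$1"
    page_rule_json "*$domain/wp-login.php*" 3 browser_check=on security_level=under_attack cache_level=bypass
    echo
    page_rule_json "*$domain/wp-admin*"     2 browser_check=on security_level=under_attack cache_level=bypass
    echo
    page_rule_json "*$domain/*"             1 cache_level=cache_everything edge_cache_ttl=7200
    echo
}

# Optional fourth rule: keep front-end AJAX working by exempting
# admin-ajax.php from the challenge. Must outrank the wp-admin rule.
admin_ajax_exception_rule() {
    page_rule_json "*$1/wp-admin/admin-ajax.php*" 4 security_level=medium cache_level=bypass
    echo
}

# To apply:  wordpress_page_rules example.com | while IFS= read -r body; do create_page_rule "$body"; done
```

Bodies are emitted one per line so they can be reviewed before anything is sent; the catch-all Cache Everything rule gets the lowest priority on purpose, since any rule placed below it would never be evaluated for URLs it matches.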

Now you know some Cloudflare tips to improve your RunCloud server’s security and performance. Are you a Cloudflare user? What is your best tip? Please share it in the comments.

5 responses to “Cloudflare DNS for RunCloud (Security & Performance)”

  1. Arnold says:

    Ubuntu is good, while CentOS and Debian are also fantastic distros. Are these two distros on your planning board?

  2. Lakewood says:

    The full page cache doesn’t work very well for dynamic content such as ecommerce stores or sites that have restricted content for logged in visitors.

  3. Jeff Cleverly says:

    In the case of eCommerce stores, you can set page rules for pages with dynamic content such as the cart page, checkout and account pages. Same with pages with restricted content. It takes a little more work when you want to have a ‘dynamic’ cart section shown throughout the site.

  4. Philip churchill says:

    What page rules would you apply for pages with dynamic content such as the cart page, checkout and account pages? Can you go through the settings please.

    • Jeff Cleverly says:

      For any of the dynamic pages, just turn the page caching off in the CloudFlare page rules – set cache to bypass. For a standard WooCommerce install that would be the cart page, the checkout page, and the my-account page.
