Use Cloudflare Proxies

Hide your actual server IP. If they can find your origin, they can bypass your firewall.

Why Your Server IP Is Your Weakest Link

You've set up Cloudflare. You have DDoS protection, WAF rules, rate limiting. You feel secure.

But if someone knows your origin server's real IP address, they can bypass everything. They skip Cloudflare entirely and send traffic straight to your server. All your protection becomes irrelevant.

How Origin IPs Get Exposed

  • Historical DNS records: Services like SecurityTrails and Shodan catalog DNS history. If you ever pointed your domain directly at your server before adding Cloudflare, that IP is in the database
  • Email headers: If your server sends emails, the sending IP can appear in email headers
  • Subdomains: You put your main domain through Cloudflare but left mail.yourdomain.com or staging.yourdomain.com as direct A records
  • SSL certificates: Certificate Transparency logs show every certificate ever issued for your domain — including ones issued before Cloudflare
  • Misconfigured apps: Your app returns server-identifying headers or error messages that reveal infrastructure details

What the Cloudflare Orange Cloud Actually Does

When you set a DNS record in Cloudflare with the "orange cloud" (proxied) enabled:

  1. Public DNS lookups for your domain return two Cloudflare IPs instead of your server's
  2. All traffic hits Cloudflare's network first
  3. Cloudflare filters, inspects, and then forwards clean traffic to your real IP
  4. Your real IP never appears in DNS responses

Hardening Your Origin

After proxying through Cloudflare, lock down your origin server:

  1. Firewall rule: Accept HTTP/HTTPS traffic ONLY from Cloudflare IP ranges (published at cloudflare.com/ips), so requests that skip Cloudflare are dropped before they reach the web server
  2. Cloudflare Authenticated Origin Pulls: Your server only accepts TLS connections that present Cloudflare's client certificate, so even traffic that reaches the origin fails the handshake unless it came through Cloudflare
  3. Audit your subdomains: Every unproxied A record is a potential IP leak
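As an added example (not from the original tip), a Python script that covers steps 1 and 3 above: it flags hostnames whose DNS answers fall outside Cloudflare's ranges, which is exactly how the unproxied mail and staging records in the "How Origin IPs Get Exposed" section leak the origin, and it renders the matching nftables allow-list for the web ports. The Cloudflare ranges are a short excerpt of the published lists, and the DNS answers and hostnames are constructed for the example.

```python
import ipaddress
from typing import Dict, Iterable, List

# Excerpt of Cloudflare's published edge ranges, frozen here as a sample. A real
# audit loads the current lists from cloudflare.com/ips-v4 and /ips-v6, since
# the ranges change over time.
CF_RANGES_SAMPLE = ["173.245.48.0/20", "103.21.244.0/22", "2400:cb00::/32"]

# Constructed DNS answers (what `dig +short <host>` would return), not real hosts.
# 203.0.113.7 is a documentation address standing in for a leaked origin IP.
DNS_ANSWERS_SAMPLE = {
    "www.example.com": ["173.245.48.10", "2400:cb00:2048::1"],  # proxied
    "mail.example.com": ["203.0.113.7"],                         # direct A record
    "staging.example.com": ["203.0.113.7"],                      # same origin IP
}


def audit_dns_answers(answers: Dict[str, List[str]], cidrs: Iterable[str]) -> Dict[str, List[str]]:
    """Return, per hostname, the answers that are NOT Cloudflare addresses.

    Any hostname in the result is unproxied: the address it hands out reaches the
    origin directly, bypassing the WAF, rate limits and DDoS filtering.
    """
    networks = [ipaddress.ip_network(c) for c in cidrs]
    exposed: Dict[str, List[str]] = {}
    for host, ips in answers.items():
        # `addr in net` is False when IP versions differ, so mixing v4 and v6 is safe.
        leaks = [ip for ip in ips if not any(ipaddress.ip_address(ip) in n for n in networks)]
        if leaks:
            exposed[host] = leaks
    return exposed


def nft_origin_rules(cidrs: Iterable[str], ports: Iterable[int] = (80, 443)) -> List[str]:
    """Render nftables rules that accept the web ports only from the given ranges
    and drop everything else on them, so traffic that skips Cloudflare never
    reaches the web server. Other services (SSH, mail) need their own rules."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    v4 = [str(n) for n in nets if n.version == 4]
    v6 = [str(n) for n in nets if n.version == 6]
    port_set = "{ " + ", ".join(str(p) for p in ports) + " }"
    rules = []
    if v4:
        rules.append(f"ip saddr {{ {', '.join(v4)} }} tcp dport {port_set} accept")
    if v6:
        rules.append(f"ip6 saddr {{ {', '.join(v6)} }} tcp dport {port_set} accept")
    rules.append(f"tcp dport {port_set} drop")  # default-deny: not from Cloudflare
    return rules
```

Each string from nft_origin_rules is a rule body for `nft add rule inet filter input ...`; regenerate and reload them whenever Cloudflare's published ranges change. Run audit_dns_answers over every hostname in your zone, not just the apex, since the leaks are in the records you forgot to proxy.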

Free Tier Is Enough

Cloudflare's free plan includes:

  • DDoS mitigation
  • CDN with global edge caching
  • Basic WAF rules
  • SSL/TLS termination

There's no reason to expose your origin server directly. Proxy everything through Cloudflare and lock your firewall to their IP ranges.

The Voice of Cash delivers professional security audits and hands-on implementation.
