What Cloudflare CDN Does and Why It Matters
Cloudflare acts as a reverse proxy between your server and the people visiting your website. When configured correctly, it routes all traffic through Cloudflare's global network of edge servers, which cache static assets like images, CSS files, and JavaScript close to your visitors. This means someone in Edinburgh gets served content from a nearby European server rather than waiting for a round trip to your origin server in a different data centre.
The practical result is lower latency, reduced bandwidth load on your origin server, and built-in DDoS protection without extra hardware or expensive enterprise contracts. For small businesses and personal projects in the UK, this level of infrastructure used to require significant investment. Cloudflare makes it accessible through a free tier that covers the essentials well.
How Cloudflare Routes Traffic
When you add your domain to Cloudflare, you update your domain's DNS settings at your registrar to point to Cloudflare's nameservers instead of your hosting provider's defaults. From that point, Cloudflare becomes the intermediary for all traffic to your domain.
Requests hit a Cloudflare edge server first. If the requested content is already cached at that location, it is served directly without touching your origin server at all. If the content is not cached, Cloudflare fetches it from your origin, serves it to the visitor, and stores a copy at the edge for future requests.
Static assets such as images, stylesheets, scripts, and font files are cached across Cloudflare's global network. Dynamic content like personalised HTML pages or API responses still passes through to your origin server, but Cloudflare can accelerate even this traffic using features like Argo Smart Routing on paid plans, which routes requests through less congested network paths.
Adding Your Domain to Cloudflare
The setup process starts at cloudflare.com where you create an account and add your domain. Cloudflare automatically fetches your current DNS records from your registrar, which saves time and reduces the risk of accidentally losing records during the transition.
Review the imported records carefully. Your basic configuration should include records similar to these:
Type   Name   Content               Proxy status
A      @      YOUR_SERVER_IP        Proxied
A      www    YOUR_SERVER_IP        Proxied
MX     @      mail.yourdomain.com   DNS only
For subdomains that should not go through Cloudflare's proxy, such as mail server entries, cPanel access URLs, or API endpoints that need direct connections, set the proxy status to DNS only. This keeps those services working normally while your main website and static assets benefit from Cloudflare's caching and protection.
After reviewing your records, update your domain's nameservers at your registrar to the addresses Cloudflare provides. DNS propagation typically completes within a few hours but can take up to 48 hours in some cases. During this window, some visitors may still reach your server directly while others route through Cloudflare.
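The rules in this section (proxy only the web hosts, keep mail and other direct-connection hosts as DNS only) are easy to get wrong when a long list of records is imported in one go. The following is an added example, not code from the article or from Cloudflare: a small pre-flight linter over a constructed record set that flags a proxied mail host, a proxied API host, and an MX record whose target is behind the proxy (SMTP cannot traverse Cloudflare's HTTP proxy, so mail delivery would fail). The zone name, the record set and the list of direct-only host names are assumptions for the example.

```javascript
// Added example, not from the article: a pre-flight check for the DNS records
// imported into Cloudflare, encoding the rules given above. Only A, AAAA and
// CNAME records can be proxied; hosts that need direct connections (mail,
// cPanel, API endpoints) must stay DNS only; and an MX record must not point
// at a proxied name, because SMTP cannot pass through the HTTP proxy.
// The zone name, the record set and the direct-only host list are constructed.

const ZONE = 'yourdomain.com';
const PROXIABLE_TYPES = new Set(['A', 'AAAA', 'CNAME']);
// Hosts that must bypass the proxy (constructed list; extend for your setup).
const DIRECT_ONLY_NAMES = new Set(['mail', 'cpanel', 'api']);

// Constructed sample zone: the article's three records plus two deliberate
// mistakes (mail and api proxied).
const SAMPLE_RECORDS = [
  { type: 'A',  name: '@',    content: '203.0.113.10', proxied: true },
  { type: 'A',  name: 'www',  content: '203.0.113.10', proxied: true },
  { type: 'A',  name: 'mail', content: '203.0.113.10', proxied: true },
  { type: 'MX', name: '@',    content: 'mail.yourdomain.com', proxied: false },
  { type: 'A',  name: 'api',  content: '203.0.113.20', proxied: true },
];

// Reduce a hostname inside the zone to its relative label ('mail', or '@' for
// the apex); return null for hostnames outside the zone.
function relativeName(fqdn, zone) {
  const host = fqdn.replace(/\.$/, '').toLowerCase();
  if (host === zone) return '@';
  if (host.endsWith('.' + zone)) return host.slice(0, -(zone.length + 1));
  return null;
}

// Return a list of human-readable findings; an empty list means the zone
// follows the rules above.
function lintRecords(records, zone) {
  const findings = [];
  const isProxiedHost = (name) =>
    records.some((r) => PROXIABLE_TYPES.has(r.type) && r.name === name && r.proxied);

  for (const r of records) {
    if (r.proxied && !PROXIABLE_TYPES.has(r.type)) {
      findings.push(`${r.type} ${r.name}: only A, AAAA and CNAME records can be proxied; set to DNS only`);
    } else if (r.proxied && DIRECT_ONLY_NAMES.has(r.name)) {
      findings.push(`${r.type} ${r.name}: this host needs direct connections; set to DNS only`);
    }
  }

  for (const mx of records.filter((r) => r.type === 'MX')) {
    const label = relativeName(mx.content, zone);
    // A target outside the zone (an external mail provider) is not ours to check.
    if (label !== null && isProxiedHost(label)) {
      findings.push(`MX ${mx.name} -> ${mx.content}: target is proxied, so mail cannot be delivered; set ${label} to DNS only`);
    }
  }

  // The main site should be proxied, or it gets no caching or DDoS protection.
  for (const name of ['@', 'www']) {
    if (!isProxiedHost(name)) {
      findings.push(`${name}: no proxied A, AAAA or CNAME record, so this host gets no caching or DDoS protection`);
    }
  }
  return findings;
}
```

Run `lintRecords(SAMPLE_RECORDS, ZONE)` against the constructed zone and it reports three findings: the proxied mail host, the proxied api host, and the MX record pointing at the proxied mail host. A zone that follows the table above returns an empty list. Feeding it the records exported from the Cloudflare dashboard before switching nameservers catches the mistakes described in this section while they are still cheap to fix.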
Setting Up SSL and TLS Encryption
Cloudflare provides SSL certificates at the edge at no cost and can terminate the encrypted connection there. Your origin server can also have its own certificate. This gives you several SSL modes to choose from depending on your setup.
- Off: No encryption between visitor and Cloudflare. Not recommended for any site that handles user data.
- Flexible: Visitor to Cloudflare uses HTTPS, but Cloudflare to your origin server uses plain HTTP. This works if your server does not have SSL configured, but it leaves a gap in encryption.
- Full: Both legs of the connection use HTTPS. Your server must have an SSL certificate installed, even if it is self-signed.
- Full (strict): Same as Full, but Cloudflare validates that your origin certificate is issued by a trusted certificate authority. This is the recommended setting.
Setting the mode to Full (strict) gives you the strongest security. Your origin server needs a valid certificate from a trusted provider like Let's Encrypt, which offers free certificates and integrates well with most web servers.
# Install Let's Encrypt and generate a certificate for Nginx
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
# After installation, certbot configures Nginx automatically
# and sets up automatic renewal
After generating your certificate, confirm that Cloudflare's SSL mode is set to Full (strict) in the SSL/TLS section of your dashboard. Your visitors see Cloudflare's trusted certificate, while your origin server also communicates over HTTPS with a validated certificate.
Configuring Cache Behaviour for Static Assets
Cloudflare caches static assets by default, but the default behaviour may not match your specific needs. You can adjust what gets cached and for how long in the Caching section of the dashboard.
In Caching > Configuration, set the Cache TTL for both edge cache and browser cache. For most websites, a TTL of one month works well for images, CSS, and JavaScript files that change infrequently. Longer TTLs reduce origin requests further but mean updates take longer to appear for visitors who already have cached copies.
# Example Cloudflare Page Rule for caching static assets
# Pattern: yourdomain.com/static/*
# Setting: Cache Level = Cache Everything
# Edge Cache TTL: 1 month
# Browser Cache TTL: 1 month
If your site uses a content management system like WordPress, exclude the admin area and logged-in user pages from caching. Serving cached pages to authenticated users breaks login functionality and can expose private content.
# Page Rule to bypass cache for WordPress admin
# Pattern: yourdomain.com/wp-admin/*
# Setting: Bypass cache
# Setting: Disable apps
# Setting: Disable performance features
Consider how this fits with your broader website performance strategy. A CDN reduces load times for static files, but overall site speed depends on how your web server handles dynamic requests, how efficiently your code runs, and whether your database queries are optimised. These topics often come up when reviewing a website's performance baseline, which is why many site owners start with a practical review before making configuration changes.
Purging Cache After Updates
When you update your site, cached content may become stale. Cloudflare offers several ways to clear cached data manually or automatically.
To purge everything at once through the Cloudflare API:
# Purge all cached content. YOUR_API_TOKEN is an API token: the Bearer scheme
# does not accept the legacy global API key, which uses the X-Auth-Email and
# X-Auth-Key headers instead.
curl -X POST "https://api.cloudflare.com/client/v4/zones/YOUR_ZONE_ID/purge_cache" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"purge_everything": true}'
To purge specific URLs instead of the entire cache:
# Purge specific files (same token as above)
curl -X POST "https://api.cloudflare.com/client/v4/zones/YOUR_ZONE_ID/purge_cache" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"files": ["https://yourdomain.com/images/hero.webp", "https://yourdomain.com/css/style.css"]}'
Rather than purging manually after every update, automate this process where possible. The official Cloudflare plugin for WordPress handles cache purging automatically when you publish or edit content. For custom sites, add cache purge calls to your deployment scripts so the CDN reflects your latest changes as soon as the deployment completes.
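For a custom site, the deployment-script purge described above needs a little more than a single curl call: the list of changed files has to be turned into absolute URLs, only paths on your own site should ever be purged, and the request has to be split because one purge-by-URL call accepts a limited number of URLs. The following is an added example, not the article's code and not Cloudflare's SDK. It assumes a per-request limit of 30 URLs (check the limit for your plan), uses a placeholder zone id, reads the token from the environment, and takes the fetch implementation as a parameter so the helper can be exercised offline.

```javascript
// Added example, not the article's or Cloudflare's code: a deployment-time
// purge helper around the purge_cache endpoint shown above. It builds
// purge-by-URL bodies from the paths a deployment changed, batching them
// because one request accepts a limited number of URLs (30 assumed here;
// adjust to the limit for your plan), and falls back to purge_everything
// when the change set is too large to be worth purging file by file.
// Assumptions: the zone id and token are placeholders, the token is read
// from the environment, and fetch is injectable so the helper runs offline.

const PURGE_BATCH_SIZE = 30;       // URLs per purge request (assumed limit)
const FULL_PURGE_THRESHOLD = 300;  // above this many URLs, purge everything

// Convert site-relative paths to absolute URLs, rejecting anything that is
// not a plain absolute path on this site (no scheme, host or '..' segments),
// so an untrusted change list cannot point the purge at other URLs.
function purgeUrlsFor(siteOrigin, changedPaths) {
  const origin = new URL(siteOrigin).origin;
  const urls = new Set();
  for (const p of changedPaths) {
    const bad = typeof p !== 'string' || !p.startsWith('/') ||
      p.startsWith('//') || p.split('/').includes('..');
    if (bad) throw new Error(`refusing to purge non-site path: ${JSON.stringify(p)}`);
    urls.add(new URL(p, origin).toString());
  }
  return [...urls];
}

// Split the URL list into the request bodies the endpoint accepts.
function buildPurgeBatches(siteOrigin, changedPaths,
                           batchSize = PURGE_BATCH_SIZE,
                           fullPurgeThreshold = FULL_PURGE_THRESHOLD) {
  const urls = purgeUrlsFor(siteOrigin, changedPaths);
  if (urls.length === 0) return [];
  if (urls.length > fullPurgeThreshold) return [{ purge_everything: true }];
  const batches = [];
  for (let i = 0; i < urls.length; i += batchSize) {
    batches.push({ files: urls.slice(i, i + batchSize) });
  }
  return batches;
}

// Send each batch. apiToken should be an API token scoped to
// Zone > Cache Purge > Purge for this zone only, never the global API key.
async function purgeChangedFiles({ zoneId, apiToken, siteOrigin, changedPaths, fetchImpl = fetch }) {
  const endpoint = `https://api.cloudflare.com/client/v4/zones/${zoneId}/purge_cache`;
  const results = [];
  for (const body of buildPurgeBatches(siteOrigin, changedPaths)) {
    const res = await fetchImpl(endpoint, {
      method: 'POST',
      headers: { Authorization: `Bearer ${apiToken}`, 'Content-Type': 'application/json' },
      body: JSON.stringify(body),
    });
    const payload = await res.json();
    if (!res.ok || payload.success !== true) {
      throw new Error(`purge failed (HTTP ${res.status}): ${JSON.stringify(payload.errors || payload)}`);
    }
    results.push(payload.result);
  }
  return results;
}

// Example invocation from a deployment script (placeholders, not real values):
// purgeChangedFiles({
//   zoneId: process.env.CF_ZONE_ID,        // e.g. from CI secrets
//   apiToken: process.env.CF_API_TOKEN,    // scoped purge token, not the global key
//   siteOrigin: 'https://yourdomain.com',
//   changedPaths: ['/css/style.css', '/images/hero.webp'],
// });
```

The path validation matters because the changed-file list usually comes from the build or version control, and the purge token is a credential that must not be steerable by whatever lands in that list. Keeping the token scoped to cache purge on one zone limits the damage if the CI secret leaks.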
DDoS Protection and Security Settings
Cloudflare's DDoS protection activates automatically for all proxied domains. When the system detects unusual traffic patterns consistent with an attack, it challenges or rate-limits suspicious requests while allowing legitimate visitors through. The free tier includes this baseline protection, while paid plans offer more sophisticated rule sets and faster response during larger attacks.
Configure additional settings in the Cloudflare dashboard to strengthen your security posture:
Security > Settings:
  - Security Level: High (blocks visitors with suspicious behaviour patterns)
  - I'm Under Attack Mode: enable temporarily if you are experiencing an active attack

Security > WAF:
  - Enable managed rulesets to block common attack vectors
  - Review rules periodically and adjust as needed for your traffic patterns

SSL/TLS > Edge Certificates:
  - Enable TLS 1.3 for improved security and performance
  - Set Minimum TLS Version to 1.2
  - Enable "Always Use HTTPS" to redirect HTTP requests automatically
Security depends on more than any single configuration. Keeping your origin server updated, limiting SSH access, using strong authentication, and monitoring logs all play a role in maintaining a defensible setup. If you are looking at server-level hardening alongside CDN configuration, a separate review of your SSH and HTTP protection settings can complement the Cloudflare layer well.
Cloudflare Workers for Custom Request Handling
Cloudflare Workers let you run JavaScript functions at the edge without touching your origin server. This opens up possibilities for redirecting old URLs after a site restructure, serving different content based on visitor location, implementing simple authentication checks, or adding custom headers before requests reach your server.
Here is a basic example that redirects visitors from an old URL structure to a new one:
// Worker: redirect old article URLs to new blog structure
addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request))
})

async function handleRequest(request) {
  const url = new URL(request.url)
  // Check if the request matches the old URL pattern
  if (url.pathname.startsWith('/old-articles/')) {
    // Rewrite only the path so any query string survives the redirect
    url.pathname = url.pathname.replace('/old-articles/', '/blog/')
    return Response.redirect(url.toString(), 301)
  }
  // Pass through any request that does not match
  return fetch(request)
}
Workers are billed per request beyond the free tier limits. They are a powerful tool for developers who want custom routing logic without running additional infrastructure. For most static sites or small business websites, the caching and security features of the standard Cloudflare setup cover the essential needs without requiring Worker scripts.
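The redirect Worker above covers one of the four uses listed (URL restructuring). The following added example, which is not the article's code, extends it to two more: adding custom headers before a response leaves the edge, and a simple authentication check in front of an admin path. The request logic is written as plain functions so it can be unit-tested in Node without the Workers runtime. The protected `/wp-admin/` prefix, the `X-Admin-Token` header, the `ADMIN_TOKEN` secret name and the header values are all assumptions for the example.

```javascript
// Added example, not the article's own Worker. The decision logic is kept in
// synchronous functions so it can be tested outside Cloudflare. Assumptions
// (all constructed): the /old-articles/ -> /blog/ rewrite from the article, a
// protected /wp-admin/ prefix, a shared-secret request header X-Admin-Token,
// and a Worker secret named ADMIN_TOKEN holding the expected value.

const OLD_PREFIX = '/old-articles/';
const NEW_PREFIX = '/blog/';
const PROTECTED_PREFIX = '/wp-admin/';
const ADMIN_HEADER = 'X-Admin-Token';

// Response headers added to everything that leaves the edge.
const SECURITY_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};

// Compare two secrets without stopping at the first mismatching character.
function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Rewrite a legacy article URL, keeping the query string intact.
// Returns null when the path is not a legacy one.
function rewriteOldArticleUrl(url) {
  if (!url.pathname.startsWith(OLD_PREFIX)) return null;
  const target = new URL(url.toString());
  target.pathname = NEW_PREFIX + url.pathname.slice(OLD_PREFIX.length);
  return target;
}

// Decide what to do with a request. Returns one of:
//   { action: 'redirect', location }  permanent redirect to the new path
//   { action: 'forbid' }              protected path without a valid token
//   { action: 'proxy' }               forward to the origin unchanged
function routeRequest(request, config) {
  const url = new URL(request.url);
  const redirectTo = rewriteOldArticleUrl(url);
  if (redirectTo) return { action: 'redirect', location: redirectTo.toString() };
  if (url.pathname.startsWith(PROTECTED_PREFIX)) {
    const presented = request.headers.get(ADMIN_HEADER);
    // An unset secret fails closed rather than letting everyone through.
    if (!config.adminToken || !constantTimeEqual(presented, config.adminToken)) {
      return { action: 'forbid' };
    }
  }
  return { action: 'proxy' };
}

// Copy a response so its headers are mutable, then add the security headers.
function addSecurityHeaders(response) {
  const out = new Response(response.body, response);
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    out.headers.set(name, value);
  }
  return out;
}

// Full handler; originFetch is injected so tests can stub the origin server.
async function handleRequest(request, config, originFetch) {
  const decision = routeRequest(request, config);
  if (decision.action === 'redirect') {
    return Response.redirect(decision.location, 301);
  }
  if (decision.action === 'forbid') {
    return addSecurityHeaders(new Response('Forbidden', { status: 403 }));
  }
  return addSecurityHeaders(await originFetch(request));
}

// Cloudflare entry point (service-worker syntax, as in the article). In that
// syntax a secret named ADMIN_TOKEN is exposed as a global; the guard keeps
// this file loadable in Node, where addEventListener is not defined.
if (typeof addEventListener === 'function') {
  addEventListener('fetch', (event) => {
    const config = { adminToken: typeof ADMIN_TOKEN === 'string' ? ADMIN_TOKEN : '' };
    event.respondWith(handleRequest(event.request, config, fetch));
  });
}
```

Two details are worth noting. The secret comparison is constant-time so that a timing difference does not leak how many leading characters of the token matched, and an unset secret rejects every request to the protected prefix rather than silently opening it. The header copy via `new Response(response.body, response)` is needed because the response object returned by `fetch` has immutable headers in the Workers runtime.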
Performance Features Worth Enabling
Beyond caching, Cloudflare includes several settings that can reduce page load times with minimal configuration effort.
Auto Minify removes unnecessary whitespace, line breaks, and comments from HTML, CSS, and JavaScript files. Enable this under Speed > Optimization > Content Optimization. The reduction in file size speeds up transfers without changing how the code behaves in the browser.
Brotli compression is enabled by default on Cloudflare's edge servers. It compresses data more efficiently than the older gzip standard, which means smaller file transfers for your visitors and less bandwidth consumed on your origin server.
Image optimisation through the Polish feature (available on paid plans) automatically recompresses and converts images served through Cloudflare. If your site serves unoptimised JPEGs or PNGs, Polish can convert them to WebP or AVIF formats automatically based on what the visitor's browser supports, reducing image sizes significantly without visible quality loss in most cases.
# Speed > Polish settings
# Enable Polish to automatically optimise images
# "Lossy" mode provides maximum size reduction
# "Lossless" mode preserves original quality
Argo Smart Routing is a paid feature that routes traffic through Cloudflare's private network rather than the public internet. This avoids congested public routes and can noticeably improve response times for dynamic content, particularly for visitors located far from your origin server.
These performance features work together with your web server configuration. If you are running Nginx and want to understand how traffic flows from the CDN to your backend servers, looking into how Nginx handles load distribution and upstream connections can help you get the most out of your setup.
Common Mistakes to Avoid
A few configuration errors come up repeatedly when setting up Cloudflare for the first time.
- Setting SSL to Flexible permanently: This leaves your origin server communicating over unencrypted HTTP, which creates a security gap. Move to Full (strict) once your origin has a valid certificate.
- Proxying services that need direct IP access: Mailing systems, remote desktop services, and some admin panels may break if their DNS points through Cloudflare's proxy. Keep those records as DNS only.
- Setting cache TTLs too long on frequently updated pages: If your homepage changes daily but has a one-month cache TTL, visitors may see stale content. Match TTLs to how often your content actually changes.
- Forgetting to purge cache after deployments: Updating your site but leaving the CDN serving old cached files means your visitors do not see the changes. Automate cache purging as part of your deployment process.
- Enabling I'm Under Attack Mode permanently: This setting adds a JavaScript challenge page for all visitors, which significantly slows down legitimate traffic. Use it temporarily during an active attack only.
Putting It All Together
Setting up Cloudflare involves connecting your domain, configuring encryption, defining what to cache, and adjusting security settings to match your traffic patterns. Each step is straightforward on its own, but the configuration choices interact with each other. An SSL setting affects what gets cached. A caching rule affects when visitors see updates. A security setting affects who can access your site.
Taking a methodical approach helps. Set up the basics first, verify that traffic routes through Cloudflare correctly, confirm SSL works for both edge and origin, then move on to caching rules and security hardening. Test each stage before adding the next layer of complexity.
If your website runs on multiple servers or you expect significant traffic growth, it is worth reviewing how your backend infrastructure handles requests from the CDN. Understanding how Nginx manages upstream connections and distributes load across your servers can help you configure timeouts, keepalive settings, and buffering correctly.
For most personal portfolios and small business websites, the free Cloudflare tier provides enough features to meaningfully improve load times and add a layer of protection against common attacks. The effort involved in initial setup pays off in faster pages for your visitors and less worry about bandwidth bills or basic DDoS attempts.
If you have reviewed your current setup and identified areas where the configuration could be tightened or optimised, you can get in touch with details of your hosting environment, your domain registrar, and the specific improvements you want to explore.