📝 Written ● Intermediate Updated 2026-05-13

Put Cloudflare in front of any host

"Proxy through Cloudflare" is the most generally useful infrastructure trick on the internet. You hand DNS to Cloudflare. Cloudflare answers requests, terminates TLS, caches static assets, blocks bad traffic, and forwards the rest to your real server — for free.

The default mental model of a website on the open internet is: DNS resolves to your server, the user's browser connects directly to your server, your server returns the response. This works fine. It also means your server bears every request — every bot scan, every attempted exploit, every cached asset request from a user who just refreshed. Bandwidth, CPU, and attention all flow at you directly.

A reverse proxy in front changes that geometry. The user connects to the proxy. The proxy decides whether to answer from its own cache, forward to your origin server, or refuse the request entirely. Your origin server only sees the requests the proxy decides to send. This is a familiar pattern in enterprise infra ($$$, lots of vendors), but the version that matters for indie developers is Cloudflare's free tier — which provides exactly this for any domain you have, at no cost.

The benefits compound. Free TLS termination means you don't run Let's Encrypt yourself. Global edge caching means static assets load from a server near each user. Basic DDoS protection means a small-scale attack doesn't take you down. Hidden origin IP means scanners can't trivially find your server. None of it is magic — it's the standard reverse-proxy benefits with the price set to zero.

Step 1: The architecture

Cloudflare becomes the middleman

The data flow with Cloudflare in front:

User → Cloudflare edge → Your origin server
       (terminates TLS,
        caches static,
        filters traffic)

You add your domain to Cloudflare. Cloudflare gives you new nameservers (NSx.cloudflare.com). You change your nameservers at your registrar to point at Cloudflare's. Cloudflare becomes authoritative for your DNS — and gets the opportunity to proxy any record you mark for proxying.

This works regardless of where you bought the domain. Namecheap, Porkbun, GoDaddy — all of them let you set custom nameservers. The exception is Cloudflare Registrar itself, where it's all already wired up.

Step 2: Add the domain to Cloudflare

Free plan, takes five minutes

Sign up at cloudflare.com (the free tier is enough; "Pro" and above are for businesses with specific needs). Click Add a Site, type your domain, pick the Free plan.

Cloudflare scans your current DNS — whatever's authoritative right now — and imports the existing records. Review the imported list. Anything missing, add manually. The records you don't proxy (DKIM, SPF, custom MX) just route DNS as before; the records you do proxy (your main A or CNAME for the website) get the orange-cloud treatment.

Step 3: Change nameservers at your registrar

The cutover moment

Cloudflare gives you two nameserver hostnames (e.g., katie.ns.cloudflare.com and logan.ns.cloudflare.com). At your registrar, find the nameserver settings (every registrar has them) and replace your current nameservers with Cloudflare's two.

Propagation takes minutes to hours — Cloudflare polls and emails you when it sees your domain pointed at them. Until then, both DNS providers are serving records (your old one for resolvers that haven't updated, Cloudflare for ones that have). Make sure your records at Cloudflare match what was there before, or some users will hit the wrong place.

Don't cut over without verifying first. Before changing nameservers, query Cloudflare's NS directly (dig @logan.ns.cloudflare.com yourdomain.com) to confirm Cloudflare returns the records you expect. Catching a typo before propagation starts saves you a stressed-out hour.
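
The pre-cutover check above, extended from one query to a whole record list, as an added example that is not part of the original tutorial. The nameserver arguments, the record-list format and its `proxied` marker are assumptions of this example; proxied names answer with Cloudflare's own addresses, so they are only checked for presence.

```shell
#!/bin/sh
# Added example, not from the tutorial: compare the current authoritative
# nameserver with the assigned Cloudflare one before the cutover.
# Usage: sh precheck.sh <current-ns> <cloudflare-ns> < records.txt
# records.txt holds "<name> <type> [proxied]" lines; the script name, file
# name and "proxied" marker are conventions of this example only.

# Query one nameserver directly (no recursion, so no cached answers) and
# sort the result so answer order does not matter.
answers() {  # answers <nameserver> <name> <type>
  dig +short +norecurse "@$1" "$2" "$3" | LC_ALL=C sort
}

# Compare each record on stdin; return 1 if any is missing or mismatched.
compare_zone() {  # compare_zone <current-ns> <cloudflare-ns>
  rc=0
  while read -r name rtype flag; do
    [ -n "$name" ] || continue
    old=$(answers "$1" "$name" "$rtype")
    new=$(answers "$2" "$name" "$rtype")
    if [ -z "$new" ] && [ -n "$old" ]; then
      # The import scan did not pick this record up; add it manually.
      echo "MISSING  $rtype $name"; rc=1
    elif [ "$flag" = "proxied" ]; then
      # Orange-clouded names answer with Cloudflare edge addresses, so a
      # different, non-empty answer is the expected result.
      echo "PROXIED  $rtype $name"
    elif [ "$old" != "$new" ]; then
      # Typo or stale value on one side (MX, SPF, DKIM and similar).
      echo "MISMATCH $rtype $name"; rc=1
    else
      echo "OK       $rtype $name"
    fi
  done
  return "$rc"
}

# Run only when both nameservers are given on the command line.
if [ "$#" -ge 2 ]; then
  compare_zone "$1" "$2"
fi
```

List the DNS-only records (MX, SPF and DKIM TXT names) explicitly in the input, since those are the ones a scan can miss and the ones mail delivery depends on.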

Step 4: The orange cloud icon

Proxied vs. DNS-only

In Cloudflare's DNS panel, each record has an icon next to it: an orange cloud (Proxied) or a gray cloud (DNS only).

  • Orange cloud (Proxied): requests go through Cloudflare's edge. TLS is terminated by Cloudflare; the origin IP is hidden; caching, security, and CDN features activate. Use this for your website's records.
  • Gray cloud (DNS only): Cloudflare answers DNS queries but doesn't proxy. Requests go directly to your server. Use this for non-HTTP records (mail servers, SSH-only hosts, anything Cloudflare's proxy doesn't handle).

Cloudflare's proxy supports HTTP/HTTPS only. Don't proxy a record that points at SSH or a database; gray-cloud it.
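
A DNS-only record still publishes its real address, so a gray-cloud name on the same host as the proxied site gives away the origin IP that the orange cloud hides. The following audit of your own record list is an added example, not part of the original tutorial; the four-column input format and the sample zone are constructed for it, and only A/AAAA records are examined.

```shell
#!/bin/sh
# Added example: flag DNS-only address records that publish an IP which a
# proxied record in the same zone is meant to hide.
# Input format (an assumption of this example, one record per line):
#   <name> <type> <value> <proxied|dns-only>

origin_leaks() {  # reads records on stdin, prints one line per leak
  awk '
    $2 != "A" && $2 != "AAAA" { next }   # only address records carry an IP
    $4 == "proxied" {
      # Remember every proxied name per address.
      hidden[$3] = (hidden[$3] == "") ? $1 : (hidden[$3] "," $1)
    }
    $4 == "dns-only" { n++; name[n] = $1; addr[n] = $3 }
    END {
      # Evaluated at the end so that record order in the input is irrelevant.
      for (i = 1; i <= n; i++)
        if (addr[i] in hidden)
          printf "LEAK %s publishes %s, the address behind proxied %s\n",
                 name[i], addr[i], hidden[addr[i]]
    }
  '
}

# Constructed sample zone using documentation addresses, not real hosts.
sample_zone() {
  cat <<'EOF'
mail.example.test  A   203.0.113.10       dns-only
example.test       A   203.0.113.10       proxied
www.example.test   A   203.0.113.10       proxied
ssh.example.test   A   203.0.113.77       dns-only
example.test       MX  mail.example.test  dns-only
EOF
}

sample_zone | origin_leaks
```

A reported name is best moved to a different address than the web origin, so that the DNS-only record no longer points at the server the proxy is fronting.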

Step 5: SSL/TLS mode — the one critical setting

"Full (Strict)" is what you want

Under SSL/TLS → Overview, Cloudflare offers four modes for the connection from Cloudflare to your origin:

  • Off: no HTTPS anywhere. Never use.
  • Flexible: HTTPS user-to-Cloudflare, HTTP Cloudflare-to-origin. Avoid — looks secure to the user but isn't.
  • Full: HTTPS end-to-end. Cloudflare doesn't verify the origin cert (so a self-signed cert works), which means the origin leg is encrypted but the origin is not authenticated. Good for getting started fast.
  • Full (Strict): HTTPS end-to-end, with Cloudflare verifying the origin has a valid cert. Use this for production.

To use Full (Strict), your origin needs a real TLS cert too — either one from Let's Encrypt or a free Cloudflare Origin Certificate (Cloudflare → SSL/TLS → Origin Server → Create Certificate). The Origin Certificate is valid for up to 15 years and is trusted only by Cloudflare, not the public — perfect for the Cloudflare-to-origin leg. Because browsers don't trust it, a hostname served with it has to stay proxied.

Step 6: What you get for free

The features that activate when records are orange-clouded

  • Free TLS. Cloudflare issues and renews certs for your domain automatically. Browsers see a valid cert from a major CA.
  • Global edge caching. Static assets (images, CSS, JS) cache at Cloudflare's edge near the user. Cache rules are configurable.
  • Basic DDoS mitigation. Cloudflare absorbs L3/L4 attacks transparently; application-layer attacks need more tuning.
  • Hidden origin IP. Public DNS only shows Cloudflare IPs. Scanners can't trivially target your server.
  • Always Online, IP rules, page rules. Various smaller features that compound.

None of these require configuration to activate — they're on by default the moment the record is orange-clouded.

Step 7: When proxying isn't right

Four legitimate reasons to gray-cloud

  • Non-HTTP services. SSH, FTP, mail, databases — Cloudflare's standard proxy doesn't speak these. Use Cloudflare Spectrum (paid) or gray-cloud.
  • Real-time / WebSocket-heavy apps. Cloudflare supports WebSockets on the free tier but the latency added by the proxy can matter for chat / gaming / collaborative editing.
  • Compliance constraints. Some regulated industries don't allow traffic to transit a third-party proxy. Read your compliance requirements.
  • Cost-sensitive bandwidth. Cloudflare's free tier is generous but has soft limits on caching for very high traffic. Specific media-heavy use cases hit them.

Don't proxy unencrypted origins for a public-facing site. If Cloudflare → origin is HTTP (Flexible SSL mode), anyone on the path between them can snoop. Cloudflare's edge → user looks secure, but the back half isn't. Always at least Full mode; ideally Full (Strict).
