If you’re new to or unfamiliar with Cloudflare, here are some things you should know that may affect you.
- Skunkworks recommends that a firm have its own Cloudflare account, in its own name.
- DNS changes made in Cloudflare take effect at Cloudflare’s authoritative nameservers within seconds, worldwide. This is a big change for anyone used to waiting several hours for DNS changes to kick in. Two caveats: for DNS-only (grey cloud) records, recursive resolvers elsewhere still honour the record’s TTL, so an old answer can linger in their caches until it expires; for proxied (orange cloud) records the public answer is always a Cloudflare edge address, so changing the origin IP behind it is effectively immediate.
- Enable two-factor authentication (2FA) on every login that can reach the Cloudflare dashboard. Because both you (the IT provider) and Skunkworks will be signing in to the same account, the dashboard is only as secure as the weakest login that can use it. Where possible, add each party as a separate account member with their own 2FA rather than sharing one password.
- The Super Admin/account holder (our mutual client) has full control over user access: they can add and remove members and change what each one may do.
- Cloudflare is an HTTP reverse proxy. For any record with the orange cloud icon turned on, the public DNS answer is a Cloudflare edge address, so the origin IP is masked; this is part of the DDoS protection Cloudflare provides. If the cloud icon is off/grey for a record, the true IP at the other end is published in DNS and is discoverable by anyone. Skunkworks does not recommend creating an A record such as "ftp.[domainname.ca]" for the web server: a grey-cloud record gives away the origin IP (and with it the address behind every proxied record hosted on the same server), while an orange-cloud record cannot be used at all, because the proxy carries HTTP/HTTPS only and will not pass SFTP on port 22. Instead, connect directly to the true origin IP address.
- FTP connections to the web server are disabled; SFTP (port 22) is required to connect.
- To make use of Cloudflare’s free SSL for a subdomain, the HTTP proxy (orange cloud) must be enabled on that record. If the record is DNS only (grey cloud/HTTP proxy off), traffic never touches Cloudflare’s edge and its certificate cannot be used; the origin would have to present its own certificate. Also check the zone’s SSL/TLS mode: "Flexible" encrypts only the visitor-to-Cloudflare leg and sends plain HTTP to the origin, so the origin should carry a valid certificate and the mode should be set to "Full (strict)".
- Cloudflare has a built-in CDN that works behind the scenes. Web content is cached for any resource served through an HTTP-proxy-enabled DNS record (orange cloud). If you need to flush Cloudflare’s cache manually, go to this screen in Cloudflare’s dashboard (https://www.cloudflare.com/a/caching/[domainname.ca]), click the "Purge everything" button, and wait a few seconds before refreshing your browser. The Cloudflare plugin for WordPress uses the Cloudflare account’s API key to purge the cache automatically, which removes the need for this manual flush. Note that an API key stored in a WordPress install is a credential for the Cloudflare account: prefer a token scoped to the cache-purge permission where the plugin supports it, and rotate it if the site is ever compromised.
- Cloudflare’s firewall rules can be managed at: https://www.cloudflare.com/a/firewall/[domainname.ca]. Add your firm’s known static IP addresses to the allow list here so that legitimate admin traffic is not challenged or blocked by the security rules.
- Cloudflare adds some Cloudflare-specific HTTP/HTTPS status codes for the domain. The ones you are most likely to see:
- 521 Error - Web server is down. Cloudflare reached the origin’s address but the connection was refused: the server is rebooting, powered off, or crashed, or the origin’s firewall is blocking Cloudflare’s IP ranges. Skunkworks will be aware of this issue for the domain’s website.
- 524 Error - A timeout occurred. Cloudflare connected to the origin but it did not return a response in time; the server likely needs rebooting. Skunkworks will be aware of this issue.
- The origin server’s firewall must allow inbound connections from Cloudflare’s IP ranges; otherwise proxied traffic, and every legitimate visitor with it, is blocked. A complete list of Cloudflare IP addresses can be found here.
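The following Python script is an added illustration of the two points above and is not part of the Skunkworks notes: it classifies a zone’s public DNS answers as either a Cloudflare edge address (orange cloud, origin hidden) or a directly published origin address (grey cloud, origin exposed), and lists which origin IPs are visible to the internet. The embedded IPv4 ranges are a copy of Cloudflare’s published edge ranges at the time of writing; in production, load the current list from the page the notes refer to. The zone records in SAMPLE_ZONE are constructed sample data, and domainname.ca is the placeholder used in these notes.

```python
"""Audit public DNS answers for a Cloudflare-fronted zone.

A record whose answer lies inside Cloudflare's edge ranges is proxied
(orange cloud); any other A/AAAA answer is the real origin address and is
therefore discoverable by anyone who queries DNS.
"""
import ipaddress
import socket

# Cloudflare's published IPv4 edge ranges (snapshot; refresh from the
# published list rather than trusting this copy long term).
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]

# Constructed sample zone: what a public resolver would return for each name.
# 203.0.113.0/24 is documentation space standing in for a real origin.
SAMPLE_ZONE = [
    ("www.domainname.ca",  "A",     "104.16.12.34"),    # orange cloud
    ("domainname.ca",      "A",     "172.64.10.20"),    # orange cloud
    ("ftp.domainname.ca",  "A",     "203.0.113.45"),    # grey cloud: origin leaks
    ("mail.domainname.ca", "A",     "203.0.113.46"),    # grey cloud: mail host
    ("blog.domainname.ca", "CNAME", "www.domainname.ca"),  # no address to judge
]


def parse_ranges(cidrs):
    """Turn CIDR strings into network objects for membership tests."""
    return [ipaddress.ip_network(cidr, strict=False) for cidr in cidrs]


def is_cloudflare_ip(ip, networks):
    """True if the address falls inside one of Cloudflare's edge ranges."""
    addr = ipaddress.ip_address(ip)
    # Mixed IPv4/IPv6 comparisons simply return False, so no version check needed.
    return any(addr in net for net in networks)


def audit_records(records, networks):
    """Map each record name to 'proxied', 'exposed' or 'skipped'.

    records: iterable of (name, rtype, value) as returned by public DNS.
    Only A/AAAA answers carry an address that can be judged; other types are skipped.
    """
    report = {}
    for name, rtype, value in records:
        if rtype not in ("A", "AAAA"):
            report[name] = "skipped"
        elif is_cloudflare_ip(value, networks):
            report[name] = "proxied"
        else:
            report[name] = "exposed"
    return report


def exposed_origins(records, networks):
    """Set of origin addresses that DNS-only records reveal to the internet.

    Any proxied site hosted on one of these addresses can be attacked directly,
    bypassing Cloudflare, which is why the notes advise against a grey-cloud
    ftp.[domainname.ca] record pointing at the web server.
    """
    return {
        value for _name, rtype, value in records
        if rtype in ("A", "AAAA") and not is_cloudflare_ip(value, networks)
    }


def resolve_a(hostname):
    """Live lookup helper for auditing a real zone (needs network access)."""
    return [(hostname, "A", ip) for ip in socket.gethostbyname_ex(hostname)[2]]


if __name__ == "__main__":
    nets = parse_ranges(CLOUDFLARE_IPV4)
    for name, status in audit_records(SAMPLE_ZONE, nets).items():
        print(f"{name:22} {status}")
    print("origin addresses visible via DNS:", sorted(exposed_origins(SAMPLE_ZONE, nets)))
```

To audit a real zone, build the record list with resolve_a() for each hostname you care about and pass it to audit_records(); any name reported as "exposed" that points at the web server undermines the protection of every proxied name on that server.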
A Cloudflare account can be set up in one of two ways. Neither is permanent, and either can be switched to the other at any time without much difficulty.
1. Stand-alone account (shared access)
Owned/administered by the client and/or the client’s I.T. department together with Skunkworks.
Skunkworks will require login access to any stand-alone account in order to configure access control and user management features, so access will need to be granted to firstname.lastname@example.org for the account.
The Cloudflare account should be created with either:
A.) An email address that auto-forwards all incoming email from Cloudflare to every interested party (both your firm and Skunkworks):
- Your firm’s email address:
- Skunkworks' email address:
B.) The existing Google account created in your firm’s name, which both your I.T. firm and Skunkworks can log into as needed.
For most clients option B is the better/easier route.
2. Skunkworks administered (unshared access)
Owned and administered by Skunkworks alone.
There are two benefits to being administered under Skunkworks’ Cloudflare account:
- The site benefits from the collective pool of firewall rules that all of our client sites contribute towards.
- In a stand-alone Cloudflare account a single website (a.k.a. a zone) is limited to a maximum of 200 firewall rules. Skunkworks’ Cloudflare account has significantly more rules available, and they are regularly maintained.
The downside of this option is that Skunkworks cannot provide login access to a 3rd party.
When done correctly, the nameserver switch is seamless and causes no service disruption.