Cloudflare Setup, Proxying, and HTTPS End To End

Cloudflare is often used simultaneously for DNS, CDN, HTTPS proxying, and basic security. This makes it easy to get confused when setting it up for the first time.

This guide does not walk through every button in the dashboard. Instead, it focuses on where Cloudflare fits in the full request chain.

Where Cloudflare Sits in the Chain

After you connect a domain, the most common change to the request path is:

Before:
User -> Your origin

After:
User -> Cloudflare -> Your origin

So it usually plays several roles at once:

  • DNS host
  • Proxy layer
  • CDN layer
  • Outer HTTPS termination point
  • Basic security layer

Three Things To Clarify Before Connecting

  1. What exactly your origin is
  2. Whether you want to hand authoritative DNS over to Cloudflare
  3. Whether you need the Cloudflare-to-origin leg to also be encrypted

Common Connection Steps

1. Add Your Domain

Add your domain in Cloudflare.

2. Check DNS Records

Confirm:

  • Where the bare domain points
  • Where www points
  • Whether email-related records need to be preserved

3. Change Nameservers

This step is the key. In many cases, "connecting to Cloudflare" does not mean changing a single A record. It means changing the domain's nameservers to the addresses Cloudflare provides.

4. Wait For Propagation

Authoritative DNS changes do not take effect globally in an instant. Give resolver caches time to update.

How To Understand Orange Cloud vs. Gray Cloud

The simplest explanation:

  • Orange cloud: Requests pass through Cloudflare's proxy
  • Gray cloud: DNS resolution only, no proxying

Do Not Look At Only One Leg of the HTTPS Chain

Many people only check "browser to Cloudflare is HTTPS" and miss the second leg:

Browser <-> Cloudflare <-> Origin

You should at least clarify:

  • Whether the outer leg is encrypted
  • Whether the inner leg is encrypted
  • Who provides the certificate

If you have an origin server, it is generally better to have the Cloudflare-to-origin connection use a valid certificate as well.

This avoids:

  • Cleartext on the middle leg
  • Confusing redirects and protocol decisions
  • The illusion that "the browser shows HTTPS, but the origin is not actually secure"

What Cloudflare Typically Lets You Do After Connection

1. CDN Caching

Makes it easier for static assets to be served from the edge cache.

2. HTTPS Termination and Certificate Management

Reduces some of the certificate configuration burden.

3. Basic Security Features

Such as rate limiting, WAF, and hiding origin details.

4. Traffic Observation

Helps you understand traffic volume and basic request trends.

Most Common Mistakes

1. Thinking the origin can be loosely configured after connecting to Cloudflare

It cannot. The origin still needs to correctly return status codes, cache headers, certificates, and redirects.

2. Using Flexible mode as a shortcut

It looks simpler, but it easily makes the chain and redirect logic confusing.

3. Only configuring the main domain, not www

Later, the bare domain and www will behave inconsistently.

4. Forgetting to verify old caches

After connecting, you may find that the origin has been updated but the edge still serves old content.

Verification Checklist After Connection

  1. Whether the domain is now managed by Cloudflare
  2. Whether both bare domain and www work as expected
  3. Whether HTTPS works correctly
  4. Whether redirect loops appear
  5. Whether assets correctly go through the proxy or hit cache
  6. Whether the direct-origin access policy matches expectations
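
Items 1 to 5 of the checklist above, as an added Python example (not part of the original guide): it evaluates data you have already captured, for example nameserver names from `dig NS` and status codes and headers from `curl -sI`. The domain, nameserver names and header values below are constructed; the `.ns.cloudflare.com` suffix and the `cf-ray` and `cf-cache-status` response headers are the ones Cloudflare uses. Item 6 needs a probe sent straight to the origin address and is not covered.

```python
from urllib.parse import urljoin, urlsplit

# Constructed capture for the placeholder domain example.com (not real measurements).
SAMPLE_NS = ["ada.ns.cloudflare.com.", "bob.ns.cloudflare.com."]
SAMPLE = {
    "http://example.com/": (301, {"Location": "https://example.com/"}),
    "https://example.com/": (200, {"CF-RAY": "constructed-id", "CF-Cache-Status": "DYNAMIC"}),
    "http://www.example.com/": (301, {"Location": "https://www.example.com/"}),
    "https://www.example.com/": (301, {"Location": "https://example.com/"}),
}
# Constructed failure: the HTTPS URL redirects to itself, which a browser reports as a loop.
LOOP = {"http://example.com/": (301, {"Location": "https://example.com/"}),
        "https://example.com/": (301, {"Location": "https://example.com/"})}

def lower(headers):
    return {k.lower(): v for k, v in headers.items()}

def managed_by_cloudflare(nameservers):
    """Item 1: every authoritative NS name is under ns.cloudflare.com."""
    names = [ns.rstrip(".").lower() for ns in nameservers]
    return bool(names) and all(n.endswith(".ns.cloudflare.com") for n in names)

def walk_redirects(start, responses, max_hops=10):
    """Items 3-4: follow Location headers; return (chain, verdict)."""
    chain, url = [], start
    while len(chain) < max_hops:
        if url in chain:                      # same URL seen twice: redirect loop
            return chain + [url], "loop"
        chain.append(url)
        status, headers = responses.get(url, (None, {}))
        if status not in (301, 302, 303, 307, 308):
            return chain, "ok" if status == 200 else f"status-{status}"
        target = lower(headers).get("location")
        if not target:
            return chain, "redirect-without-location"
        url = urljoin(url, target)            # Location may be relative
    return chain, "too-many-hops"

def check_site(nameservers, responses, bare, www):
    """Run checklist items 1-5 against captured data; returns a dict of findings."""
    out, finals = {"cloudflare_dns": managed_by_cloudflare(nameservers)}, []
    for host in (bare, www):                  # item 2: both hostnames, starting from HTTP
        chain, out[host] = walk_redirects(f"http://{host}/", responses)
        finals.append(chain[-1])
    out["https_final"] = all(urlsplit(u).scheme == "https" for u in finals)
    out["same_canonical"] = len(set(finals)) == 1
    edge = lower(responses.get(finals[0], (None, {}))[1])   # item 5: edge headers
    out["proxied"], out["cache"] = "cf-ray" in edge, edge.get("cf-cache-status", "absent")
    return out
```

Calling `check_site(SAMPLE_NS, SAMPLE, "example.com", "www.example.com")` returns the findings for the healthy capture; passing `LOOP` to `walk_redirects` shows the verdict for a looping one.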

A Practical Mindset

Cloudflare is not a platform that "automatically fixes everything about your website." It simply puts DNS, edge proxy, caching, and security capabilities in front of you.

A truly stable site still depends on:

  • A correct origin
  • Correct cache headers
  • Correct HTTPS strategy
  • Correct domain and redirect design