
Enterprise Best Practices

Solutions for optimizing your CloudFlare service

1 888 99 FLARE | success@cloudflare.com | www.cloudflare.com



Go-Live Checklist

Maximize your new, active domains with these steps!

Managing your purchase


• Restore the Originating IP Addresses of your customers (Pg. 4)
• Incorporate CloudFlare IPs in ACLs and whitelists (Pg. 4)
• Properly handle API traffic through CloudFlare (Pg. 5)
• Manage your brand by customizing CloudFlare pages (Pg. 14)

Securing your web application


• Secure origin IPs by proxying through CloudFlare (Pg. 7)
• Customize Security settings to best fit your application (Pg. 8)
• Protect from Layer 7 attacks by activating our WAF (Pg. 9)

Speeding up your content


• Improve speeds with our Web Content Optimization (Pg. 10)
• Serve as much content as possible from global cache (Pg. 11)
• Confirm cache status with our cache headers (Pg. 11)

Welcome to a faster and safer web!

On behalf of the Customer Success team, we want to welcome you to CloudFlare's Enterprise service. At this stage, you should have been introduced to your dedicated team and have scheduled an onboarding to get your sites accelerated and protected behind the CloudFlare network.

This guide was prepared by our Senior Solutions Engineers to empower you and your team with industry best practices and steps that you can use to tune the CloudFlare service to fit your needs.

Contents
• Getting Started (Page 4)
• Security Best Practices (Page 7)
• Performance Best Practices (Page 10)
• Administrative Best Practices (Page 14)

What is CloudFlare?
CloudFlare is a globally distributed HTTP(S) reverse proxy and Managed DNS provider delivered as a cloud service. Once your website is a part of the CloudFlare network, your web traffic is routed through our intelligent global network. We automatically optimize the delivery of your web pages so your visitors get the fastest page load times and best performance. We also block threats and limit abusive bots and crawlers from wasting your bandwidth and server resources. The result: CloudFlare-powered websites see a significant improvement in performance and a decrease in spam and other attacks.

DNS
• Global Anycast network
• DNSSEC

Security
• IP Reputation Database
• Web Application Firewall (WAF)
• Complete Access Control (IP, Country, ASN)
• Unlimited DDoS Mitigation

Performance & Availability
• Content Distribution Network (CDN)
• Web Content Optimization (WCO)
• Dynamic Content Acceleration

Standards + Platform
• SSL (SHA2+SHA1)
• IPv6
• HTTP/2 + SPDY



Getting Started

Recommendations
• Restore the originating IPs of your users
• Incorporate CloudFlare IPs - Ratelimiting and Access Control Lists (ACL)
• Integrate API traffic properly by reducing security settings
• Configure your SSL with a Custom Certificate and Full (Strict) setting

Given CloudFlare's position at the edge of your network, there are a few considerations that must be made to guarantee a smooth integration with CloudFlare's service. These steps need to occur at your origin or within CloudFlare. They can be accomplished before or after changing your DNS and activating our proxy service. The recommendations below will help ensure that your logs are capturing the correct IPs of your users, that CloudFlare can access your origin properly, and that issues with API or HTTPS traffic are prevented.

Restore the originating IPs of your users


We need to make sure that CloudFlare is not populating your logs with our IPs. As a reverse proxy, we provide the originating IP in the following headers:

• CF-Connecting-IP
• X-Forwarded-For
• True-Client-IP (optional)

Only honor these headers on connections that arrive from CloudFlare IP addresses: anyone who can reach your origin directly can set them to any value they like, which would poison your logs and defeat any rate limiting keyed on client IP.

We've provided a variety of tools and instructions in our Knowledge Base that allow you to restore user IPs for a variety of common infrastructures.
• Knowledge Base Index
• Apache
• Windows IIS
• NGINX

Incorporating CloudFlare IPs


There are two steps you should take to ensure a smooth integration:

1. Remove any ratelimiting of CloudFlare IP addresses.


2. Allow only CloudFlare IPs and trusted parties in your ACL.

Our IP ranges are available online and always up-to-date at www.cloudflare.com/ips
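The two recommendations above (restore the originating IP, and allow only CloudFlare IPs through the ACL) share one building block: knowing whether a peer address is CloudFlare. The following is an added example, not CloudFlare's code or any of the Knowledge Base tools. The range list embedded in it is a constructed snapshot for illustration; the current list must be fetched from www.cloudflare.com/ips (ips-v4 and ips-v6) before anything is deployed. The nginx directive names it emits are standard ngx_http_realip_module and ngx_http_access_module directives.

```python
"""Restore the originating client IP behind CloudFlare and emit origin ACL
directives from the CloudFlare IP ranges.

Added example, not CloudFlare's code. SAMPLE_CLOUDFLARE_RANGES is a
constructed snapshot; replace it with the live list from
www.cloudflare.com/ips before use.
"""
import ipaddress

# Constructed snapshot of CloudFlare ranges for this example; not authoritative.
SAMPLE_CLOUDFLARE_RANGES = [
    "103.21.244.0/22",
    "104.16.0.0/12",
    "173.245.48.0/20",
    "2400:cb00::/32",
]

CF_NETWORKS = [ipaddress.ip_network(r) for r in SAMPLE_CLOUDFLARE_RANGES]


def is_cloudflare_ip(addr: str) -> bool:
    """True if addr falls inside one of the CloudFlare ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CF_NETWORKS)


def client_ip(peer_addr: str, headers: dict) -> str:
    """Return the address to log and rate-limit on.

    The proxy headers are only honoured when the TCP peer is CloudFlare;
    a client reaching the origin directly could otherwise spoof them.
    Header names are compared case-insensitively.
    """
    if not is_cloudflare_ip(peer_addr):
        return peer_addr
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in ("cf-connecting-ip", "true-client-ip", "x-forwarded-for"):
        value = lowered.get(name)
        if value:
            # X-Forwarded-For may carry a chain; the first hop is the client.
            candidate = value.split(",")[0].strip()
            try:
                ipaddress.ip_address(candidate)
            except ValueError:
                continue  # malformed header value: try the next header
            return candidate
    return peer_addr


def nginx_directives(ranges=None) -> str:
    """Render nginx config that trusts CF-Connecting-IP from CloudFlare only
    and lets only CloudFlare (plus any trusted ranges you append) reach the
    origin; everything else is denied."""
    ranges = list(ranges or SAMPLE_CLOUDFLARE_RANGES)
    lines = [f"set_real_ip_from {r};" for r in ranges]
    lines.append("real_ip_header CF-Connecting-IP;")
    lines.extend(f"allow {r};" for r in ranges)
    lines.append("deny all;")
    return "\n".join(lines)


if __name__ == "__main__":
    # 198.51.100.7 is not CloudFlare, so its header is ignored.
    print(client_ip("198.51.100.7", {"CF-Connecting-IP": "203.0.113.9"}))
    # 104.16.22.6 is inside a CloudFlare range, so the header is trusted.
    print(client_ip("104.16.22.6", {"CF-Connecting-IP": "203.0.113.9"}))
    print(nginx_directives())
```

Feed the output of nginx_directives() into the server block for your origin and regenerate it whenever the published ranges change; the same is_cloudflare_ip check is what your rate limiter should consult before deciding whose address a request really came from.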

Integrate API traffic properly by reducing security settings
CloudFlare can easily accelerate API traffic by removing connection overhead; however, CloudFlare's default security stance can interfere with the majority of API calls, since API clients rarely look like browsers. We recommend taking the following actions to prevent any interference with your traffic once CloudFlare proxying is active.

Turn Security Features Off Selectively


Security settings can be turned off specifically for your API traffic in the Page Rule application:
1. Ensure the proper domain is selected in the upper left
2. Create a Page Rule with the URL pattern of your API, e.g. api.example.com/*
3. Add the Security Level setting and set it to Low, Essentially Off, or Off
4. Add the Browser Integrity Check setting and set it to Off
5. Press 'Save and Deploy'

Keep the URL pattern as narrow as the API actually needs (a dedicated hostname or path prefix), so that the rest of the domain keeps its protections.

Alternatively, turn Off Browser Integrity Check Globally


The global setting is available within the Firewall Application:
1. Ensure the proper domain is selected in the upper left
2. Select the Firewall application
3. Select the Web Application Firewall section
4. Scroll to the bottom of the page
5. Select OFF

API Instructions

? What does the Browser Integrity Check do?

CloudFlare's Browser Integrity Check looks for common HTTP headers abused by spammers and denies access to your page when it finds them. It will also block visitors that do not send a User-Agent or that send a non-standard User-Agent (also commonly seen from abusive bots, crawlers, and API clients).



Configure your SSL Settings
CloudFlare provides a few options for encrypting your traffic. As a reverse proxy, we terminate TLS connections at our datacenters and open a new TLS connection to your origin. SSL termination at CloudFlare can use either a custom certificate that you upload to your account, a wildcard certificate that is provisioned on your behalf by CloudFlare, or both!

Upload a Custom SSL certificate


When creating an Enterprise domain, you can upload your certificate and private key. Uploading your own certificate allows you to immediately ensure compatibility with encrypted traffic and maintain control over the certificate type (e.g., an Extended Validation (EV) certificate). Please note that if you choose to upload a custom certificate you are responsible for managing it (e.g., tracking expiration dates and renewing before they lapse).

Alternatively, utilize CloudFlare’s Provisioned certificate


CloudFlare has partnered with Comodo and GlobalSign to provide domain wildcard certificates for each of our customers. To make this process as easy as possible, GlobalSign utilizes an HTML Tag Validation process which will occur when the root domain or the www subdomain is orange-clouded. Comodo certificates will validate when your DNS has changed to CloudFlare; this can be done prior to orange-clouding your DNS records. Manual verification is sometimes required when using these certificates. Your Solutions Engineer will inform you of the additional steps required.

Explore a Keyless SSL configuration


By leveraging our Keyless SSL technology, customers are able to keep their private key on a key server inside their own infrastructure while still enabling CloudFlare to complete TLS connections: CloudFlare forwards only the handshake operation that needs the key, and the key itself never leaves your premises. Keyless SSL allows an increased security posture around private keys and identity while still leveraging the CloudFlare service. This option is considered by many of our financial clients.

Change SSL Setting to Full (Strict)


A Full (Strict) setting is most common for our Enterprise customers. A Full (Strict) setting requires a valid, Certificate Authority (CA) signed SSL certificate installed on your web server. The expiration date must be in the future, and the certificate must have a matching Host Name or Subject Alternative Name (SAN). The lower settings either skip this validation of the origin certificate or send traffic to the origin in the clear, so Full (Strict) is the setting to aim for on production traffic.

$ Terminal Test Drive

Quickly see the SSL certificate being served for a given IP or URI.
$ echo | openssl s_client -connect www.theburritobot.com:443 | openssl x509 -noout -text
....
X509v3 Subject Alternative Name:
DNS:*.theburritobot.comsethx.com, DNS:theburritobot.com
X509v3 Basic Constraints:
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
URI:http://crl.globalsign.com/gs/gsorganizationvalg2.crl
...

Add -servername www.theburritobot.com so that SNI is sent; the CloudFlare edge needs it to select the right certificate. To see what Full (Strict) will validate, run the same command against your origin's IP address rather than the public hostname.
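The Full (Strict) requirements above (unexpired, CA-signed, and a SAN that matches the hostname) can be pre-flighted against an origin before flipping the setting. The block below is an added example, not CloudFlare's validator: the certificate dictionaries it works on are constructed in the shape that Python's ssl.getpeercert() returns, the wildcard rule it applies is the conservative one (a single '*' as the entire leftmost label, matching exactly one label), and fetch_cert is the only part that touches the network. The CA-signature check itself is left to the TLS library, which raises on an untrusted chain.

```python
"""Pre-flight the checks CloudFlare's Full (Strict) mode makes on an origin
certificate: not expired, and hostname matched by a Subject Alternative Name.

Added example, not CloudFlare's code. Certificates are dicts shaped like
ssl.getpeercert(); the sample below is constructed.
"""
import socket
import ssl
import time


def dns_name_matches(pattern, hostname):
    """Conservative wildcard matching: case-insensitive; '*' only as the whole
    leftmost label of a name with at least three labels; matches one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or any("*" in lab for lab in labels[1:]) or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def hostname_matches(cert, hostname):
    """True if any DNS SAN in the certificate matches hostname."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(dns_name_matches(san, hostname) for san in sans)


def is_expired(cert, now=None):
    """Compare notAfter (OpenSSL text form, UTC) against now (epoch seconds)."""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(cert["notAfter"]) <= now


def strict_mode_problems(cert, hostname, now=None):
    """Reasons Full (Strict) would refuse this origin certificate; [] if none."""
    problems = []
    if is_expired(cert, now):
        problems.append(f"expired on {cert['notAfter']}")
    if not hostname_matches(cert, hostname):
        problems.append(f"no SAN matches {hostname}")
    return problems


def fetch_cert(host, port=443, servername=None):
    """Connect with SNI and return the peer certificate after the library has
    verified its chain against the system CA store; an untrusted chain raises
    ssl.SSLCertVerificationError, the same failure Full (Strict) reports."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername or host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Constructed certificate in ssl.getpeercert() shape.
    sample = {
        "subjectAltName": (("DNS", "*.theburritobot.com"), ("DNS", "theburritobot.com")),
        "notAfter": "Jan  1 00:00:00 2030 GMT",
    }
    print(strict_mode_problems(sample, "www.theburritobot.com"))
    print(strict_mode_problems(sample, "a.b.theburritobot.com"))
```

To check a real origin, call fetch_cert with the origin's IP as host and the public hostname as servername, then pass the result to strict_mode_problems with that hostname.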

Security Best Practices

Recommendations
• Secure origin IP addresses by proxying and increasing obfuscation
• Configure your Security Level selectively
• Activate your Web Application Firewall safely

By default, CloudFlare's security settings use safe defaults that aim to avoid false positives and negative effects on your traffic. However, this is not necessarily the best security posture for every Enterprise customer. The following steps will ensure CloudFlare is configured in a secure and safe manner.

Secure Origin IP Addresses


Orange-Cloud all DNS Records for HTTP(S) traffic from your origin
When a subdomain is orange-clouded within our DNS application, CloudFlare will actively proxy that traffic by responding with CloudFlare IP addresses. These addresses cause the client to connect to CloudFlare first and obscure the origin IP address. To improve the security of your origin IP address, all HTTP(S) records should be orange-clouded.

$ Terminal Test Drive

See the difference yourself - query a grey-clouded and an orange-clouded record!
$ dig greycloud.theburritobot.com @woz.ns.cloudflare.com +short
1.2.3.4 (the origin IP address)

$ dig orangecloud.theburritobot.com @woz.ns.cloudflare.com +short
104.16.22.6, 104.16.23.6 (CloudFlare IP addresses)

Obscure Grey Clouded origin records with non-standard names


Any records that cannot be proxied through CloudFlare but still point at your origin IP, such as FTP, can still be protected with additional obfuscation. If you require a record to your origin that cannot be proxied by CloudFlare, use a non-standard name for this record. For example, instead of ftp.example.com use [random word or random characters].example.com; this will make dictionary scans of your DNS less likely to expose your origin IP addresses. Note that this is obfuscation, not access control: pair it with the origin ACL described under Getting Started so that an origin IP that does leak is still unreachable except through CloudFlare.

Separate IP ranges for HTTP and non-HTTP traffic if possible


Some customers will use separate IP ranges for HTTP and non-HTTP traffic, allowing them to orange-cloud all
records pointing to their HTTP IP range and obscuring all non-HTTP traffic with a different IP subnet.



Configure your Security Level selectively
Your Security Level sets the sensitivity to our IP Reputation Database. CloudFlare sees over 1 billion unique IPs every month from more than 4 million websites. This allows CloudFlare to quickly and automatically identify malicious actors and prevent them from reaching your web assets. You can easily configure your Security Level by URI to heighten security where necessary and decrease it where appropriate to prevent any negative interactions or false positives.

Increase the Security Level for Sensitive Areas to High


This setting can be increased for administration pages or login pages to reduce brute-force attempts by adding a Page Rule:
1. Ensure the proper domain is selected in the upper left corner
2. Create a Page Rule with the URL pattern of your login or administration page, e.g. www.example.com/wp-login*
3. Select the Security Level setting
4. Mark the setting as High
5. Press 'Save and Deploy'

Decrease the Security Level for non-sensitive paths or APIs to reduce false
positives
This setting can be decreased for general pages and API traffic:
1. Ensure the proper domain is selected in the upper left corner
2. Create a Page Rule with the URL pattern of your API, e.g. www.example.com/api/*
3. Select the Security Level setting
4. Turn Security Level to Low, Essentially Off, or Off
5. Press 'Save and Deploy'

Alternatively, utilize the Medium Security Level setting globally


Medium has a very low false positive rate (1 in 50 million) and is recommended as a starting point for all customers. The global setting is available in the Firewall application:
1. Ensure the proper domain is selected in the upper left corner
2. Select the Firewall application
3. Click the Options within the Security Level module
4. Select Medium

? What do Security Level settings mean?

Security Level settings are aligned with the threat score that an IP address accumulates through malicious behavior on our network. A threat score above 10 is considered high, and 50 is very bad.

• HIGH -- Threat scores greater than 0 will be challenged.
• MEDIUM -- Threat scores greater than 14 will be challenged.
• LOW -- Threat scores greater than 24 will be challenged.
• ESSENTIALLY OFF -- Threat scores greater than 49 will be challenged.
• OFF -- Enterprise customers can remove this security feature entirely.
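The thresholds above only decide anything once combined with the Page Rules from the previous page, because a Page Rule replaces the zone-wide level for the URLs it matches. The block below is an added example (not CloudFlare's code) that models that decision end to end: it treats '*' in a Page Rule pattern as "any run of characters", assumes the first matching rule in list order wins (the dashboard's top-to-bottom order), ignores the scheme as the dashboard does when none is given, and then applies the threat-score thresholds listed above. The request samples are constructed.

```python
"""Model the per-URL Security Level decision: Page Rules override the zone
level, then the threat-score threshold for that level decides on a challenge.

Added example, not CloudFlare's code. Pattern semantics ('*' = any
characters, first matching rule wins) are assumptions about the dashboard.
"""
import re

# Challenge thresholds from the list above; None means never challenge.
THRESHOLDS = {"high": 0, "medium": 14, "low": 24, "essentially_off": 49, "off": None}


def strip_scheme(url):
    """Page Rules without a scheme match both http and https."""
    return re.sub(r"^https?://", "", url)


def pattern_to_regex(pattern):
    """Translate a Page Rule pattern, where '*' matches any run of characters."""
    parts = [re.escape(p) for p in strip_scheme(pattern).split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def effective_level(url, zone_level, page_rules):
    """page_rules is an ordered list of (url_pattern, security_level); the
    first pattern that matches wins, otherwise the zone-wide level applies."""
    target = strip_scheme(url)
    for pattern, level in page_rules:
        if pattern_to_regex(pattern).match(target):
            return level
    return zone_level


def is_challenged(threat_score, level):
    """Apply the threshold for the level; 'off' never challenges."""
    threshold = THRESHOLDS[level]
    return threshold is not None and threat_score > threshold


def decide(url, threat_score, zone_level, page_rules):
    """Return (effective level, whether this request is challenged)."""
    level = effective_level(url, zone_level, page_rules)
    return level, is_challenged(threat_score, level)


if __name__ == "__main__":
    # Constructed rules and requests mirroring the two Page Rule recipes above.
    rules = [
        ("www.example.com/wp-login*", "high"),
        ("www.example.com/api/*", "essentially_off"),
    ]
    samples = [
        ("https://www.example.com/wp-login.php", 5),
        ("www.example.com/api/v1/items", 30),
        ("www.example.com/blog/", 20),
    ]
    for url, score in samples:
        print(url, score, "zone only:", decide(url, score, "medium", []),
              "with rules:", decide(url, score, "medium", rules))
```

Running it shows the intended effect: a low-scoring visitor to the login page is challenged only because of the High rule, and a score-30 API client is challenged under the zone's Medium level but passes once the API rule drops it to Essentially Off.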

Activate your Web Application Firewall safely
Your WAF is available in the Firewall application in the Web Application Firewall section. We will walk through these settings in reverse to ensure that the WAF is configured as safely as possible before turning it on for your entire domain. The goal of these initial settings is to reduce false positives and to populate the Traffic application with WAF events for further tuning.

First, set the OWASP ModSecurity sensitivity to High with an action of Simulate
The OWASP package is based on an anomaly score to help reduce false positives while still catching attacks. The goal of these settings is to tune your OWASP settings by logging any false positives. A Simulate action simply logs an event within our Traffic application without blocking the request.

Second, activate CloudFlare Specials and any platform-specific groups you use
The CloudFlare Rulesets are focused on novel, zero-day and application-specific exploits. They are more specific and rarely produce false positives. Selecting CloudFlare Specials and any application-specific groups allows you to take an adequate security posture with very few false positives. For example, if you use a Drupal application, that group should be activated while the Joomla and Magento groups are turned Off.

Finally, turn your WAF On with the Global Setting


Now that your package-level settings are configured safely, you can turn on the global, domain-wide WAF. Specific paths, such as API endpoints, can turn the WAF off completely using a Page Rule. This ensures you are protected while not interfering with legitimate requests; review the Simulate events in the Traffic application before switching the OWASP action from Simulate to Block.



Performance Best Practices

Recommendations
• Activate mature Web Content Optimization (WCO) features
• Cache as much static and semi-static content as possible
• Purge the cache via API for event-driven content
• Accelerate dynamic content with Railgun

CloudFlare can accelerate all of the content you are trying to deliver to your users. By optimizing your images and
being as near as possible to your end-users, CloudFlare’s Performance suite provides the fastest experience for
your application.

Activate Web Content Optimization (WCO) Features


All our WCO tools live within the Speed application. This group of features speeds up content by delivering it more intelligently. CloudFlare offers a suite of WCO features, some of which are client-side (implemented in the browser using JavaScript) and some edge-side (performed at CloudFlare's edge before content leaves a CloudFlare datacenter).

Enable Polish for image compression


Polish offers compression rates up to 30-40% with either lossy or lossless compression. Polish should always be
enabled in the lossless, ‘Basic’ mode, and even lossy for the majority of web applications.

Enable Minification for HTML and CSS


Auto-Minify removes comments and formatting meant for humans, which leads to improved load times. Minification can be safely enabled for HTML and CSS. For JavaScript, please make certain that every statement is terminated with a semicolon, since minification removes the line breaks that would otherwise separate them.

Test Mirage and Rocket Loader with your system


CloudFlare can even accelerate your content using Client-side tools such as Mirage and Rocket Loader. These
features are currently in Beta, and we recommend testing them carefully before turning them on for production
traffic. To test Mirage or Rocket Loader, you can enable them for specific pages or subdomains with page rules.

Mirage - A mobile specific image optimization solution that “right-sizes” images based on the screen
resolution, lazy loads images below the fold, bundles images and asynchronously loads them after page load
to reduce the time until a mobile user can interact with a page.

Rocket Loader - Grabs all JavaScript and forces it to be loaded asynchronously after the page load. This feature is powerful and aggressive, ideal for customers who can't manage the loading order of the JavaScript on a page.

Cache as much static and semi-static content as possible
We encourage you to utilize the cache for all content that is static in nature (and even almost static). By default, CloudFlare will only cache content we can be certain is static, such as images, JavaScript, and CSS files. Our default, and recommended, caching mode includes the query string in the cache key. Your goal should be to cache as much as possible to utilize our globally distributed network to its fullest.

Enable Cache Everything for static HTML webpages


This can be turned on for each path in the Page Rule application:
1. Ensure the proper domain is selected in the upper left corner
2. Create a Page Rule with the URL pattern of your static HTML, e.g. www.example.com/static-html/*
3. Set Caching to 'Cache Everything'
4. Set Edge and Browser TTLs
5. Press 'Save and Deploy'

Apply this only to paths that never return user-specific content: with Cache Everything, an HTML response rendered for one logged-in user would be served to every visitor of that URL until the TTL expires. Use the Bypass Cache Cookie feature described later for pages that are public until a session cookie appears.

Utilize conservative TTLs (Time-to-Lives) for content that changes occasionally


If content rarely changes, you can set a conservative TTL to utilize our cache as much as possible. A good way to tell if your TTLs may need to be adjusted is by watching your Status Codes in our Analytics app for an abundance of 304 responses. If you have a high percentage of revalidation requests, you could likely increase the TTLs of your content without negatively impacting your customers. This will use our cache more effectively and increase performance since you'll revalidate less often.

? How do I tell if items are being cached?

CloudFlare adds the response header "CF-Cache-Status" if attempting to cache the object. The value of this header indicates the outcome:
• MISS: Not yet in the cache or the TTL expired (i.e. cache-control max-age of 0)
• HIT: Asset delivered from cache
• EXPIRED: Delivered from cache, but the next request will require revalidation
• REVALIDATED: Delivered from cache. The TTL was expired, but an "If-Modified-Since" request to the origin indicated the asset has not changed, so the version in cache is considered valid again.
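The advice above (watch for 304-heavy paths and raise their TTLs) can be turned into a check that runs over edge or origin logs. The block below is an added example, not a CloudFlare tool. Its log format is an assumption (one line per request: path, response status, CF-Cache-Status), the sample lines are constructed, and the thresholds for flagging a path are arbitrary starting points to tune.

```python
"""Flag paths whose requests are mostly revalidations, the signal above that
their Edge TTL can be raised.

Added example, not a CloudFlare tool. Log format (path, status,
CF-Cache-Status) is an assumption and SAMPLE_LOG is constructed.
"""
from collections import Counter

# Constructed sample: path, response status, CF-Cache-Status.
SAMPLE_LOG = """\
/static/app.css 200 HIT
/static/app.css 200 HIT
/static/app.css 304 REVALIDATED
/static/logo.png 304 REVALIDATED
/static/logo.png 304 REVALIDATED
/static/logo.png 304 REVALIDATED
/static/logo.png 200 EXPIRED
/api/v1/items 200 MISS
/api/v1/items 200 MISS
"""

# EXPIRED and REVALIDATED both mean the edge went back to the origin for a
# freshness check instead of serving straight from cache.
REVALIDATION_STATUSES = {"EXPIRED", "REVALIDATED"}


def parse_log(text):
    """Yield (path, status, cache_status) per non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        path, status, cache_status = line.split()
        yield path, int(status), cache_status


def cache_report(text):
    """Per path: request count, straight cache hits, and revalidations."""
    totals, hits, revalidations = Counter(), Counter(), Counter()
    for path, status, cache_status in parse_log(text):
        totals[path] += 1
        if cache_status == "HIT":
            hits[path] += 1
        if cache_status in REVALIDATION_STATUSES or status == 304:
            revalidations[path] += 1
    return {
        path: {"requests": totals[path], "hits": hits[path],
               "revalidations": revalidations[path]}
        for path in totals
    }


def ttl_candidates(text, min_requests=3, revalidation_ratio=0.5):
    """Paths with enough traffic whose revalidation share is high enough that
    a longer Edge TTL would turn most of those round trips into hits."""
    report = cache_report(text)
    return sorted(
        path for path, row in report.items()
        if row["requests"] >= min_requests
        and row["revalidations"] / row["requests"] >= revalidation_ratio
    )


if __name__ == "__main__":
    for path, row in cache_report(SAMPLE_LOG).items():
        print(path, row)
    print("raise TTL on:", ttl_candidates(SAMPLE_LOG))
```

Paths that show up in ttl_candidates are the ones worth a longer Edge TTL; paths that are all MISS (the API in the sample) are simply not cacheable and are expected.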



Purge the cache via API for event-driven content
For example, every time a new post is added to your blog, you could easily purge the CloudFlare cache using an API command. It is very common to see event-driven content, and we make it easy to ensure no stale content is reaching your users. The options listed below purge the cache immediately across our entire global network, either via our Caching application or via the API.

Purge the cache for individual files


Purging individual objects is a great way to maintain your cache-hit ratio while still ensuring certain objects are re-validated in our cache. API Documentation

Purge the cache by Cache-Tag


Cache-Tags allow you to define buckets of content that you wish to purge all together. This is an excellent way to
combine objects that are commonly changed together. So an HTML blog post, for example, and all of its image
content could be tagged together. Mobile-only content could also be bundled using cache-tags to purge every-
thing when you push a new update to your mobile domain.

Purge the cache globally


You also have the option to force our entire cache to revalidate. This allows you to reset all of the objects stored
in our cache to ensure every request will return to the origin.

Purge the cache by Page Rule


Page Rules allow you to effectively purge the entire cache matched by a basic pattern. This lets you select a pre-defined Page Rule and re-validate all objects that match it.
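The following is an added example, not CloudFlare's client library, of driving the first three purge modes above (individual files, Cache-Tags, everything) from the event that changes the content. It uses the public v4 endpoint POST /zones/{zone_id}/purge_cache and its body keys purge_everything, files and tags; the Bearer token it sends is assumed to carry cache-purge permission on the zone, ZONE_ID and API_TOKEN are placeholders, and the per-call limit of 30 URLs for purge-by-file is an assumption drawn from the documented limit at the time of writing. Purge by Page Rule is a dashboard action and is not covered here.

```python
"""Build and send CloudFlare cache-purge requests for event-driven content.

Added example, not CloudFlare's code. Endpoint and body keys are those of
the v4 API; MAX_FILES_PER_CALL is an assumption about the documented limit.
"""
import json
import urllib.request
from urllib.parse import urlparse

API_BASE = "https://api.cloudflare.com/client/v4"
MAX_FILES_PER_CALL = 30  # assumption: per-call URL limit for purge by file


def purge_body(files=None, tags=None, everything=False):
    """Return the JSON body for one purge call after validating the inputs:
    exactly one mode, absolute URLs for files, and the per-call limit."""
    modes = sum([bool(files), bool(tags), bool(everything)])
    if modes != 1:
        raise ValueError("choose exactly one of files, tags, everything")
    if everything:
        return {"purge_everything": True}
    if files:
        if len(files) > MAX_FILES_PER_CALL:
            raise ValueError(f"at most {MAX_FILES_PER_CALL} URLs per call")
        for url in files:
            parsed = urlparse(url)
            if parsed.scheme not in ("http", "https") or not parsed.netloc:
                raise ValueError(f"purge by file needs an absolute URL: {url}")
        return {"files": list(files)}
    return {"tags": list(tags)}


def chunked(items, size):
    """Split a list into consecutive slices of at most size items."""
    for start in range(0, len(items), size):
        yield items[start:start + size]


def purge_requests(zone_id, files=None, tags=None, everything=False):
    """One (endpoint, body) pair per API call; long file lists are split so
    each call stays under MAX_FILES_PER_CALL."""
    endpoint = f"{API_BASE}/zones/{zone_id}/purge_cache"
    if files and len(files) > MAX_FILES_PER_CALL:
        return [(endpoint, purge_body(files=batch))
                for batch in chunked(list(files), MAX_FILES_PER_CALL)]
    return [(endpoint, purge_body(files, tags, everything))]


def send_purge(zone_id, api_token, **kwargs):
    """Issue the calls built by purge_requests; returns the parsed responses."""
    results = []
    for url, body in purge_requests(zone_id, **kwargs):
        req = urllib.request.Request(
            url, data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": f"Bearer {api_token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=15) as resp:
            results.append(json.load(resp))
    return results


if __name__ == "__main__":
    # Placeholders; a real run needs the zone ID and a token with purge rights.
    ZONE_ID, API_TOKEN = "ZONE_ID", "API_TOKEN"
    # On "blog post 42 published": purge the post URL and everything tagged with it.
    for endpoint, body in purge_requests(ZONE_ID, files=["https://www.example.com/blog/42"]):
        print(endpoint, json.dumps(body))
    for endpoint, body in purge_requests(ZONE_ID, tags=["blog-post-42"]):
        print(endpoint, json.dumps(body))
    # send_purge(ZONE_ID, API_TOKEN, tags=["blog-post-42"])  # network call
```

Hook send_purge into the publish event of your CMS; purge by tag when the post and its images share a Cache-Tag, and fall back to purge by file for a handful of known URLs.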

Advanced Enterprise Caching Features


Bypass Cache Cookie - The ability, configured in a Page Rule, to serve a cached object unless we see a cookie of a specific name, e.g., serve a cached version of the homepage unless we see a SessionID cookie indicating the customer is logged in and therefore should be presented personalized content.

Cache on Cookie - Serves a cached page only when we see a specific cookie, e.g., only serves a cached page once a device type cookie has been set by the origin server.

Custom Cache Keys - Generally, objects in CloudFlare's cache are referenced by only their URI, e.g., https://www.example.com/logo.png. We offer the ability to create custom cache keys so that a different object is served for the same URI based on any arbitrary request header or cookie, e.g., https://www.example.com/logo.png with a device type cookie set to desktop would be a different object in our cache than https://www.example.com/logo.png with the device type cookie set to tablet.

Accelerate your dynamic content with Railgun
Web applications often render personalized, dynamic content, which means that this content must be proxied through to the origin server. Railgun is an optional feature available to Business & Enterprise accounts that accelerates requests for this type of personalized content. Railgun is fundamentally a de-duplicating proxy. The Railgun listener is installed within the customer's origin infrastructure so that, before a response is sent from the origin infrastructure, a binary diff is performed against the last resource at the same URI. For example, when Bob attempts to access his shopping cart page, the application server renders it, but before it leaves the origin datacenter the Railgun listener compares Bob's page with Alice's page and only sends the difference. Documentation

Railgun Best Practices


Consider high-availability (HA) configuration
As CloudFlare will fall back to HTTP in the event Railgun fails, a high availability solution is generally not required. If high availability is preferred, all Railgun instances should be placed behind a layer 3 load balancer and registered with the same activation code as seen in the diagram. If configured in an active/active configuration, Railguns should share memcache to improve the cache hit rate. If configured in an active/passive configuration, Railguns can have independent memcaches.

Railgun should be outside of a load-balancer if possible


The Railgun listener (stand-alone or cluster) should logically sit outside of the load balancer, allowing requests for all application servers to flow through the same Railgun instance and increasing the cache hit ratio.

Keep Railgun near the origin


The railgun listener should be less than 5 milliseconds from your
application server.

Railgun can easily be created within AWS


We've provided a link to some excellent documentation from our friends at AWS.



Administrative Best Practices

Recommendations
• Manage your brand by customizing CloudFlare pages
• Enforce 2-Factor Authentication for your entire organization
• Submit a test support ticket

CloudFlare provides many ways to properly administer your brand presence, your account security, and your support process. We recommend working through each of our administrative best practices to ensure your customers and content are best served by the CloudFlare network.

Manage your brand by customizing CloudFlare pages


CloudFlare occasionally has to show content to your end-users. This can include security challenge pages, block pages, and error pages. All of this content can be customized by you to ensure a consistent branding experience for your customers.
There are two ways to customize CloudFlare’s pages:

1. Domain-Wide: Within the settings of each domain, you can go to the Customize application to change
the default pages for each and every page we could potentially show your users.

2. Organization-Wide : If you have many domains within your CloudFlare account and would like to
create Custom pages for all of them, you may do so within your Organization settings.

Enforce 2-factor authentication across your entire organization


CloudFlare allows you to enforce 2-Factor Authentication for every member of your organization. This extra factor prevents a stolen or phished password alone from granting access to your CloudFlare console, where DNS, SSL and security settings for all of your domains are controlled.
1. First, go to the upper right hand corner and select your Organization Settings
2. From the main Organization page, you'll see Enforce 2-Factor Authentication

Submit a test ticket with our support team


Feel free to write a quick note to our support team to test our support workflow. There are two easy ways to
submit a ticket.
1. Email entsupport@cloudflare.com
2. Search our knowledge base and create a ticket at support.cloudflare.com


© 2015-2016 CloudFlare Inc. All rights reserved.
The CloudFlare logo is a trademark of CloudFlare. All other company and product names may be trademarks of the respective companies with which they are associated.
