Welcome to a faster and safer web!
On behalf of the Customer Success team, we want to welcome you to CloudFlare's Enterprise service. At this stage, you should have been introduced to your dedicated team and have scheduled an onboarding to get your sites accelerated and protected behind the CloudFlare network.
This guide was prepared by our Senior Solutions Engineers to empower you and your team with industry best practices and steps that you can use to tune the CloudFlare service to fit your needs.
Contents
Getting Started - Page 4
Security Best Practices - Page 7
Performance Best Practices - Page 10
Administrative Best Practices - Page 14
What is CloudFlare?
CloudFlare is a globally distributed HTTP(S) reverse proxy and Managed DNS provider delivered as a cloud service. Once your website is a part of the CloudFlare network, your web traffic is routed through our intelligent global network. We automatically optimize the delivery of your web pages so your visitors get the fastest page load times and best performance. We also block threats and limit abusive bots and crawlers from wasting your bandwidth and server resources. The result: CloudFlare-powered websites see a significant improvement in performance and a decrease in spam and other attacks.
DNS
• Global Anycast network
• DNSSEC
Security
• IP Reputation Database
• Web Application Firewall (WAF)
• Complete Access Control (IP, Country, ASN)
• Unlimited DDoS Mitigation
Standards + Platform
• SSL (SHA2+SHA1)
• IPv6
• HTTP/2 + SPDY
Getting Started
Recommendations
• Restore the originating IPs of your users
• Incorporate CloudFlare IPs - Ratelimiting and Access Control Lists (ACL)
• Integrate API traffic properly by reducing security settings
• Configure your SSL with a Custom Certificate and Full (Strict) setting
Given CloudFlare’s position at the edge of your network, there are a few considerations that must be made to
guarantee a smooth integration with CloudFlare’s service. These steps need to occur at your origin or within
CloudFlare. They can be accomplished before or after changing your DNS and activating our proxy service. The
recommendations below will help ensure that your logs are capturing
the correct IPs of your users, that CloudFlare can access your origin
properly, and that issues with API or HTTPS traffic are prevented.
Restore the originating IPs of your users
• CF-Connecting-IP
• X-Forwarded-For
• True-Client-IP (optional)
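The following is an added example, not code from the guide, showing how an origin application restores the visitor IP from the headers above and keys its rate limiting on that restored IP while treating only CloudFlare edge addresses as trusted proxies. The CLOUDFLARE_RANGES values are constructed placeholders; a real deployment loads CloudFlare's published list.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholder ranges standing in for CloudFlare's published edge IP list;
# a real deployment loads the current list from CloudFlare instead of hardcoding it.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:cf::/48")]

def is_cloudflare_ip(addr):
    """True when addr falls inside a CloudFlare edge range (the origin ACL test)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in CLOUDFLARE_RANGES)

def _valid_ip(text):
    """Normalise a header value to an IP string, or None if it is not one."""
    try:
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:
        return None

def client_ip(remote_addr, headers):
    """Restore the visitor's IP. CF-Connecting-IP (then the first X-Forwarded-For hop)
    is trusted only when the TCP peer is a CloudFlare edge; a connection from anywhere
    else keeps its socket address, so nobody who reaches the origin directly can pick
    an arbitrary IP just by sending these headers."""
    if not is_cloudflare_ip(remote_addr):
        return remote_addr
    for candidate in (headers.get("CF-Connecting-IP", ""),
                      headers.get("X-Forwarded-For", "").split(",")[0]):
        ip = _valid_ip(candidate)
        if ip:
            return ip
    return remote_addr

class RateLimiter:
    """Counts requests per restored client IP. Keying on the socket address instead
    would lump every visitor behind one CloudFlare edge into a single bucket."""
    def __init__(self, limit):
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, remote_addr, headers):
        key = client_ip(remote_addr, headers)
        self.counts[key] += 1
        return self.counts[key] <= self.limit
```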
Integrate API traffic properly by reducing security settings
CloudFlare can easily accelerate API traffic by removing connection overhead; however, CloudFlare's default security stance can interfere with the majority of API calls. We recommend taking the following actions to prevent any interference with your traffic once CloudFlare proxying is active.
API Instructions
CloudFlare's Browser Integrity Check looks for common HTTP headers abused by spammers and denies access to your page. It will also block visitors that do not send a user agent or that send a non-standard user agent (also commonly used by abusive bots, crawlers, or APIs).
Quickly see the SSL certificate being served for a given IP or URI. The -servername option sends the hostname via SNI so that the certificate for that hostname, rather than a default certificate, is returned:
$ echo | openssl s_client -connect www.theburritobot.com:443 -servername www.theburritobot.com 2>/dev/null | openssl x509 -noout -text
....
X509v3 Subject Alternative Name:
DNS:*.theburritobot.comsethx.com, DNS:theburritobot.com
X509v3 Basic Constraints:
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
URI:http://crl.globalsign.com/gs/gsorganizationvalg2.crl
...
Security Best Practices
Recommendations
• Secure origin IP addresses by proxying and increasing obfuscation
• Configure your Security Level selectively
• Activate your Web Application Firewall safely
By default, CloudFlare's security settings are set to safe defaults that aim to avoid false positives and negative influences on your traffic. However, this is not necessarily the best security posture for every Enterprise customer. The following steps will ensure CloudFlare is configured in a secure and safe manner.
See the difference yourself - Query a Grey Clouded and Orange-Clouded record!
$ dig greycloud.theburritobot.com @woz.ns.cloudflare.com +short
1.2.3.4 (The origin IP address)
Decrease the Security Level for non-sensitive paths or APIs to reduce false positives
This setting can be decreased for general pages and API traffic:
1. Ensure the proper domain is selected in the upper left corner.
2. Create a Page Rule with the URL pattern of your API
i.e. www.example.com/api/*
3. Select the Security Level Setting
4. Turn Security Level to Low, Off, or Essentially Off
5. Press Save and Deploy
Security Level settings are aligned with the threat score that IP addresses acquire through malicious behavior on our network. A threat score above 10 is considered high and 50 is really bad.
Activate your Web Application Firewall safely
Your WAF is available in the Firewall Application in the Web Application Firewall section. We will walk through these settings in reverse to ensure that the WAF is configured as safely as possible before turning it on for your entire domain. The goal of these initial settings is to reduce false positives and to populate the Traffic Application with WAF events for further tuning.
First, set the OWASP ModSecurity sensitivity to High with an action of Simulate
The OWASP package is based on an anomaly score to help reduce false positives while still catching attacks. The goal of these settings is to tune your OWASP settings by logging any false positives. A Simulate action simply logs an event within our Traffic application.
Second, activate CloudFlare Specials and any platform-specific groups you use
The CloudFlare Rulesets are focused on novel, zero-day and application-specific exploits. They are more specific and do not lend themselves to false positives. Selecting CloudFlare Specials and any application-specific groups allows you to take an adequate security posture with very few false positives. For example, if you use a Drupal application, that group should be activated while the Joomla and Magento groups are turned Off.
Performance Best Practices
Recommendations
• Activate mature Web Content Optimization (WCO) features
• Cache as much static and semi-static content as possible
• Purge the cache via API for event-driven content
• Accelerate dynamic content with Railgun
CloudFlare can accelerate all of the content you are trying to deliver to your users. By optimizing your images and
being as near as possible to your end-users, CloudFlare’s Performance suite provides the fastest experience for
your application.
Mirage - A mobile specific image optimization solution that “right-sizes” images based on the screen
resolution, lazy loads images below the fold, bundles images and asynchronously loads them after page load
to reduce the time until a mobile user can interact with a page.
Rocket Loader - Grabs all JavaScript and forces it to be loaded asynchronously after the page load. This feature is powerful and aggressive, ideal for customers who can't manage the loading order of the JavaScript on a page.
Cache as much static and semi-static content as possible
We encourage you to utilize the cache for all content that is static in nature (and even almost static). By default,
CloudFlare will only cache content we can be certain is static such as images, javascript, and CSS files. Our default,
and recommended, caching mode includes query parameters in the request. Your goal should be to cache as
much as possible to utilize our globally distributed network to its fullest.
CloudFlare adds the response header “CF-Cache-Status” if attempting to cache the object. The
value of this header indicates if successful:
• MISS: Not yet in the cache or the TTL expired (i.e. cache-control max age of 0)
• HIT: Asset delivered from cache
• EXPIRED: Delivered from cache, but the next request will require revalidation
• REVALIDATED: Delivered from cache. The TTL was expired, but a “If-Modified-Since” request
to the origin indicated the asset has not changed so the version in cache is considered valid
again.
Cache on Cookie - Presents a cached page only when we see a specific cookie, e.g., only serves a cached page once a device type cookie has been set by the origin server.
Custom Cache Keys - Generally, objects in CloudFlare's cache are referenced by only their URI, e.g., https://www.example.com/logo.png. We offer the ability to create custom cache keys so that a different object is served for the same URI based on any arbitrary request header or cookie, e.g., https://www.example.com/logo.png with a device type cookie set to desktop would be a different object in our cache than https://www.example.com/logo.png with device type cookie set to tablet.
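An added toy model (not CloudFlare's code) of the caching behaviour described above: the key includes the query string by default, a custom key folds in one named cookie so logo.png is stored once per device type while unrelated session cookies are ignored, Cache on Cookie bypasses the cache until the required cookie is present, and each lookup reports the CF-Cache-Status it would produce. EdgeCache, sample_origin and the BYPASS label are constructed for illustration; TTL expiry (EXPIRED/REVALIDATED) is not modelled.

```python
from urllib.parse import urlsplit
from http.cookies import SimpleCookie

def cookie_value(headers, name):
    """Value of one cookie from the request's Cookie header, or None if absent."""
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    return jar[name].value if name in jar else None

def cache_key(url, headers, vary_cookie=None):
    """Default key: scheme, host, path and the query string (query parameters are
    part of the key, as in the guide's default caching mode). A custom key also
    folds in the value of one named cookie, so the same URI is stored once per
    value of that cookie; every other cookie is ignored, which keeps session
    cookies from fragmenting the cache."""
    p = urlsplit(url)
    key = f"{p.scheme}://{p.netloc.lower()}{p.path}"
    if p.query:
        key += "?" + p.query
    if vary_cookie:
        key += f"#{vary_cookie}={cookie_value(headers, vary_cookie) or ''}"
    return key

def sample_origin(url, headers):
    # Constructed stand-in for the origin: the rendered body depends on device type.
    return f"{url} rendered for {cookie_value(headers, 'device') or 'default'}"

class EdgeCache:
    """Constructed toy edge cache: stores bodies by cache key and reports MISS on
    first sight and HIT afterwards. BYPASS (not in the guide's status list) marks
    a request that Cache on Cookie sent straight to the origin."""
    def __init__(self, vary_cookie=None, require_cookie=None):
        self.store = {}
        self.vary_cookie = vary_cookie      # Custom Cache Key cookie
        self.require_cookie = require_cookie  # Cache on Cookie gate

    def fetch(self, url, headers, origin=sample_origin):
        if self.require_cookie and cookie_value(headers, self.require_cookie) is None:
            return origin(url, headers), "BYPASS"
        key = cache_key(url, headers, self.vary_cookie)
        if key in self.store:
            return self.store[key], "HIT"
        body = origin(url, headers)
        self.store[key] = body
        return body, "MISS"
```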
Accelerate your dynamic content with Railgun
Web applications often render personalized, dynamic content, which means that this content must be proxied through to the origin server. Railgun is an optional feature available to Business & Enterprise accounts that accelerates requests for this type of personalized content. Railgun is fundamentally a de-duplicating proxy. The Railgun listener is installed within the customer's origin infrastructure so that before a response is sent from the origin infrastructure, a binary diff is performed with the last resource at the same URI. For example, when Bob attempts to access his shopping cart page, the application server renders it, but before it leaves the origin datacenter, the Railgun listener compares Bob's page with Alice's page and only sends the difference.
Administrative Best Practices
Recommendations
• Manage your brand by customizing CloudFlare pages
• Enforce 2-Factor Authentication for your entire organization
• Submit a test support ticket
CloudFlare provides many ways to properly administer your brand presence, your account security, and your support process. We recommend working through each of our administrative best practices to ensure your customers and content are best served by the CloudFlare network.
1. Domain-Wide: Within the settings of each domain, you can go to the Customize application to change
the default pages for each and every page we could potentially show your users.
2. Organization-Wide: If you have many domains within your CloudFlare account and would like to create Custom pages for all of them, you may do so within your Organization settings.
1 888 99 FLARE | success@cloudflare.com | www.cloudflare.com
© 2015-2016 CloudFlare Inc. All rights reserved.
The CloudFlare logo is a trademark of CloudFlare. All other company and product names may be trademarks of the respective companies with which they are associated.