# Cloudflare Setup Guide for candivista.com

This guide will help you configure Cloudflare for your application to get proper SSL certificates and better performance.

## Cloudflare Configuration Steps

### 1. DNS Configuration

In your Cloudflare dashboard:

1. **Add A Records:**

```
Type: A
Name: @
Content: 168.231.108.135
Proxy status: Proxied (orange cloud)

Type: A
Name: www
Content: 168.231.108.135
Proxy status: Proxied (orange cloud)
```

### 2. SSL/TLS Configuration

1. Go to **SSL/TLS** → **Overview**
2. Set encryption mode to **"Full (strict)"**
3. Go to **SSL/TLS** → **Edge Certificates**
4. Enable **"Always Use HTTPS"**
5. Enable **"HTTP Strict Transport Security (HSTS)"**

### 3. Security Settings

1. Go to **Security** → **Settings**
2. Set security level to **"Medium"** or **"High"**
3. Enable **"Browser Integrity Check"**
4. Go to **Security** → **WAF**
5. Enable **"Web Application Firewall"**

### 4. Performance Settings

1. Go to **Speed** → **Optimization**
2. Enable **"Auto Minify"** for CSS, HTML, and JavaScript
3. Enable **"Brotli"** compression
4. Go to **Caching** → **Configuration**
5. Set caching level to **"Standard"**

## Nginx Configuration Updates

The nginx configuration has been updated to work optimally with Cloudflare:

### ✅ Changes Made:

1. **Real IP Detection** - Added Cloudflare IP ranges
2. **SSL Optimization** - Disabled OCSP stapling (handled by Cloudflare)
3. **Security Headers** - Added Cloudflare-specific headers
4. **Rate Limiting** - Works with Cloudflare's real IP detection

## Deployment with Cloudflare

### Option 1: Use Cloudflare Environment

```bash
# Deploy with Cloudflare-optimized settings
docker-compose --env-file env.cloudflare up -d
```

### Option 2: Use Self-Signed Certificates

```bash
# Generate self-signed certificates (Cloudflare will handle SSL)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout nginx/ssl/key.pem \
  -out nginx/ssl/cert.pem \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=candivista.com"

# Deploy
docker-compose --env-file env.cloudflare up -d
```

Note that the **"Full (strict)"** mode from step 2 validates the certificate presented by your origin, so a self-signed certificate will fail that check (Cloudflare answers with a 526 "Invalid SSL certificate" error). If you take this option, either issue the origin certificate from Cloudflare's Origin CA instead of self-signing it, or select **"Full"** rather than **"Full (strict)"**.

## Testing Your Setup

### 1. Check DNS Propagation

```bash
# Check if domain resolves through Cloudflare
nslookup candivista.com
dig candivista.com
```

### 2. Test SSL Certificate

```bash
# Test SSL (should show Cloudflare certificate)
curl -I https://candivista.com

# Check certificate details
openssl s_client -connect candivista.com:443 -servername candivista.com
```

### 3. Test Application

```bash
# Test HTTP (should redirect to HTTPS)
curl -I http://candivista.com

# Test HTTPS
curl -I https://candivista.com

# Test health endpoint
curl https://candivista.com/health
```

## Cloudflare Benefits

### ✅ SSL/TLS

- **Free SSL certificates** from Cloudflare
- **Automatic certificate renewal**
- **Modern TLS protocols** (TLS 1.3)
- **Perfect SSL score** on SSL Labs

### ✅ Performance

- **Global CDN** - Faster loading worldwide
- **Caching** - Reduced server load
- **Compression** - Smaller file sizes
- **HTTP/2 and HTTP/3** support

### ✅ Security

- **DDoS protection**
- **Web Application Firewall (WAF)**
- **Bot protection**
- **Rate limiting**

### ✅ Monitoring

- **Analytics** - Traffic insights
- **Security events** - Attack monitoring
- **Performance metrics** - Speed optimization

## Troubleshooting

### Common Issues

1. **"Not Secure" Warning:**
   - Check Cloudflare SSL/TLS settings
   - Ensure "Full (strict)" mode is enabled
   - Wait for DNS propagation

2. **502 Bad Gateway:**
   - Check if your server is running
   - Verify Cloudflare can reach your server
   - Check nginx logs

3. **Slow Loading:**
   - Enable Cloudflare caching
   - Check compression settings
   - Optimize images and assets

### Useful Commands

```bash
# Check Cloudflare IP ranges
curl -s https://www.cloudflare.com/ips-v4

# Test from Cloudflare's perspective
curl -H "CF-Connecting-IP: 1.2.3.4" https://candivista.com

# Check SSL certificate
curl -I https://candivista.com

# Monitor nginx logs
docker logs candidat-nginx -f
```

## Next Steps

1. **Configure DNS** in Cloudflare dashboard
2. **Set SSL/TLS** to "Full (strict)"
3. **Deploy application** with Cloudflare settings
4. **Test everything** works correctly
5. **Enable additional features** (caching, security, etc.)

Your application will now have:

- ✅ **Free SSL certificates**
- ✅ **Global CDN performance**
- ✅ **Enhanced security**
- ✅ **Professional setup**
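The "Real IP Detection" and "Rate Limiting" changes listed under Nginx Configuration Updates only work if nginx honours `CF-Connecting-IP` on connections that really come from Cloudflare's published ranges; a request that reaches the origin directly must keep its connecting address as `$remote_addr`, or the rate limiter keys on whatever the client chose to send. The script below is an added example, not part of this project, that turns the `ips-v4` list from "Useful Commands" into such an nginx include; the file name `cf-ips-v4.txt`, the output path and the sample list (two published ranges plus junk lines) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the project's own code): build the nginx real-IP
# include from Cloudflare's IPv4 ranges. Only connections from these
# ranges get their CF-Connecting-IP header honoured; a direct hit on the
# origin keeps the connecting address as $remote_addr.
set -eu

# generate_realip_conf FILE -> prints nginx directives on stdout and
# returns non-zero if FILE yields no usable range, so an empty or failed
# download never silently wipes the trust list.
generate_realip_conf() {
  ip_list="$1"
  count=0
  echo "# Generated: trust CF-Connecting-IP only from Cloudflare (IPv4)"
  while IFS= read -r cidr || [ -n "$cidr" ]; do
    case "$cidr" in ''|\#*) continue ;; esac   # skip blanks and comments
    # accept only a.b.c.d/len; anything else is reported and dropped
    if ! printf '%s\n' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'; then
      echo "skipping malformed entry: $cidr" >&2
      continue
    fi
    echo "set_real_ip_from $cidr;"
    count=$((count + 1))
  done < "$ip_list"
  # Cloudflare carries the visitor address in CF-Connecting-IP; with the
  # set_real_ip_from list above, limit_req zones keyed on
  # $binary_remote_addr see the visitor rather than the proxy.
  echo "real_ip_header CF-Connecting-IP;"
  echo "# $count range(s) trusted"
  [ "$count" -gt 0 ]
}

# Constructed sample input: two of Cloudflare's published ranges plus lines
# that must be ignored. For the real file use:
#   curl -s https://www.cloudflare.com/ips-v4 > cf-ips-v4.txt
sample_file="${TMPDIR:-/tmp}/cf-ips-v4.txt"
printf '%s\n' '173.245.48.0/20' '# comment' '' 'not-a-range' '104.16.0.0/13' \
  > "$sample_file"
generate_realip_conf "$sample_file" > "${TMPDIR:-/tmp}/cloudflare-realip.conf"
cat "${TMPDIR:-/tmp}/cloudflare-realip.conf"
```

Drop the generated file into the nginx `conf.d` directory (or `include` it from the `http` block) and regenerate it whenever the published list changes; remember that the IPv6 list at `ips-v6` needs the same treatment if the origin is reachable over IPv6.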