|
# Cloudflare Setup Guide for candivista.com
|
|
|
|
This guide covers putting Cloudflare in front of the candivista.com origin (168.231.108.135): the DNS, TLS, WAF and caching settings in the dashboard, the nginx changes that let the origin trust Cloudflare's real-IP header, and the checks that confirm traffic is actually going through the proxy rather than straight to the server.
|
|
|
|
## Cloudflare Configuration Steps
|
|
|
|
### 1. DNS Configuration
|
|
In your Cloudflare dashboard:
|
|
|
|
1. **Add A Records:**
|
|
```
|
|
Type: A
|
|
Name: @
|
|
Content: 168.231.108.135
|
|
Proxy status: Proxied (orange cloud)
|
|
|
|
Type: A
|
|
Name: www
|
|
Content: 168.231.108.135
|
|
Proxy status: Proxied (orange cloud)
|
|
```

Proxied (orange cloud) records return Cloudflare edge addresses to resolvers, so the origin IP is not visible in DNS. That only hides the origin if nothing else exposes it: unproxied subdomains or MX records pointing at the same host, historical DNS data, or the origin itself accepting connections from anyone. Treat the proxy as hiding the address, not as access control; the nginx and firewall notes below cover the access control part.
|
|
|
|
### 2. SSL/TLS Configuration
|
|
1. Go to **SSL/TLS** → **Overview**

2. Set encryption mode to **"Full (strict)"**. In this mode Cloudflare connects to the origin over TLS and validates the origin certificate, so the origin must present a certificate Cloudflare trusts: a publicly trusted one or a Cloudflare Origin CA certificate. A self-signed certificate only works in **"Full"**; under "Full (strict)" every request fails with Cloudflare error 526. Never use "Flexible", which sends traffic from the edge to the origin in plaintext.

3. Go to **SSL/TLS** → **Edge Certificates**

4. Enable **"Always Use HTTPS"**

5. Enable **"HTTP Strict Transport Security (HSTS)"**. Browsers cache HSTS for the configured `max-age`, so turn it on only once HTTPS works for the apex and `www` (and for every subdomain if you tick "Apply to subdomains"), and leave "Preload" off unless you intend to submit the domain to the preload list, which is very hard to undo.

6. Set **"Minimum TLS Version"** to **1.2** so the edge refuses TLS 1.0/1.1 clients.
|
|
|
|
### 3. Security Settings
|
|
1. Go to **Security** → **Settings**

2. Set security level to **"Medium"** or **"High"**. This controls how readily visitors with a poor IP reputation are challenged; "High" challenges more of them, so expect some friction for legitimate users behind shared or VPN addresses.

3. Enable **"Browser Integrity Check"** (rejects requests whose headers look like abusive automation, for example a missing or non-standard User-Agent)

4. Go to **Security** → **WAF**

5. Deploy the managed rulesets available on your plan under **Managed rules**. The WAF only inspects traffic that arrives through Cloudflare; it protects nothing if the origin also answers connections made directly to 168.231.108.135, which is why the origin has to be restricted to Cloudflare's IP ranges (see the nginx section below).
|
|
|
|
### 4. Performance Settings
|
|
1. Go to **Speed** → **Optimization**

2. Enable **"Auto Minify"** for CSS, HTML, and JavaScript if the option is still offered; Cloudflare has retired Auto Minify, so on newer dashboards this step does not exist and minification belongs in the build step instead.

3. Enable **"Brotli"** compression

4. Go to **Caching** → **Configuration**

5. Set caching level to **"Standard"**. By default Cloudflare caches only static file types, not HTML or API responses, so authenticated pages and the `/health` endpoint are not served from cache unless you add Cache Rules that say so.
|
|
|
|
## Nginx Configuration Updates
|
|
|
|
The nginx configuration has been updated to work optimally with Cloudflare:

### ✅ Changes Made:

1. **Real IP Detection** - `set_real_ip_from` entries for each published Cloudflare range plus `real_ip_header CF-Connecting-IP`, so `$remote_addr`, the access log and rate limiting see the visitor's address rather than a Cloudflare edge node. The header is only trusted on connections from those ranges, and the list has to be refreshed when Cloudflare publishes changes (https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6).

2. **SSL Optimization** - Disabled OCSP stapling (the certificate browsers see is Cloudflare's edge certificate; the origin certificate is only ever validated by Cloudflare). The origin still has to serve TLS with a Cloudflare-trusted certificate for "Full (strict)" to work.

3. **Security Headers** - Added Cloudflare-specific headers

4. **Rate Limiting** - Keyed on the restored client address, so limits apply per visitor instead of per edge node. This only holds for traffic that comes through Cloudflare: an attacker who discovers 168.231.108.135 and connects directly bypasses the WAF and the edge rate limits entirely. nginx `allow`/`deny` on Cloudflare's ranges is not the fix, because after `real_ip` has rewritten `$remote_addr` those directives see the visitor's address and would deny legitimate traffic (the original peer is available as `$realip_remote_addr`); restrict ports 80/443 to Cloudflare's ranges in the host firewall instead.
|
|
|
|
## Deployment with Cloudflare
|
|
|
|
### Option 1: Use Cloudflare Environment
|
|
```bash
|
|
# Deploy with Cloudflare-optimized settings
|
|
docker-compose --env-file env.cloudflare up -d
|
|
```
|
|
|
|
### Option 2: Use Self-Signed Certificates (SSL/TLS mode "Full" only)

A self-signed origin certificate is not trusted by Cloudflare's edge, so it does not work with the "Full (strict)" mode configured above: every request would fail with Cloudflare error 526 (Invalid SSL certificate). Use it only with the SSL/TLS mode set to "Full", or switch to a Cloudflare Origin CA certificate, which "Full (strict)" accepts. The certificate browsers see is Cloudflare's either way.

```bash
# Generate a self-signed certificate for the origin (requires SSL/TLS mode "Full";
# the SAN covers both proxied hostnames)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout nginx/ssl/key.pem \
    -out nginx/ssl/cert.pem \
    -subj "/C=US/ST=State/L=City/O=Organization/CN=candivista.com" \
    -addext "subjectAltName=DNS:candivista.com,DNS:www.candivista.com"

# Deploy
docker-compose --env-file env.cloudflare up -d
```
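The certificate that actually satisfies "Full (strict)" on a private origin is a Cloudflare Origin CA certificate. The script below is an added example, not part of the candivista project or of Cloudflare's own tooling: it creates the key and CSR to paste into **SSL/TLS** → **Origin Server** → **Create Certificate**, then checks that the PEM the dashboard returns chains to the Origin CA root and belongs to the generated key before nginx is restarted with it. The `nginx/ssl/` path follows the self-signed option above; `ORIGIN_CA_ROOT_URL` is the root certificate location published in Cloudflare's docs and is an assumption to verify, as are the function names.

```bash
#!/bin/sh
# Added example, not part of the candivista project: produce the key and
# CSR for a Cloudflare Origin CA certificate, then sanity-check what the
# dashboard hands back. An Origin CA cert is trusted by Cloudflare's edge
# (all that "Full (strict)" requires) but by no browser, so it is only
# ever installed on the origin.
# Assumptions: nginx/ssl/ is the directory the compose file mounts, and
# ORIGIN_CA_ROOT_URL is the root published in Cloudflare's docs (verify it).
ORIGIN_CA_ROOT_URL="https://developers.cloudflare.com/ssl/static/origin_ca_rsa_root.pem"

# make_origin_csr DOMAIN OUTDIR -> writes OUTDIR/key.pem (mode 0600) and
# OUTDIR/origin.csr covering the apex and www, matching the two A records.
make_origin_csr() {
  local domain=$1 out=$2
  mkdir -p "$out"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$out/key.pem" -out "$out/origin.csr" \
    -subj "/CN=$domain" \
    -addext "subjectAltName=DNS:$domain,DNS:www.$domain" 2>/dev/null
  chmod 600 "$out/key.pem"
}

# csr_sans CSR -> the subjectAltName entries the CSR asks for
csr_sans() {
  openssl req -in "$1" -noout -text | awk '/DNS:/ { sub(/^[ \t]+/, ""); print; exit }'
}

# verify_origin_cert CERT ROOT -> exit 0 when CERT chains to ROOT
# (with the Origin CA root, this is the check Cloudflare's edge performs).
verify_origin_cert() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# cert_matches_key CERT KEY -> exit 0 when CERT carries KEY's public key,
# i.e. the dashboard certificate really belongs to the CSR you pasted.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Usage:
#   make_origin_csr candivista.com nginx/ssl
#   cat nginx/ssl/origin.csr   # paste into Origin Server -> Create Certificate,
#                              # save the returned PEM as nginx/ssl/cert.pem
#   curl -sSo origin_ca_root.pem "$ORIGIN_CA_ROOT_URL"
#   verify_origin_cert nginx/ssl/cert.pem origin_ca_root.pem \
#     && cert_matches_key nginx/ssl/cert.pem nginx/ssl/key.pem \
#     && docker-compose --env-file env.cloudflare up -d
```

Generating the key locally (rather than letting the dashboard generate it) keeps the private key off the Cloudflare UI and out of your clipboard; the two checks at the end catch the two common mistakes, installing a certificate that was issued for a different CSR and installing one that is not an Origin CA certificate at all.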
|
|
|
|
## Testing Your Setup
|
|
|
|
### 1. Check DNS Propagation
|
|
```bash
|
|
# Resolve both names. Proxied records return Cloudflare edge addresses;
# if 168.231.108.135 comes back, that record is still grey-cloud (DNS only)
dig +short A candivista.com
dig +short A www.candivista.com
nslookup candivista.com
|
|
```
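Whether the names really resolve to Cloudflare, and whether the origin trusts `CF-Connecting-IP` from exactly those addresses, both come down to the same published range list. The script below is an added example (not the project's own configuration generator) that serves both this DNS check and the real-IP and firewall changes described under "Nginx Configuration Updates": it embeds a snapshot of Cloudflare's IPv4 ranges, renders the `set_real_ip_from` snippet and matching `ufw` rules, and reports whether every A record of a hostname is a Cloudflare edge address. The range snapshot, the script name, the zone name `perclient` and the rate value are assumptions; refresh the ranges from https://www.cloudflare.com/ips-v4 before generating production config.

```bash
#!/bin/sh
# Added example, not part of the candivista project: generate the nginx
# real-IP snippet and origin firewall rules from Cloudflare's IPv4 ranges,
# and check that a hostname resolves to Cloudflare rather than the origin.
#
# Snapshot of https://www.cloudflare.com/ips-v4 (assumption: refresh before
# use; /ips-v6 needs the same treatment if the origin has an IPv6 address).
CF_IPV4_RANGES="173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/13
104.24.0.0/14
172.64.0.0/13
131.0.72.0/22"

# ip2int A.B.C.D -> the address as a 32-bit integer.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> exit 0 when IP lies inside the prefix.
in_cidr() {
  local ip=$1 net=${2%/*} bits=${2#*/} mask
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# in_cloudflare_ranges IP -> exit 0 when IP is a Cloudflare edge address.
in_cloudflare_ranges() {
  local cidr
  for cidr in $CF_IPV4_RANGES; do
    in_cidr "$1" "$cidr" && return 0
  done
  return 1
}

# render_realip_conf -> nginx http{} snippet. Trusting CF-Connecting-IP only
# from these ranges is what makes $remote_addr (and so the rate-limit key
# and the access log) the visitor's address instead of an edge node.
render_realip_conf() {
  local cidr
  echo "# Cloudflare real-IP restoration (generated; regenerate when ranges change)"
  for cidr in $CF_IPV4_RANGES; do
    echo "set_real_ip_from $cidr;"
  done
  echo "real_ip_header CF-Connecting-IP;"
  echo "# keyed on the restored client address, not the edge node"
  echo 'limit_req_zone $binary_remote_addr zone=perclient:10m rate=10r/s;'
}

# render_firewall_rules -> ufw commands admitting 80/443 only from Cloudflare.
# Done in the host firewall rather than nginx allow/deny because, after
# real_ip rewrites $remote_addr, allow/deny would see visitor addresses.
render_firewall_rules() {
  local cidr port
  echo "ufw allow 22/tcp   # keep your own SSH access before enabling the default deny"
  echo "ufw default deny incoming"
  for cidr in $CF_IPV4_RANGES; do
    for port in 80 443; do
      echo "ufw allow proto tcp from $cidr to any port $port"
    done
  done
}

# check_proxied HOST -> exit 0 when every A record is a Cloudflare edge
# address; exit 1 if any record exposes a non-Cloudflare (origin) address.
check_proxied() {
  local host=$1 ip addrs bad=0
  addrs=$(dig +short A "$host" | grep -E '^[0-9]+(\.[0-9]+){3}$')
  [ -n "$addrs" ] || { echo "$host: no A records"; return 2; }
  for ip in $addrs; do
    if in_cloudflare_ranges "$ip"; then
      echo "$host -> $ip  (Cloudflare edge, proxied)"
    else
      echo "$host -> $ip  (NOT Cloudflare: grey-cloud record or origin leak)"
      bad=1
    fi
  done
  return $bad
}

# Usage: sh cf-ranges.sh conf  > nginx/conf.d/cloudflare-realip.conf
#        sh cf-ranges.sh fw    | sh        (review the output first)
#        sh cf-ranges.sh check candivista.com
case "${1:-}" in
  conf)  render_realip_conf ;;
  fw)    render_firewall_rules ;;
  check) check_proxied "$2" ;;
esac
```

Run `check` for both `candivista.com` and `www.candivista.com`, and rerun `conf` and `fw` whenever the published ranges change; a stale `set_real_ip_from` list silently turns some visitors into "one client" (the edge node's address) for rate limiting, and a stale firewall list turns up as Cloudflare 521/522 errors. If you do need the filtering in nginx itself, key it on `$realip_remote_addr`, which still holds the connecting peer after real-IP restoration.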
|
|
|
|
### 2. Test SSL Certificate
|
|
```bash
|
|
# The certificate browsers see is Cloudflare's edge certificate; a
# "server: cloudflare" header and a cf-ray header confirm the request went through the proxy
curl -sI https://candivista.com | grep -iE '^(server|cf-ray|strict-transport-security):'

# Edge certificate details (issuer, names, validity)
openssl s_client -connect candivista.com:443 -servername candivista.com </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer -subject -dates

# Origin certificate as Cloudflare sees it under "Full (strict)": connect to the
# origin IP with the same SNI. This must be a publicly trusted or Origin CA certificate
openssl s_client -connect 168.231.108.135:443 -servername candivista.com </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer -subject -dates
|
|
```
|
|
|
|
### 3. Test Application
|
|
```bash
|
|
# Test HTTP (should answer 301 with a Location: https://... header)
curl -sI http://candivista.com | grep -iE '^(HTTP|location)'

# Test HTTPS
curl -I https://candivista.com

# Test health endpoint
curl https://candivista.com/health
|
|
```
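The three curl calls above each need a human to read the output. The script below is an added example, not part of the candivista project, that turns the same expectations into pass/fail checks: plain HTTP must redirect to an `https://` URL, and HTTPS responses must carry `server: cloudflare`, a `cf-ray` header and the HSTS header the Edge Certificates settings add. It reads raw headers from stdin, so it runs on live `curl -sI` output or on a saved capture; the two sample captures inside it are constructed, not real responses from candivista.com, and the script and function names are assumptions.

```bash
#!/bin/sh
# Added example, not part of the candivista project: check the response
# headers the Cloudflare setup should produce. Headers are read from stdin
# so the checks run on live `curl -sI` output or on a saved capture.

# header_value HEADERS NAME -> value of the first NAME: line (case-insensitive)
header_value() {
  printf '%s\n' "$1" | awk -v n="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
    'tolower($1) == (n ":") { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# check_edge_headers MODE  (http | https), raw headers on stdin.
# Prints one line per check; exit 0 only if every check passed.
check_edge_headers() {
  local mode=$1 headers status fail=0
  headers=$(tr -d '\r')                      # curl emits CRLF line endings
  status=$(printf '%s\n' "$headers" | awk 'NR == 1 { print $2 }')
  if [ "$mode" = http ]; then
    # "Always Use HTTPS" must answer plain HTTP with a redirect to https://
    case "$status" in
      301|302|307|308) echo "ok    HTTP $status redirect" ;;
      *) echo "FAIL  expected a redirect on http://, got HTTP $status"; fail=1 ;;
    esac
    case "$(header_value "$headers" location)" in
      https://*) echo "ok    Location points at https" ;;
      *) echo "FAIL  redirect target is not https"; fail=1 ;;
    esac
  else
    if [ "$status" = 200 ]; then echo "ok    HTTP 200"; else echo "FAIL  HTTP $status"; fail=1; fi
    # server: cloudflare plus cf-ray prove the request went through the proxy;
    # their absence means a grey-cloud record or a request that hit the origin directly
    if [ "$(header_value "$headers" server)" = cloudflare ]; then
      echo "ok    served by Cloudflare edge"
    else
      echo "FAIL  server header is not cloudflare (record unproxied?)"; fail=1
    fi
    if [ -n "$(header_value "$headers" cf-ray)" ]; then
      echo "ok    cf-ray present"
    else
      echo "FAIL  no cf-ray header"; fail=1
    fi
    # HSTS is added by the edge once enabled under Edge Certificates
    case "$(header_value "$headers" strict-transport-security)" in
      max-age=*) echo "ok    HSTS: $(header_value "$headers" strict-transport-security)" ;;
      *) echo "FAIL  no Strict-Transport-Security header"; fail=1 ;;
    esac
  fi
  return $fail
}

# Constructed sample captures (not real responses from candivista.com),
# shaped like what curl -sI prints for a correctly proxied site.
SAMPLE_HTTPS='HTTP/2 200
date: Mon, 01 Jan 2024 00:00:00 GMT
content-type: text/html; charset=utf-8
strict-transport-security: max-age=31536000; includeSubDomains
cf-ray: 0123456789abcdef-FRA
server: cloudflare'

SAMPLE_HTTP='HTTP/1.1 301 Moved Permanently
Location: https://candivista.com/
server: cloudflare'

# Usage: curl -sI https://candivista.com | sh check-edge.sh https
#        curl -sI http://candivista.com  | sh check-edge.sh http
if [ -n "${1:-}" ]; then
  check_edge_headers "$1"
fi
```

A missing `server: cloudflare` on the HTTPS check is the most useful failure: it means the name is resolving to the origin (grey cloud, or a leaked address), so the WAF, rate limits and edge TLS settings configured earlier are not in the path at all.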
|
|
|
|
## Cloudflare Benefits
|
|
|
|
### ✅ SSL/TLS
|
|
- **Free SSL certificates** from Cloudflare
|
|
- **Automatic certificate renewal**
|
|
- **Modern TLS protocols** (TLS 1.3)
|
|
- **A/A+ grade on SSL Labs** is achievable for the edge (note that the scan tests Cloudflare's edge configuration, not your origin)
|
|
|
|
### ✅ Performance
|
|
- **Global CDN** - Faster loading worldwide
|
|
- **Caching** - Reduced server load
|
|
- **Compression** - Smaller file sizes
|
|
- **HTTP/2 and HTTP/3** support
|
|
|
|
### ✅ Security
|
|
- **DDoS protection**
|
|
- **Web Application Firewall (WAF)**
|
|
- **Bot protection**
|
|
- **Rate limiting**
|
|
|
|
### ✅ Monitoring
|
|
- **Analytics** - Traffic insights
|
|
- **Security events** - Attack monitoring
|
|
- **Performance metrics** - Speed optimization
|
|
|
|
## Troubleshooting
|
|
|
|
### Common Issues
|
|
|
|
1. **"Not Secure" Warning:**

   - Check Cloudflare SSL/TLS settings
   - Ensure "Full (strict)" mode is enabled and that the origin certificate is one Cloudflare trusts (public CA or Origin CA)
   - Wait for DNS propagation
   - If the page loads but the browser still flags it, look for mixed content (http:// assets on an https page)

2. **502 Bad Gateway or a Cloudflare 52x error page:**

   - Check if your server is running
   - Verify Cloudflare can reach your server: ports 80/443 must be open to Cloudflare's IP ranges (521 = connection refused, 522 = timeout, often caused by a firewall list that is out of date)
   - 525 means the TLS handshake with the origin failed; 526 means the origin certificate is invalid for "Full (strict)" (expired, wrong name, or self-signed)
   - Check nginx logs
|
|
|
|
3. **Slow Loading:**
|
|
- Enable Cloudflare caching
|
|
- Check compression settings
|
|
- Optimize images and assets
|
|
|
|
### Useful Commands
|
|
|
|
```bash
|
|
# Cloudflare IP ranges (what set_real_ip_from and the origin firewall must contain)
curl -s https://www.cloudflare.com/ips-v4
curl -s https://www.cloudflare.com/ips-v6

# Confirm the origin cannot be reached around Cloudflare: connect to the origin IP
# directly with the right SNI. Expected: the connection times out or is refused
# (firewall), never the application
curl -sk --resolve candivista.com:443:168.231.108.135 -o /dev/null -w '%{http_code}\n' https://candivista.com/

# A spoofed CF-Connecting-IP sent straight to the origin must be ignored: if the
# request gets through at all it must be logged under the connecting address, because
# set_real_ip_from only trusts the header from Cloudflare's ranges. Sending the header
# through Cloudflare proves nothing, since the edge overwrites it with the real client IP
curl -sk --resolve candivista.com:443:168.231.108.135 -H "CF-Connecting-IP: 1.2.3.4" https://candivista.com/

# Check the edge response headers (server, cf-ray, HSTS)
curl -sI https://candivista.com | grep -iE '^(server|cf-ray|strict-transport-security):'

# Monitor nginx logs
docker logs candidat-nginx -f
|
|
```
|
|
|
|
## Next Steps
|
|
|
|
1. **Configure DNS** in Cloudflare dashboard
|
|
2. **Set SSL/TLS** to "Full (strict)" once the origin serves a certificate Cloudflare trusts (Origin CA or public CA)
|
|
3. **Deploy application** with Cloudflare settings
|
|
4. **Test everything** works correctly
|
|
5. **Enable additional features** (caching, security, etc.)
|
|
|
|
Your application will now have:
|
|
- ✅ **Free SSL certificates**
|
|
- ✅ **Global CDN performance**
|
|
- ✅ **Enhanced security**
|
|
- ✅ **Professional setup**
|