Preface

In the previous tutorial (see article:Home Data Center Series CF Tutorial (I) CF related introduction and its benefits to personal webmasters), I introduced the main features provided by cloudflare (hereinafter referred to as CF) and its solutions (Free plan). However, based on the introduction in the previous article, you may feel confused: for example, with so many features, which parts of the CF console should be configured? And is there a sequence in which these features take effect?

So in this article, I plan to introduce the priority of each specific technical node in the overall CF solution in the entire CF traffic sequence, as well as the main functions it provides and the corresponding configuration location in the CF console.

CF flow sequence

What is a flow sequence?

The overall solution of CF is composed of a series of technical nodes. Before the access request is sent to the source server, these technical nodes of CF will process the access request according to the pre-defined hit determination priority order. This hit determination priority order is the traffic sequence, as shown in the following figure:

Note 1: It should be noted that this priority is the hit judgment priority. Once a node function in the traffic sequence is hit and processed normally (the so-called normal processing does not include termination-type behaviors, such as blocking, discarding, redirecting, etc.), it will continue to be handed over to the next functional module for judgment in the order of the traffic sequence.
Note 2: After being processed by all the node technology modules in the above traffic sequence, if the request is still legitimate and needs to access the origin server, CF will pass the request to the origin server (back to the origin).
Note 3: After the source server responds, the response data will be returned to the client through the relevant node processing modules (such as cache, content optimization).

Prerequisite: Domain name hosted in CF

Before we officially start, please meet the prerequisite: host your domain name on CF. If your domain name is hosted on other domain name providers, you need to migrate the domain name to CF first, which usually takes about 5 days.

Note: For the specific steps of migrating domain names to CF, please refer to my other article:Home data center series uses domestic cloud host to obtain CF for free to achieve fast access to domestic sites from abroad.

1. DDOS protection

CF's DDoS protection feature is a critical security service designed to protect websites and networks from distributed denial of service (DDoS) attacks. DDoS attacks overwhelm target servers with large amounts of false traffic, causing service disruptions. CF provides comprehensive DDoS protection to ensure website availability and performance.

A brief description of CF DDoS protection features is as follows:

1. Automatic detection and mitigation:
   • describe: CF uses advanced algorithms and machine learning models to monitor traffic in real time and automatically detect abnormal traffic patterns.
   • use: Once a DDoS attack is detected, CF will immediately take mitigation measures to filter out malicious traffic and ensure that normal traffic is not affected.
2. Global Anycast Network:
   • describe: CF relies on its huge Anycast network to distribute traffic in more than 200 data centers around the world.
   • use: Absorb and disperse attack traffic through a distributed network to prevent single point failure and network congestion.
3. Multi-layered protection:
   • describe: Provides comprehensive protection for the application layer (L7), transport layer (L4) and network layer (L3).
   • use: Protect websites, applications, and entire network infrastructure from DDoS attacks of all sizes and complexity.
4. Custom rules:
   • describe: Administrators can configure custom protection rules based on specific needs.
   • use: Set refined protection strategies for specific traffic patterns or attack types to further enhance security.
5. Real-time monitoring and reporting:
   • describe: CF provides detailed traffic monitoring and attack reports to help administrators understand attack details and mitigation effects.
   • use: Timely adjust and optimize security policies through visual monitoring tools and reports.

I personally think this is the most valuable free feature provided by CF. It only needs simple configuration to achieve unlimited protection against conventional DDOS attacks, and the interception rate can reach 99%. However, even if there are only 1% left, it is very easy to kill the source station without other protections. After all, the cloud hosts used by most people are not very good (except for the rich who buy expensive cloud hosts with good performance), so this is one of the reasons why I recommend home data centers.

For a detailed introduction to CF DDoS attacks and a configuration tutorial on CF DDoS attack protection, see:Home Data Center Series CloudFlare Tutorial (V) DDoS Attack Introduction and CF DDoS Protection Configuration Tutorial.

URL Rewriting

Note: URL rewriting refers to the process of converting the original URL requested by the user into another URL. It is usually used on the server side and handled by the web server or application framework (to be precise, it is done by the software module on the server, such as Apache's mod_rewrite module, Nginx's rewrite directive, and the URL rewriting function built into the application framework).

Here, URL rewriting is done by CF, and when it reaches the source server, it is the rewritten URL.

The main purposes of URL rewriting include:

1. Improve user experience: By using concise, readable URLs, you can make it easier for users to remember and understand the structure of your site. For example, rewrite example.com/product.php?id=123 to example.com/product/123.
2. SEO Optimization: Search engines prefer URLs that are clear, concise, and contain keywords. By rewriting URLs, you can make URLs more descriptive, thereby improving search engine rankings.
3. safety：By hiding the internal structure and parameters, the security of the website can be improved. For example, the actual request path and parameters are hidden to avoid leaking sensitive information.
4. URL Normalization: Solve the problem of duplicate content caused by different URLs pointing to the same content. For example,example.comandwww.example.comRewrite uniformly into one form.
5. Simplified routing: In web applications, URL rewriting makes it easier to handle complex routing and parameter passing. For example, in an MVC framework, you can rewrite requests to specific controllers and actions.
6. If the browser does not support cookies or the user blocks allCookies, you cansessionIdAdd tourlSent to the server (or load balancing device) is supportedsessionA very reliable method.

Page Rules

CF's page rules are a feature used to manage and optimize specific URLs or paths. Through page rules, users can set different behaviors and optimization strategies for specific pages or paths on their website, thereby improving performance, security, and user experience (Note: Free plans only support 3 page rules).

Here are some common page rule uses:

1. Redirect URL: You can redirect a specific URL to another URL. For example, redirect an old page to a new page, or redirect a URL without "www" to a URL with "www".
2. Cache settings：You can set a cache policy for a specific page or path to improve loading speed. For example, you can set the cache time for static resources (such as images, CSS, JavaScript).
3. SSL/TLS Settings: You can force SSL/TLS to be enabled or disabled for specific pages or paths. For example, you can force HTTP requests to be redirected to HTTPS to ensure that the page is transmitted over a secure connection.
4. Firewall rules: You can set access controls for specific pages or paths. For example, you can restrict access to specific countries or IP addresses, or enable specific security protections (such as DDoS protection).
5. Page Optimization: You can enable or disable specific optimization features for specific pages or paths. For example, you can enable automatic compression, optimize image loading, or disable certain performance optimizations to ensure that the page renders correctly.
6. Custom HTTP Headers: You can set custom HTTP headers for specific pages or paths. For example, you can set a Content Security Policy header to enhance the security of the page.
7. Bandwidth savings: You can set bandwidth limits for specific pages or paths. For example, you can limit the download speed of large files to avoid taking up too much bandwidth.

Note 1: CF announced the abolition of page rules some time ago. The reason is that many functional options in page rules can be completed in other subsequent technical nodes, such as redirection, caching, etc., but now it has been restored. I personally feel that it is because page rules have their own characteristics and are opposed to their abolition by many users. We will talk about this when we talk about page rules separately.

Note 2: Page rules have a high priority, but there are only a few of them (only 3 in the Free plan). So if you can use subsequent special features with lower priority, such as redirection and Cache Rules, try not to use page rules to complete it.

Origin Rules

CF's Origin Rules are a feature used to adjust and optimize access requests before they reach the origin server. Specific actions are performed based on specific attributes of the request (such as URL path, HTTP header, etc.) to enhance the performance, security, and flexibility of the website.

However, in the Free plan, the only function that Origin Rules can achieve is to modify the access port when returning to the origin server:

And it can only be used when the source server uses a public IP to build a website. When I used the public IP of my home broadband to build a website, I used this function to change the back-to-source port to a non-standard port because there were no ports 80 and 443. However, after using the tunnel function, I no longer need this function (the tunnel function can arbitrarily specify the service port and host on the source server).

Cache Rules

CF's Cache Rules allow users to customize how to cache website content to improve performance and reduce the load on the origin server. By setting cache rules, users can more precisely control which content is cached, how long it is cached, and when to refresh the cache.

By properly configuring cache rules, you can achieve the following effects:
• Improve performance: Through caching rules, the load on the source server can be significantly reduced and the loading speed of content can be improved.
• Flexible control: You can precisely control which content is cached, how long it is cached, and when the cache is refreshed based on actual needs.
• Reduce costs: Reduces the bandwidth consumption and number of processing requests of the source server, thereby reducing operating costs.

Common uses of Cache Rules are as follows:

1. Setting the cache level: Define cache policies, such as "Standard cache", "No cache", "Cache static content only", etc.
2. Custom cache TTL (Time to Live): Set the cache validity period for specific content. For example, you can set a longer cache time for static resources (such as images, CSS, JavaScript), and a shorter cache time for dynamic content (such as HTML pages).
3. Bypassing the cache: Set specific URLs or paths to not be cached to ensure that the content is updated in real time. For example, login pages or shopping cart pages are usually not suitable for caching.
4. Cache Keyword: Use query parameters, cookies, or other headers to determine caching strategy. For example, you can cache different versions of a page based on the user's language preference.
5. Cache rule trigger conditions: Set conditions based on URL path, file extension, query parameters, etc. to trigger specific caching rules.

For detailed introduction and configuration tutorial of Cache Rules, see:Home Data Center Series CloudFlare Tutorial (VI) CF Cache Rules Function Introduction and Detailed Configuration Tutorial

Note: The previous page rules can also configure cache rules for a certain URL. In fact, there is a certain degree of repetition. Because there are only three page rules, I have the need to set cache rules later, so I have transferred them to Cache Rules to implement them.

Configuration Rules

CF's Configuration Rules allow users to dynamically apply different configuration settings based on the specific conditions of the access request. Through configuration rules, users can apply customized settings for specific paths, URLs, HTTP methods, etc. without affecting the entire website, thereby improving performance, security, and flexibility.

Common uses of Configuration Rules are as follows:

1. Security Settings: Apply different security policies based on specific conditions of the request (such as source IP, country, HTTP method, etc.). For example, enable or disable WAF (Web Application Firewall), DDoS protection, etc. for a specific path.
2. Performance Optimization: Apply different performance optimization settings to specific pages or resources. For example, enable or disable automatic compression, image optimization, etc.
3. Traffic Management：Adjust traffic management policies based on specific conditions of requests. For example, enable load balancing and intelligent routing for users in a specific region.
4. User experience optimization: Apply different user experience optimization settings based on user device type, browser, etc. For example, provide a simplified version of the page for mobile device users.

Compared with Origin Rules, which can only be used for access ports of back-to-origin requests, configuration Rules can achieve much more functions for access requests, such as:

For example, when I configure the access host name to contain "tangwudi.com" and not equal to "blog.tangwudi.com", I set the SSL encryption mode to "strict" (the default value is full), just set it as follows:

Redirection rules

CF's redirection rules allow users to redirect requests to different URLs based on custom conditions. Through redirection rules, users can flexibly manage website traffic, optimize user experience, and ensure the effectiveness of SEO.

Some common uses of redirect rules are as follows:

1. HTTP to HTTPS redirection: Ensure that all traffic is transmitted over a secure HTTPS connection.
2. Domain Redirection: Redirect the domain name without www to the domain name with www, or vice versa, to ensure URL consistency.
3. Page Migration: When the website is revamped or the content is migrated, redirect the old URL to the new URL to maintain the continuity of SEO ranking and user access.
4. Path redirection: Redirects a specific path or directory to a new path or directory.
5. Custom Redirects: Perform more complex redirect operations based on query parameters, user agent, etc.

Note: The previous page rules can also configure redirection for a certain URL, so if it can be achieved with redirection rules alone, try not to use page rules.

Although URL Rewriting and URL Redirecting are somewhat similar in concept, they have significant differences in their functions and implementations:

• URL Rewriting:
1. The URL that the user sees in the browser does not change.
2. Often used to create user-friendly and SEO-optimized URLs that hide internal structure.
3. Processed on the server side, the rewriting process is invisible to the user.

• URL Redirection:
1. The URL that users see in their browser will change.
2. Usually used for page migration, forced HTTPS, domain name consistency, etc.
3. The browser is notified to redirect through the HTTP status code, and the redirection process is visible to the user.

IP Access Rules

Here you can set corresponding actions (block, allow, challenge, etc.) for access requests directly at the IP address level (which can be a single IP address, IP address range, country/region, ASN number), and you can also block access to specific types of requests based on UserAgent.

Note: In fact, the functions here can also be implemented in WAF, but WAF rules are limited after all (the Free plan has only 5 rules), so if the required effect can be achieved here, you don’t need to consume WAF rules to achieve the same effect.

Automatic procedures

CF's bot capabilities are intelligent security measures designed to detect and manage automated traffic, such as crawlers, robots, and other automated programs. Through these features, CF can help website administrators distinguish between human users and automated traffic, thereby protecting websites from malicious activities while ensuring that legitimate automated programs can access normally.

Several key aspects of CF Auto-Program functionality are as follows:

1. Automatic detectionCF uses advanced machine learning and behavioral analysis techniques to automatically detect and classify automated traffic. These detection technologies can identify common robot behavior patterns and make judgments based on factors such as user activity and request frequency.
2. Challenges and Verification: For suspicious automated traffic, CF can impose challenges, such as CAPTCHA verification, to ensure that the traffic comes from real users rather than malicious robots.
3. Rate LimitingCF can set rate limiting rules to limit the number of requests per user in a specific time based on IP address or other identifiers, thereby preventing crawlers or DDoS attacks.
   
   
4. Custom rules：Webmasters can customize rules to target specific types of automated traffic. For example, allowing trusted search engine crawlers to access while blocking unknown or malicious robots requires combining WAF functionality.
5. Analytics and Reporting: CF provides detailed traffic analysis and reports to help website administrators understand the source and behavior patterns of automated traffic and adjust security policies.

This automated program function is actually just a detection mechanism: it can detect the access of automated programs (including crawlers, attacks, etc.) and classify and identify these automated programs. To implement policy control of these automated programs, it is necessary to combine other functions to achieve it, such as WAF rule settings.

WAF

CF's Web Application Firewall (WAF) is a powerful security feature designed to protect websites from common network attacks, such as SQL injection, cross-site scripting (XSS) attacks, cross-site request forgery (CSRF), etc. By analyzing and filtering HTTP/HTTPS traffic, WAF can identify and block malicious requests to ensure the security of websites and applications.

The main features and benefits of CF WAF are as follows:

1. RulesetsCF WAF includes a large number of predefined security rule sets, covering the OWASP Top 10 vulnerabilities and other common threats. These rule sets are regularly updated to address the latest security threats:
   
   
2. Custom rules: Website administrators can create custom rules (5 rules are available on the Free plan) to meet specific security needs. For example, you can create rules based on specific URL paths, query parameters, or HTTP headers:
   
   
3. Virtual Patching: After discovering a vulnerability, website administrators can immediately apply a virtual patch without waiting for the development team to fix the code, thereby quickly blocking potential attacks. This is achieved by using WAF custom rules for protection based on the principle of the vulnerability.
4. Defense against advanced attacks: Through integrated machine learning and behavioral analysis technologies, CF WAF can detect and block complex and advanced attacks, such as zero-day vulnerability exploits, also through custom rules.
5. Bot Management: In addition to protecting websites from threats from human attackers, CF WAF can also identify and manage automated traffic to prevent attacks from malicious crawlers and botnets, which requires custom rules combined with automated program functions to achieve.
6. Logging and Monitoring: WAF provides detailed attack logs and real-time monitoring to help website administrators understand the source and type of attacks and adjust security policies in a timely manner:
   
   

For a detailed introduction to CF WAF functions and configuration tutorials, see: Home Data Center Series CloudFlare Tutorial (IV) CF WAF Function Introduction and Detailed Configuration Tutorial

Header modification

CF's header modification feature allows website administrators to add, delete, or modify HTTP request and response headers by configuring rules.

A brief description of the header modification function is as follows:

1. Adding Headers:
   • describe: Adds a new header to an HTTP request or response.
   • use: It can be used to pass custom information, implement security policies (such as Content-Security-Policy), optimize browser cache (such as Cache-Control), set up cross-domain resource sharing (such as CORS), etc.
2. Modify the header:
   • describe: Modifies an existing HTTP request or response header.
   • use: Can be used to update security policies, adjust cache settings, change user agent information, etc.
3. Remove the header:
   • describe: Removes specific headers from an HTTP request or response.
   • use: Can be used to remove sensitive information, disable unnecessary headers, improve security, etc.

Common Uses

1. safety:
   • Adding security headers: Such as X-Frame-Options, X-XSS-Protection, Strict-Transport-Security (HSTS), etc. to prevent clickjacking, cross-site scripting attacks and other common security threats.
   • Content Security Policy (CSP): Control resource loading through the Content-Security-Policy header to prevent XSS attacks.
2. Performance Optimization:
   • Cache Control: Optimize browser caching through Cache-Control and Expires headers to increase page loading speed.
   • Compression Settings: Set the Content-Encoding header to enable Gzip or Brotli compression to reduce the amount of data transferred.
3. Cross-Origin Resource Sharing (CORS):
   • Setting CORS Headers: Such as Access-Control-Allow-Origin, Access-Control-Allow-Methods, etc., to allow or restrict cross-domain requests.
4. Traffic Management:
   • Custom Headers: Add custom headers to track or classify traffic, supporting application-specific needs.

access(Zero Trust)

Note: As of May 25, 2022, Access configuration has moved to Zero Trust.

Zero Trust capabilities are a comprehensive set of security solutions designed to protect enterprise networks and applications through a zero trust architecture. The zero trust model assumes that all network traffic is untrusted, regardless of its source, and must be secured through strict authentication and authorization mechanisms. A brief introduction to Zero Trust capabilities is as follows:

1. Authentication and access control:
   • describe: Ensure that only authenticated and authorized users can access corporate resources through integrated single sign-on (SSO), multi-factor authentication (MFA), and fine-grained access control policies.
   • use: Protect internal applications, SaaS applications, and remote work environments from unauthorized access.
2. Secure Web Gateway (SWG):
   • describe: Monitor and filter all outbound Internet traffic to prevent malware, phishing attacks, and other threats.
   • use: Protect employees’ Internet access security and ensure compliance with the company’s Internet usage policy.
3. Application and API Security:
   • describe: Protect applications and APIs from various network attacks through Web Application Firewall (WAF), Bot Management and DDoS Protection.
   • use: Ensure the availability and security of the enterprise's online services and applications.
4. Zero Trust Network Access (ZTNA):
   • describe：Provide secure access to distributed work environments without the need for traditional VPNs. Ensure users can access only the resources they are authorized to through policy-driven access control.
   • use: Protect remote and hybrid work environments and provide more secure and efficient access.
5. Data Protection:
   • describe：Protect sensitive enterprise data from being leaked through data loss prevention (DLP) and cloud access security broker (CASB) functions.
   • use：Ensure the security of enterprise data during transmission and storage to prevent data leakage and unauthorized access.

Zero Trust has the following advantages:

1. Enhanced security: Protect enterprise networks and applications from a variety of attacks through strict authentication, access control, and real-time threat detection.
2. Simplified management: Centrally manage all security policies and configurations, simplifying the management work of IT teams.
3. Flexibility and scalability: Supports distributed work environments and provides security solutions for all sizes and industries.
4. Compliance：Help enterprises meet the security requirements of various laws and industry regulations.

Note: There are too many Zero Trust functions and configurations to describe in a few sentences. I will write several articles to introduce them later. Here I will only mention the two most commonly used functions: Tunnel and WARP+, both of which are configured in the Zero Trust section.

Workers Routing

CF's Workers routing is a serverless computing platform that allows developers to run JavaScript and TypeScript code on the CF edge network around the world (both languages are based on the V8 JavaScript engine, which is the core of Google Chrome and Node.js), and allows developers to route network requests to different Workers scripts based on specific rules and conditions. Through these routing rules, developers can achieve refined management and processing of requests, thereby improving the flexibility and performance of applications.

A brief introduction to CF Workers routing functionality is as follows:

1. Path-based routing:
   • describe: Routes requests to specific Workers scripts based on the requested URL path.
   • use: Applicable to assign specific processing logic to different URL paths. For example, route requests for the /api/* path to the Workers script that handles API requests.
2. Subdomain-based routing:
   • describe: Routes requests to different Workers scripts based on the requested subdomain.
   • use：Applicable to multi-tenant architecture or subdomain segmentation scenarios. For example, requests for blog.example.com are routed to the Workers script that processes blog content, while requests for shop.example.com are routed to the Workers script that processes e-commerce functions.
3. Routing based on query parameters:
   • describe: Routes requests to specific Workers scripts based on the request's query parameters.
   • use: Applicable to scenarios that require special processing based on query parameters. For example, based on the query parameter ?lang=en, the request is routed to a Workers script that processes English content.
4. Custom rules and conditions:
   • describe: Create complex custom rules and conditions to route based on various attributes of the request (such as user agent, request headers, geolocation, etc.).
   • use：Suitable for scenarios where complex decisions need to be made based on multiple conditions. For example, routing requests to different processing scripts based on user agents to adapt to different client devices.

For an introduction to specific Worker functions and a configuration tutorial on how to use Worker to optimize website access, see the article:Home Data Center Series Cloudflare Tutorial (VII) Introduction to CF Worker Functions and Practical Operation, Verification and Research on Related Technical Principles of "Beggar Version APO for WordPress" Function Accelerating Website Access Based on Worker.

Note: CF Workers is very powerful. I will write a special article about it later. Here I will briefly mention it: for example, if docker hub is blocked and cannot be accessed in China, you can deploy JS scripts on Workers to implement reverse proxy function to pull images; for example, if you still feel that the website deployed on CF is slow in China even if CDN is used, you can deploy JS scripts on Workers to implement the beggar version of APO function to speed up website access (Free plan). There are also many projects based on Workers on github, which can realize many functions. The only thing to note is that the Free plan only supports 100,000 requests per day, and it will not take effect after exceeding the limit (for example, if you encounter an attack~).

Summarize

I believe that after reading this article, you will have a general understanding of the functions of each technical node involved in the traffic sequence and the priority order of hit determination for processing access requests. As for the configuration details of each specific part, I will introduce them in detail in subsequent articles. Of course, I will write articles of different lengths according to the number of functions involved and the importance of each technical node.

In a nutshell: This article introduces what CF does during the period from when a user's access request "enters CF's edge network" to when it is "prepared to be sent to the source server."

As for how to make "users' access requests reach CF's edge network" and "how CF sends the request to the source server", these will be discussed in the next article.

In addition: I have always wanted to write this article, but I have never been too lazy to write it, always thinking it is too troublesome, but I have to introduce the overall solution of CF. So this time, I took the opportunity of writing the CF series of tutorials to force myself and finally wrote it. I have to say, I really found some details that I didn’t pay attention to before, for example, the actual processing priority of the IP access rules in the WAF interface is higher than that of WAF.