Protect your origin server — Free
Your origin server is a physical or virtual machine that is not owned by Cloudflare and hosts your application content (data, webpages, etc.).
Receiving too many requests can be bad for your origin. These requests might increase latency for visitors, incur higher costs — particularly for cloud-based machines — and could knock your application offline.
Select a plan to see how Cloudflare can help you protect your origin:
Secure origin connections
When you secure origin connections, it prevents attackers from discovering and overloading your origin server with requests.
DNS:
- Proxy records (when possible): Set up proxied (orange-clouded) DNS records to hide your origin IP addresses and provide DDoS protection. As part of this, you should allow Cloudflare IP addresses at your origin to prevent requests from being blocked.
- Review DNS-only records: Audit existing DNS-only records (SPF, TXT, and more) to make sure they do not contain origin IP information.
- Evaluate mail infrastructure: If possible, do not host a mail service on the same server as the web resource you want to protect, since emails sent to non-existent addresses get bounced back to the attacker and reveal the mail server IP.
- Rotate origin IPs: Once onboarded, rotate your origin IPs, as DNS records are in the public domain. Historical records are kept and would contain IP addresses prior to joining Cloudflare.
Application layer
Cloudflare Tunnel (HTTP / WebSockets)
Cloudflare Tunnel connects your resources to Cloudflare without a publicly routable IP address, by creating outbound-only connections to Cloudflare’s global network.
- Security: Very secure.
- Availability: All customers.
- Challenges: Requires installing the cloudflared daemon on the origin server or virtual machine.
HTTP Basic Authentication
Only allow traffic with specific (and secret) HTTP headers.
- Security: Moderately secure.
- Availability: All customers.
- Challenges:
- Requires more configuration effort on the application and server side to accept those headers.
- Basic authentication is vulnerable to replay attacks. Because basic authentication does not encrypt user credentials, it is important that traffic always be sent over an encrypted SSL session.
- Process:
- Use Transform rules or Workers to add an HTTP Auth Header.
- Configure your origin server to restrict access based on the HTTP Auth Header (or perform HTTP Basic Authentication).
JSON Web Tokens (JWT) Validation
Only allow traffic with the appropriate JWT.
- Security: Very secure.
- Availability: Some customers.
- Challenges:
- Requires either installing incremental software or modifying application code.
- Lots of manual work.
- Resources:
Transport Layer
Authenticated Origin Pulls
Authenticated origin pulls help ensure requests to your origin server come from the Cloudflare network.
- Security: Very secure.
- Availability: All customers.
- Challenges:
- Requires Full or Full (strict) encryption modes.
- Requires more configuration effort for the application and server, such as uploading a Cloudflare Origin CA certificate and configuring the server to use it.
- Not scalable for large numbers of origin servers.
Cloudflare Tunnel (SSH / RDP)
Cloudflare Tunnel connects your resources to Cloudflare without a publicly routable IP address, by creating outbound-only connections to Cloudflare’s global network.
- Security: Very secure.
- Availability: All customers.
- Challenges: Requires installing the cloudflared daemon on the origin server or virtual machine.
Network Layer
Allowlist Cloudflare IP addresses
Explicitly block all traffic that does not come from Cloudflare IP addresses (or the IP addresses of your trusted partners, vendors, or applications).
- Security: Moderately secure.
- Availability: All customers.
- Challenges:
- Requires allowlisting Cloudflare IP ranges at your origin server.
- Vulnerable to IP spoofing.
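The two origin-side checks described on this page, the network-layer allowlist and the secret HTTP header set at the edge by a Transform rule or Worker, can be layered so that a spoofed source address alone is not enough. The following is an added example, not Cloudflare's code; the IP ranges, header name and secret are constructed placeholders, and a real deployment must load and refresh the ranges that Cloudflare publishes.

```python
import hmac
import ipaddress
from typing import Iterable, Mapping

# Constructed placeholder ranges for this example only. In production, load the
# current list published by Cloudflare and refresh it on a schedule; a stale
# allowlist silently blocks legitimate traffic from the edge.
PROXY_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]

# Hypothetical name and value of the secret header added at the edge.
AUTH_HEADER = "X-Origin-Auth"
AUTH_SECRET = "example-shared-secret-rotate-me"


def from_proxy(remote_ip: str, ranges: Iterable = PROXY_RANGES) -> bool:
    """Network-layer check: is the TCP peer inside one of the proxy's ranges?"""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False  # unparsable peer address is never trusted
    return any(addr in net for net in ranges)


def header_is_valid(headers: Mapping[str, str], secret: str = AUTH_SECRET) -> bool:
    """Application-layer check: constant-time comparison of the edge secret.
    HTTP header names are case-insensitive, so normalise before lookup."""
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(AUTH_HEADER.lower(), "")
    return hmac.compare_digest(presented.encode(), secret.encode())


def decide(remote_ip: str, headers: Mapping[str, str]) -> int:
    """Return the HTTP status the origin should answer with before the app runs.
    403: peer is not the proxy (a request that hit the origin IP directly).
    401: peer is in the allowlist but the edge secret is missing or wrong,
         which is what a spoofed or reused source address looks like.
    200: both layers pass; hand the request to the application."""
    if not from_proxy(remote_ip):
        return 403
    if not header_is_valid(headers):
        return 401
    return 200
```

Logging the 401 case separately from the 403 case is worthwhile: a 401 from an allowlisted address means the allowlist alone would have let the request through.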
Monitor origin health
To receive an email when Cloudflare is unable to reach your origin, create a notification for Passive Origin Monitoring.
Reduce origin traffic
Block traffic
For more details, refer to Secure your website.
Increase caching
The cache stores data from your application (webpages, etc.) at Cloudflare data centers around the world, which reduces the number of requests sent to your origin server.
Distribute traffic
To randomly distribute traffic across multiple servers, set up multiple DNS records.
For more fine-grained control over traffic distribution — including automatic failover, intelligent routing, and more — set up our add-on load balancing service.