How to Use Cloudflare with Your VPS — DNS, CDN & SSL Setup (2026)

How to Use Cloudflare with Your VPS — DNS, CDN & SSL Setup (2026)

Running a VPS gives you full control over your server — but that control doesn’t automatically mean your site is fast, protected, or resilient under traffic. Cloudflare fills that gap. It sits between your visitors and your VPS, caching content globally, absorbing DDoS attacks, and handling SSL termination before a single request ever reaches your server.

Best part — the free plan covers everything most VPS owners actually need. CDN, SSL, DDoS protection, basic firewall rules, DNS management, all free. You just have to set it up correctly.

This guide walks through the complete Cloudflare + VPS setup — DNS pointing, SSL mode selection, origin certificate installation, CDN proxy config, page rules, firewall, and fixing the visitor IP passthrough issue that trips up most people. Works on Ubuntu, AlmaLinux, or any Linux VPS with Apache or Nginx.


What Cloudflare Actually Does for Your VPS

Before touching any settings, it helps to understand what Cloudflare actually changes about how your site works — because it changes quite a bit.

Without Cloudflare, traffic flows like this:

Visitor → DNS resolves to your VPS IP → Your VPS handles everything

With Cloudflare proxying enabled:

Visitor → DNS resolves to Cloudflare IP → Cloudflare CDN/Firewall → Your VPS (origin)

Your VPS IP is hidden. Cloudflare’s IP is what the world sees. This is what enables everything else:

Feature What It Does for Your VPS Free Plan?
CDN Caches static assets (images, CSS, JS) at 300+ edge locations globally — faster load times for visitors far from your server ✅ Yes
DDoS protection Absorbs Layer 3/4/7 attacks before they reach your VPS — your server stays online even during large attacks ✅ Yes (unmetered)
Free SSL Cloudflare issues SSL between visitor and Cloudflare edge — your site shows HTTPS even without a cert on the VPS ✅ Yes
IP masking Hides your real VPS IP — attackers can’t directly target your server ✅ Yes
DNS management Fast Anycast DNS replacing your registrar’s slow default nameservers ✅ Yes
Firewall rules Block bad bots, countries, IPs, or suspicious request patterns before they reach your VPS ✅ 5 rules free
Page rules / caching Fine-grained control over what gets cached, cache TTL, redirects ✅ 3 rules free
Analytics Traffic overview, threat map, bandwidth saved — without installing anything on your VPS ✅ Yes
Bot management Blocks known bad bots automatically ✅ Basic
WAF (Web Application Firewall) Blocks SQLi, XSS, and common exploit patterns ❌ Pro+ only

Free vs Pro Plan — What You Actually Need

Cloudflare’s free plan is genuinely good. For most VPS owners running personal projects, blogs, or small business sites, it covers everything. Here’s where Pro actually adds value:

Feature Free Pro ($20/month)
CDN + DDoS protection ✅ Unlimited ✅ Unlimited
SSL modes ✅ All modes ✅ All modes
Firewall rules 5 rules 20 rules
Page rules 3 rules 20 rules
WAF (managed ruleset)
Image optimization (Polish)
Mobile optimization (Mirage)
Cache analytics Basic Advanced
Support Community Priority email

Honest take — start with free. If you need more firewall rules or WAF for a client site or e-commerce, upgrade then. This guide covers the free plan setup entirely.


Step 1 — Create a Cloudflare Account and Add Your Domain

Go to cloudflare.com and create a free account. After verifying your email:

  1. Click Add a Site
  2. Enter your domain name (just the root domain — yourdomain.com, not www.yourdomain.com)
  3. Click Add Site
  4. Select the Free plan and click Continue

Cloudflare will scan your existing DNS records automatically. This takes about 60 seconds. After scanning, it shows you all the DNS records it found at your current nameservers — review them before proceeding to Step 2.


Step 2 — Configure DNS Records in Cloudflare

After the DNS scan, Cloudflare shows your existing records. You need to make sure the right records are present and pointing to your VPS IP. Here’s what a typical VPS setup needs:

Type Name Content Proxy Status TTL
A @ YOUR_VPS_IP 🟠 Proxied Auto
A www YOUR_VPS_IP 🟠 Proxied Auto
A mail YOUR_VPS_IP ⬜ DNS only Auto
MX @ mail.yourdomain.com DNS only (MX can’t proxy) Auto
TXT @ Your SPF record DNS only Auto
CNAME www yourdomain.com 🟠 Proxied Auto
⚠️ Critical — never proxy your mail subdomain: The mail A record and all MX records must stay on DNS only (grey cloud). If you proxy mail through Cloudflare, email breaks — Cloudflare doesn’t forward SMTP traffic. This is the most common mistake when setting up Cloudflare on a VPS that also runs a mail server. See our Linux mail server guide for more on mail setup.

Add any missing records by clicking Add record. Make sure your VPS IP is correct in the A records — get it from your VPS provider’s control panel. Once DNS records look right, click Continue.


Step 3 — Point Your Domain to Cloudflare Nameservers

Cloudflare will show you two nameservers assigned to your account — something like:

aria.ns.cloudflare.com
ken.ns.cloudflare.com

These are unique to your Cloudflare account — don’t copy them from here, use the ones shown in your actual dashboard.

Log into your domain registrar (GoDaddy, Namecheap, Porkbun, wherever you bought the domain) and replace the existing nameservers with Cloudflare’s two nameservers. The exact steps vary by registrar but it’s always under Domain Settings → Nameservers.

After saving, come back to Cloudflare and click Done, check nameservers. Cloudflare will verify propagation and activate your domain — this takes anywhere from a few minutes to 24 hours depending on your registrar’s TTL.

You’ll get an email from Cloudflare once the domain is active. Until then your site continues working normally via the old nameservers.

💡 Already using VPS nameservers (like ns1.yourdomain.com)? If your VPS has cPanel/WHM with its own nameservers, you have two options: point the domain’s nameservers to Cloudflare (Cloudflare manages DNS instead of WHM), or use Cloudflare’s CNAME setup (Pro+). For most setups, pointing to Cloudflare nameservers is simpler. Your cPanel DNS zones still work — they just don’t serve DNS anymore. See our cPanel on VPS guide for how this interacts with WHM nameservers.

Step 4 — Configure SSL/TLS Mode

This is the step most people get wrong — and it leads to either insecure configurations or redirect loops that take the site down.

In your Cloudflare dashboard, go to SSL/TLS → Overview. You’ll see four modes:

Mode Visitor → Cloudflare Cloudflare → VPS Use When Risk
Off HTTP only HTTP only Never 🔴 No encryption at all
Flexible HTTPS ✅ HTTP (unencrypted) VPS has no SSL cert at all 🟠 Traffic between Cloudflare and VPS is unencrypted
Full HTTPS ✅ HTTPS ✅ (cert not verified) VPS has self-signed cert 🟡 Doesn’t verify your VPS cert — MITM possible between CF and VPS
Full (Strict) HTTPS ✅ HTTPS ✅ (cert verified) VPS has a valid cert (Let’s Encrypt or Cloudflare Origin) ✅ Most secure — use this

Which mode to use:

  • If you already have Let’s Encrypt on your VPS — set Full (Strict) immediately
  • If your VPS has no SSL cert — use Flexible temporarily while you install an origin cert, then switch to Full (Strict)
  • Never run Flexible long term — it means traffic between Cloudflare and your server is unencrypted
⚠️ Redirect loop warning: If your VPS already has a redirect rule forcing HTTPS (like in .htaccess or Nginx config) and Cloudflare SSL mode is set to Flexible, you’ll get an infinite redirect loop — ERR_TOO_MANY_REDIRECTS. Fix by either switching to Full mode or removing the HTTPS redirect on your VPS temporarily. Our SSL types guide explains why each layer matters.

Step 5 — Install a Cloudflare Origin Certificate on Your VPS

A Cloudflare Origin Certificate is a free SSL certificate that Cloudflare issues specifically for the connection between Cloudflare and your VPS. It’s valid for 15 years and is the cleanest way to run Full (Strict) mode without needing to renew Let’s Encrypt every 90 days.

Generate the certificate in Cloudflare first:

  1. Go to SSL/TLS → Origin Server
  2. Click Create Certificate
  3. Leave “Let Cloudflare generate a private key” selected
  4. Add your hostnames — yourdomain.com and *.yourdomain.com (wildcard covers all subdomains)
  5. Set validity to 15 years
  6. Click Create

Cloudflare shows you the certificate and private key. Copy both — you won’t see the private key again.

Install on Apache (Ubuntu)

Save the files on your VPS:

sudo nano /etc/ssl/cloudflare/yourdomain.com.pem
# Paste the Certificate here, save

sudo nano /etc/ssl/cloudflare/yourdomain.com.key
# Paste the Private Key here, save

Update your Apache virtual host SSL block:

sudo nano /etc/apache2/sites-available/yourdomain.com-le-ssl.conf
<VirtualHost *:443>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com
    DocumentRoot /var/www/yourdomain.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/cloudflare/yourdomain.com.pem
    SSLCertificateKeyFile /etc/ssl/cloudflare/yourdomain.com.key

    <Directory /var/www/yourdomain.com>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
sudo systemctl reload apache2

Install on Nginx (Ubuntu)

sudo nano /etc/nginx/sites-available/yourdomain.com

Update the SSL section of your server block:

server {
    listen 443 ssl;
    server_name yourdomain.com www.yourdomain.com;
    root /var/www/yourdomain.com;

    ssl_certificate     /etc/ssl/cloudflare/yourdomain.com.pem;
    ssl_certificate_key /etc/ssl/cloudflare/yourdomain.com.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
sudo nginx -t
sudo systemctl reload nginx

Now go back to Cloudflare and switch SSL/TLS mode to Full (Strict). The origin certificate is only trusted by Cloudflare — it won’t be trusted by browsers directly, so your site must always go through Cloudflare proxy for SSL to work when using an origin cert.

If you’re running Apache + MySQL with WordPress, our guide on hosting WordPress on a free VPS has the full Apache virtual host config context. For Nginx setups, see our Nginx server blocks guide.


Step 6 — Enable the CDN Proxy and Understand Orange vs Grey Cloud

In Cloudflare DNS settings, every A and CNAME record has a proxy toggle. This is the orange/grey cloud icon — and it controls whether that record goes through Cloudflare’s CDN and security stack or resolves directly to your VPS.

Cloud Status Icon What Happens VPS IP Exposed? CDN Active?
Proxied 🟠 Orange cloud Traffic routes through Cloudflare — CDN, DDoS protection, firewall all active No — hidden ✅ Yes
DNS only ⬜ Grey cloud DNS resolves directly to your VPS IP — no Cloudflare layer Yes — exposed ❌ No

For your main domain and www subdomain — set to orange (proxied). These are your web traffic records and benefit most from CDN and protection.

Records that must stay grey (DNS only):

  • mail subdomain — Cloudflare can’t proxy SMTP/IMAP/POP3
  • Any subdomain used for SSH access directly
  • FTP subdomains
  • VPN server subdomains (WireGuard, OpenVPN) — see our VPN server on VPS guide
  • Server monitoring endpoints that need direct access

Cloudflare Caching Behaviour

By default, Cloudflare caches static assets — images, CSS, JavaScript, fonts. It does not cache HTML pages by default (dynamic content). For WordPress or Laravel sites, Cloudflare’s default cache level is “Standard” — it caches files with standard cache headers and respects your origin server’s Cache-Control headers.

Check what Cloudflare is currently caching at Caching → Cache Rules. The default behaviour for a VPS-hosted site is usually fine to start — tune it after you see how your traffic pattern looks in the analytics tab.


Step 7 — Set Up Page Rules and Caching

The free plan gives you 3 page rules. Use them well — they let you override Cloudflare’s default behaviour for specific URL patterns. Here are the most useful rules for a VPS-hosted WordPress or web app:

Rule 1 — Force HTTPS Everywhere

URL pattern: http://yourdomain.com/*
Setting: Always Use HTTPS

This ensures any HTTP request redirects to HTTPS at the Cloudflare edge — before it ever reaches your VPS. Faster than a server-side redirect.

Rule 2 — Bypass Cache for WordPress Admin

URL pattern: yourdomain.com/wp-admin/*
Setting: Cache Level → Bypass

Prevents caching of WordPress admin pages — you always want to see fresh content in the dashboard. Also add yourdomain.com/wp-login.php to the pattern if you’re running WordPress.

Rule 3 — Aggressive Caching for Static Pages

URL pattern: yourdomain.com/blog/*
Setting: Cache Level → Cache Everything, Edge Cache TTL → 1 day

Caches full HTML pages of your blog posts at Cloudflare’s edge. Visitors get served directly from the CDN — your VPS doesn’t see the request at all. Massive performance improvement for content-heavy sites.

💡 Page rules vs Cache Rules: Cloudflare is migrating functionality from Page Rules to the newer Cache Rules and Transform Rules system. New setups should use Cache Rules (under Caching → Cache Rules) instead of Page Rules where possible — they’re more powerful and won’t be deprecated. Page Rules still work fine for now.

Step 8 — Cloudflare Firewall and DDoS Protection

Cloudflare’s free firewall blocks bad traffic before it reaches your VPS — saving your server resources and protecting against common attacks. Here’s what to configure:

Security Level

Go to Security → Settings. Set Security Level to Medium to start. This challenges visitors with suspicious IP scores (known bots, VPN users flagged in threat databases) with a CAPTCHA before they reach your site. High is more aggressive — use it if you’re under active attack.

Bot Fight Mode

Enable Bot Fight Mode under Security → Bots. This blocks known bad bots (scrapers, credential stuffers, vulnerability scanners) automatically. Free and worth enabling on every VPS site.

Firewall Rules (5 on free plan)

Go to Security → WAF → Firewall Rules. Here are five useful rules for most VPS setups:

# Rule Name Expression Action
1 Block bad bots by user agent (http.user_agent contains "sqlmap") or (http.user_agent contains "nikto") or (http.user_agent contains "nmap") Block
2 Block WordPress XML-RPC (http.request.uri.path eq "/xmlrpc.php") Block
3 Challenge wp-login.php (http.request.uri.path eq "/wp-login.php") and not ip.src in {YOUR_HOME_IP} Managed Challenge
4 Block high-threat countries (ip.geoip.country in {"CN" "RU" "KP"}) and (http.request.uri.path contains "/wp-") Block
5 Allow your own IP always ip.src eq YOUR_HOME_IP Allow

Rule 5 (allowlist your own IP) should always be first — it ensures you’re never locked out by your own firewall rules. For deeper VPS-level security hardening beyond Cloudflare, read our guides on securing and firewalling your VPS server and preventing brute force attacks.

DDoS Protection

Cloudflare’s DDoS protection is automatic and unmetered on all plans — including free. You don’t configure it; it’s always on. It handles Layer 3 (network), Layer 4 (transport), and basic Layer 7 (application) attacks. Under active DDoS, go to Security → DDoS and switch the HTTP DDoS attack protection ruleset sensitivity to High. Our VPS-level guide on mitigating DDoS attacks on VPS covers the server-side configuration that complements Cloudflare’s protection.


Step 9 — Restore Visitor IP on Your VPS

Here’s a problem most people don’t notice until they check their logs: when Cloudflare proxies traffic, every request appears to come from a Cloudflare IP address, not the visitor’s real IP. Your VPS logs, WordPress plugins, and security tools all see Cloudflare’s IP instead of the actual visitor.

This breaks:

  • Access logs (all traffic looks like it’s from Cloudflare)
  • IP-based blocking on your VPS (e.g. Fail2Ban blocking Cloudflare instead of the attacker)
  • WordPress security plugins that log visitor IPs
  • WooCommerce fraud detection that checks customer IPs
  • Rate limiting rules based on IP

Fix it by installing the Cloudflare mod on your web server. Cloudflare sends the real visitor IP in the CF-Connecting-IP header — you just need to tell your server to use it.

Fix for Apache

sudo apt install libapache2-mod-remoteip -y
sudo a2enmod remoteip
sudo systemctl restart apache2

Create a Cloudflare configuration file:

sudo nano /etc/apache2/conf-available/cloudflare-remoteip.conf
RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxy 103.21.244.0/22
RemoteIPTrustedProxy 103.22.200.0/22
RemoteIPTrustedProxy 103.31.4.0/22
RemoteIPTrustedProxy 104.16.0.0/13
RemoteIPTrustedProxy 104.24.0.0/14
RemoteIPTrustedProxy 108.162.192.0/18
RemoteIPTrustedProxy 131.0.72.0/22
RemoteIPTrustedProxy 141.101.64.0/18
RemoteIPTrustedProxy 162.158.0.0/15
RemoteIPTrustedProxy 172.64.0.0/13
RemoteIPTrustedProxy 173.245.48.0/20
RemoteIPTrustedProxy 188.114.96.0/20
RemoteIPTrustedProxy 190.93.240.0/20
RemoteIPTrustedProxy 197.234.240.0/22
RemoteIPTrustedProxy 198.41.128.0/17
RemoteIPTrustedProxy 2400:cb00::/32
RemoteIPTrustedProxy 2606:4700::/32
RemoteIPTrustedProxy 2803:f800::/32
RemoteIPTrustedProxy 2405:b500::/32
RemoteIPTrustedProxy 2405:8100::/32
RemoteIPTrustedProxy 2a06:98c0::/29
RemoteIPTrustedProxy 2c0f:f248::/32
sudo a2enconf cloudflare-remoteip
sudo systemctl reload apache2

Fix for Nginx

Add to your nginx.conf or a separate include file:

sudo nano /etc/nginx/conf.d/cloudflare-real-ip.conf
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;

real_ip_header CF-Connecting-IP;
sudo nginx -t
sudo systemctl reload nginx

After this, check your access logs — you should see real visitor IPs instead of Cloudflare’s ranges. For Nginx server block reference, see our Nginx server blocks on Ubuntu 22.04 guide.


Using Cloudflare with cPanel VPS

If your VPS runs cPanel/WHM, the setup is slightly different from a bare Apache/Nginx install.

The key thing to understand: when you add a domain to Cloudflare and switch nameservers, WHM’s DNS zone for that domain no longer serves traffic — Cloudflare’s DNS does instead. WHM still manages Apache, PHP, email, and databases — just not DNS resolution for that domain.

What to do in WHM

  • Keep the DNS zone in WHM — it doesn’t hurt to have it there, it’s just inactive
  • AutoSSL in WHM still works — Let’s Encrypt renews certs on the origin server, which pairs fine with Cloudflare’s Full (Strict) mode
  • OR use Cloudflare Origin Certificates instead of Let’s Encrypt — saves you 90-day renewal management
  • In WHM → Basic WHM Setup, your nameservers will still show your old VPS nameservers — that’s fine, it doesn’t affect Cloudflare-managed domains

Mail on cPanel + Cloudflare

cPanel handles email through Exim. Make sure the mail subdomain A record and all MX records in Cloudflare are set to DNS only (grey cloud). cPanel’s AutoSSL handles SSL for webmail (mail.yourdomain.com) independently.

For a full cPanel install walkthrough, see our step-by-step guide to installing cPanel on a VPS.


Common Mistakes and How to Avoid Them

Mistake What Goes Wrong Fix
SSL mode set to Flexible with HTTPS redirect on server ERR_TOO_MANY_REDIRECTS — infinite redirect loop Switch to Full or Full (Strict), or temporarily remove HTTPS redirect from .htaccess/Nginx config
Proxying the mail subdomain Email sending and receiving breaks completely Set mail A record and MX records to DNS only (grey cloud) — never proxy mail
Not restoring real visitor IP Logs show Cloudflare IPs, Fail2Ban blocks Cloudflare, security plugins malfunction Install mod_remoteip (Apache) or real_ip_header config (Nginx) from Step 9
Using origin certificate without Full (Strict) mode Browser shows SSL error when accessing site directly via IP Origin certs are only trusted by Cloudflare — always use with Full (Strict) and keep proxy enabled
Exposing real VPS IP elsewhere Cloudflare’s IP masking is bypassed — attackers find your real IP and attack directly Check old DNS records, subdomains, email headers, and SSL cert history at crt.sh for IP leaks
Setting security level to High permanently Legitimate visitors (especially mobile/ISP shared IPs) get blocked or CAPTCHAed constantly Use Medium normally, switch to High only during active attacks
Caching WordPress admin pages Logged-in users see stale cached admin pages Add page rule or cache rule to bypass cache for /wp-admin/* and /wp-login.php

Troubleshooting

Problem Likely Cause Fix
ERR_TOO_MANY_REDIRECTS SSL mode mismatch — Flexible + server-side HTTPS redirect Switch Cloudflare SSL to Full or Full (Strict), or remove redirect from .htaccess
Site shows “526 Invalid SSL Certificate” Full (Strict) mode but VPS cert is expired or self-signed Install Cloudflare Origin Certificate (Step 5) or renew Let’s Encrypt: certbot renew
Domain not activating in Cloudflare Nameservers not updated at registrar or propagation pending Check nameservers at registrar match Cloudflare’s assigned nameservers. Check propagation at dnschecker.org
Email stops working after adding to Cloudflare MX records or mail A record proxied through Cloudflare Set mail subdomain A record and MX records to DNS only (grey cloud)
Cloudflare shows “Error 1000 — DNS points to prohibited IP” A record pointing to a Cloudflare-owned IP or loopback Update A record to your actual VPS IP — not 127.0.0.1 or a Cloudflare IP
Real visitor IPs still not showing in logs mod_remoteip or real_ip_header config not applied correctly Verify Apache config with apache2ctl -t or Nginx with nginx -t. Confirm module is loaded: apache2ctl -M | grep remoteip
Cloudflare caching stale pages after update Cached HTML served from edge after site content changes Purge cache manually in Cloudflare → Caching → Purge Cache → Purge Everything. Set up automatic cache purge via WordPress plugin (Cloudflare plugin handles this)
WordPress shows “Your connection is not secure” for logged-in users WordPress Site URL still set to http:// instead of https:// Settings → General → change WordPress Address and Site Address to https://. Or add to wp-config.php: define('FORCE_SSL_ADMIN', true);
“Error 521 — Web server is down” Cloudflare can’t connect to your VPS on port 80/443 Check Apache/Nginx is running: systemctl status apache2. Check VPS firewall allows port 80/443 from Cloudflare IP ranges. See our port 80/443 guide

FAQ

Does Cloudflare replace Let’s Encrypt on my VPS?

Not exactly — they do different things. Let’s Encrypt secures the connection between Cloudflare and your VPS (origin). Cloudflare’s edge certificate secures the connection between your visitors and Cloudflare. You need both for Full (Strict) mode. The alternative is using a Cloudflare Origin Certificate on your VPS instead of Let’s Encrypt — same result, 15-year validity, no auto-renewal needed.

Will Cloudflare slow down my site?

Opposite usually. Cloudflare adds a tiny overhead to the first request (DNS + routing through their edge), but cached assets are served from a Cloudflare datacenter physically closer to your visitor — which is almost always faster than hitting your VPS directly. The performance gain from CDN caching easily outweighs the routing overhead for most sites.

Can I use Cloudflare with a free VPS?

Yes — completely. Cloudflare doesn’t care what kind of VPS you’re running. The VPSWala free VPS works with Cloudflare just like any paid plan. The only requirement is a domain name pointed to your VPS IP — Cloudflare isn’t available for IP-only setups.

Does Cloudflare hide my VPS IP completely?

Mostly, but not perfectly. Old DNS records cached before Cloudflare was added can leak your IP. SSL certificate history at crt.sh sometimes shows the original IP. Email headers from your server can expose it too. To minimize leakage: clear old DNS records, use Cloudflare’s email routing instead of exposing your mail server IP, and check crt.sh after setup.

Does Cloudflare work with cPanel?

Yes. Point the domain’s nameservers to Cloudflare instead of WHM’s nameservers. cPanel continues to manage Apache, PHP, email, and databases — Cloudflare manages DNS resolution. AutoSSL in WHM still works for origin certificates. Full walkthrough in the cPanel section above and our cPanel VPS install guide.

What ports does Cloudflare proxy?

The free plan proxies HTTP/HTTPS on specific ports only. For HTTP: 80, 8080, 8880, 2052, 2082, 2086, 2095. For HTTPS: 443, 2053, 2083, 2087, 2096, 8443. If your VPS runs a service on a non-standard port (like 3000 for a Node.js app), you either need to proxy it through port 443 via Nginx reverse proxy or leave that subdomain on DNS only. See our Nginx reverse proxy guide for the forwarding setup.

Can I use Cloudflare with WireGuard VPN on my VPS?

The WireGuard subdomain (e.g. vpn.yourdomain.com) should be set to DNS only in Cloudflare — WireGuard uses UDP which Cloudflare’s proxy doesn’t forward. Your site domain and VPN domain can coexist on the same VPS with separate DNS records. See our WireGuard VPN on free VPS guide for the full setup.


Cloudflare is one of the best free upgrades you can add to a VPS — DDoS protection, CDN, SSL management, and a firewall layer all for nothing. The setup takes about 30 minutes and the performance and security improvement is immediate.

If you want a VPS worth putting behind Cloudflare, the VPSWala 30-day Professional free trial — 8-core AMD EPYC, 8 GB DDR5 ECC RAM, 1 TB Micron NVMe — deploys AlmaLinux or Ubuntu in 60 seconds with a static IP and KVM virtualization. No credit card required.

For related reading, check our guides on VPS security and firewall setup, protecting your VPS from DDoS attacks, mitigating DDoS on VPS, and setting up subdomains with Let’s Encrypt on Nginx.

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *