fairlane.systems


Cloudflare as DNS, reverse proxy, and WAF: SSL modes, cache rules, origin certificates

Cloudflare provides DNS, WAF, and DDoS protection for 9+ Fairlane domains. Proxied mode, Full-strict SSL, free 15-year origin cert, Cache Rules over Page Rules.

As of: 2026-05

What is Cloudflare?

Cloudflare is a globally distributed network of edge servers that sits in front of an origin server (e.g. the Hetzner dedicated host in Falkenstein) and bundles DNS resolution, TLS termination, caching, DDoS protection, and a web application firewall into one stack. The free tier already covers over 90% of what an SME would need from a self-built edge cluster – multi-Tbit/s DDoS mitigation is included on the free plan.

For Swiss fiduciary and SME setups, Cloudflare plays three clearly bounded roles. First: authoritative DNS with anycast routing – queries are answered by the nearest PoP, typically well under 20 ms. Second: reverse proxy in "Proxied" mode (orange cloud in the dashboard), which hides origin IPs and delivers HTTP/3, TLS 1.3, gzip/brotli, and automatic image compression. Third: WAF with Managed Rules against the OWASP Top 10, bot mitigation (Bot Fight Mode; bot scores as a rule field need Bot Management, an Enterprise product), path-level rate limiting, and configurable custom rules. As of May 2026, Cloudflare runs 9+ Fairlane domains from a single console, with Cache Rules replacing the early-2025-deprecated Page Rules and with Cache Reserve, stable since February 2026, for long-lived origin offload.

Why it matters

Without an edge layer, a Hetzner server has two measurable problems. First: every request must travel to Falkenstein, which means ~20–30 ms round-trip for visitors from Zurich and over 250 ms from Tokyo. Second: every DDoS attempt hits origin CPU directly. Cloudflare solves both at once with a single click on "Proxied" in the DNS tab.

Concrete effects for a Swiss SME: latency for the German-speaking region drops to 5–10 ms because edge PoPs in Zurich, Vienna, and Frankfurt answer. Bot scrapers (including the ones that harvest domains from Reddit comments) are stopped before origin, and scanners see only Cloudflare's anycast addresses, so the Hetzner IP appears in no bot list – provided the origin firewall also refuses traffic that does not come from Cloudflare's published IP ranges; a proxy in front of an open origin hides nothing from anyone who already knows the address. The edge-facing SSL/TLS configuration stays current automatically (TLS 1.3, HTTP/3, OCSP stapling), no manual cipher tuning required; the origin's own TLS stack still has to be maintained for the Cloudflare-to-origin leg. When the origin server moves provider, the cutover takes 15 minutes: the public DNS answer for a proxied record is Cloudflare's anycast address and never changes, so swapping the origin IP behind it takes effect at the edge immediately instead of waiting hours for resolver caches to expire.

How it works

Per DNS record, Cloudflare has two modes: DNS-only (grey cloud – Cloudflare only answers the query) and Proxied (orange cloud – the record resolves to Cloudflare's anycast addresses and traffic passes through the edge). A third state, "off", is not a record setting but the absence of Cloudflare: the zone is not on Cloudflare or is paused. Only A, AAAA, and CNAME records can be proxied, and only HTTP(S) traffic on Cloudflare's supported ports goes through the proxy. The difference is fundamental and is often set wrong.

DNS-only vs Proxied. DNS-only makes Cloudflare a plain DNS provider – no WAF, no cache, no IP hiding. Sensible for MX records (mail servers must be directly reachable), SSH subdomains, FTP. Proxied is the default for everything web-related and enables the full edge feature set. Two caveats. A DNS-only record (mail., ssh., ftp.) that points at the same IP as the proxied web records publishes the origin address anyway; put such services on a separate address or keep them off this host. And hiding the IP is only worth anything if the origin firewall admits 80/443 exclusively from Cloudflare's published IP ranges; otherwise an attacker who finds the address (DNS history, a leaked e-mail header, a certificate transparency entry) simply talks to the origin directly and bypasses WAF, rate limits, and DDoS mitigation.

SSL/TLS modes. Four levels, from insecure to strict: Off, Flexible, Full, Full (strict). "Flexible" encrypts browser-to-Cloudflare but sends plaintext HTTP to the origin – a plaintext trap that Cloudflare has steered new zones away from since 2024 (Automatic SSL/TLS picks the strongest mode the origin supports). "Full" encrypts both legs but accepts any origin cert, including self-signed and expired ones, so anyone on the path to the origin can present their own – MITM-vulnerable. "Full (strict)" is the correct default: both legs encrypted and the origin cert validated (unexpired, issued by a publicly trusted CA or by the Cloudflare Origin CA). Precondition: the origin needs such a cert, either Let's Encrypt via Certbot or a Cloudflare Origin Certificate.

Cloudflare Origin Certificates. Free, valid for up to 15 years, signed by the Cloudflare Origin CA. Important: this cert is trusted ONLY by the Cloudflare edge on the Cloudflare-to-origin leg; it is in no public browser trust store, so it becomes useless the moment traffic stops flowing through Cloudflare (grey-clouding the record or leaving Cloudflare means a browser error until a public cert is in place). Advantage over Let's Encrypt: 15-year lifetime instead of 90 days, no renewal cron, no ACME rate limit; the price is a private key that sits on the origin for 15 years, so revoke and reissue it whenever the host is rebuilt or suspected compromised. Note also what the certificate does not do: it authenticates the origin to Cloudflare, not Cloudflare to the origin. To make the origin reject connections that do not come from the Cloudflare edge, enable Authenticated Origin Pulls (the edge presents a client certificate that the origin verifies) on top of the firewall allow-list.
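What "the Hetzner IP appears in no bot list" and "Full (strict)" actually require on the origin side, as an added example that is not part of the original page or of Fairlane's setup: a POSIX shell script that emits an nftables ruleset admitting 80/443 only from Cloudflare's published IPv4 ranges, plus the nginx snippet that restores the real client address from CF-Connecting-IP and enforces Authenticated Origin Pulls. Assumptions: nftables and nginx on the origin host, an admin SSH range in ADMIN_CIDR (the RFC 5737 documentation prefix stands in here), Cloudflare's origin-pull CA saved at /etc/nginx/cloudflare-origin-pull-ca.pem, and an IPv4 list that is a snapshot of https://www.cloudflare.com/ips-v4 to be refreshed from the live URL (IPv6 needs the same from /ips-v6).

```shell
#!/bin/sh
# Added example, not from the fairlane.systems page: lock the origin down so that
# only Cloudflare edges reach 80/443, and let nginx see the real client address.
# Assumed: nftables + nginx on the origin host, ADMIN_CIDR is the admin/VPN range.
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"   # RFC 5737 documentation prefix, placeholder

# Snapshot of https://www.cloudflare.com/ips-v4 (refresh from the live URL in cron;
# https://www.cloudflare.com/ips-v6 needs the same treatment for AAAA records).
CF_IPV4="173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/13
104.24.0.0/14
172.64.0.0/13
131.0.72.0/22"

# Join the ranges into an nft set literal: "a, b, c"
nft_set_elements() {
  printf '%s\n' "$CF_IPV4" | paste -s -d, - | sed 's/,/, /g'
}

# nftables ruleset: web ports only from Cloudflare, SSH only from the admin range,
# everything else inbound dropped. A direct probe of the origin IP now times out,
# so the address is worthless even if it leaks via DNS history or a mail header.
# Apply with:  gen_nft_rules > /etc/nftables.conf && nft -f /etc/nftables.conf
gen_nft_rules() {
  cat <<EOF
table inet origin {
  set cloudflare_v4 {
    type ipv4_addr
    flags interval
    elements = { $(nft_set_elements) }
  }
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ip saddr @cloudflare_v4 tcp dport { 80, 443 } accept
    ip saddr $ADMIN_CIDR tcp dport 22 accept
  }
}
EOF
}

# nginx snippet for the server { } block:
#  - set_real_ip_from restricts CF-Connecting-IP to Cloudflare sources; without it
#    anyone who reaches the box could forge the header and defeat IP-based limits
#  - Authenticated Origin Pulls: the edge presents a client certificate issued by
#    Cloudflare's origin-pull CA, so a request that bypasses the firewall fails the
#    TLS handshake. The default pull cert is Cloudflare-wide: it stops non-Cloudflare
#    clients, not another Cloudflare zone pointed at this IP (per-zone certs do that).
gen_nginx_snippet() {
  printf '%s\n' "$CF_IPV4" | sed 's/^/set_real_ip_from /; s/$/;/'
  cat <<'EOF'
real_ip_header CF-Connecting-IP;
ssl_client_certificate /etc/nginx/cloudflare-origin-pull-ca.pem;
ssl_verify_client on;
EOF
}

# Number of trusted proxy ranges in the generated snippet (sanity check before deploy)
count_trusted_ranges() {
  gen_nginx_snippet | grep -c '^set_real_ip_from '
}

if [ "${1:-}" = nft ]; then gen_nft_rules; elif [ "${1:-}" = nginx ]; then gen_nginx_snippet; fi
```

Run as `sh origin-lockdown.sh nft` or `sh origin-lockdown.sh nginx` and diff the output against what is deployed; when the Cloudflare list changes, both artefacts must be regenerated together, because a range missing from the firewall drops legitimate edge traffic while a range missing from set_real_ip_from makes nginx log Cloudflare's address instead of the visitor's.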

Cache Rules instead of Page Rules. Page Rules were deprecated in March 2025 and are being shut down through 2026. Cache Rules are the direct replacement, with finer-grained logic: conditions combine path, hostname, query parameters, headers, and cookie values in Cloudflare's rule expression language. A typical rule for static assets, in the dashboard's wording: `URI Path ends with .jpg, .png, .webp, .css, .js → Cache eligibility: eligible, Edge TTL: 1 month, Browser TTL: 1 week`; as an expression: `http.request.uri.path.extension in {"jpg" "png" "webp" "css" "js"}`. Images and bundles then sit at the edge for 30 days rather than burdening the origin. Keep HTML and anything served to a logged-in user (responses carrying Set-Cookie or depending on Authorization) out of the edge cache: a response cached once with one user's session is served to everyone.

WAF Managed Rules. On the free plan only the Cloudflare Free Managed Ruleset is available (a small set of high-impact rules); the full Cloudflare Managed Ruleset and the OWASP Core Ruleset need Pro or higher, Sensitive Data Detection is an Enterprise feature, and bot mitigation is Bot Fight Mode on free and Super Bot Fight Mode on Pro. On Pro the managed rules can be overridden, per rule or as a whole, to Block, Managed Challenge, JS Challenge, Interactive Challenge, or Log – but Log is an Enterprise-only action. Recommendation for SMEs on Free or Pro: deploy the managed rulesets with the action overridden to Managed Challenge, watch Security Events for a week, exempt the false positives (your own login form, webhooks, API clients) with skip rules, then switch to Block.

Cloudflare onboarding in 7 steps

  1. Add the domain as a site in Cloudflare, switch the registrar nameservers to the two assigned CF nameservers.
  2. Audit all A/AAAA/CNAME records: web-related on Proxied (orange); mail (MX and the A record it points at), SSH, and FTP on DNS-only (grey). SPF, DKIM, and DMARC are TXT records and cannot be proxied anyway. Make sure no grey-clouded record resolves to the web origin's IP.
  3. Set SSL/TLS mode to "Full (strict)". Origin server: generate a Cloudflare Origin Certificate OR verify the existing Let's Encrypt cert. Restrict the origin firewall to Cloudflare's IP ranges.
  4. Enable HSTS with 6 months initially – once stable, raise to 1 year plus Preload.
  5. Create Cache Rules: static extensions (.jpg/.png/.webp/.css/.js) with edge TTL 1 month. HTML/dynamic without edge cache.
  6. Enable WAF: deploy the managed rulesets with Managed Challenge (Log is Enterprise-only), observe Security Events for a week, add skip rules for the false positives, then switch to Block.
  7. Version DNS records and rules in Git with Terraform and the Cloudflare provider (cf-terraforming imports an existing zone; cloudflared is the Tunnel client, not a DNS tool) – manual UI clicks are not reproducible.
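Steps 3 to 6 of the list above as Cloudflare API calls, so the configuration is reproducible rather than clicked together (the point of step 7); this is an added example, not code from the original page or from Fairlane. It also carries the static-asset Cache Rule and the /login rate limit discussed in the text. Assumptions: CF_API_TOKEN is a zone-scoped API token, CF_ZONE_ID the zone, CF_ORIGIN_CA_KEY the account's separate Origin CA key, WAF_RULESET_ID a managed ruleset id looked up with `GET accounts/<account>/rulesets`, HOST the site hostname (example.com as placeholder), the session cookie is named `session`, and curl plus openssl are installed. The `*_payload` functions are pure and only print JSON; `apply_all` sends them.

```shell
#!/bin/sh
# Added example, not from the fairlane.systems page: onboarding steps 3-6 as
# Cloudflare API calls so they live in Git (step 7). Assumed: CF_API_TOKEN is a
# zone-scoped API token, CF_ZONE_ID the zone, CF_ORIGIN_CA_KEY the account's
# separate Origin CA key, WAF_RULESET_ID a managed ruleset id looked up with
# GET accounts/<account>/rulesets, HOST the site hostname, curl + openssl present.
# The *_payload functions are pure and only print JSON; apply_all sends them.
set -u
API="https://api.cloudflare.com/client/v4"
HOST="${HOST:-example.com}"

cf() {  # cf METHOD PATH [JSON-BODY]
  if [ $# -ge 3 ]; then
    curl -fsS -X "$1" "$API/$2" -H "Authorization: Bearer $CF_API_TOKEN" \
      -H "Content-Type: application/json" --data "$3"
  else
    curl -fsS -X "$1" "$API/$2" -H "Authorization: Bearer $CF_API_TOKEN"
  fi
}

# Step 3a: key + CSR on the origin; only the CSR is sent to Cloudflare.
make_origin_csr() {  # make_origin_csr HOST KEYFILE CSRFILE
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$2" -out "$3" 2>/dev/null &&
  openssl req -in "$3" -verify -noout 2>/dev/null
}

# Step 3b: Origin CA request. requested_validity 5475 days = 15 years; the endpoint
# authenticates with the Origin CA key header, not the zone token.
origin_ca_payload() {  # origin_ca_payload HOST CSRFILE
  csr=$(awk '{printf "%s\\n", $0}' "$2")     # JSON-escape the PEM's newlines
  printf '{"hostnames":["%s","*.%s"],"requested_validity":5475,"request_type":"origin-rsa","csr":"%s"}\n' \
    "$1" "$1" "$csr"
}
request_origin_cert() {  # response JSON; result.certificate is the PEM for nginx
  curl -fsS -X POST "$API/certificates" -H "X-Auth-User-Service-Key: $CF_ORIGIN_CA_KEY" \
    -H "Content-Type: application/json" --data "$(origin_ca_payload "$HOST" "$1")"
}

# Step 3c: Full (strict). A cert the edge cannot validate now yields a 526 instead of silent exposure.
set_ssl_strict() { cf PATCH "zones/$CF_ZONE_ID/settings/ssl" '{"value":"strict"}'; }

# Step 4: HSTS. Start at 6 months without preload; preload is a one-way door.
hsts_payload() {  # hsts_payload MAX_AGE_SECONDS PRELOAD(true|false)
  printf '{"value":{"strict_transport_security":{"enabled":true,"max_age":%s,"include_subdomains":true,"preload":%s,"nosniff":true}}}\n' "$1" "$2"
}
set_hsts() { cf PATCH "zones/$CF_ZONE_ID/settings/security_header" "$(hsts_payload 15552000 false)"; }

# Step 5: Cache Rules. Static assets cached 30 d edge / 7 d browser; anything carrying the
# session cookie (name assumed) is never cached, so one user's HTML is never served to another.
cache_rules_payload() {
  cat <<'EOF'
{"rules":[
 {"description":"static assets","action":"set_cache_settings",
  "expression":"(http.request.uri.path.extension in {\"jpg\" \"png\" \"webp\" \"css\" \"js\"})",
  "action_parameters":{"cache":true,
    "edge_ttl":{"mode":"override_origin","default":2592000},
    "browser_ttl":{"mode":"override_origin","default":604800}}},
 {"description":"logged-in traffic","action":"set_cache_settings",
  "expression":"(http.cookie contains \"session=\")",
  "action_parameters":{"cache":false}}
]}
EOF
}
set_cache_rules() { cf PUT "zones/$CF_ZONE_ID/rulesets/phases/http_request_cache_settings/entrypoint" "$(cache_rules_payload)"; }

# Step 6a: rate-limit POST /login to 10 per minute per client IP (60 s windows need Pro;
# the Free plan only offers 10 s). cf.colo.id is mandatory in characteristics below Enterprise.
ratelimit_payload() {
  cat <<'EOF'
{"rules":[{"description":"login brute force","action":"block",
  "expression":"(http.request.uri.path eq \"/login\" and http.request.method eq \"POST\")",
  "ratelimit":{"characteristics":["ip.src","cf.colo.id"],"period":60,"requests_per_period":10,"mitigation_timeout":60}}]}
EOF
}
set_ratelimit() { cf PUT "zones/$CF_ZONE_ID/rulesets/phases/http_ratelimit/entrypoint" "$(ratelimit_payload)"; }

# Step 6b: deploy a managed ruleset with every rule's action overridden. Use
# managed_challenge for the observation week (Log is Enterprise-only), then block.
waf_payload() {  # waf_payload MANAGED_RULESET_ID ACTION
  printf '{"rules":[{"action":"execute","expression":"true","description":"managed WAF","action_parameters":{"id":"%s","overrides":{"action":"%s"}}}]}\n' "$1" "$2"
}
set_waf() { cf PUT "zones/$CF_ZONE_ID/rulesets/phases/http_request_firewall_managed/entrypoint" "$(waf_payload "$1" "$2")"; }

apply_all() {
  make_origin_csr "$HOST" origin.key origin.csr
  request_origin_cert origin.csr > origin-cert.json   # extract result.certificate into /etc/nginx/origin.pem
  set_ssl_strict; set_hsts; set_cache_rules; set_ratelimit
  set_waf "$WAF_RULESET_ID" managed_challenge
}
if [ "${CF_APPLY:-0}" = 1 ]; then apply_all; fi   # CF_APPLY=1 sh onboard.sh
```

The PUT calls on the phase entrypoints replace the whole rule list for that phase, which is what makes the script idempotent: running it twice leaves exactly the rules in the file, and a rule someone added in the dashboard disappears on the next run. After the observation week, change `managed_challenge` to `block` in `apply_all` and commit; raising HSTS to a year plus preload is a second commit with `hsts_payload 31536000 true`.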

When to use Cloudflare

Cloudflare is the right choice when (a) the domain must be publicly reachable, (b) the origin IP should not appear in public lists, and (c) latency for visitors outside Falkenstein matters. That covers almost any marketing site and any client-facing platform.

Concrete Swiss SME cases: a fiduciary website with a lead form – the Cloudflare WAF blocks classic SQL injection and form spam before origin. A client platform with a login area – rate limiting on /login at 10 attempts per minute per IP (a 60-second window needs Pro; the free plan only rate-limits over 10-second windows). An internal n8n workflow endpoint – Cloudflare Tunnel instead of an open port, so there is no listening port to scan; put Cloudflare Access in front of the tunnel hostname so the hostname itself is not an open door. An image CDN for marketing assets – Cloudflare Polish (Pro and up) compresses PNGs to WebP automatically and saved 40–60% bandwidth on Fairlane domains.

When not to use

Cloudflare is the wrong choice when (a) strict Swiss-hosting on the revDSG level is required and no US providers may sit in the path – Cloudflare is US-incorporated and may fall under the CLOUD Act (assessment: transit data is short-lived and encrypted, but for heavily regulated sectors like banking back office still risky), (b) the system has a private-addressed origin that should never be routed through Cloudflare edges (e.g. an internal balance-sheet database), or (c) the application needs long-lived WebSocket streams or HTTP responses that exceed the proxy's 100-second origin timeout (HTTP 524) – that timeout is fixed on Free, Pro, and Business and can only be raised on Enterprise, so upgrading to Pro does not help; such endpoints either need Enterprise or must stay off the proxy.

More pitfalls: leaving SSL/TLS mode on "Flexible" because the origin has no cert yet – the consequence is plaintext between Cloudflare and origin, a classic MITM position. Configuring "Bypass Cache on Cookie" so broadly that effectively nothing caches. Putting WAF rules on Block without the observation phase – this likely blocks your own client login. And using Cloudflare Workers for critical business logic without a fallback strategy for Cloudflare outages – Cloudflare had a multi-hour global outage in each of 2024 and 2025.

Trade-offs

STRENGTHS

  • DDoS mitigation and WAF included on the free plan
  • Origin IP hidden; bot scrapers see only Cloudflare
  • DACH latency at 5–10 ms via anycast
  • 15-year origin certificate with no renewal effort

WEAKNESSES

  • US corporation – for heavily regulated sectors a TIA is needed
  • Global outages 1–2 times a year for several hours
  • No long-lived WebSockets on the free plan
  • "Flexible" SSL is a magnet for configuration mistakes

FAQ

Cloudflare and revDSG/EU AI Act – is there a conflict?

Cloudflare is a US corporation with EU regionalisation. Transit data flows through European PoPs (Zurich, Frankfurt, Vienna) and is TLS-encrypted. Cloudflare is not a data controller for business data – as long as no client data sits in Workers or KV. Recommendation: sign a DPA with Cloudflare, use Standard Contractual Clauses (SCC 2021/914), document a transfer impact assessment. For banking back office, still place the origin server in Switzerland.

What does Cloudflare cost for an SME?

The free plan covers most SMEs already: unlimited DNS changes, DDoS protection, the Free Managed WAF ruleset, 10 Cache Rules (the deprecated Page Rules allowed 3), one rate-limiting rule. Pro from USD 20/month per domain adds the full managed WAF rulesets, image Polish, and mobile optimisation. Business from USD 200/month for the 100% uptime SLA. Fairlane runs 9+ domains for about USD 60/month across all plans.

What happens when Cloudflare fails?

During a global Cloudflare outage the domain is unreachable until recovery – this happened once in 2024 and once in 2025, each time for several hours. Mitigation has to be prepared in advance, because two of the obvious moves do not work under pressure. Short record TTLs (300 seconds) do not speed up a nameserver switch: a registrar NS change propagates per the TLD's own NS TTL, typically hours, so flipping the nameservers to a standby provider (Route53 or Hetzner DNS, with the zone pre-loaded) is a last resort rather than a quick fix. The faster path, when the Cloudflare API or dashboard is still reachable, is to switch the web records to DNS-only so they resolve straight to the origin. That works only if the origin (a) accepts traffic from arbitrary sources, not just Cloudflare's ranges, (b) presents a publicly trusted certificate such as Let's Encrypt – an Origin CA certificate fails in every browser – and (c) can absorb the load and the exposure on its own, because its address is public from then on and stays in scan lists afterwards. Rehearse the flip once a year; recovery time is 1–2 hours manually either way.

Related topics

  • NGINX · TECH STACK – Nginx as reverse proxy: SSL, rate limits, and security headers for containerised apps
  • SERVER & INFRASTRUCTURE · SERVICE – Server & Infrastructure: Ubuntu, Docker, monitoring – set up, hardened, handed over
  • HETZNER · TECH – Hetzner as EU hosting for Swiss fiduciaries and SMEs: data centres, contracts, cost
  • TIA · COMPLIANCE – Third-country transfer and Transfer Impact Assessment (TIA): Swiss data in US and PRC cloud LLMs
  • revDSG · COMPLIANCE – revDSG / revFADP and AI: what the revised Swiss Data Protection Act means for LLM use

