
Cloudflare DNS Setup

NOTE: When using Cloudflare for DNS, MageMojo cannot assign or install a Let's Encrypt certificate; LE certificates can only be installed when using the MageMojo Route 53 nameservers. Furthermore, certificates issued and signed by Cloudflare cannot be installed on Stratus. Certificates must be issued by a publicly trusted Certificate Authority (CA), such as ACM or those listed by the Mozilla Foundation. For more information, see "Continually Enhancing Domain Security on Amazon CloudFront".

The initial setup wizard for Cloudflare will prompt you to point A records instead of a CNAME. This is not an ideal setup because the IPs can change and will differ depending on geographical location. Cloudflare can be allowed to pull records automatically, since it will also pull the records needed for Amazon SES. Cloudflare will automatically apply CNAME flattening.

Remove the A records and change the DNS to point to the CloudFront URL for your domain. You can find this under the DNS Admin panel in Stratus.

Screenshot

Sample Cloudflare DNS Setup

Screenshot

Changing nameservers should not cause any downtime if the domain is currently pointed to Stratus. However, as a precaution, make the change during off-peak hours. If the domain is not currently pointed to Stratus, DNS changes can take up to 24 hours to propagate.

Cloudflare Settings

Under SSL > Overview, make sure the setting is set to FULL.

Screenshot

Under SSL > Edge Certificates, make sure Always Use HTTPS is set to On.

Screenshot

Cloudflare Proxy

Once the store is behind Cloudflare, the proxy can be turned off at any time under the DNS tab in the Cloudflare account by clicking the orange cloud so that it turns grey.

Proxied example:

Screenshot

Not Proxied example:

Screenshot

Nginx Includes

So that the Nginx logs show the visitors' IP addresses rather than only Cloudflare's IP addresses, add the following to the Nginx includes:

set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;

For the latest, updated list of values, see this Cloudflare article.
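Because the published ranges change over time, the include can drift: a missing range means visitors arriving through it are logged with a Cloudflare address, and a range that is still trusted but no longer published lets any host in it set the client IP that Nginx records. The following is an added example (not MageMojo's or Cloudflare's code) that compares the `set_real_ip_from` entries with a saved copy of the published list; the function names are hypothetical and both sample inputs are constructed, with 198.51.100.0/24 and 2001:db8::/32 being documentation ranges.

```python
import ipaddress
import re

# Matches active (uncommented) directives such as: set_real_ip_from 103.21.244.0/22;
DIRECTIVE = re.compile(r"^\s*set_real_ip_from\s+([0-9A-Fa-f:./]+)\s*;", re.M)

def collapse(nets):
    """Merge adjacent or overlapping networks, IPv4 and IPv6 separately."""
    nets = list(nets)
    merged = []
    for version in (4, 6):
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return merged

def parse_include(conf_text):
    """Networks trusted by the set_real_ip_from lines of an Nginx include."""
    return collapse(ipaddress.ip_network(c, strict=False) for c in DIRECTIVE.findall(conf_text))

def parse_published(list_text):
    """Networks from a plain list of CIDR ranges, one per line."""
    return collapse(ipaddress.ip_network(line.strip(), strict=False)
                    for line in list_text.splitlines() if line.strip())

def covered(net, pool):
    """True if net lies wholly inside one same-family network of pool."""
    return any(net.version == p.version and net.subnet_of(p) for p in pool)

def audit(conf_text, list_text):
    """Return (missing, over_trusted) as lists of CIDR strings."""
    configured, published = parse_include(conf_text), parse_published(list_text)
    missing = [str(n) for n in published if not covered(n, configured)]
    over_trusted = [str(n) for n in configured if not covered(n, published)]
    return missing, over_trusted

# Constructed sample include: two ranges from the list above plus a stale entry.
SAMPLE_INCLUDE = """
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 198.51.100.0/24;   # constructed stale entry
# set_real_ip_from 203.0.113.0/24;
"""
# Constructed stand-in for a saved copy of the published list (not the real list).
SAMPLE_PUBLISHED = "103.21.244.0/22\n173.245.48.0/21\n173.245.56.0/21\n2001:db8::/32\n"

if __name__ == "__main__":
    missing, over_trusted = audit(SAMPLE_INCLUDE, SAMPLE_PUBLISHED)
    print("published but not trusted:", missing)
    print("trusted but not published:", over_trusted)
```

Ranges are merged before comparison, so a published block that the include covers with two adjacent entries (or the reverse) is not reported as a difference.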

Whitelisting Validation

It is important that an additional step be taken to whitelist the Stratus instance in Cloudflare. Otherwise, Google Analytics validation will fail and could result in the suspension of the account.

See Whitelisting Validation for Cloudflare for instructions.