Protect your origin server — Pro
Your origin server is a physical or virtual machine that is not owned by Cloudflare and hosts your application content (data, webpages, etc.).
Receiving too many requests can be bad for your origin. These requests might increase latency for visitors, incur higher costs — particularly for cloud-based machines — and could knock your application offline.
Select a plan to see how Cloudflare can help you protect your origin:
Secure origin connections
When you secure origin connections, it prevents attackers from discovering and overloading your origin server with requests.
- DNS: Set up proxied (orange-clouded) DNS records and change your domain nameservers , which will also require that you allow Cloudflare IP addresses at your origin.
- SSL:
- To encrypt traffic between Cloudflare and your server, choose Full (strict) SSL/TLS mode (requires server configuration)
- To ensure requests originate from the Cloudflare network, set up authenticated origin pulls .
- Prevent external connections:
- Firewall (moderately secure): Set up a firewall rule that only allows traffic from Cloudflare IP addresses.
- Cloudflare Tunnel (very secure): To encrypt all traffic and prevent any inbound connections to your origin, set up a Cloudflare Tunnel .
Monitor origin health
To receive an email when Cloudflare is unable to reach your origin,
create a notification
for Passive Origin Monitoring.
For more active monitoring, set up standalone health checks for your origin.
Zero Downtime Failover
If you have another A or AAAA record in your Cloudflare DNS or your Cloudflare Load Balancer provides another origin in the same pool, Zero-Downtime Failover automatically retries requests to your origin even before a Load Balancing decision is made.
Cloudflare currently retries only once for HTTP 521, 522, and 523 response codes.
Reduce origin traffic
Block traffic
So long as your traffic is proxied by Cloudflare , Cloudflare automatically protects your application from DDoS attacks.
Additionally, adjust various settings in Security to restrict potentially malicious traffic:
- Get automatic protection from common threats with Managed Rulesets
- Set up customized firewall rules
- Enable bot protection
- Block, challenge, or allow specific addresses with IP access rules
- Create rate limiting rules (usage-based billing) as a final defense against malicious traffic
Increase caching
The cache stores data from your application (webpages, etc.) at Cloudflare data centers around the world, which reduces the number of requests sent to your origin server.Distribute traffic
To randomly distribute traffic across multiple servers, set up multiple DNS records .
For more fine-grained control over traffic distribution — including automatic failover, intelligent routing, and more — set up our add-on load balancing service .