Cloudflare & CDN

Faster, safer, quietly in front of your site.

A properly configured edge layer is one of the highest-leverage moves a small site can make — global delivery, automatic SSL, application firewall, and bot mitigation, all sitting between the open internet and your origin. We do the careful version of that setup, with caching rules that don’t break your checkout.

Sub-techniques covered · SSL/TLS · WAF · DDoS · Workers · Page Rules · Cloudflare Tunnel · Turnstile · Cache Rules · CN-AU Routing
01 — What’s Included

Nine edge configurations. One honest setup.

Cloudflare is unusual among infrastructure tools — most of its value is locked behind dashboards that look simple but punish guesswork. The default settings are reasonable for a personal blog and quietly wrong for a business site. The advanced settings will silently break a checkout if you tick the wrong box.

Our work is to translate your actual application — its login flow, its forms, its API, its cached pages, its origin host — into a Cloudflare configuration that does what you wanted from it without the surprises.

N° 01

SSL/TLS Mode & Certificates

Encryption

The single most-misconfigured Cloudflare setting is the SSL/TLS mode — Flexible, Full, or Full (Strict). Flexible looks fine in a browser and is silently insecure between Cloudflare and your origin; Full (Strict) is the only acceptable production choice for a real business site. We move sites onto Full (Strict), provision an origin certificate where one is missing, enable HSTS with a sensible preload strategy, and make sure the entire chain — visitor to edge to origin — is encrypted end to end. We also handle deeper TLS hardening on the origin where it pairs with this work.

N° 02

Web Application Firewall (WAF)

Protection

Cloudflare’s WAF can block the OWASP Top 10 attack patterns, custom request signatures, and country-level traffic in seconds — but it can also block your actual customers if it is left at every default. We tune managed rulesets for your stack (WordPress, WooCommerce, Shopify, custom application), write custom rules for the abuse patterns you actually see in your logs, and configure rate limiting on the endpoints that matter — login, checkout, forms, search. Allow-listing is documented so your team and ours both know who is exempt and why.

N° 03

DDoS Mitigation & Bot Management

Resilience

Cloudflare’s automatic DDoS protection handles network-layer floods invisibly; the harder work is application-layer mitigation — credential stuffing, content scraping, fake-account creation, brute-force attempts. We configure Bot Fight Mode where appropriate, write Super Bot Fight Mode rules for sites that need finer control, integrate Turnstile on forms where reCAPTCHA used to live, and tune Under Attack Mode as a break-glass option you can flip on without us being available. The aim is a site that absorbs everything short of a serious incident without anyone on your team noticing.

N° 04

Cache Rules & Page Rules

Performance

A correct caching configuration is the single highest-impact performance change a small site can make — the difference between a 1.2s LCP and a 4s LCP, often without touching the origin at all. We write Cache Rules that cache static assets aggressively, cache HTML where it is genuinely static, and bypass the cache on logged-in sessions, cart pages, and checkout. We use the new Cache Rules engine where it has replaced legacy Page Rules, and we keep the rule list short and explainable rather than accreting twenty layered rules that nobody can reason about six months later.

N° 05

Workers & Edge Logic

Programmable

Cloudflare Workers run JavaScript at the edge before requests reach your origin — a powerful tool for redirects at scale, A/B testing, geo-routing, header rewriting, request transformation, lightweight APIs, and bot challenges. Most sites do not need Workers; the ones that do need them written carefully. Where the use case is right we write the Worker, version it in Git, deploy through Wrangler, and document the failure mode. Where a Page Rule would do the job, we use the Page Rule.
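As an added example (not code from this page, from Aureole, or from Cloudflare's own samples), here is a Worker in the shape the caching and Workers sections describe: a redirect map, cache bypass for cart, checkout, account and admin paths and for any request that carries a session cookie, and a small set of response headers added on the way out. The hostnames, paths, cookie names and redirect entries are constructed placeholders; the `cf` fetch options (`cacheEverything`, `cacheTtl`) are Cloudflare's documented Workers fetch hints. The decision logic is kept in plain synchronous functions so it can be tested outside the Workers runtime.

```javascript
// Added example, not the page's or Cloudflare's own code. A Worker that handles
// three edge jobs: redirects from a map, cache bypass for personalised traffic,
// and response header rewriting. All hostnames, paths and cookie names are
// constructed placeholders.

// Redirect table: old path -> new path (constructed sample entries).
const REDIRECTS = new Map([
  ['/old-pricing', '/pricing'],
  ['/blog/2019/launch', '/news/launch'],
]);

// Path prefixes that must never be served from the edge cache.
const BYPASS_PREFIXES = ['/cart', '/checkout', '/my-account', '/wp-admin', '/wp-login.php'];

// Cookie names that mark a logged-in or cart-carrying session (WordPress and
// WooCommerce names as illustration; adjust to the application's own).
const SESSION_COOKIE_RE = /(^|;\s*)(wordpress_logged_in_|woocommerce_items_in_cart|PHPSESSID)/;

// Match the prefix as a whole path segment, so /cart and /cart/... bypass but
// /cartoons does not.
function isBypassPath(pathname) {
  return BYPASS_PREFIXES.some((p) => pathname === p || pathname.startsWith(p + '/'));
}

function hasSessionCookie(cookieHeader) {
  return SESSION_COOKIE_RE.test(cookieHeader || '');
}

// Decide what the edge should do with a request. Kept synchronous and free of
// Workers-only APIs so it can be unit-tested in plain Node.
function classifyRequest(request) {
  const url = new URL(request.url);
  const location = REDIRECTS.get(url.pathname);
  if (location) return { action: 'redirect', location };
  const bypassCache =
    request.method !== 'GET' ||
    isBypassPath(url.pathname) ||
    hasSessionCookie(request.headers.get('cookie'));
  return { action: 'fetch', bypassCache };
}

// Headers added to every response on its way back to the browser.
const RESPONSE_HEADERS = {
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
  'x-content-type-options': 'nosniff',
  'referrer-policy': 'strict-origin-when-cross-origin',
};

// Copy the origin response so its headers are mutable, then apply the policy.
function decorateResponse(upstream, bypassCache) {
  const response = new Response(upstream.body, {
    status: upstream.status,
    statusText: upstream.statusText,
    headers: upstream.headers,
  });
  for (const [name, value] of Object.entries(RESPONSE_HEADERS)) {
    response.headers.set(name, value);
  }
  if (bypassCache) {
    // Even if the origin forgot, tell the browser and any intermediate cache
    // not to keep a personalised response.
    response.headers.set('cache-control', 'private, no-store');
  }
  return response;
}

// originFetch is injected so the handler can run against a stub in tests.
async function handleRequest(request, originFetch) {
  const decision = classifyRequest(request);
  if (decision.action === 'redirect') {
    const url = new URL(request.url);
    url.pathname = decision.location;
    return Response.redirect(url.toString(), 301);
  }
  // Cloudflare-specific fetch hints: cache static pages at the edge for five
  // minutes; personalised requests get no hint, and the edge does not cache
  // HTML by default, so they pass straight through to the origin.
  const cf = decision.bypassCache ? {} : { cacheEverything: true, cacheTtl: 300 };
  const upstream = await originFetch(request, { cf });
  return decorateResponse(upstream, decision.bypassCache);
}

// Service-worker style registration; under Wrangler's module format the same
// handler is exported as the default fetch handler instead.
if (typeof addEventListener === 'function') {
  addEventListener('fetch', (event) => event.respondWith(handleRequest(event.request, fetch)));
}
```

Where a Cache Rule alone would do the bypass, prefer the rule, as the text says; the Worker earns its place only when the redirect map or header logic is also needed.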

N° 06

Cloudflare Tunnel

Origin shield

Cloudflare Tunnel hides your origin server’s public IP entirely — there is no inbound port exposed to the internet, only an outbound connection from your server to the Cloudflare edge. For most business websites this is the right answer: no IP for an attacker to scan, no origin reachable except through Cloudflare’s filters, and a clean integration with Zero Trust access policies for staging and admin endpoints. We deploy cloudflared, configure ingress rules, lock the firewall down to drop everything that did not arrive via the tunnel, and document the recovery procedure if the tunnel itself ever needs to be rebuilt.

N° 07

Turnstile & Form Protection

Anti-spam

Turnstile is Cloudflare’s reCAPTCHA replacement — privacy-respecting, mostly invisible to real visitors, and free at sensible volumes. We replace reCAPTCHA on contact forms, login pages, registration flows, and comment systems with Turnstile widgets, validate the token server-side, and tune the difficulty for forms that get hit hardest. The result is fewer spam submissions and fewer real customers giving up because they cannot read a distorted bus on a faded photo.
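The server-side validation step above, as an added example (not code from this page, from Aureole, or from Cloudflare's own samples): a Worker-style form handler that rejects a submission unless its Turnstile token verifies. The siteverify URL, the `cf-turnstile-response` form field and the `secret`/`response`/`remoteip` parameters are Cloudflare's documented interface; the secret binding name `TURNSTILE_SECRET` and the hostnames are assumptions for this example. The network call is injected so the logic can be tested offline.

```javascript
// Added example, not the page's or Cloudflare's own code: server-side check of
// a Turnstile token inside a Worker-style form handler. The siteverify URL and
// parameter names are Cloudflare's documented interface; the secret binding
// name TURNSTILE_SECRET and all hostnames are assumptions for this example.

const SITEVERIFY_URL = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';

// Build the siteverify POST, or return null for a token that should be rejected
// before any network call (missing, not a string, or oversized).
function buildSiteverifyRequest(token, remoteIp, secret) {
  if (typeof token !== 'string' || token.length === 0 || token.length > 2048) return null;
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set('remoteip', remoteIp);
  return { method: 'POST', body };
}

// Interpret the JSON siteverify returns. `success` alone is not enough: the
// token must have been solved on our hostname, not on a widget that embeds our
// site key on somebody else's page.
function interpretSiteverify(outcome, expectedHostname) {
  if (!outcome || outcome.success !== true) {
    const codes = (outcome && outcome['error-codes']) || ['no-response'];
    return { ok: false, reason: codes.join(',') };
  }
  if (expectedHostname && outcome.hostname !== expectedHostname) {
    return { ok: false, reason: 'hostname-mismatch' };
  }
  return { ok: true, challengeTs: outcome.challenge_ts };
}

// Full verification; doFetch is injected so it can be stubbed in tests.
async function verifyTurnstileToken(token, remoteIp, secret, expectedHostname, doFetch) {
  const req = buildSiteverifyRequest(token, remoteIp, secret);
  if (!req) return { ok: false, reason: 'invalid-token-format' };
  const res = await doFetch(SITEVERIFY_URL, req);
  if (!res.ok) return { ok: false, reason: `siteverify-http-${res.status}` };
  return interpretSiteverify(await res.json(), expectedHostname);
}

// Worker-style form handler: the submission is only processed once the token
// has been verified server-side. The client-side widget alone proves nothing.
async function handleFormPost(request, env, doFetch = fetch) {
  const form = await request.formData();
  const token = form.get('cf-turnstile-response');
  const result = await verifyTurnstileToken(
    token,
    request.headers.get('cf-connecting-ip'), // client IP as seen by Cloudflare
    env.TURNSTILE_SECRET,                    // stored with `wrangler secret put` (assumed name)
    new URL(request.url).hostname,
    doFetch,
  );
  if (!result.ok) {
    // Log result.reason for tuning; keep the visible response generic.
    console.log(`turnstile rejected: ${result.reason}`);
    return new Response('Verification failed', { status: 403 });
  }
  // Token accepted: hand the submission to the real form processor here.
  return new Response('Accepted', { status: 200 });
}
```

Each token is single-use and short-lived, so a replayed submission comes back from siteverify with `timeout-or-duplicate` and is rejected without any extra state on your side.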

N° 08

DNS, Email Routing & Pairing

Records

Bringing a domain onto Cloudflare means moving authoritative DNS to Cloudflare’s nameservers — and that is the moment most things quietly break, because someone forgot to copy a record or set the proxy status wrong on a mail subdomain. We migrate DNS without dropping a record, set the proxy (orange cloud) status correctly per record type, configure Cloudflare Email Routing where it suits, and pair the work tightly with our DNS & Domain Management practice so SPF, DKIM, DMARC, and CAA records all stay consistent.

N° 09

CN ↔ AU Routing & Origin Strategy

Geography

Cloudflare’s edge is genuinely global, but the route between mainland China and the rest of the world remains the part of the internet that does not behave like the rest of the internet. For sites that serve both Australian customers and a meaningful CN audience, we plan origin placement and routing together: which records stay proxied, which traffic resolves to alternative origins in Hong Kong or Singapore, which assets sit on a separate CN-friendly host, and what the failure mode looks like if a particular Cloudflare edge gets throttled. We have run this configuration in production for bilingual sites and we keep the runbook current.

An honest note

About Cloudflare and mainland China.

Cloudflare is excellent on every continent except one. The Great Firewall blocks or throttles many Cloudflare edge nodes for visitors inside mainland China, which means a Cloudflare-fronted site can load smoothly in Sydney, London, and Vancouver while loading slowly — or not at all — in Shanghai. This is a real consideration, not a marketing pitch against the platform.

For sites where CN traffic is incidental, this rarely matters. For sites where mainland visitors are a meaningful share of the audience, we plan around it: alternative origin hosting in Hong Kong or Singapore, a separate CN-facing record set, China-friendly CDN partners for static assets, and an honest conversation about what level of CN performance is reasonable to promise. The right answer depends on your business — we will tell you what we would do in your situation, not what gets us the longest invoice.

02 — Our Approach

Audit. Stage. Roll out. Verify.

Cloudflare changes have a habit of looking instant in the dashboard and arriving in production thirty seconds later. We treat every change as a change — staged where possible, rolled out deliberately, watched after deploy.

i

Audit before any change

The first deliverable is a written audit of your current Cloudflare setup — SSL mode, every Page Rule and Cache Rule in evaluation order, WAF rulesets enabled and their custom additions, DNS records with their proxy status, Workers running with their last deploy date, and the API tokens with access to all of it. You keep that document. It tells you what was configured, why, and who has access — and removes the black-box feeling most teams have about their CDN.

ii

Stage on a non-production zone

Where the change is non-trivial — a new caching strategy, a rewritten WAF ruleset, a Worker deploy — we stage it on a non-production zone first. Cloudflare’s free tier makes this practical: a staging.yourdomain or a separate test zone gets the new config, we verify behaviour against a representative set of URLs, and only then do the changes land in production. The first time you find out a Page Rule blocks the cart should not be after an order failed.

iii

One change at a time

When a problem appears in production after a deploy, the answer to “what changed?” should always be a single, named change. We avoid stacking five edits into one push, and we avoid touching unrelated rules during a single window. Slower in the short run, dramatically faster the first time something needs to be rolled back. Every change is logged with its date, its author, and its reason.

iv

Verified after deploy

After every change we verify behaviour from outside Cloudflare — a real browser, a curl from a different network, occasionally a probe from a different country. We confirm cache hit ratios with the response headers, watch the WAF events tab for false positives, and check rendered pages for broken cookies, busted login flows, or accidentally cached personalised content. No change is closed without verification.
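The post-deploy check described above, as an added example (not the page's own tooling): a small script that reads the response headers of a representative URL set, as captured with `curl -sI`, and flags the mistakes this section names: a cart or checkout page served from the edge cache, a cached response that also sets a cookie, a cache hit despite `private`/`no-store`, a missing HSTS header, and a low edge hit ratio on the pages that should be cached. The header captures in `SAMPLES` are constructed, not real responses.

```javascript
// Added example, not the page's own tooling: audit captured response headers
// after a Cloudflare change. The header captures in SAMPLES are constructed.

// Paths that should always show BYPASS or DYNAMIC in cf-cache-status.
const NEVER_CACHE = ['/cart', '/checkout', '/my-account', '/wp-admin', '/wp-login.php'];

// Parse a raw header block (as printed by `curl -sI`) into a lowercase
// name -> value object. The status line has no colon and is skipped.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i <= 0) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

function isSensitivePath(path) {
  return NEVER_CACHE.some((p) => path === p || path.startsWith(p + '/'));
}

// Check one URL's headers and return the findings a reviewer would want to see.
function auditResponse(path, raw) {
  const h = parseHeaders(raw);
  const status = (h['cf-cache-status'] || 'NONE').toUpperCase();
  const sensitive = isSensitivePath(path);
  const findings = [];
  if (sensitive && status === 'HIT') findings.push('personalised path served from edge cache');
  if (status === 'HIT' && 'set-cookie' in h) findings.push('cached response sets a cookie');
  if (status === 'HIT' && /private|no-store/i.test(h['cache-control'] || '')) {
    findings.push('cached despite private/no-store');
  }
  if (!('strict-transport-security' in h)) findings.push('missing HSTS header');
  return { path, status, sensitive, findings };
}

// Summarise a whole URL set: which responses need attention, and the edge hit
// ratio across the pages that are meant to be cached.
function summarise(samples) {
  const results = samples.map(({ path, raw }) => auditResponse(path, raw));
  const cacheable = results.filter((r) => !r.sensitive);
  const hits = cacheable.filter((r) => r.status === 'HIT').length;
  return {
    flagged: results.filter((r) => r.findings.length > 0),
    hitRatioPercent: cacheable.length ? Math.round((100 * hits) / cacheable.length) : 0,
  };
}

// Constructed captures; the /cart/ entry is the misconfiguration the text warns about.
const HSTS = 'strict-transport-security: max-age=31536000; includeSubDomains';
const SAMPLES = [
  { path: '/', raw: ['HTTP/2 200', 'content-type: text/html', 'cf-cache-status: HIT', HSTS].join('\n') },
  { path: '/assets/app.css', raw: ['HTTP/2 200', 'content-type: text/css', 'cf-cache-status: HIT', HSTS].join('\n') },
  { path: '/blog/', raw: ['HTTP/2 200', 'content-type: text/html', 'date: Mon, 01 Jan 2024 00:00:00 GMT', 'cf-cache-status: MISS', HSTS].join('\n') },
  { path: '/cart/', raw: ['HTTP/2 200', 'content-type: text/html', 'cf-cache-status: HIT', 'set-cookie: woocommerce_items_in_cart=1; path=/'].join('\n') },
  { path: '/checkout/', raw: ['HTTP/2 200', 'content-type: text/html', 'cf-cache-status: BYPASS', 'cache-control: no-store', HSTS].join('\n') },
];

// Run as a script: print the report for the constructed samples.
if (typeof require !== 'undefined' && require.main === module) {
  const report = summarise(SAMPLES);
  console.log(`edge hit ratio on cacheable pages: ${report.hitRatioPercent}%`);
  for (const r of report.flagged) console.log(`${r.path} [${r.status}]: ${r.findings.join('; ')}`);
}
```

A clean run tells you the headers are right; it does not prove a cached body is safe to share, which is why the text also checks rendered pages from a second browser and network.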

03 — Who It’s For

Sites that should already be on the edge.

Cloudflare suits almost every business website — the free tier alone delivers more value than any commercial CDN of a decade ago. The question is rarely “should we use it” but “is the configuration right.”

Here are a handful of recurring situations where the edge layer is the unlock — or where it has been silently misconfigured for longer than anyone realised.

  • i Small sites that want to feel like big ones: Boutique firms, professional services, regional retailers — businesses whose sites should load like a Fortune 500 site without the budget of one. Cloudflare’s edge plus a careful caching strategy gets you there for the cost of a domain and an afternoon.
  • ii WooCommerce and Shopify stores hit by bots: Carding attempts on checkout, inventory scrapers, fake account creation, comment spam. The free WAF and a properly configured Bot Management policy stop most of it before it reaches the origin.
  • iii Sites with a meaningful Australian and CN audience: Businesses serving both markets need a routing strategy that respects both — Cloudflare for the rest of the world, alternative origin or CN-friendly CDN for mainland visitors, a clear failure mode for each.
  • iv Origin servers exposed to the open internet: If your VPS public IP is reachable, it is being scanned. Cloudflare Tunnel removes the inbound surface entirely while keeping your operational workflow intact.
  • v Sites where the cache configuration looks like archaeology: Twenty-three Page Rules, half of them disabled, none of them documented, and nobody confident that the cart is genuinely uncached. We rebuild it cleanly with Cache Rules and a written explanation.

We are happy to bring sites onto Cloudflare from scratch, take over an inherited configuration that nobody understands, or supplement an in-house team that wants a second set of eyes on the WAF and caching layers. The work pairs naturally with our DNS & Domain Management and SSL/TLS & Security Baseline practices, and most clients move all three onto a single retainer once the initial setup is verified.

04 — A complimentary report

Curious how Google sees your site?

Send us your URL. We’ll send back a Premium SEO Report, prepared by hand, within 48 hours — domain authority, keyword rankings, backlinks, competitor gap, and the quick wins worth chasing first.

No sales call required.

A thoughtful CDN is how a small site quietly acts like a big one — global, defended, and almost never the bottleneck.
— The Aureole Practice —
05 — Frequently Asked

Questions we get about Cloudflare.

If a question is missing here, the contact link at the foot of the page goes straight to the person who would answer it. No ticket queues, no funnels.

i Do we really need Cloudflare? Our hosting includes a CDN.
In most cases, yes — even with a hosting-bundled CDN. Hosting CDNs typically cover static asset delivery and not much else. Cloudflare’s free tier adds a managed WAF, automatic DDoS mitigation, free origin certificates, programmable Workers, Turnstile, Page Rules, and a global edge network with substantially more points of presence than most bundled CDNs. The interesting question is rarely “Cloudflare or hosting CDN” — it is “Cloudflare configured well, or Cloudflare configured carelessly.” A misconfigured Cloudflare zone is genuinely worse than no CDN at all.
ii Will Cloudflare break our checkout, our login, or our admin area?
It can, if the caching rules cache pages that should never be cached — checkout, cart, account, wp-admin, anything personalised. The most common cause of “Cloudflare broke my site” is a Page Rule that aggressively caches everything to the edge, which then serves one customer’s cart contents to the next visitor. Our caching configurations explicitly bypass the cache for cart, checkout, account, login, search, and admin paths, and we verify every cached response is actually safe to share. We have never had a checkout incident from a configuration we deployed.
iii Does Cloudflare work for visitors in mainland China?
Partially, and unevenly. The Great Firewall blocks or throttles many Cloudflare edge nodes for mainland visitors, so a Cloudflare-fronted site can load reliably everywhere except inside China. For sites where CN traffic is incidental, this is rarely a problem — the connection still works, just slower. For sites where mainland visitors matter, we plan around it: alternative origin hosting in Hong Kong or Singapore, a separate CN-facing DNS record, China-friendly CDN partners for static assets where licensing permits, and an honest conversation about what is realistic to promise. We do not pretend Cloudflare alone is a full CN solution, and we do not push you onto a Chinese ICP-licensed configuration unless your business genuinely needs one.
iv Do we need a paid Cloudflare plan, or is the free tier enough?
For most small business websites, the free tier is genuinely enough — free SSL, free DDoS, free WAF (with the OWASP managed ruleset), free Workers (within request quotas), free Page Rules (three of them, which is plenty for most sites), and the same global edge as the paid plans. The Pro plan adds image optimisation, mobile redirects, more managed WAF rulesets, and lift-and-shift WAF rules — useful for some sites, unnecessary for many. Business and Enterprise are for sites with very specific compliance, support, or volume needs. We will recommend the free tier when the free tier is the right answer, and we have no incentive to upsell you.
v What is Cloudflare Tunnel and do we need it?
Cloudflare Tunnel runs a small daemon (cloudflared) on your origin server that opens an outbound connection to the Cloudflare edge — and only that connection. There is no inbound port exposed to the internet, no public IP to scan, no firewall hole to manage. For most business websites running on a VPS, this is the right answer: cleaner security posture, simpler firewall rules, and a quieter origin. The trade-off is a small additional dependency on Cloudflare itself; if your site cannot tolerate any Cloudflare downtime, you may want a backup access path. We help decide which side of that trade-off makes sense for your situation.
vi Can you take over a Cloudflare zone someone else set up?
Yes, and inherited Cloudflare zones are one of the most common engagements we run. Most are not broken, but most have configuration choices nobody can explain — Page Rules disabled but never deleted, custom WAF rules with no comment on what they do, API tokens with broad access and no rotation history, an SSL mode set to Flexible because someone read a forum post. We audit what is there, document it, fix what is genuinely wrong, retire rules nobody can justify, rotate access tokens, and hand you back a zone you understand. Then we maintain it.
vii Will Cloudflare improve our Core Web Vitals and SEO?
Often, meaningfully — particularly for global audiences and sites whose origin server is geographically distant from many visitors. A correct caching strategy improves time to first byte, LCP, and CLS by reducing the number of round trips and cutting variance from origin load. The SEO benefit is real but indirect: faster sites convert better, get indexed more efficiently, and pass Core Web Vitals thresholds that Google increasingly counts as ranking signals. Our parent IT practice and technical SEO work overlap on this, and we coordinate the two so the gains compound rather than collide.
The Invitation

Ready for an edge layer that just works?

Tell us what’s on Cloudflare today — or what isn’t, and what should be. We’ll respond within one business day with a clear assessment, a setup plan, and an honest read on whether mainland CN traffic needs a different approach.

Mon–Fri · 9–6 PT support@aureoleintelligence.com Reply within 1 business day