Cloudflare Account Setup

This document outlines the standard process for setting up a new Cloudflare account for a client project.

Account Creation and Access

  1. Use a Distribution List for the Root Account:
    • When creating a new Cloudflare account for a client, do not use an individual’s email address.
    • Create an email distribution list or alias (e.g., client-name-cloudflare@our-company.com).
    • This ensures that access to the root account is not tied to a single person.
  2. Enable Two-Factor Authentication (2FA):
    • 2FA must be enabled on the root account immediately after creation.
    • Use an authenticator app (like Google Authenticator or Authy) for the 2FA code. Store the recovery codes in the company’s secure password manager.
  3. Invite Team Members with Role-Based Access Control (RBAC):
    • Do not share the root account credentials.
    • Invite team members to the Cloudflare account using their individual company email addresses.
    • Assign roles based on the principle of least privilege, as defined in our Access Control Policy. Standard roles include:
      • Super Administrator: Should be limited to 1-2 senior DevOps leads.
      • Administrator: For team members who need broad access to manage services.
      • Read Only: For team members who only need to view settings and analytics.
      • Specific Service Roles: Assign roles for specific Cloudflare services (e.g., “Workers Administrator”, “DNS Administrator”) where possible.

Initial DNS and Domain Setup

  1. Add the Client’s Site:
    • In the Cloudflare dashboard, click “Add a site” and enter the client’s domain name.
  2. Select a Plan:
    • Choose the appropriate plan based on the project requirements (e.g., Free, Pro, Business).
  3. Update DNS Records:
    • Cloudflare will scan for existing DNS records. Review these carefully.
    • If migrating an existing site, ensure all necessary records (A, CNAME, MX, TXT) are present.
  4. Change Nameservers:
    • Cloudflare will provide a new set of nameservers.
    • The client (or our team, if we have access) needs to update the nameservers at the domain registrar (e.g., GoDaddy, Namecheap).
    • This change can take up to 24 hours to propagate.
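Before the nameservers are switched, it is worth comparing the record export from the current DNS provider against what Cloudflare's scan found, so that a record missed by the scan (the scan only finds names it guesses) is caught while the old provider is still authoritative. The script below is an added example, not part of this document or of Cloudflare's tooling: it normalises the cosmetic differences that normally make such a comparison noisy (trailing dots, hostname case, TTLs that Cloudflare rewrites for proxied records) and reports anything present on only one side. Both record sets are constructed sample data using documentation addresses.

```python
"""Compare an exported DNS record set against Cloudflare's import scan.

Added example (not Cloudflare's own code). Both record lists below are
constructed sample data; in practice the first would come from the old
provider's zone export and the second from the Cloudflare scan result.
"""

from collections import Counter


def normalize(record):
    """Canonicalise one record so cosmetic differences do not show as drift.

    Hostnames and CNAME/MX/NS targets are case-insensitive and may or may
    not carry a trailing dot. TTLs are ignored on purpose: Cloudflare sets
    proxied records to TTL "auto", so they will always differ.
    """
    name = record["name"].rstrip(".").lower()
    rtype = record["type"].upper()
    content = record["content"]
    if rtype in ("CNAME", "MX", "NS"):
        content = content.rstrip(".").lower()
    # MX priority is part of the record's identity; default 0 if absent.
    priority = record.get("priority", 0) if rtype == "MX" else None
    return (name, rtype, content, priority)


def diff_records(exported, scanned):
    """Return (missing, unexpected) as sorted lists of normalised records.

    Counter arithmetic keeps duplicates honest: two identical A records on
    the old side and one on the new side still reports one as missing.
    """
    old = Counter(normalize(r) for r in exported)
    new = Counter(normalize(r) for r in scanned)
    missing = sorted((old - new).elements())
    unexpected = sorted((new - old).elements())
    return missing, unexpected


# Constructed sample export from the previous DNS provider.
EXPORTED_FROM_OLD_PROVIDER = [
    {"name": "example.com.", "type": "A", "content": "203.0.113.10", "ttl": 3600},
    {"name": "www.example.com.", "type": "CNAME", "content": "example.com.", "ttl": 3600},
    {"name": "example.com.", "type": "MX", "content": "mail.example.com.", "priority": 10},
    {"name": "example.com.", "type": "TXT", "content": "v=spf1 include:_spf.example.net -all"},
    {"name": "_dmarc.example.com.", "type": "TXT", "content": "v=DMARC1; p=reject"},
]

# Constructed sample of what the Cloudflare scan found: same data in a
# different shape, minus the _dmarc record the scan did not guess.
CLOUDFLARE_SCAN = [
    {"name": "example.com", "type": "A", "content": "203.0.113.10", "ttl": 1},
    {"name": "www.example.com", "type": "CNAME", "content": "EXAMPLE.COM", "ttl": 1},
    {"name": "example.com", "type": "MX", "content": "mail.example.com", "priority": 10},
    {"name": "example.com", "type": "TXT", "content": "v=spf1 include:_spf.example.net -all"},
]


def report(exported, scanned):
    """Print a human-readable summary and return True if nothing is missing."""
    missing, unexpected = diff_records(exported, scanned)
    for name, rtype, content, priority in missing:
        extra = f" priority={priority}" if priority is not None else ""
        print(f"MISSING on Cloudflare: {name} {rtype} {content}{extra}")
    for name, rtype, content, priority in unexpected:
        print(f"UNEXPECTED on Cloudflare: {name} {rtype} {content}")
    if not missing and not unexpected:
        print("Record sets match; safe to change nameservers.")
    return not missing


if __name__ == "__main__":
    report(EXPORTED_FROM_OLD_PROVIDER, CLOUDFLARE_SCAN)
```

Run it before step 4; a non-empty MISSING list means the record must be added in the Cloudflare dashboard first. TXT contents are compared case-sensitively on purpose, since SPF and DMARC values are not hostnames.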

Basic Security and Performance Configuration

Once the site is active on Cloudflare, perform the following initial configuration:

  • SSL/TLS:
    • Navigate to SSL/TLS > Overview.
    • Set the encryption mode to Full (Strict). This encrypts both legs of the connection (user to Cloudflare, and Cloudflare to our origin server) and has Cloudflare validate the origin’s certificate, so the origin must present a certificate Cloudflare trusts (a publicly trusted certificate or a Cloudflare Origin CA certificate); otherwise visitors will see a Cloudflare Error 526.
  • Auto Minify:
    • Navigate to Speed > Optimization.
    • Enable Auto Minify for JavaScript, CSS, and HTML.
  • Brotli:
    • In the same section, ensure Brotli compression is enabled.
  • Firewall Rules (Basic):
    • Navigate to Security > WAF > Firewall Rules.
    • Implement basic rules to block common threats, such as blocking traffic from known malicious IPs, or challenging requests from outside the client’s primary countries of operation (if applicable). Rules are evaluated in order, so place the block rule for known-bad sources before the geographic challenge rule.
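To make the intended behaviour of the two baseline rules concrete before they are entered in the dashboard, the script below models them and runs them over constructed sample requests. This is an added example, not part of this document and not a Cloudflare API call: the rule expressions are given in Cloudflare's rule-expression syntax for reference, but the matching is simulated locally. The country set, the IP list name `$known_malicious_ips` and the listed address ranges are constructed placeholders for the client's real values.

```python
"""Local simulation of the two baseline Cloudflare firewall rules.

Added example (not Cloudflare's code). Rules are evaluated in order and the
first matching rule's action wins, mirroring how Cloudflare processes
custom rules. All countries, IP ranges and requests below are constructed.
"""

import ipaddress
from collections import Counter

# Constructed: the client's primary countries of operation.
PRIMARY_COUNTRIES = {"GB", "IE"}

# Constructed placeholder for the contents of a Cloudflare IP List named
# $known_malicious_ips (documentation address ranges, not real threat data).
KNOWN_MALICIOUS_IPS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("192.0.2.7/32"),
]


def is_known_malicious(ip_text):
    """True if the client IP falls inside any listed range."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in KNOWN_MALICIOUS_IPS)


def outside_primary_countries(request):
    """True for non-bot traffic from outside the primary countries.

    Verified bots (cf.client.bot in Cloudflare terms, e.g. search crawlers)
    are exempted so the challenge does not hurt the client's SEO.
    """
    return (request["country"] not in PRIMARY_COUNTRIES
            and not request.get("verified_bot", False))


# (description, Cloudflare expression for reference, local predicate, action)
RULES = [
    ("block known malicious IPs",
     "ip.src in $known_malicious_ips",
     lambda req: is_known_malicious(req["ip"]),
     "block"),
    ("challenge traffic from outside primary countries",
     'not ip.geoip.country in {"GB" "IE"} and not cf.client.bot',
     outside_primary_countries,
     "managed_challenge"),
]


def evaluate(request):
    """Return (action, rule description) for the first matching rule,
    or ("allow", None) when no rule matches."""
    for description, _expression, predicate, action in RULES:
        if predicate(request):
            return action, description
    return "allow", None


def summarize(requests):
    """Count the actions the rule set would take over a batch of requests."""
    return Counter(evaluate(req)[0] for req in requests)


# Constructed sample requests, one per case worth checking.
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.5", "country": "GB"},                       # normal customer
    {"ip": "198.51.100.23", "country": "GB"},                     # listed IP, in-country
    {"ip": "203.0.113.9", "country": "DE"},                       # out-of-country visitor
    {"ip": "203.0.113.77", "country": "US", "verified_bot": True},  # search crawler
    {"ip": "192.0.2.7", "country": "US"},                         # listed IP and out-of-country
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        action, rule = evaluate(req)
        print(f"{req['ip']:>14} {req['country']}  ->  {action:<17} {rule or ''}")
    print(summarize(SAMPLE_REQUESTS))
```

The last sample request matches both rules; because the block rule is listed first it is blocked rather than challenged, which is why rule order matters when the rules are entered in the dashboard.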