
Support for CloudFlare

If you are using CloudFlare (the CDN) and want to add our WAF/Firewall protection to your website, this guide should help you get that configured.

There are two known issues you should be aware of before proceeding:

1) Sucuri Firewall (D)DoS Protection will still work when CloudFlare is in place. However, we are unable to block (D)DoS attackers’ IP addresses using the IDS (Intrusion Detection System), because the IP addresses hitting us belong to CloudFlare, which we can’t block at the network level. This network design limitation decreases the efficiency of the (D)DoS Protection.

2) Let’s Encrypt SSL will not be issued if you are using CloudFlare in front of Sucuri Firewall. You must upload your own SSL certificate or disable CloudFlare until the Let’s Encrypt SSL is issued, which could take a couple of hours after DNS changes.

Because of our caching technology and global Anycast CDN, an additional CDN often will not improve performance further for most sites.

Now, let’s proceed to the steps. We’ll need to set up the following:

  1. Sucuri Firewall pointing to your hosting provider, as it normally is.
  2. CloudFlare pointing to the Sucuri Firewall.

Note: If you find this process complicated, open a support ticket and we’ll help you set it up.

Step by Step

1) Enable the CDN option on the Sucuri Firewall dashboard and set it to CloudFlare, as in this image:

Sucuri Firewall External CDN Settings

2) On the Sucuri Firewall side, make sure that the Hosting IP address is actually pointing to your hosting company’s IP address and not to CloudFlare.

If the site was previously live at CloudFlare when you added it to Sucuri Firewall, you will need to manually edit the hosting IP address to point to your web server.

3) Inside CloudFlare’s Zone File for your domain, add our Firewall IP address as the main A record:

CloudFlare Editing Zone

Also, set CloudFlare to active if it does not have the “orange” cloud. If you want to use the Let’s Encrypt SSL provided by Sucuri Firewall, change the icon to orange only a couple of hours after editing the DNS.

That’s it. For other CDN providers, the process and known issues are pretty similar.
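A sanity check for the finished chain (visitor, CloudFlare, Sucuri Firewall, web server), as an added example that is not part of the original Sucuri documentation. The IP addresses are constructed placeholders from documentation ranges (use the firewall IP shown in your own dashboard), the CloudFlare networks are a subset of CloudFlare's published IPv4 list and are assumed to be current, and `check_chain` is a hypothetical helper.

```python
import ipaddress

# Subset of CloudFlare's published IPv4 ranges (assumption: refresh this from
# CloudFlare's current list before relying on the result).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13",
)]


def is_cloudflare(ip):
    """True if ip falls inside one of the CloudFlare ranges listed above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_NETS)


def check_chain(hosting_ip, zone_a_record, firewall_ip, public_ips):
    """Return the problems found in a CloudFlare -> Sucuri -> host setup.

    hosting_ip    -- Hosting IP address configured on the Sucuri Firewall side
    zone_a_record -- main A record stored in the CloudFlare zone
    firewall_ip   -- Firewall IP address assigned to the site
    public_ips    -- addresses that public DNS returns for the domain
    """
    problems = []
    # Step 2: the firewall must forward to the web server, not back to the CDN.
    if is_cloudflare(hosting_ip):
        problems.append("hosting IP is a CloudFlare address (request loop)")
    if ipaddress.ip_address(hosting_ip) == ipaddress.ip_address(firewall_ip):
        problems.append("hosting IP is the firewall itself")
    # Step 3: the zone's main A record must be the Firewall IP address.
    if ipaddress.ip_address(zone_a_record) != ipaddress.ip_address(firewall_ip):
        problems.append("zone A record does not point to the firewall")
    # Orange cloud active: public answers are CloudFlare edge addresses.
    if not public_ips or not all(is_cloudflare(ip) for ip in public_ips):
        problems.append("public DNS does not resolve to CloudFlare (orange cloud off)")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real customer or Sucuri addresses.
    print(check_chain("203.0.113.25", "192.0.2.10", "192.0.2.10", ["104.16.1.1"]))
    print(check_chain("104.16.1.1", "203.0.113.25", "192.0.2.10", ["192.0.2.10"]))
```

The "orange cloud off" finding is expected while you wait for the Let’s Encrypt SSL to be issued, as described in step 3.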