How to Install Cloudflare on Your VPS
Cloudflare is one of the most widely used tools for improving website security, performance, and reliability. If you're running a VPS (Virtual Private Server), integrating Cloudflare isn't about installing software on the server itself — it's about routing your domain's traffic through Cloudflare's global network. Understanding exactly what that means, and how to do it, clears up a lot of confusion.
What "Installing Cloudflare" Actually Means
Cloudflare doesn't run as a traditional application on your VPS. Instead, it sits between your visitors and your server as a reverse proxy. When someone visits your domain, their request hits Cloudflare's network first. Cloudflare then forwards it to your VPS, returns the response, and handles caching, DDoS filtering, SSL termination, and more along the way.
This means the setup happens at the DNS level, not at the server level — at least for the core product. You point your domain's nameservers to Cloudflare, and Cloudflare becomes the authoritative DNS provider for that domain.
There are two distinct integration paths worth knowing:
- Cloudflare DNS proxy (the standard setup): Your domain routes through Cloudflare's network. Your VPS IP is hidden behind Cloudflare's IP addresses.
- Cloudflare Tunnel (formerly Argo Tunnel): A lightweight daemon (cloudflared) runs on your VPS and creates an outbound connection to Cloudflare. No open inbound ports required.
Step-by-Step: Standard Cloudflare Setup via DNS
This is the most common approach and works for nearly any VPS running a web server (Nginx, Apache, Caddy, etc.).
1. Create a Cloudflare Account and Add Your Domain
Sign up at cloudflare.com, then click Add a Site and enter your domain name. Cloudflare will scan your existing DNS records automatically.
2. Review and Confirm DNS Records
Cloudflare imports your current DNS records. Check that your A record (which points your domain to your VPS IP address) is present and correct. You'll see an orange cloud icon next to records — this means traffic for that record is proxied through Cloudflare. A grey cloud means DNS-only (no proxy).
3. Change Your Domain's Nameservers
Cloudflare will provide two custom nameservers (e.g., ns1.cloudflare.com, ns2.cloudflare.com). Log into your domain registrar (wherever you bought your domain — GoDaddy, Namecheap, Google Domains, etc.) and replace the existing nameservers with the ones Cloudflare provides.
DNS propagation typically takes anywhere from a few minutes to 48 hours, though it's usually much faster.
4. Verify Activation
Back in the Cloudflare dashboard, your site status will change to Active once propagation is complete. At this point, traffic to your domain routes through Cloudflare before reaching your VPS.
Setting Up Cloudflare Tunnel on a VPS 🔧
If you want a Cloudflare Tunnel — useful when your VPS is behind a firewall, doesn't have a public IP, or you want to avoid exposing ports — the process involves running a daemon on the server itself.
Install the cloudflared Daemon
On a Debian/Ubuntu VPS:
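```bash
# Install Cloudflare's package signing key (-f makes curl fail on an HTTP error instead of saving the error page as the key)
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
# Add the repository; "jammy" is the Ubuntu 22.04 codename, so use your own release's codename (lsb_release -cs prints it)
echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared jammy main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
# Install the daemon
sudo apt update && sudo apt install cloudflared
```
For RHEL/CentOS-based systems, Cloudflare provides an RPM package via their package repository.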
Authenticate and Create a Tunnel
```bash
# Authorize this server against your Cloudflare account
cloudflared tunnel login
# Create the tunnel and its credentials file
cloudflared tunnel create my-tunnel
```
You'll then create a configuration file mapping the tunnel to your local service (e.g., your web server running on localhost:80 or localhost:443), and run the tunnel as a system service.
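One way to generate that configuration file, added here as an example (not code from the original page or from Cloudflare). The function name `render_tunnel_config`, the all-zero tunnel UUID, the `/root/.cloudflared` directory and `www.example.com` are placeholders, and accepting only loopback services is a choice made for this example.

```bash
#!/bin/sh
# Added example: render a cloudflared config.yml mapping hostnames to local services.
# Usage: render_tunnel_config TUNNEL_UUID CRED_DIR HOSTNAME=SERVICE [HOSTNAME=SERVICE ...]
render_tunnel_config() {
  tunnel_id=$1; cred_dir=$2
  [ "$#" -ge 3 ] || { echo "need a tunnel id, a directory and a mapping" >&2; return 1; }
  shift 2
  # `cloudflared tunnel create` reports the tunnel's UUID; reject anything else.
  printf '%s\n' "$tunnel_id" |
    grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' ||
    { echo "tunnel id must be a UUID" >&2; return 1; }
  # Validate every mapping before printing, so a bad one yields no output.
  for map in "$@"; do
    case ${map#*=} in
      http://localhost:*|https://localhost:*|http://127.0.0.1:*|https://127.0.0.1:*) ;;
      *) echo "service must be a loopback URL: $map" >&2; return 1 ;;
    esac
  done
  printf 'tunnel: %s\n' "$tunnel_id"
  printf 'credentials-file: %s/%s.json\n' "$cred_dir" "$tunnel_id"
  printf 'ingress:\n'
  for map in "$@"; do
    printf '  - hostname: %s\n    service: %s\n' "${map%%=*}" "${map#*=}"
  done
  # cloudflared requires the last ingress rule to be a catch-all.
  printf '  - service: http_status:404\n'
}

# Constructed values: the all-zero UUID and www.example.com are placeholders.
render_tunnel_config 00000000-0000-0000-0000-000000000000 /root/.cloudflared \
  www.example.com=http://localhost:80

# Follow-up commands on the server (need cloudflared and a logged-in account):
#   cloudflared tunnel ingress validate                     # check the ingress rules
#   cloudflared tunnel route dns my-tunnel www.example.com  # create the DNS record
#   sudo cloudflared service install                        # run as a system service
```

Redirect the output to the `config.yml` that cloudflared reads, using the UUID and credentials directory reported by `cloudflared tunnel create`.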
Key Variables That Affect Your Setup
The right approach depends on several factors specific to your environment:
| Factor | Impact |
|---|---|
| VPS operating system | Package install commands differ between Debian, Ubuntu, CentOS, and Arch |
| Web server software | SSL/TLS config in Nginx or Apache needs to align with Cloudflare's SSL mode |
| SSL/TLS mode | Flexible, Full, or Full (Strict) — wrong choice causes redirect loops or insecure connections |
| Firewall rules | You may want to restrict your VPS to only accept traffic from Cloudflare's IP ranges |
| Use of Cloudflare Tunnel | Eliminates need for open inbound ports but requires daemon management |
SSL Configuration Matters More Than Most Expect 🔒
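One of the most common post-setup problems is a redirect loop caused by SSL misconfiguration. If your VPS doesn't have a valid SSL certificate but Cloudflare's SSL mode is set to "Full (Strict)," the connection will fail. If it's set to "Flexible" while your server also redirects HTTP to HTTPS, you'll get a loop: in Flexible mode Cloudflare connects to your server over plain HTTP, so the server answers every request with a redirect to HTTPS, and the visitor's browser, which is already on HTTPS, is sent around again.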
The safest configuration for most VPS setups is Full (Strict) with a valid certificate on the server — either from Let's Encrypt (free, via Certbot) or Cloudflare's own Origin Certificate.
Locking Down Your VPS After Setup
Once Cloudflare is proxying your traffic, your VPS's real IP is shielded — but only if you configure your firewall correctly. If someone discovers your VPS IP through historical DNS records or other means, they can bypass Cloudflare entirely.
To prevent this, restrict incoming web traffic (ports 80 and 443) to Cloudflare's published IP ranges only. Cloudflare maintains an up-to-date list at cloudflare.com/ips. Tools like ufw, iptables, or your VPS provider's firewall panel make this straightforward.
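One way to build that allowlist with ufw, added here as an example (not code from the original page or from Cloudflare). The function names `is_cidr` and `gen_ufw_rules` are hypothetical and the sample ranges are constructed documentation prefixes; the script prints the rules and leaves applying them to you.

```bash
#!/bin/sh
# Added example: build a ufw allowlist for ports 80/443 from a list of CIDR ranges.
# It only prints the commands; review them, then run them with sudo.

OCTET='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'

# True if $1 looks like an IPv4 or IPv6 CIDR block (IPv6 is a shape check only).
is_cidr() {
  printf '%s\n' "$1" | grep -Eq \
    -e "^($OCTET\.){3}$OCTET/(3[0-2]|[12]?[0-9])\$" \
    -e '^[0-9A-Fa-f]*:[0-9A-Fa-f:]*/(12[0-8]|1[01][0-9]|[1-9]?[0-9])$'
}

# Reads one CIDR per line on stdin and prints one ufw rule per range.
# Fails closed: a single malformed line (an HTML error page, a truncated
# download) rejects the whole list instead of producing a partial allowlist.
gen_ufw_rules() {
  rules=''
  while IFS= read -r cidr || [ -n "$cidr" ]; do
    cidr=$(printf '%s' "$cidr" | tr -d ' \t\r')
    [ -n "$cidr" ] || continue
    if ! is_cidr "$cidr"; then
      echo "refusing list: invalid entry '$cidr'" >&2
      return 1
    fi
    rules="${rules}ufw allow proto tcp from $cidr to any port 80,443
"
  done
  [ -n "$rules" ] || { echo "refusing list: no ranges found" >&2; return 1; }
  printf '%s' "$rules"
}

# Constructed sample input (documentation ranges, not Cloudflare's real list).
gen_ufw_rules <<'EOF'
192.0.2.0/24
2001:db8::/32
EOF

# Against the live lists (the echo guards against a missing final newline):
#   { curl -fsSL https://www.cloudflare.com/ips-v4; echo; \
#     curl -fsSL https://www.cloudflare.com/ips-v6; } | gen_ufw_rules
# The allowlist only takes effect once incoming traffic is denied by default
# (ufw default deny incoming) and broad rules such as "ufw allow 80/tcp" are
# deleted; keep your SSH rule in place before enabling it.
```

Cloudflare's ranges change occasionally, so regenerate the rules from cloudflare.com/ips on a schedule and remove entries that are no longer listed.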
Where Individual Setup Diverges
The steps above cover the standard path, but your specific configuration — your OS version, web server stack, whether you're running containerized services, your SSL certificate situation, and how your VPS firewall is currently configured — determines exactly what you'll encounter and what additional adjustments you'll need to make. The core mechanics are the same; the edge cases are where setups start to look meaningfully different from one another.