CloudPanel Cloudflare Setup

How to Use Cloudflare with CloudPanel for Better Security

Integrating CloudPanel with Cloudflare represents a critical architectural decision for modern web infrastructure. This transition shifts the perimeter defense from the local network interface to a global edge network. CloudPanel acts as a high-performance orchestration layer for PHP, Node.js, and Python applications; however, exposed origin servers remain vulnerable to volumetric DDoS attacks and direct IP exploitation. By implementing a Cloudflare proxy, administrators achieve a hardened security posture through resource encapsulation and request filtering before traffic ever hits the server NIC. This setup addresses the problem of origin exposure by ensuring that all ingress traffic passes through the Cloudflare WAF. The result is a significant reduction in server-side CPU overhead and reduced latency through edge caching. This manual provides the protocol for establishing this secure tunnel and optimizing the interaction between the edge and the local control plane. High-end infrastructure requires this synergy to maintain 99.999% availability during traffic spikes or malicious targeting.

TECHNICAL SPECIFICATIONS

| Requirement | Default Port/Operating Range | Protocol/Standard | Impact Level (1-10) | Recommended Resources |
| :--- | :--- | :--- | :--- | :--- |
| CloudPanel Engine | Port 443, 8443 | TLS 1.3 / HTTP/2 | 10 | 2 vCPU / 4GB RAM |
| Cloudflare Proxy | Port 80, 443 | HTTPS / QUIC / IPv6 | 9 | Edge-based |
| Database Layer | Port 3306 | MySQL / MariaDB | 7 | Local SSD/NVMe |
| SSH / Shell Access | Port 22 | OpenSSH / Ed25519 | 8 | Key-based Auth Only |
| Internal Network | 10.0.0.0/8 | Private VPC | 6 | 10Gbps Virtual NIC |

THE CONFIGURATION PROTOCOL

Environment Prerequisites:

Successful deployment requires an existing Ubuntu 22.04 or 24.04 LTS instance with CloudPanel v2.x installed. The administrator must possess root or sudo privileges. A registered domain name pointed to Cloudflare Nameservers is mandatory. Ensure the server firewall allows ingress from Cloudflare IP ranges; failure to do so results in a 522 Timeout error.

Section A: Implementation Logic:

The philosophy of a CloudPanel Cloudflare Setup is rooted in the principle of defense in depth. By decoupling the entry point from the originating server, we introduce an additional layer of request validation. The edge serves as a buffer that absorbs sudden traffic spikes and the computational overhead of TLS handshakes. This architectural design ensures that application server CPU cycles are dedicated to execution logic rather than packet filtering. Hiding the origin IP address prevents direct-to-IP attacks, effectively making the server invisible to the public internet except through the Cloudflare gateway.

Step-By-Step Execution

1. DNS Record Provisioning

Update the DNS records in the Cloudflare Dashboard to include an A record pointing to the Public IP of the CloudPanel instance. Ensure the Proxy Status is set to “Proxied” (Orange Cloud).
System Note: This updates the zone's public DNS records. The proxy status ensures that the DNS query returns a Cloudflare Anycast IP instead of the true origin IP; this hides the physical geographic location of the server.

2. SSL/TLS Encryption Mode Selection

Navigate to the SSL/TLS tab and set the encryption mode to “Full (Strict)”.
System Note: This enforces an end-to-end encrypted tunnel. The “Strict” setting requires a valid certificate on the CloudPanel origin. This prevents “Man-in-the-Middle” (MITM) attacks by ensuring the edge only communicates with a server presenting a trusted certificate.

3. Generate Cloudflare Origin Certificates

In the Cloudflare Dashboard, go to SSL/TLS > Origin Server and click “Create Certificate”. Download the Origin Certificate (PEM) and the Private Key (KEY).
System Note: These certificates are signed by the Cloudflare Certificate Authority. They are not trusted by standard browsers but are trusted by the Cloudflare Edge, allowing for long-term (up to 15 years) secure communication without frequent renewals.

4. Installing Certificates in CloudPanel

Access the CloudPanel UI on port 8443. Navigate to the specific site and select the “SSL/TLS” tab. Choose “Actions” > “Import Certificate” and paste the PEM and KEY files.
System Note: This replaces the self-signed or Let’s Encrypt certificate. The Nginx worker processes will now use these keys to decrypt incoming edge traffic. This reduces the handshake overhead compared to public CA checks.

5. Configuring Nginx for Real IP Restoration

Create a new configuration file at /etc/nginx/conf.d/cloudflare.conf using a text editor like nano or vim.
System Note: By default, the origin server sees all traffic as coming from Cloudflare edge IPs. This step instructs the Nginx worker processes to extract the client IP from the CF-Connecting-IP header, which is essential for audit logs and application-level security logic.

6. Mapping Cloudflare IP Ranges

Insert the set_real_ip_from directives for all Cloudflare IPv4 and IPv6 ranges into the file created in Step 5. Add real_ip_header CF-Connecting-IP; at the end.
System Note: This tells Nginx to trust the CF-Connecting-IP header only when the connection comes from one of these specific IP ranges; the header is ignored from any other source, so it cannot be spoofed by a client connecting directly. Without this, security features like the CloudPanel IP Blocker will mistakenly ban Cloudflare’s edge nodes rather than the malicious actor.

7. Verifying Configuration and Reloading Services

Run the command nginx -t to verify syntax. If successful, execute systemctl reload nginx.
System Note: The reload command sends a SIGHUP signal to the Nginx master process. This allows the server to adopt new configurations without dropping active connections; it is a zero-downtime operation.
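The following script is an added example, not CloudPanel's or Cloudflare's own tooling: it generates the Step 5 and 6 configuration file from a file of Cloudflare CIDR ranges (fetched on the server from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6), rejects anything that is not a CIDR so nothing untrusted ends up in set_real_ip_from, and then runs the Step 7 check and reload. The sample ranges embedded at the bottom are constructed documentation addresses, not the real Cloudflare list.

```shell
#!/bin/sh
# Added example (not CloudPanel's or Cloudflare's own tooling): generate the
# real-IP config from Steps 5-7 out of a file of Cloudflare CIDR ranges.
# On the server, fetch the current published lists first, e.g.:
#   curl -fsS https://www.cloudflare.com/ips-v4 https://www.cloudflare.com/ips-v6 > /tmp/cf-ranges.txt
set -eu

# gen_cloudflare_conf RANGES_FILE OUT_FILE
# Writes one set_real_ip_from line per range, then real_ip_header, and prints
# the number of ranges written. Every range listed here is trusted to assert
# the client IP, so anything that is not a CIDR is rejected rather than guessed.
gen_cloudflare_conf() {
    cf_ranges="$1"; cf_out="$2"; cf_n=0
    {
        echo "# Trust CF-Connecting-IP only when the connection comes from a Cloudflare edge"
        while IFS= read -r cf_r || [ -n "$cf_r" ]; do
            cf_r="${cf_r%%#*}"                           # drop comments
            cf_r=$(printf '%s' "$cf_r" | tr -d ' \t\r')  # and stray whitespace
            [ -n "$cf_r" ] || continue
            case "$cf_r" in
                */*) ;;                                  # looks like a CIDR
                *) echo "skipping non-CIDR entry: $cf_r" >&2; continue ;;
            esac
            echo "set_real_ip_from $cf_r;"
            cf_n=$((cf_n + 1))
        done < "$cf_ranges"
        echo "real_ip_header CF-Connecting-IP;"
    } > "$cf_out"
    # An empty list would leave every visitor logged as a Cloudflare IP (see the
    # troubleshooting section), so fail loudly instead of installing a no-op file.
    [ "$cf_n" -gt 0 ] || { echo "no ranges written to $cf_out" >&2; return 1; }
    echo "$cf_n"
}

# Step 7: validate, then reload without dropping connections. Skipped when
# nginx is absent so the generator can be exercised on a workstation.
apply_nginx_conf() {
    command -v nginx >/dev/null 2>&1 || { echo "nginx not found; not reloading" >&2; return 0; }
    nginx -t && systemctl reload nginx
}

# Constructed sample input (documentation ranges, not the real Cloudflare list).
CF_SAMPLE=$(mktemp)
printf '%s\n' '# constructed sample' '192.0.2.0/24' '2001:db8::/32' 'not-a-range' > "$CF_SAMPLE"
CF_CONF="${CF_CONF:-$(mktemp)}"   # on the server: /etc/nginx/conf.d/cloudflare.conf
gen_cloudflare_conf "$CF_SAMPLE" "$CF_CONF" && apply_nginx_conf
```

Run it with CF_CONF=/etc/nginx/conf.d/cloudflare.conf and the fetched range file substituted for the sample to produce the real file.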

Section B: Dependency Fault-Lines:

A common bottleneck in this setup is a mismatch between the Maximum Transmission Unit (MTU) of the server’s NIC and the Cloudflare tunnel. If the payload exceeds the MTU, packet loss occurs. Another failure point is the “Redirect Loop” caused by keeping Cloudflare on “Flexible” mode while the origin forces HTTPS; use “Full (Strict)” to resolve this. Library conflicts might arise if outdated OpenSSL versions are present on the host OS; ensure the system is upgraded via apt update && apt upgrade.

THE TROUBLESHOOTING MATRIX

Section C: Logs & Debugging:

When a connection fails, the first point of audit is the CloudPanel Nginx error log located at /var/log/nginx/error.log.
– Error 521: Indicates the Nginx service is down or the firewall is blocking port 443. Use systemctl status nginx and ufw status to verify.
– Error 522: Suggests a routing issue or packet-loss at the network layer. Verify the origin IP in Cloudflare DNS matches the output of curl -4 icanhazip.com.
– Error 525/526: These relate specifically to the TLS handshake. Ensure the Origin Certificate is correctly pasted in the CloudPanel UI.
– Use tail -f /var/log/nginx/access.log to monitor real-time traffic. If the IP addresses visible are not the actual visitor IPs, re-examine the real_ip configuration in Step 6.

OPTIMIZATION & HARDENING

Performance Tuning:

To maximize throughput, enable Brotli compression in Cloudflare and ensure the CloudPanel server has Gzip enabled. For low-latency data delivery, configure the sysctl.conf file to use the BBR (Bottleneck Bandwidth and Round-trip propagation time) congestion control algorithm. Execute echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf followed by echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf. This changes how the kernel paces packet egress and noticeably improves throughput on high-latency, long-distance routes.

Security Hardening:

Implement a strict firewall policy. Once the Cloudflare proxy is active, the origin should only accept web traffic from Cloudflare IPs. Use iptables or ufw to drop any traffic on ports 80 and 443 that does not originate from the Cloudflare IP list. This prevents attackers from bypassing the WAF by scanning for the origin IP. Furthermore, disable the Server header in Nginx to prevent version-string disclosure.
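The script below is an added example, not CloudPanel's own tooling, for the firewall policy just described: it emits the ufw rules that drop everything on ports 80 and 443 except traffic from the Cloudflare ranges, printed as a reviewable plan rather than applied blindly. It assumes ufw is the firewall in use, that the range file is the one fetched from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6, and that a hypothetical ADMIN_CIDR management network is the only place SSH and the CloudPanel UI on 8443 should be reachable from directly.

```shell
#!/bin/sh
# Added example (not CloudPanel's own tooling) for the hardening section: emit
# the ufw rules that restrict 80/443 to the Cloudflare ranges. It prints a plan
# instead of applying it, so the rule set can be reviewed before it goes live.
# Assumptions: ufw is in use, the range file is the same one fetched from
# https://www.cloudflare.com/ips-v4 and /ips-v6, and ADMIN_CIDR (hypothetical)
# is the management network that may reach SSH and the CloudPanel UI directly.
set -eu

# cf_firewall_plan RANGES_FILE ADMIN_CIDR  -> one ufw command per line
cf_firewall_plan() {
    fw_ranges="$1"; fw_admin="$2"; fw_n=0
    printf 'ufw default deny incoming\n'       # anything not allowed below is dropped
    printf 'ufw default allow outgoing\n'
    # Put the management rule first so a bad range file cannot lock you out.
    printf 'ufw allow proto tcp from %s to any port 22,8443\n' "$fw_admin"
    while IFS= read -r fw_r || [ -n "$fw_r" ]; do
        fw_r="${fw_r%%#*}"; fw_r=$(printf '%s' "$fw_r" | tr -d ' \t\r')
        [ -n "$fw_r" ] || continue
        case "$fw_r" in
            */*) ;;
            *) echo "skipping non-CIDR entry: $fw_r" >&2; continue ;;
        esac
        printf 'ufw allow proto tcp from %s to any port 80,443\n' "$fw_r"
        fw_n=$((fw_n + 1))
    done < "$fw_ranges"
    # With no Cloudflare ranges the site would be unreachable; stop rather than
    # enabling a firewall that only admits the management network.
    [ "$fw_n" -gt 0 ] || { echo "no Cloudflare ranges found; plan aborted" >&2; return 1; }
    printf 'ufw --force enable\n'
}

# Apply a reviewed plan line by line (run as root on the server).
cf_firewall_apply() {
    fw_plan=$(cf_firewall_plan "$1" "$2") || return 1
    printf '%s\n' "$fw_plan" | while IFS= read -r fw_cmd; do
        echo "+ $fw_cmd"; $fw_cmd
    done
}

# Constructed sample input; on the server point it at the fetched range file.
FW_SAMPLE=$(mktemp)
printf '%s\n' '# constructed sample' '192.0.2.0/24' '2001:db8::/32' > "$FW_SAMPLE"
cf_firewall_plan "$FW_SAMPLE" "${ADMIN_CIDR:-203.0.113.0/24}"
```

Regenerate and re-apply the plan whenever Cloudflare's published ranges change, otherwise new edge nodes will be dropped and surface as 522 errors.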

Scaling Logic:

As traffic increases, the bottleneck typically shifts from the network to the database. Monitor the I/O Wait on the CloudPanel instance. If the throughput exceeds 500 requests per second, consider offloading the database to a dedicated instance and utilizing Cloudflare Load Balancing to distribute traffic across multiple CloudPanel origins. This ensures horizontal scalability while maintaining the security encapsulation provided by the edge.

THE ADMIN DESK

How do I fix the “Invalid SSL” error after setup?

Ensure Cloudflare is set to “Full (Strict)” and that you have imported the Origin Certificate into CloudPanel. If the error persists, verify that the system time on your server is synchronized using timedatectl.

Why am I seeing Cloudflare IPs in my logs?

The ngx_http_realip_module is likely missing or misconfigured. Ensure the set_real_ip_from directives are included in your Nginx configuration and that you have reloaded the service using systemctl reload nginx.

Can I use Cloudflare and Let’s Encrypt together?

Yes; however, “Full (Strict)” mode is preferred with Origin Certificates for long-term stability. If using Let’s Encrypt, ensure the proxy is temporarily disabled during the initial challenge or use the DNS-01 challenge via the Cloudflare API.

How do I block specific countries using this setup?

Use Cloudflare WAF Custom Rules. Since the traffic is encapsulated by Cloudflare, you can block requests by country (geolocation) at the edge before the payload ever reaches your CloudPanel instance, saving server bandwidth and processing power.

Will Cloudflare slow down my CloudPanel site?

On the contrary; Cloudflare’s edge caching and Tiered Cache architecture reduce the distance packets travel. By offloading static assets and TLS termination to the edge, the origin server experiences lower latency and higher available throughput for dynamic requests.
