Using Cloudflare's Proxy Feature
When you manage DNS through Cloudflare, each record has a proxy status toggle represented by an orange cloud (proxied) or grey cloud (DNS only). Enabling the orange cloud routes traffic through Cloudflare's network, providing performance and security benefits.
What the Orange Cloud Does
When Cloudflare proxy is enabled on a DNS record:
- All HTTP/HTTPS traffic is routed through Cloudflare's global network before reaching your server.
- Your server's real IP address is hidden from the public, protecting against direct attacks.
- Cloudflare provides DDoS protection, blocking malicious traffic before it reaches your server.
- Static content (images, CSS, JavaScript) is cached at Cloudflare's edge locations, reducing load on your server and speeding up delivery to visitors worldwide.
- Cloudflare's free SSL/TLS is applied, encrypting traffic between visitors and Cloudflare.
How to Enable the Proxy
- Log in to your Cloudflare dashboard and select your domain.
- Navigate to DNS > Records.
- Find the record you want to proxy (A or CNAME records).
- Click the grey cloud icon to toggle it to orange (proxied).
- The change takes effect within a few minutes.
When to Use the Orange Cloud
- A records for your website (root domain and www) — almost always enable the proxy.
- CNAME records for subdomains serving web content.
When to Keep the Grey Cloud (DNS Only)
- MX records: Email records must not be proxied. Cloudflare does not proxy email traffic.
- Mail subdomain: The A record for
mail.yourdomain.comshould remain DNS only. - FTP/SSH: Non-HTTP services need direct access to your server IP.
- SRV records: Cannot be proxied through Cloudflare.
- Custom ports: Cloudflare only proxies traffic on specific ports (80, 443, 8080, 8443, and a few others).
SSL Considerations
When using the Cloudflare proxy, set your SSL/TLS mode to Full (Strict) in the Cloudflare dashboard to ensure end-to-end encryption between visitors, Cloudflare, and your origin server.