# Cloudflare

> SSL modes, DDoS protection, redirects, cache

Cloudflare sits between your visitor and your site: it provides free SSL (HTTPS) and protection against attacks. **Most people don't need to set anything up** — it's already on for Lumi domains. This page is handy if you want to switch the SSL mode, raise the protection level, set up a redirect, or connect an external domain.

<Info>
  Every Lumi domain is automatically connected to Cloudflare right after registration — SSL and baseline DDoS protection are on with no action needed.
</Info>

Management: **My Domains** → domain → **Cloudflare settings**.

## What you can set in the bot

The **Cloudflare settings** section gives you:

| Setting             | Values                                                |
| ------------------- | ----------------------------------------------------- |
| **SSL mode**        | Off / Flexible / Full / Full (strict)                 |
| **DDoS protection** | Off / Low / Medium / High / Under Attack              |
| **Redirects**       | 301/302 to another domain                             |
| **Purge cache**     | clear the Cloudflare cache after changes to your site |

<Note>
  If the domain's NS aren't on Cloudflare, the bot first offers to switch them automatically — without that, SSL, DNS, and redirects won't work.
</Note>

## SSL modes

The mode determines how traffic between Cloudflare and your server is encrypted.

| Mode              | When you need it                                                       |
| ----------------- | ---------------------------------------------------------------------- |
| **Off**           | HTTPS disabled. Almost never needed.                                   |
| **Flexible**      | No certificate on the server. Only as a stopgap.                       |
| **Full**          | Self-signed or expired certificate.                                    |
| **Full (strict)** | Valid certificate on the server. **Recommended for production sites.** |

<Warning>
  On **Flexible**, with an HTTP→HTTPS redirect enabled on the server, you get a "Too many redirects" error. The fix is Full (strict), or removing the redirect on the server side.
</Warning>
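
Why the loop happens, shown as an added example that is not part of the original page: a small offline model of a browser, Cloudflare and the server. It assumes Flexible always reaches the server over plain HTTP while the Full modes reuse the visitor's scheme; `example.com` and all function names are made up for the illustration.

```python
from urllib.parse import urlsplit

MAX_REDIRECTS = 20  # assumed browser limit before "Too many redirects"


def origin_scheme(ssl_mode, visitor_scheme):
    """Scheme Cloudflare uses on the Cloudflare <-> server leg (modelled)."""
    if ssl_mode == "Flexible":
        return "http"              # server leg is always plain HTTP
    if ssl_mode in ("Full", "Full (strict)"):
        return visitor_scheme      # server leg mirrors the visitor's scheme
    raise ValueError(f"mode not modelled: {ssl_mode}")


def origin_response(scheme_seen, forces_https, host, path):
    """Simulated server: optionally redirects plain-HTTP requests to HTTPS."""
    if forces_https and scheme_seen == "http":
        return 301, f"https://{host}{path}"
    return 200, None


def browse(ssl_mode, forces_https, url="http://example.com/"):
    """Follow redirects like a browser; return (outcome, URLs requested)."""
    chain = []
    for _ in range(MAX_REDIRECTS + 1):
        chain.append(url)
        parts = urlsplit(url)
        status, location = origin_response(
            origin_scheme(ssl_mode, parts.scheme), forces_https,
            parts.netloc, parts.path or "/")
        if status == 200:
            return "ok", chain
        if location in chain:      # same URL again: the browser would give up
            return "redirect loop", chain + [location]
        url = location
    return "too many redirects", chain


if __name__ == "__main__":
    for mode, redirect in [("Flexible", True), ("Flexible", False),
                           ("Full (strict)", True)]:
        outcome, chain = browse(mode, redirect)
        print(f"{mode:14} server redirect={redirect!s:5} -> {outcome}: "
              + " -> ".join(chain))
```

On Flexible the server never sees HTTPS, so its redirect fires on every request; both fixes from the warning end the chain with a normal response.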

## DDoS protection

You set the level in **Cloudflare settings**:

| Level                   | When to enable                                                                           |
| ----------------------- | ---------------------------------------------------------------------------------------- |
| **Off**                 | Protection disabled. Not recommended.                                                    |
| **Low / Medium / High** | Baseline filtering. The higher the level, the stricter the checks on suspicious traffic. |
| **Under Attack**        | During an active attack: every visitor sees a short challenge before entering.           |

<Tip>
  Medium is enough for everyday use. Turn on **Under Attack** only during a real attack — it adds a challenge delay for visitors.
</Tip>

## Redirects

**Cloudflare settings → Redirects → Add.** Enter the target domain with `https://` and pick the code: `301` (permanent, recommended) or `302` (temporary).

<Steps>
  <Step title="Make sure there's an A record">
    A redirect only works if the domain has an A record. For Lumi domains, the bot creates it for you.
  </Step>

  <Step title="If there's no server">
    If the domain is in your own Cloudflare account and there's no server, create an A record on the root with the address `192.0.2.1` (a documentation IP from RFC 5737 — it leads nowhere, but Cloudflare accepts it as valid).
  </Step>

  <Step title="Check the record's settings">
    The record must be proxied (orange cloud), and the domain's NS must be Cloudflare.
  </Step>
</Steps>

## Connecting an external domain to Cloudflare

Lumi domains are already on Cloudflare. If a domain was bought elsewhere, connect it manually:

<Steps>
  <Step title="Add the site">
    At [dash.cloudflare.com](https://dash.cloudflare.com/) → **Add a site** → enter the domain → choose the **Free** plan.
  </Step>

  <Step title="Copy the NS">
    Cloudflare gives you two addresses like `xxx.ns.cloudflare.com`.
  </Step>

  <Step title="Change the NS at your registrar">
    Set these NS at the domain's current registrar. Propagation usually takes 10–30 minutes, sometimes up to 24 hours.
  </Step>

  <Step title="Enable SSL and HTTPS">
    **SSL/TLS → Overview** → set mode to **Full (strict)** (requires a valid certificate on the server). Turn on **Always Use HTTPS**.
  </Step>
</Steps>

<Note>
  Want to host a static site or landing page? Run it on a [VPS](/en/vps/start) or build it in your own Cloudflare Pages account, then point the domain at it via DNS or a redirect. There's no in-bot site upload.
</Note>

## Fine print

<AccordionGroup>
  <Accordion title="HSTS — be careful" icon="lock">
    <Warning>
      **HSTS** forces the browser to reach the site over HTTPS only. Enable it only with consistently working HTTPS: if HTTPS later breaks, visitors won't be able to get in for months, and there's no quick rollback.
    </Warning>
  </Accordion>

  <Accordion title="Your own SSL instead of Cloudflare" icon="certificate">
    Want end-to-end encryption with your own certificate, no middleman? In **DNS settings**, turn off proxying on the relevant record — the orange cloud turns grey. You lose the cache, IP hiding, and some of the protection, but you can install your own certificate. How to install it — [SSL and Let's Encrypt](/en/vps/ssl).
  </Accordion>
</AccordionGroup>
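
To see how long an HSTS policy locks browsers in before you enable it, the header value can be parsed offline. This is an added example, not part of the original page; the function names and the sample header value are constructed for illustration.

```python
SECONDS_PER_DAY = 86400


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value (RFC 6797, section 6.1)."""
    seen = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()            # directive names are case-insensitive
        if name in seen:
            raise ValueError(f"directive repeated: {name}")
        seen[name] = value.strip().strip('"')  # the value may be a quoted string
    max_age = seen.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):
        raise ValueError("max-age is required and must be a whole number of seconds")
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in seen,
    }


def lock_in_report(header):
    """Describe what a browser that has seen this header does, and for how long."""
    policy = parse_hsts(header)
    if policy["max_age"] == 0:
        # Clearing only takes effect when the header arrives over working HTTPS,
        # which is why a broken certificate leaves no quick rollback.
        return "max-age=0: browsers drop the stored policy on their next HTTPS visit"
    days = policy["max_age"] / SECONDS_PER_DAY
    scope = ("the domain and all subdomains" if policy["include_subdomains"]
             else "the domain")
    return f"HTTPS-only for {scope} for {days:.0f} days after each visit"


if __name__ == "__main__":
    # Constructed sample value, not taken from a real site.
    print(lock_in_report("max-age=15552000; includeSubDomains"))
```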

<Note>
  Advanced settings live in your own account on cloudflare.com. Errors like 521 / 522 / 525 are covered on the [Domain not working](/en/domains/troubleshooting) page.
</Note>

<CardGroup cols={2}>
  <Card title="DNS records" icon="list" href="/en/domains/dns">
    A, CNAME, MX, TXT, and TTL values.
  </Card>

  <Card title="Domain not working" icon="triangle-exclamation" href="/en/domains/troubleshooting">
    A diagnostic checklist for DNS and Cloudflare errors.
  </Card>
</CardGroup>
