September 11, 2019

How I overcame technical difficulties and got my Bluehost websites on Cloudflare


Cloudflare is a content delivery network that protects websites from attacks and unwanted traffic, as well as keeping them online when hosting servers go down. I had my websites on Cloudflare, but left it. Recently, I decided to get back on the service, but it turned out to be more difficult than I anticipated.

Background Information

When I wrote this article, all of my websites were hosted on a shared Bluehost server. One of the available free upgrades was to protect or proxy my website content on a service called Cloudflare. I first got on Cloudflare about 3 years ago after my main website, wizcrafts.net, became a target for spammers and exploit attacks. When you join Cloudflare they route your web traffic through their servers, adding a firewall between the Internet and your website. That firewall automatically blocks tons of known exploit probes without any user interaction. You can further configure the firewall to varying extents depending on whether you have a free account, or are a paying customer. When I first joined, I added many of the IP addresses (in CIDR format) that were either probing me for vulnerable scripts, or attempting to post spam comments on my blog and contact forms. There was also a constant stream of what is known as "referer spam" in my server's access logs. By placing my websites behind the Cloudflare firewall, I got rid of most of these annoyances. However, because Cloudflare substituted its own IP addresses in place of the originals, I couldn't identify the source IP addresses like before. This interfered with my ongoing blocklist work that depended on seeing originating IP addresses in the logs.

After years of laboriously compiling and publishing IP addresses belonging to countries I wanted to block, my time at home grew shorter as other business pursuits took its place. First, I stopped publishing iptables blocklists altogether. Then, I slowed down updating my .htaccess blocklists, which were already pretty effective. I still update the .htaccess blocklists using other means of identifying the source IP addresses, just not as often.

After being off Cloudflare for about 1 year, I decided to go back onto it. Previously, all I had to do was log into my hosting provider's control panel and activate Cloudflare for each of my hosted domains. My web host at the time was Bluehost and they were a designated partner company for integrated Cloudflare activations. Back then, within a few hours of activating Cloudflare, my websites were fully protected and online with Cloudflare. Not so this time around.

To be fair, my previous term on Cloudflare was before I obtained a Let's Encrypt SSL Certificate and my web pages were all delivered as HTTP, not HTTPS. Converting from HTTP into HTTPS was a major undertaking which I detailed in this blog post. In my extended comments, I will outline the obstacles I encountered getting back on Cloudflare and the steps I took to overcome them. Suffice it to say that I am now fully on Cloudflare, with green padlocks for HTTPS and all email and ftp systems online and accessible.

The Nuts and Bolts of the matter

When I reactivated the Cloudflare account via my Bluehost cpanel, everything seemed to proceed like before. But, the problems soon became apparent when, after a few hours, I reloaded one of my web pages (in Firefox) and it wouldn't open at all. Instead, this strange error message appeared in the now blank tab: Error code: SSL_ERROR_NO_CYPHER_OVERLAP. Oh oh! I verified that something was wrong in Microsoft Edge. Now what?

Cloudflare has a toggle switch feature on the main Dashboard page for each website to pause or disable Cloudflare on that website. I tried pausing, then disabling, but nothing changed regarding the blank web page. So, I logged back into my cpanel on Bluehost and disabled the redirect to Cloudflare from there. My HTTPS web pages came back online almost instantly. However, I could no longer log in via ftp to upload files! This began what would turn into a 2 week fight to get my websites on Cloudflare without errors or malfunctions.

I opened a trouble ticket with Cloudflare support and got several replies. One of them explained that the cryptic error was because the SSL certificate issued by Bluehost was incompatible with the one issued by Cloudflare. But, both were issued by the same company: Let's Encrypt! I called Bluehost and they said all was normal on their end; it must be a Cloudflare issue. But, Cloudflare support told me something was wrong on Bluehost's end and that it was a known problem to Cloudflare support. They also explained why I lost the ability to ftp and how to fix it. It is because Bluehost's implementation of Cloudflare is broken due to the way they implement the free Let's Encrypt SSL certificates. They conflict with those issued by Cloudflare. Websites that have not activated a free SSL certificate on Bluehost won't have the same problems as I had. If you are hosted with a different company you may or may not run into these problems.

The best solution, according to Cloudflare support, was to restore everything back to its default state under the DNS settings on Bluehost then set everything up on Cloudflare. This is how the settings were before I attempted to change to Cloudflare. Then, here comes the fun part, I had to log into Cloudflare directly and set up my routing manually. I already had an account from my previous term with them, so the credentials were still valid. If you are new to this, you will have to set up an account with Cloudflare. There are totally free accounts, so go with that to start out. When you come to the sign up page and see several squares with account details, click or press inside, or on the button under the one labeled "Free." With your Cloudflare account accepted and activated, proceed as follows.

Be prepared to access your domain registrar. If it is the same as where your files are hosted, log into your hosting account and find the section for domains. Otherwise, log into your domain Registrar account and get ready to edit the DNS and Name Servers. If you have more than one domain name with that account that you want on Cloudflare, queue them up.

  1. When logged into your Cloudflare account, Add a "Site" (domain) you want on there. Type only the registered domain name itself, without http://, or www, or anything else, as in: example.com
  2. Click on the Continue button to set up the "DNS" servers and "proxies".
  3. Fun part: When the DNS page loads on Cloudflare, it may show anywhere from 0 to 19 or more records found! Press the browser's refresh icon until you get at least 10 to 14 or more DNS records showing (I have 19 records showing). Cloudflare polls your web hosting account for the domain you added to see what records are on file. This is important!
  4. Once you get a good set of records showing, make sure that the only ones with an orange cloud icon (proxied by Cloudflare) are the A records for your domain.com (or .net, .org, etc.) and for the "www" version, which might be either an "A" or a "CNAME" record. If you also have a .m mobile sub-domain that serves web pages, it can also have an orange cloud.
  5. All other DNS records MUST have gray clouds and must point to the numeric IP address of your web host's server. This should already be filled in on Cloudflare, but you can verify it in your web host's control panel. Somewhere in the summary there will be the IP address of your server (whether shared or dedicated). Write down your server's IP address, or copy and save it for later use in this process.*
  6. The orange cloud icon services are proxied by Cloudflare and should not include email, ftp, SOA, TXT, or other non-HTTP services.
  7. With the DNS entries completed, click to continue to the next step: changing the Name Servers for your domain.
  8. Log into your domain Registrar (or web host if they are also the Registrar on record), load the domains page, open its settings and expand the page for DNS and Name Servers. You should already have the name server for your web host listed. These need to be edited or removed and replaced with the two Name Servers provided to you by Cloudflare on the DNS Management page. The prefixes vary, but will include cloudflare.com. For example, in my account, one is called "gina.cloudflare.com" and the other is "mark.cloudflare.com".
  9. Add the two Cloudflare name servers, then delete the original name servers that pointed to your web host.
  10. Once you make and save the Name Servers change, it will take anywhere from two to 24 hours to propagate around the World. Until the new Name Servers take effect, the old ones will continue to serve your website. The changeover should be seamless. You can monitor the progress of the name server changeover via What's My DNS.
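The orange/gray cloud rules from steps 4 to 6, as an added example that is not part of the original post: a small Python audit over a DNS record list. The zone, IP addresses and records are constructed sample data, and the type/name/content/proxied fields are an assumed representation of what the Cloudflare DNS page shows.

```python
# Added example: audit a DNS record list against the proxy rules in steps 4-6.
# ZONE, ORIGIN_IP and RECORDS are constructed sample data (documentation addresses).
ORIGIN_IP = "192.0.2.10"            # the web host's server IP saved in step 5
ZONE = "example.com"
PROXY_OK_LABELS = {"", "www", "m"}  # bare domain, www and mobile sub-domain
PROXY_OK_TYPES = {"A", "CNAME"}     # only these record types may be orange

RECORDS = [
    {"type": "A", "name": "example.com", "content": "192.0.2.10", "proxied": True},
    {"type": "CNAME", "name": "www.example.com", "content": "example.com", "proxied": True},
    {"type": "A", "name": "ftp.example.com", "content": "192.0.2.10", "proxied": True},
    {"type": "A", "name": "mail.example.com", "content": "192.0.2.99", "proxied": False},
    {"type": "MX", "name": "example.com", "content": "mail.example.com", "proxied": False},
    {"type": "TXT", "name": "example.com", "content": "v=spf1 a mx ~all", "proxied": False},
]

def label_of(name, zone):
    """Return the host label relative to the zone ('' for the bare domain)."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    if name == zone:
        return ""
    if name.endswith("." + zone):
        return name[: -len(zone) - 1]
    raise ValueError(f"{name} is not inside zone {zone}")

def audit(records, zone, origin_ip):
    """Return (name, type, problem) tuples for records that break the rules."""
    findings = []
    for r in records:
        label = label_of(r["name"], zone)
        may_proxy = r["type"] in PROXY_OK_TYPES and label in PROXY_OK_LABELS
        if r["proxied"] and not may_proxy:
            findings.append((r["name"], r["type"], "orange cloud on a non-web record"))
        # Every A record should carry the web host's server IP from step 5.
        if r["type"] == "A" and r["content"] != origin_ip:
            findings.append((r["name"], r["type"], f"points to {r['content']}, not {origin_ip}"))
    return findings

if __name__ == "__main__":
    for name, rtype, problem in audit(RECORDS, ZONE, ORIGIN_IP):
        print(f"{rtype:6} {name:20} {problem}")
```

With the sample data, the proxied ftp record and the mail record with the wrong address are reported; the other four records pass.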

Fixing your FTP client

* If you use an FTP client, like WS_FTP, FileZilla, or Direct FTP, to upload files to your server and you were using the domain name as the "host name," that field will have to be edited to point to the web host's server IP address that you saved a while ago instead of the domain name. The user name and password will remain the same. The only change is you'll log into an IP address instead of a domain name. Don't forget to save the changes, then try logging into your account via ftp. It should work (it does for me).

If you are unable to locate your website's IP address from the DNS records, cPanel, or another control panel, you can use a Windows computer to find it. Most operating systems recognize the ping command when it is entered in a Command Prompt, PowerShell, or Terminal window. The command is simple: type ping, then a space, followed by your domain name (without www). Example: ping example.com. Your computer will look up the domain in DNS and display the IP address of the website, along with information about the ping replies. Note that the IP may be displayed in IPv4 or IPv6 format. Do this lookup before the Cloudflare name servers take effect: once the domain is proxied, ping returns a Cloudflare address rather than your web host's server.

This system worked for me and I sincerely hope it helps somebody else out there on the Interwebs!




About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.






This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.