Cloudflare
Positioned Cloudflare Enterprise in front of my newsletter and lab domains to block attacks, establish secure origin connectivity, and optimize content delivery.
Domains: Communication and Network Security; Security and Risk Management; Security Operations
Tooling: Cloudflare
Year: 2025
Purpose and Scope
I deployed Cloudflare across my personal domains—lab, portfolio, and newsletter—to create a layered security and performance stack without enterprise-level complexity. The objective was threefold: shield public-facing assets with advanced WAF protection, accelerate global content delivery for distributed readers, and secure backend infrastructure by eliminating direct exposure. For my newsletter domain, I prioritized reader experience through aggressive caching and image optimizations. My portfolio required similar performance tuning but with greater emphasis on always-current content delivery. The lab environment demanded heightened security, as it hosts a SIEM on an EC2 instance that needs protection without direct internet accessibility. By unifying these domains under Cloudflare's umbrella, I've built a comprehensive edge security and performance platform functioning as both a protective shield and delivery accelerator while centralizing visibility across my entire digital footprint.
Approach and Build
Implementation followed a domain-by-domain methodology, starting with fundamental protections before layering in specialized optimizations. First, I migrated DNS management to Cloudflare and established baseline security with SPF, DKIM, and DMARC records alongside DNSSEC for all domains. Next came traffic protection—enabling WAF with managed rulesets, DDoS mitigation, and custom rule expressions to filter bot traffic and suspicious patterns. For my newsletter domain, I turned to performance tuning: implementing Polish and Mirage for automatic image optimization, configuring browser and edge caching policies, and enabling Argo Smart Routing to reduce latency for global readers. My lab environment required the most complex setup—I established a Cloudflare Tunnel between the EC2 instance and Cloudflare's edge, creating an outbound-only connection that completely conceals the origin server while still allowing authenticated access to the SIEM. Final optimizations included deploying Scrape Shield to prevent email harvesting, implementing hotlink protection for images, and enabling IPv6 compatibility to future-proof all properties.
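The DNS baseline above (SPF, DKIM, DMARC, DNSSEC, and a proxied apex so the origin IP is never published) is easy to misconfigure silently, so it is worth checking mechanically. The following is an added example, not code from the original project: an offline posture checker that runs the checks a practitioner would want over constructed zone data. The zone names, records, and the `lookup` function are assumptions; the Cloudflare IPv4 ranges are a snapshot of the published list and should be refreshed from https://www.cloudflare.com/ips-v4 before use. Replacing `lookup` with a real resolver call turns it into a live check.

```python
"""Offline DNS posture check for the baseline described above.

Constructed zone answers stand in for live lookups; replace `lookup` with a
real resolver (e.g. dnspython) to run it against your own zones.
"""
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Refresh from that list before relying on it; used to confirm the apex is proxied.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed zone data (not real domains): example.net is hardened, example.org is weak.
ZONES = {
    "example.net": {
        ("example.net", "A"): ["104.21.5.6", "172.67.8.9"],          # Cloudflare-proxied
        ("example.net", "DS"): ["2371 13 2 0123ABCD0123ABCD"],        # DNSSEC chain present
        ("example.net", "TXT"): ["v=spf1 include:_spf.example-mailer.com -all"],
        ("_dmarc.example.net", "TXT"): [
            "v=DMARC1; p=reject; rua=mailto:dmarc@example.net; adkim=s; aspf=s"],
        ("mail._domainkey.example.net", "TXT"): ["v=DKIM1; k=rsa; p=EXAMPLEPUBLICKEY"],
    },
    "example.org": {
        ("example.org", "A"): ["203.0.113.10"],   # origin IP exposed, and no DS record
        ("example.org", "TXT"): ["v=spf1 +all"],  # SPF that authorises every sender
        ("_dmarc.example.org", "TXT"): ["v=DMARC1; p=none"],  # monitor-only, no rua
    },
}


def lookup(zone, name, rtype):
    """Stand-in for a DNS query; returns the constructed answers for (name, rtype)."""
    return ZONES.get(zone, {}).get((name, rtype), [])


def parse_tags(record):
    """Split a 'k=v; k=v' DMARC/DKIM record into a dict with lowercased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_zone(zone, selector="mail"):
    """Return named findings for the zone; every value True means it passes."""
    findings = {}
    # Proxied: every apex A record must sit inside Cloudflare's ranges.
    apex = [ipaddress.ip_address(a) for a in lookup(zone, zone, "A")]
    findings["proxied"] = bool(apex) and all(
        any(ip in net for net in CLOUDFLARE_V4) for ip in apex)
    # DNSSEC: a DS record at the parent means the chain of trust is published.
    findings["dnssec"] = bool(lookup(zone, zone, "DS"))
    # SPF: exactly one record, terminated by hard (-all) or soft (~all) fail.
    spf = [r for r in lookup(zone, zone, "TXT") if r.lower().startswith("v=spf1")]
    findings["spf"] = len(spf) == 1 and spf[0].split()[-1] in ("-all", "~all")
    # DMARC: an enforcing policy plus an aggregate-report address.
    dmarc = [r for r in lookup(zone, f"_dmarc.{zone}", "TXT") if r.startswith("v=DMARC1")]
    tags = parse_tags(dmarc[0]) if len(dmarc) == 1 else {}
    findings["dmarc"] = tags.get("p") in ("quarantine", "reject") and "rua" in tags
    # DKIM: the selector publishes a v=DKIM1 record with a public key.
    dkim = lookup(zone, f"{selector}._domainkey.{zone}", "TXT")
    findings["dkim"] = any(
        parse_tags(r).get("v") == "DKIM1" and "p" in parse_tags(r) for r in dkim)
    return findings


def passes(zone):
    """True only when every check in check_zone() passes."""
    return all(check_zone(zone).values())


if __name__ == "__main__":
    for name in ZONES:
        print(name, check_zone(name))
```

The `proxied` check is the one most often missed: an apex or subdomain left "DNS only" in the Cloudflare dashboard publishes the origin address, and at that point the WAF and DDoS protection can be bypassed by talking to the origin directly.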
Lessons Learned
Managing multiple domains through Cloudflare revealed that performance and security aren't competing priorities but complementary forces when properly configured. Starting with moderate WAF settings and incrementally tightening rules—similar to my Proofpoint approach—prevented false positives while steadily improving protection. Cloudflare Tunnel proved remarkably effective for securing backend infrastructure; by eliminating inbound ports completely, it dramatically reduced the attack surface, especially compared with traditional VPN solutions. Perhaps most valuable was discovering the governance benefits of centralized policy management; rule changes deploy instantly across all properties, eliminating the disjointed security posture that typically accompanies multiple independent domains. For anyone managing even a small collection of websites, this unified control plane scales remarkably well from personal projects to enterprise deployments.
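Removing inbound ports only reduces the attack surface if the tunnel itself stays narrow: the connector's ingress rules decide what the edge can reach inside the VPC. The following is an added example, not the project's own configuration: a small lint for the `ingress` section of a cloudflared `config.yml`, modelled as the dict that `yaml.safe_load` would produce. It enforces two properties a practitioner would want before restarting the connector: the last rule is a catch-all that returns an HTTP status (cloudflared requires a catch-all as the final rule), and every hostname rule forwards to a loopback or RFC 1918 address rather than an arbitrary origin. The tunnel id, hostnames and ports are constructed for the example.

```python
"""Lint for a cloudflared ingress config, as used for a tunnel to a lab SIEM.

Invariants enforced:
  1. the final rule is a catch-all (no hostname) that returns an http_status;
  2. every hostname rule targets localhost, loopback, or an RFC 1918 address, so
     the tunnel cannot become a public path to an arbitrary internal origin.
Hostnames, ports and the tunnel id below are constructed for the example.
"""
import ipaddress
from urllib.parse import urlparse

# Constructed config in the shape cloudflared reads from /etc/cloudflared/config.yml
# (after yaml.safe_load). The SIEM listens only on the loopback interface.
CONFIG = {
    "tunnel": "00000000-0000-4000-8000-000000000000",
    "credentials-file": "/etc/cloudflared/00000000-0000-4000-8000-000000000000.json",
    "ingress": [
        {"hostname": "siem.lab.example.net", "service": "http://127.0.0.1:5601"},
        {"service": "http_status:404"},  # required catch-all: unknown hosts get a 404
    ],
}

# Constructed counter-example: forwards to a DNS name elsewhere in the network
# and has no catch-all rule.
BAD_INGRESS = [
    {"hostname": "db.lab.example.net", "service": "http://intranet-db.example.net:5432"},
    {"hostname": "siem.lab.example.net", "service": "http://127.0.0.1:5601"},
]

PRIVATE = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]


def is_private_target(service):
    """True if the service URL's host is 'localhost' or a loopback/RFC 1918 address."""
    host = urlparse(service).hostname
    if host is None:
        return False
    if host == "localhost":
        return True
    try:
        return any(ipaddress.ip_address(host) in net for net in PRIVATE)
    except ValueError:
        # A DNS name: rejected on purpose, we want an explicit local address.
        return False


def lint_ingress(rules):
    """Return a list of problems; an empty list means the ingress is acceptable."""
    problems = []
    if not rules:
        return ["ingress is empty"]
    last = rules[-1]
    if "hostname" in last or not last.get("service", "").startswith("http_status:"):
        problems.append("last rule must be a catch-all http_status rule")
    for rule in rules[:-1]:
        if "hostname" not in rule:
            problems.append(f"non-final rule without hostname: {rule}")
        service = rule.get("service", "")
        if service.startswith("http_status:"):
            continue
        if not is_private_target(service):
            problems.append(
                f"{rule.get('hostname')} forwards to non-local origin {service}")
    return problems


if __name__ == "__main__":
    print("CONFIG:", lint_ingress(CONFIG["ingress"]) or "ok")
    print("BAD_INGRESS:", lint_ingress(BAD_INGRESS))
```

Run this alongside `cloudflared tunnel ingress validate`, which checks syntax but not intent, and keep the instance's security group with no inbound rules at all: the connector only needs outbound 443 to Cloudflare, and the hostname rule should sit behind a Cloudflare Access policy so that reaching the SIEM requires an identity, not just the URL.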