If you want to mitigate DDoS attacks in this day and age, CloudFlare is pretty much the only answer. That, and large CDNs around the world operated by the likes of Google and Amazon, but I’m no enterprise entity and can’t pay thousands of dollars every month just to show my blog posts on the Internet, so CloudFlare it is.
Step 1 – Sign into CloudFlare. Go inside the DNS tab. Set the apex to your server IP, and make sure the cloud icon is orange (that means it is being proxied). For any other subdomains, just set it as CNAME type and point it towards your apex. Why? In the future, if you ever change servers, you only need to update one endpoint (and if you ever need to point your subdomain to a different server, it’s just one configuration to update).
Remember, now that your IP has been proxied, you cannot SSH using your domain anymore, since it is masked with CloudFlare’s CDN IP address (this is a good thing!) Instead, use the actual IP to log in.
Step 2 – Add the nginx configuration below (modifying it to fit your use-case):
The above is the configuration for the WordPress installation this blog post was served from. Don't worry about the `listen 80` directive: certbot's nginx installer rewrites it when it adds the TLS server block.
Some fancier config, kept here in case I need it again after the server has been rebuilt:
Now, symlink the configuration from sites-available into sites-enabled so nginx loads it:
Step 3 – Install certbot and the CloudFlare DNS plugin.
After installing, the certbot invocation looks something like this:
Remember that the credentials file for the DNS plugin has to exist before you run it, and that it must be readable by root only, since it holds your CloudFlare API token. Refer to the plugin documentation. I'll need it myself in the future, so here it is:
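Here is an added, end-to-end worked example of Steps 2 and 3 as a single script. It is not the configuration from the original post; the domain (example.com), web root, php-fpm socket path, the `CF_API_TOKEN` variable, the function names and the `PREFIX` knob (which roots every path under a scratch directory so the functions can be exercised without touching /etc) are all assumptions made for the example. The Cloudflare range list is fetched from Cloudflare's published endpoints rather than hard-coded, because those ranges change.

```shell
#!/bin/sh
# Added example for Steps 2 and 3; not the author's original config.
# Assumptions (hypothetical): DOMAIN, WEBROOT, PHP_SOCK, CF_API_TOKEN, PREFIX.
set -eu

DOMAIN="${DOMAIN:-example.com}"
WEBROOT="${WEBROOT:-/var/www/${DOMAIN}}"
PHP_SOCK="${PHP_SOCK:-unix:/run/php/php-fpm.sock}"   # Debian names it php8.x-fpm.sock
PREFIX="${PREFIX:-}"                                 # e.g. PREFIX=/tmp/scratch for testing

nginx_dir()    { printf '%s/etc/nginx' "$PREFIX"; }
secrets_file() { printf '%s/root/.secrets/cloudflare.ini' "$PREFIX"; }

# Turn CIDRs on stdin (blank lines and # comments ignored) into realip directives.
# Behind the proxy the TCP peer is always Cloudflare, so without this every log
# line, rate limit and fail2ban rule sees Cloudflare's address, not the visitor's.
# The header is trusted only when the peer is in one of the listed ranges.
cloudflare_real_ip_conf() {
  printf 'real_ip_header CF-Connecting-IP;\n'
  while read -r cidr; do
    case "$cidr" in
      ""|\#*) ;;
      *) printf 'set_real_ip_from %s;\n' "$cidr" ;;
    esac
  done
}

write_cloudflare_snippet() {
  mkdir -p "$(nginx_dir)/snippets"
  cloudflare_real_ip_conf > "$(nginx_dir)/snippets/cloudflare-realip.conf"
}

# Step 2: the WordPress server block. listen 80 is fine here; certbot's nginx
# installer rewrites it when it adds the TLS block.
write_site_config() {
  mkdir -p "$(nginx_dir)/sites-available" "$(nginx_dir)/sites-enabled"
  cat > "$(nginx_dir)/sites-available/${DOMAIN}" <<EOF
server {
    listen 80;
    server_name ${DOMAIN} www.${DOMAIN};
    root ${WEBROOT};
    index index.php;

    include snippets/cloudflare-realip.conf;

    location / {
        try_files \$uri \$uri/ /index.php?\$args;
    }

    location ~ \.php\$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        fastcgi_pass ${PHP_SOCK};
    }

    # .ht* files are never served; xmlrpc.php is a favourite brute-force target,
    # so deny it unless you rely on Jetpack or the mobile app.
    location ~ /\.ht { deny all; }
    location = /xmlrpc.php { deny all; }
}
EOF
}

enable_site() {
  ln -sfn "$(nginx_dir)/sites-available/${DOMAIN}" "$(nginx_dir)/sites-enabled/${DOMAIN}"
}

# Step 3: credentials read by certbot-dns-cloudflare. Use a scoped API token
# (Zone / DNS / Edit on this zone only), never the Global API Key, and keep the
# file root-only: the plugin warns on looser modes, and anyone who can read it
# can rewrite your DNS.
write_cf_credentials() {
  f="$(secrets_file)"
  mkdir -p -m 700 "$(dirname "$f")"
  printf '# certbot-dns-cloudflare credentials for %s\n' "$DOMAIN" > "$f"
  printf 'dns_cloudflare_api_token = %s\n' "${CF_API_TOKEN:-REPLACE_WITH_SCOPED_TOKEN}" >> "$f"
  chmod 600 "$f"
}

# Returns 0 only when the credentials file is exactly mode 600 (-rw-------).
check_credentials_private() {
  mode="$(ls -ld "$(secrets_file)" | cut -c1-10)"
  [ "$mode" = "-rw-------" ]
}

install_certbot() {
  apt-get install -y certbot python3-certbot-nginx python3-certbot-dns-cloudflare
}

# DNS-01 through Cloudflare for the challenge, nginx installer to wire TLS into
# the server block above. PRINT_ONLY=1 (the default) only shows the command.
run_certbot() {
  check_credentials_private || { echo "refusing: $(secrets_file) must be mode 600" >&2; return 1; }
  set -- -a dns-cloudflare --dns-cloudflare-credentials "$(secrets_file)" \
         --dns-cloudflare-propagation-seconds 30 \
         -i nginx -d "$DOMAIN" -d "www.${DOMAIN}"
  if [ "${PRINT_ONLY:-1}" = "1" ]; then
    echo "would run: certbot $*"
  else
    certbot "$@"
  fi
}

main() {
  install_certbot
  { curl -fsS https://www.cloudflare.com/ips-v4; echo; curl -fsS https://www.cloudflare.com/ips-v6; } \
    | write_cloudflare_snippet
  write_site_config
  enable_site
  write_cf_credentials
  nginx -t && systemctl reload nginx
  PRINT_ONLY=0 run_certbot
}

# Run the whole procedure only when asked: SETUP_RUN=1 sudo sh setup-site.sh
if [ "${SETUP_RUN:-0}" = "1" ]; then main; fi
```

Run it as `SETUP_RUN=1 CF_API_TOKEN=... sudo sh setup-site.sh`; without `SETUP_RUN` it only defines the functions, which is what makes it safe to test against a scratch `PREFIX`. The real-IP snippet is the piece most people forget: without it, the proxy works but every access log, rate limit and ban list is keyed on Cloudflare's addresses. Since Cloudflare's ranges change, regenerate the snippet from the two URLs above on a schedule (a monthly cron entry is enough) and reload nginx.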