The orange cloud in Cloudflare doesn’t just hide your IP; it actively intercepts and inspects all traffic destined for your domain, making it a powerful proxy but a potential bottleneck if misconfigured.
Let’s see this in action. Imagine you have a domain, example.com, and you’ve pointed its A record to Cloudflare’s IP addresses.
```dns
example.com. 300 IN A 104.18.10.150
example.com. 300 IN A 104.18.11.150
```
When a user tries to access example.com, their DNS resolver will return these Cloudflare IPs. The user’s browser then connects to Cloudflare, not directly to your origin server. Cloudflare, with the orange cloud enabled, forwards this request to your actual server’s IP.
Here’s what that looks like for a typical HTTP request:
- User’s Browser (Client) sends:

  ```http
  GET / HTTP/1.1
  Host: example.com
  User-Agent: Mozilla/5.0 ...
  ...
  ```

- Cloudflare Edge Server: Receives the request. Inspects it for security policies (WAF, rate limiting, etc.). If it passes, it determines the origin IP from Cloudflare’s configuration.
- Cloudflare Edge Server: Forwards the request to your origin server, often appearing as a request from Cloudflare’s own IP address:

  ```http
  GET / HTTP/1.1
  Host: example.com
  User-Agent: Cloudflare-Traffic-Manager
  CF-Connecting-IP: <User's Original IP>
  X-Forwarded-For: <User's Original IP>
  ...
  ```

- Your Origin Server: Processes the request and sends a response back to Cloudflare.
- Cloudflare Edge Server: Receives the response. It might compress it, cache it (if cacheable), or apply other optimizations before sending it back to the user.
- User’s Browser (Client): Receives the final response.
The orange cloud means Cloudflare is acting as a reverse proxy for that specific DNS record. This is the default and most common setup. The key benefit is that Cloudflare can apply its extensive suite of security and performance features before traffic even hits your origin. This includes:
- DDoS Mitigation: Absorbing and filtering malicious traffic.
- Web Application Firewall (WAF): Blocking common web exploits.
- Rate Limiting: Preventing brute-force attacks or API abuse.
- SSL/TLS Encryption: Providing HTTPS for your domain, even if your origin doesn’t have it (though origin SSL is recommended).
- Caching: Serving static assets from Cloudflare’s edge, reducing load on your server and improving response times.
- Page Rules: Applying specific actions (like redirects, security settings, or caching) based on URL patterns.
The alternative, a grey cloud, signifies "DNS Only." In this mode, Cloudflare simply resolves your domain name to your origin server’s IP address. It does not proxy or inspect any traffic. Your origin server is directly exposed to the internet.
The problem Cloudflare solves with the orange cloud is making it easy for anyone to leverage their global network for security and performance without needing to re-architect their infrastructure. It abstracts away the complexity of managing edge infrastructure.
The exact levers you control are primarily within the Cloudflare dashboard under the "DNS" and "Security" sections. For each DNS record, you choose between the orange cloud (proxy) and the grey cloud (DNS Only). Within "Security," you configure WAF rules, rate limiting, bot management, SSL/TLS settings, and more. Page Rules allow granular control over how Cloudflare handles traffic to specific parts of your site.
When a DNS record is proxied (orange cloud), Cloudflare modifies the Host header of incoming requests to match the hostname you’ve configured in Cloudflare. This matters when your origin hosts multiple sites, because the Host header is how it identifies which domain is being requested. If your origin expects the Host header to arrive unchanged from the client’s browser (for example, an authentication mechanism or internal routing logic that relies on the original Host header) and Cloudflare is rewriting it, you may see unexpected behavior. You then have two options: adjust the origin’s configuration to accept the Cloudflare-modified Host header, or disable the proxy for that specific record if the functionality is critical and cannot be adapted.

Cloudflare also adds headers such as CF-Connecting-IP and X-Forwarded-For carrying the original client IP address, since the origin otherwise only sees the connection from Cloudflare’s edge. Your origin needs these for logging and for any application logic that depends on the client address.
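Two checks follow from the grey-cloud passage and the header passage above. The Python below is an added example, not Cloudflare’s code or the page’s own: `classify_record` tells you whether a record’s A answers point at Cloudflare’s edge (orange cloud) or at an origin that is directly exposed to the internet (grey cloud), and `client_ip` recovers the original client address from CF-Connecting-IP only when the TCP peer is actually a Cloudflare edge address, because a request that reaches the origin directly can carry any value in that header. The range list is a snapshot of Cloudflare’s published IPv4 ranges (https://www.cloudflare.com/ips-v4) and is an assumption that should be refreshed from that source; the sample answers, peer addresses and headers are constructed.

```python
import ipaddress
from typing import Iterable, Mapping

# Snapshot of Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips-v4).
# Assumption: the list is current at the time of writing. In production, refresh it
# on a schedule, and add the IPv6 list (https://www.cloudflare.com/ips-v6) if your
# origin is reachable over IPv6; a v6 peer is never matched by this v4-only list.
CLOUDFLARE_IPV4 = [ipaddress.ip_network(cidr) for cidr in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_ip(addr: str) -> bool:
    """True if addr falls inside one of the Cloudflare edge ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_IPV4)


def classify_record(answers: Iterable[str]) -> str:
    """Classify the A answers returned for one hostname.

    'proxied'  - every answer is a Cloudflare edge IP (orange cloud)
    'dns-only' - no answer is a Cloudflare IP (grey cloud: the origin IP is public)
    'mixed'    - some of each, which usually means an inconsistent record set
    """
    flags = [is_cloudflare_ip(a) for a in answers]
    if not flags:
        return "no-answers"
    if all(flags):
        return "proxied"
    if not any(flags):
        return "dns-only"
    return "mixed"


def client_ip(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Address to use for logging, rate limiting and access decisions at the origin.

    CF-Connecting-IP is honoured only when the TCP peer is a Cloudflare edge. A
    connection that reaches the origin without passing through the proxy can send
    any value in that header, so for such peers the header is ignored and the peer
    address itself is returned.
    """
    if is_cloudflare_ip(peer_ip):
        lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        claimed = lowered.get("cf-connecting-ip", "").strip()
        if claimed:
            ipaddress.ip_address(claimed)  # raises ValueError on a malformed header value
            return claimed
    return peer_ip


if __name__ == "__main__":
    # Constructed sample data: the two answers from the zone snippet on this page,
    # an RFC 5737 documentation address standing in for a bare origin, and two
    # origin-side requests (one from a Cloudflare edge, one arriving directly).
    print(classify_record(["104.18.10.150", "104.18.11.150"]))              # proxied
    print(classify_record(["203.0.113.10"]))                                # dns-only
    print(classify_record(["104.18.10.150", "203.0.113.10"]))               # mixed
    print(client_ip("172.71.5.9", {"CF-Connecting-IP": "198.51.100.7"}))    # 198.51.100.7
    print(client_ip("203.0.113.99", {"CF-Connecting-IP": "198.51.100.7"}))  # 203.0.113.99
```

Run `classify_record` over the answers your resolver returns for each hostname in the zone; any `dns-only` result is a record whose origin address is public, which is exactly the grey-cloud exposure described above. At the origin, pair `client_ip` with a firewall rule that admits HTTP only from the same Cloudflare ranges, so that the proxy (and the WAF and rate limiting behind the orange cloud) cannot be bypassed by connecting to the origin directly.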