Custom Domain Home Hosting

Professional domain setup with Cloudflare protection for home servers

Overview

This guide walks you through setting up a professional custom domain for your home server using Cloudflare's proxy protection. You'll learn to hide your real IP address, implement enterprise-grade security, and create a robust hosting solution that rivals commercial providers.

What you'll achieve: A professional domain (your-domain.com) that masks your home IP behind Cloudflare's global network, providing DDoS protection, SSL termination, and secure access to your self-hosted services.

1. Domain Registration & Setup

1.1 Register Your Domain

  • Go to Cloudflare Registrar (domains.cloudflare.com)
  • Register your-domain.com at wholesale pricing
  • Complete the registration process and verify ownership

1.2 Add Domain to Cloudflare

  • Create a free Cloudflare account at cloudflare.com
  • Click "Add a Site" and enter your domain name
  • Select the Free plan
  • Cloudflare will scan your existing DNS records

1.3 Update Nameservers

  • Cloudflare will provide you with nameservers (e.g., nina.ns.cloudflare.com)
  • Go to your domain registrar's control panel
  • Replace the default nameservers with Cloudflare's nameservers
  • Wait 24-48 hours for DNS propagation (usually much faster)
Verification: Once active, you'll see "Active" status in your Cloudflare dashboard.

2. DNS Configuration

2.1 Create A Record for Root Domain

In your Cloudflare DNS dashboard:

  • Type: A
  • Name: @ (this represents the root domain)
  • IPv4 Address: XXX.XXX.XXX.XXX (your current public IP)
  • Proxy status: ☁️ Proxied (orange cloud)
  • TTL: Auto

2.2 Optional: Create Subdomain Records

For services like lab.your-domain.com:

  • Type: A
  • Name: lab
  • IPv4 Address: XXX.XXX.XXX.XXX
  • Proxy status: ☁️ Proxied (orange cloud)

Important: The orange cloud (Proxied) status is crucial - this hides your real IP and routes traffic through Cloudflare's servers.

# Find your current public IP
curl -4 ifconfig.me
# or
curl -4 https://api.ipify.org

3. Server Firewall Configuration

3.1 Block Direct Access

Configure UFW so that incoming traffic is denied unless a later rule explicitly allows it:

# Deny all incoming traffic by default (the explicit Cloudflare allow rules follow in 3.2).
# Do not add standalone "ufw deny 80" / "ufw deny 443" rules: UFW applies the first
# matching rule, so a broad deny listed before the Cloudflare allow rules would block
# Cloudflare's traffic as well.
sudo ufw default deny incoming
sudo ufw default allow outgoing

3.2 Allow Cloudflare IP Ranges

Only allow Cloudflare's servers to access your web services:

# Download and allow Cloudflare IPv4 ranges
for ip in $(curl -s https://www.cloudflare.com/ips-v4); do
  sudo ufw allow from "$ip" to any port 80
  sudo ufw allow from "$ip" to any port 443
done

# Download and allow Cloudflare IPv6 ranges
for ip in $(curl -s https://www.cloudflare.com/ips-v6); do
  sudo ufw allow from "$ip" to any port 80
  sudo ufw allow from "$ip" to any port 443
done

3.3 Create Update Script

Cloudflare IP ranges can change, so create an update script. Note that `ufw --force reset` removes every rule, including the SSH rules from section 5, so the script must re-add them or you will be locked out the first time it runs:

# Create update script
sudo nano /usr/local/bin/update-cloudflare-rules.sh

# Script content:
#!/bin/bash
set -euo pipefail

# Fetch the current ranges before touching the firewall, and abort if either
# download fails, so a bad download never leaves the firewall half-configured
IPV4=$(curl -fsS https://www.cloudflare.com/ips-v4)
IPV6=$(curl -fsS https://www.cloudflare.com/ips-v6)

# Remove old Cloudflare rules. WARNING: reset drops ALL rules, including SSH
sudo ufw --force reset
sudo ufw --force enable
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Re-add SSH access (same ranges as section 5.3; adjust to your network)
sudo ufw allow from 192.168.1.0/24 to any port 22 proto tcp
sudo ufw allow from 10.6.0.0/24 to any port 22 proto tcp

# Re-add Cloudflare rules
for ip in $IPV4 $IPV6; do
  sudo ufw allow from "$ip" to any port 80
  sudo ufw allow from "$ip" to any port 443
done

# Make executable
sudo chmod +x /usr/local/bin/update-cloudflare-rules.sh

Security Note: After these changes, direct access to XXX.XXX.XXX.XXX will be blocked. Only traffic from Cloudflare will reach your server.

4. SSL/TLS Configuration

4.1 Enable HTTPS in Cloudflare

  • Go to SSL/TLS tab in Cloudflare dashboard
  • Set encryption mode to Flexible (easiest) or Full
  • Enable "Always Use HTTPS" redirect
  • Enable "HTTP Strict Transport Security (HSTS)" for extra security

4.2 Option A: Flexible SSL (Easiest)

  • Cloudflare handles SSL termination
  • Traffic between Cloudflare and your server uses HTTP
  • No server-side SSL certificate required
  • Good for getting started quickly

4.3 Option B: Full SSL (Recommended)

  • Go to SSL/TLS → Origin Certificates in Cloudflare
  • Create a Cloudflare Origin Certificate
  • Download the certificate and private key
  • Install on your web server (Apache/Nginx)
  • Set encryption mode to Full (strict)

Result: Your domain will now serve HTTPS traffic with a valid SSL certificate.

5. SSH Security Hardening

5.1 Review Current UFW Rules

sudo ufw status numbered

Look for any rules allowing SSH from "Anywhere" - these need to be removed.

5.2 Remove Broad SSH Access

If you see rules like "22/tcp ALLOW IN Anywhere", remove them:

# Replace X and Y with the actual rule numbers
sudo ufw delete X
sudo ufw delete Y

5.3 Allow SSH from Local Network Only

# Allow SSH from your local network (adjust IP range as needed)
sudo ufw allow from 192.168.1.0/24 to any port 22 proto tcp

# If you use a VPN, also allow from VPN subnet
sudo ufw allow from 10.6.0.0/24 to any port 22 proto tcp

5.4 Verify SSH Security

sudo ufw status numbered

Ensure SSH (port 22) is only allowed from specific IP ranges, not "Anywhere".

Safety Tip: Make these changes from a local terminal session, not SSH, in case you accidentally lock yourself out.
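Both firewall checks this guide asks you to do by eye (3.3, keeping the Cloudflare allow list current, and 5.4, confirming SSH is not open to "Anywhere") can be scripted against the output of `sudo ufw status`. The following is an added example, not part of the original guide; it assumes you have saved the ips-v4 and ips-v6 lists into one file, and the demo input at the bottom is constructed.

```shell
#!/bin/sh
# Added example: audit `sudo ufw status` output against the published Cloudflare
# ranges and the SSH policy from section 5.
# Usage: sudo ufw status | audit_ufw cloudflare-ips.txt
#   (cloudflare-ips.txt = the concatenated output of ips-v4 and ips-v6)
# Reports SSH-OPEN (port 22 allowed from Anywhere), STALE (a web rule whose source
# is no longer a published range) and MISSING (a published range with no rule).
# Returns 1 if anything was reported, 0 if the firewall matches the list.
audit_ufw() {
    awk -v listfile="$1" '
        BEGIN { bad = 0; while ((getline line < listfile) > 0) if (line != "") want[line] = 1 }
        { gsub(/ \(v6\)/, "") }            # "80 (v6) ALLOW Anywhere (v6)" -> "80 ALLOW Anywhere"
        $2 != "ALLOW" { next }             # skip header rows and DENY/REJECT rules
        $1 ~ /^22(\/tcp)?$/ && $3 == "Anywhere" { print "SSH-OPEN " $0; bad = 1 }
        $1 ~ /^(80|443)(\/tcp)?$/ {
            if ($3 in want) seen[$3] = 1
            else if (!($3 in stale)) { stale[$3] = 1; print "STALE " $3; bad = 1 }
        }
        END {
            for (w in want) if (!(w in seen)) { print "MISSING " w; bad = 1 }
            exit bad
        }'
}

# Constructed demo input: two published ranges, one stale web rule and SSH open to all
_list=$(mktemp)
printf '173.245.48.0/20\n103.21.244.0/22\n' > "$_list"
printf '%s\n' 'Status: active' '' 'To   Action   From' '--   ------   ----' \
  '80   ALLOW   173.245.48.0/20' '443   ALLOW   173.245.48.0/20' \
  '80   ALLOW   198.51.100.0/24' '22/tcp   ALLOW   Anywhere' '22/tcp (v6)   ALLOW   Anywhere (v6)' \
  | audit_ufw "$_list" || echo "audit found problems"
rm -f "$_list"
```

Run it from the same cron job as the update script so a silently stale allow list shows up in the log.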

6. Dynamic IP Management

6.1 Create Cloudflare API Token

  • Go to Cloudflare Dashboard → My Profile → API Tokens
  • Click "Create Token" → "Custom token"
  • Permissions: Zone:Zone:Read, Zone:DNS:Edit
  • Zone Resources: Include - Specific zone - your-domain.com
  • Save the token securely

6.2 Get Zone and Record IDs

# Get Zone ID
curl -X GET "https://api.cloudflare.com/client/v4/zones?name=your-domain.com" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"

# Get Record ID (using Zone ID from above)
curl -X GET "https://api.cloudflare.com/client/v4/zones/ZONE_ID/dns_records?type=A&name=your-domain.com" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json"

6.3 Create DDNS Update Script

# Create the script
sudo nano /usr/local/bin/cloudflare-ddns.sh

# Script content:
#!/bin/bash
set -euo pipefail

# Configuration (the token lives in this file, so keep it root-only: chmod 600)
API_TOKEN="your_cloudflare_api_token"
ZONE_ID="your_zone_id"
RECORD_ID="your_record_id"
DOMAIN="your-domain.com"
LOG=/var/log/cloudflare-ddns.log

# Get current public IP; stop if the lookup fails or returns nothing,
# otherwise the record would be overwritten with an empty address
CURRENT_IP=$(curl -fsS -4 https://api.ipify.org)
if [ -z "$CURRENT_IP" ]; then
  echo "$(date): could not determine public IP, no update made" >> "$LOG"
  exit 1
fi

# Update DNS record. "proxied":true is required here: PUT replaces the whole
# record and proxied defaults to false, which would publish your home IP in DNS
# and undo the masking from section 2. "ttl":1 means Auto.
RESPONSE=$(curl -sS -X PUT "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$RECORD_ID" \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  --data "{\"type\":\"A\",\"name\":\"$DOMAIN\",\"content\":\"$CURRENT_IP\",\"ttl\":1,\"proxied\":true}")

# Log the result, including whether the API reported success
if echo "$RESPONSE" | grep -q '"success":true'; then
  echo "$(date): Updated $DOMAIN to $CURRENT_IP" >> "$LOG"
else
  echo "$(date): Update of $DOMAIN failed: $RESPONSE" >> "$LOG"
  exit 1
fi

# Make executable
sudo chmod +x /usr/local/bin/cloudflare-ddns.sh

6.4 Setup Automated Updates

# Add to crontab to run every 5 minutes
sudo crontab -e

# Add this line:
*/5 * * * * /usr/local/bin/cloudflare-ddns.sh

Purpose: This ensures your DNS records automatically update when your ISP changes your IP address.

7. Testing & Verification

7.1 Test Domain Resolution

# Test DNS resolution
nslookup your-domain.com
dig your-domain.com
# Should show Cloudflare IPs, not your home IP

7.2 Verify HTTPS Access

  • Visit https://your-domain.com in a browser
  • Check that the SSL certificate is valid
  • Verify that the site loads correctly

7.3 Confirm IP Masking

# This should fail (connection refused/timeout)
curl -I http://XXX.XXX.XXX.XXX

# This should work
curl -I https://your-domain.com

7.4 Test Firewall Rules

# Check UFW status
sudo ufw status verbose
# Verify SSH is restricted to local networks only
# Verify web traffic only allowed from Cloudflare
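Steps 7.1 and 7.3 rely on reading dig output by eye. This added example (not from the original guide) checks every IPv4 address `dig +short` returns against a saved copy of Cloudflare's published IPv4 ranges and flags the origin IP if it ever appears in DNS, which is exactly what a DDNS update without "proxied":true would cause. It assumes the ranges are saved to a file and the origin IP is passed as the first argument; the origin 203.0.113.7 and the two-range list in the demo are constructed.

```shell
#!/bin/sh
# Added example: verify that every address your domain resolves to belongs to a
# published Cloudflare IPv4 range and that none of them is the origin (home) IP.
# Usage: dig +short A your-domain.com | check_resolved ORIGIN_IP cloudflare-ips-v4.txt

# Dotted-quad IPv4 -> 32-bit integer
ip_to_int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds when IPv4 $1 lies inside CIDR $2 (a.b.c.d/n)
ip_in_cidr() {
    _net=${2%/*}; _bits=${2#*/}
    if [ "$_bits" -eq 0 ]; then _mask=0
    else _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 )); fi
    [ $(( $(ip_to_int "$1") & _mask )) -eq $(( $(ip_to_int "$_net") & _mask )) ]
}

# Reads resolved addresses from stdin; $1 = origin IP, $2 = file of Cloudflare CIDRs.
# Prints OK / FOREIGN / EXPOSED per address and returns 1 if anything is wrong.
check_resolved() {
    _rc=0
    while read -r _ip; do
        case $_ip in '' | *[!0-9.]*) continue ;; esac   # skip blanks and CNAME targets
        if [ "$_ip" = "$1" ]; then
            echo "EXPOSED $_ip (origin IP is published in DNS)"; _rc=1; continue
        fi
        _found=0
        while read -r _cidr; do
            [ -n "$_cidr" ] && ip_in_cidr "$_ip" "$_cidr" && { _found=1; break; }
        done < "$2"
        if [ "$_found" -eq 1 ]; then echo "OK $_ip"
        else echo "FOREIGN $_ip (not a Cloudflare range)"; _rc=1; fi
    done
    return $_rc
}

# Constructed demo: two published Cloudflare ranges (use the live list in practice)
# and an origin in the documentation range 203.0.113.0/24 that has leaked into DNS.
_list=$(mktemp)
printf '173.245.48.0/20\n104.16.0.0/13\n' > "$_list"
printf '104.16.132.229\n203.0.113.7\n' | check_resolved 203.0.113.7 "$_list" || echo "problem found"
rm -f "$_list"
```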

🎉 Congratulations! You've Successfully Completed the Setup

What you've achieved:

Advanced Configuration Options

Subdomain Structure Example:

  • your-domain.com → Main homepage
  • api.your-domain.com → API endpoints
  • lab.your-domain.com → Development environment
  • monitor.your-domain.com → System monitoring

All traffic proxied through Cloudflare for maximum security.

Additional Security Enhancements

  • Cloudflare Access: Add zero-trust authentication
  • Rate Limiting: Configure request rate limits
  • Firewall Rules: Block specific countries or IP ranges
  • Bot Protection: Enable advanced bot detection

Performance Optimization

  • Caching: Configure page and browser caching rules
  • Compression: Enable Brotli and Gzip compression
  • Minification: Automatic CSS/JS/HTML minification
  • CDN: Leverage Cloudflare's global CDN network

Security Reminder: Never expose your real IP address (XXX.XXX.XXX.XXX) directly. Always route traffic through Cloudflare's proxy to maintain security and anonymity.

Professional Achievement

You've successfully implemented a professional-grade hosting solution that rivals commercial providers. This setup demonstrates advanced skills in:

  • Network Architecture: DNS management, proxy configuration, and traffic routing
  • Security Engineering: Firewall configuration, IP masking, and access control
  • Systems Administration: Linux server management and service automation
  • Cloud Integration: Cloudflare API usage and service orchestration
  • DevOps Practices: Infrastructure as code and automated deployments

Cost Comparison: You're achieving what typically costs $10-50/month on cloud platforms, while maintaining complete control over your infrastructure and data.