Orange Cloud (Proxy)
Learning Focus
By the end of this lesson you will understand what happens when Cloudflare's proxy (orange cloud) is enabled for a DNS record.
What the Orange Cloud Does
When enabled, Cloudflare becomes a reverse proxy between visitors and your server.
Benefits of proxied mode:
- CDN caching for static assets
- DDoS protection at the edge
- WAF rules applied before traffic reaches your server
- Your origin server IP is hidden from the public
- Free HTTPS on the Cloudflare edge
What Gets Proxied
| Protocol | Proxied? | Notes |
|---|---|---|
| HTTP/HTTPS (80/443) | ✅ Yes | Standard web traffic |
| SSH (22) | ❌ No | Use DNS-only records |
| Email (25, 587, 993) | ❌ No | Must be DNS only |
| Custom TCP ports | ❌ No (without Spectrum) | Cloudflare Spectrum needed |
When to Disable Proxy (Grey Cloud)
- Email servers (MX records)
- SSH or SCP access records
- Direct database connections
- Services on non-standard ports
Info: The orange cloud hides your server's real IP address. This is a security benefit — attackers cannot target your server directly.
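The rules above can be checked against a zone export. The following audit is an added example, not part of the original lesson or Cloudflare's tooling. It flags proxied records that look like non-HTTP services, and DNS-only records that publish the same address a proxied record is hiding. The record fields mirror the `type`/`name`/`content`/`proxied` shape of Cloudflare API DNS records. The sample zone, the hostname-label heuristic, and the finding names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample zone (documentation IP ranges), shaped like
# Cloudflare API DNS record objects: type / name / content / proxied.
SAMPLE_RECORDS = [
    {"type": "A", "name": "www.example.com", "content": "203.0.113.10", "proxied": True},
    {"type": "A", "name": "example.com", "content": "203.0.113.10", "proxied": True},
    {"type": "A", "name": "ssh.example.com", "content": "203.0.113.10", "proxied": False},
    {"type": "A", "name": "mail.example.com", "content": "198.51.100.25", "proxied": False},
    {"type": "MX", "name": "example.com", "content": "mail.example.com", "proxied": False},
    {"type": "A", "name": "db.example.com", "content": "203.0.113.10", "proxied": True},
]

# Hypothetical heuristic: first hostname labels that suggest a non-HTTP service.
NON_HTTP_LABELS = {"ssh", "sftp", "mail", "smtp", "imap", "db", "mysql", "postgres"}
ADDRESS_TYPES = {"A", "AAAA"}


def audit_zone(records):
    """Return (hostname, finding) tuples for orange/grey cloud misconfigurations."""
    # Every address that at least one proxied record is meant to hide.
    proxied_ips = {
        ipaddress.ip_address(r["content"])
        for r in records
        if r["type"] in ADDRESS_TYPES and r["proxied"]
    }
    findings = []
    for r in records:
        if r["type"] not in ADDRESS_TYPES:
            continue  # MX and other types carry no address and are never proxied
        label = r["name"].split(".")[0]
        ip = ipaddress.ip_address(r["content"])
        if r["proxied"] and label in NON_HTTP_LABELS:
            # SSH, mail and database traffic is not proxied: switch to DNS only.
            findings.append((r["name"], "proxied-non-http"))
        elif not r["proxied"] and ip in proxied_ips:
            # A grey-cloud record publishes the address the orange cloud hides.
            findings.append((r["name"], "dns-only-shares-origin-ip"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_zone(SAMPLE_RECORDS):
        print(f"{name}: {finding}")
```

A `dns-only-shares-origin-ip` finding is usually resolved by hosting the non-HTTP service on a different address from the proxied web origin.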
Key Takeaways
- Orange cloud (proxied) routes traffic through Cloudflare's CDN and security layer.
- Only HTTP and HTTPS traffic is proxied by default.
- Use DNS-only (grey cloud) for email, SSH, and non-HTTP services.
What's Next
- Continue to Real Visitor IP for restoring real client IPs behind the proxy.