How to set up Cloudflare with your Kualo hosting account

Cloudflare sits between your visitors and your hosting server, providing a CDN, DDoS protection, and performance improvements. This guide covers everything you need to get Cloudflare working correctly with your Kualo hosting account.

What Cloudflare does and when to use it

When you add your domain to Cloudflare, Cloudflare becomes your authoritative DNS provider. All traffic to your site passes through Cloudflare's network before reaching our servers. This gives you:

A global CDN that caches static assets close to your visitors
DDoS mitigation and bot filtering at the network edge
Free SSL at the Cloudflare edge (separate from your origin SSL)
A single dashboard to manage DNS, firewall rules, and performance settings

Cloudflare is a good choice if you want faster global delivery, extra security, or more control over your DNS. If you only need SSL on your site, AutoSSL handles that automatically without any third-party service.

Switching to Cloudflare nameservers means Cloudflare manages your DNS, not cPanel. Any future DNS changes - including MX records and subdomains - must be made in your Cloudflare dashboard, not in cPanel's Zone Editor.

Step 1: Sign up for a Cloudflare account

Go to cloudflare.com and click Sign up.
Enter your email address and choose a password, then click Create Account.
On the next screen, click Add a site and enter your domain name (for example, example.com).
Select the Free plan (or a paid plan if you need advanced features) and click Continue.

Cloudflare will now scan your existing DNS records.

Step 2: Review and verify your imported DNS records

After the scan, Cloudflare displays all the DNS records it found for your domain. This step is critical - if any records are missing or wrong, parts of your site or email will stop working after you switch nameservers.

Check the following carefully:

A record for your root domain (@ or example.com) - this should point to your Kualo server IP address. You can find your server IP in cPanel under Server Information, or in your Kualo welcome email.
A record for www - should also point to your server IP, or be a CNAME pointing to your root domain.
MX records - if you use Kualo email, these must be present and correct. Compare them with the records shown in cPanel's Zone Editor.
TXT records - check that any SPF, DKIM, and DMARC records have been imported. Missing TXT records can cause email deliverability problems.
Any subdomains - for example, mail, ftp, or cpanel subdomains. These are often used for direct server access and should typically be set to DNS only (grey cloud) rather than proxied.

If a record is missing, click Add record and enter the details manually. You can cross-reference everything against cPanel's Zone Editor before you proceed.

For a plain-language explanation of what each record type does, see our introduction to DNS record types.

Once you are satisfied the records are correct, click Continue.

Step 3: Note your Cloudflare nameservers

Cloudflare will show you two nameservers to use, which look something like:

aria.ns.cloudflare.com
kip.ns.cloudflare.com

Your nameservers will be unique to your account - do not use the examples above. Copy them carefully before moving on.

Step 4: Update your nameservers at Kualo

If your domain is registered with Kualo, follow these steps to point it at Cloudflare's nameservers.

Log in to my.kualo.com.
Go to Domains and click on the domain you are setting up.
Click Nameservers (or Manage Nameservers).
Select Use custom nameservers and replace the existing entries with the two Cloudflare nameservers from Step 3.
Save your changes.

For a full walkthrough of this process, see Updating nameservers at Kualo.

If your domain is registered elsewhere, log in to your registrar's control panel and update the nameservers there.

Nameserver changes can take up to 24 hours to propagate fully, though they often complete within a couple of hours. During this time your site will remain accessible. See What is DNS propagation and how long does it take? for more detail.

Step 5: Confirm Cloudflare is active

Once propagation is complete, Cloudflare will send you a confirmation email and the status in your Cloudflare dashboard will change to Active. You can also check propagation progress using a tool such as whatsmydns.net.

Step 6: Configure SSL and HTTPS in Cloudflare

Cloudflare handles SSL in two places: between your visitors and Cloudflare (the edge), and between Cloudflare and your origin server (our server). Getting this right is important.

Choose the correct SSL mode

In your Cloudflare dashboard, go to SSL/TLS and choose one of the following modes:

Mode	What it does	When to use it
Off	No SSL anywhere	Never recommended
Flexible	HTTPS to visitors, HTTP to origin	Only if your origin has no SSL certificate - not recommended
Full	HTTPS to visitors, HTTPS to origin (certificate not verified)	If you have a self-signed certificate on the origin
Full (Strict)	HTTPS to visitors, HTTPS to origin with a valid certificate	Recommended if you have a valid SSL certificate on your origin

We recommend Full (Strict) if you have a valid SSL certificate installed on your Kualo account. AutoSSL provides a free, valid certificate automatically, so this is the right choice for most customers.

Forcing HTTPS for visitors

Do not use Cloudflare's Always Use HTTPS setting (found under SSL/TLS > Edge Certificates). This setting will cause AutoSSL to fail. AutoSSL renews your certificate by placing a verification file on your server and checking it over HTTP - if Cloudflare intercepts that request and redirects it to HTTPS, the renewal will fail. See Using AutoSSL with Cloudflare for the correct approach.

To redirect visitors from HTTP to HTTPS without breaking AutoSSL, use a redirect rule in your .htaccess file or follow the guidance in our dedicated article: Using AutoSSL with Cloudflare.

AutoSSL and Cloudflare

AutoSSL is our automatic SSL certificate system, which renews your certificate every 90 days. When Cloudflare is active, there is an important interaction to be aware of.

AutoSSL renews your certificate by placing a verification file on your server and checking it over HTTP. If Cloudflare's Always Use HTTPS setting is turned on, or if your SSL mode is set to Full (Strict) without a valid certificate already in place, Cloudflare can intercept that verification request and cause the renewal to fail.

For full details on how to keep AutoSSL working correctly alongside Cloudflare, read our dedicated article: Using AutoSSL with Cloudflare.

Proxied vs. DNS-only records

In Cloudflare, each DNS record has an orange cloud (proxied) or a grey cloud (DNS only) icon.

Proxied (orange cloud): Traffic passes through Cloudflare. You get CDN, caching, and DDoS protection. Cloudflare's IP is shown publicly, not your server IP.
DNS only (grey cloud): Cloudflare acts as a plain DNS resolver. Traffic goes directly to your server. Your server IP is publicly visible.

For your main website A records (@ and www), proxied is usually what you want. For server-specific subdomains such as mail, cpanel, ftp, and webmail, set these to DNS only so that direct connections to those services work correctly.

Do not proxy your mail-related records (MX, mail subdomain). Email does not route through Cloudflare's proxy and proxying mail subdomains will break email delivery.

Managing DNS records going forward

Once Cloudflare is active, make all DNS changes in your Cloudflare dashboard rather than in cPanel's Zone Editor. Changes made in cPanel will have no effect because Cloudflare is now your authoritative DNS provider.

Getting help from our support team

If you run into problems or would like us to help you troubleshoot your Cloudflare setup, our support team can assist. To allow us to access your Cloudflare account, you will need to share access with us - see How to create a support ticket in MyKualo to get in touch, and we will walk you through granting access.