This is my very first post in China (and hopefully not the last one lol). So far so good, except that my server IP was recently blocked due to service misuse (more info). I've learned several things along the way, but first I need to rescue my blog & portfolio site so that they are accessible in China. As a side note, the domain was purchased from Namecheap and DNS was configured under DigitalOcean.
TL;DR
- Use Cloudflare to hide your server IP, protect your sites from potential hacks, and speed up loading in different parts of the world.
- Don't force a single VPS to wear multiple hats (like web hosting, mail server, and SS).
- If your VPS image handles both web hosting and mail service together, configure the DNS records carefully on Cloudflare to ensure that the mail server keeps working.
Why Cloudflare?
This is what they said...
Cloudflare also provides security by protecting Internet properties from malicious activity like DDoS attacks, malicious bots, and other nefarious intrusions.
Basically it is a free content delivery network (CDN) that speeds up page delivery based on geolocation. In my previous DNS setup, the blog subdomain pointed directly to the server IP - a simple ping would uncover the IP immediately. It was not until the IP was blocked in China that I realized this is a dangerous setup. With Cloudflare, the domain name no longer exposes the server IP. Since the domain is now handled by Cloudflare, my websites should be viewable in China (and even faster!) as long as Cloudflare's associated IPs are not blocked. My understanding is that the associated IP changes periodically (or is location based?), though I have not confirmed this.
How to configure Cloudflare?
Simple -
- Register an account on Cloudflare
- Enter domain names. Cloudflare will automatically scan existing DNS records for you.
- Confirm that the captured DNS records match with your current setting.
- Update your nameserver information at your domain provider.
- Wait a bit (for DNS propagation), and you're good to go!
It really takes less than 5 minutes. This guide provides more details.
Ugh, hard lessons
This is my first time setting up a VPS, so I was greedy: I used it for web hosting, mail forwarding, and a shadowsocks (SS) server. THIS IS NOT A GOOD PRACTICE. Specifically for Digital Ocean, it is encouraged to separate these tasks into different droplets (so that if one is down, the others stay intact and function normally). But for me, since all these features were under the same droplet, their performances depended on each other. As the IP was blocked in China (due to SS), requests sent to my hosted websites timed out indefinitely. (It is said that the IP will be removed from blacklists sometime in the future, but as of today it has not been.) My workaround was to use a CDN (i.e. Cloudflare), but then all DNS records are maintained by Cloudflare instead. The provider did a great job auto-scanning and importing existing DNS rows from Digital Ocean - except for the mail server.
The moment I turned Cloudflare on, I stopped receiving any emails from my domain mailbox. I didn't realize this until two days later, when Gmail prompted that my test email was undeliverable. The error message is displayed below:
I then found that the 4 IPs belong to Cloudflare. Below is a screenshot of my previous DNS setting:
Notice the two rows highlighted in yellow. These records determine how mail DNS works and I got both wrong.
When the A record for mail got a grey cloud, Cloudflare warned that the record was exposing my IP. This is the right way to go, though; Cloudflare does not host my mail server, so no HTTP proxy is required (only DNS). Moreover, the name of the MX record should be the domain name. I spent two hours trying to figure out why Postfix suddenly stopped forwarding emails to my personal mailbox, only to find that it was not Postfix's fault but a DNS issue :P. Now I have it set up this way and the mail server is working as usual:
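To make the two mail-record rules above concrete (MX name on the apex, mail host A record DNS-only), here is an added Python lint that I wrote for this post; it is not the author's code and not anything from Cloudflare. It checks a record list in the shape a Cloudflare zone export or API listing gives back (type, name, content, proxied). The zone name, IP address and record sets are constructed placeholders, and the function names are my own.

```python
"""Lint a Cloudflare-style DNS record list for the two mail mistakes described above.

Records are dicts with the fields a Cloudflare zone export or API listing exposes:
type, name, content, proxied (plus priority for MX). The record sets below are
constructed samples, not the author's real zone.
"""

ZONE = "example.com"  # placeholder zone name, not the author's real domain

# Constructed sample: the broken setup (MX named after the mail host, mail A record proxied)
BROKEN_RECORDS = [
    {"type": "A",  "name": "example.com",      "content": "203.0.113.10",     "proxied": True},
    {"type": "A",  "name": "blog.example.com", "content": "203.0.113.10",     "proxied": True},
    {"type": "A",  "name": "mail.example.com", "content": "203.0.113.10",     "proxied": True},
    {"type": "MX", "name": "mail.example.com", "content": "mail.example.com", "priority": 10, "proxied": False},
]

# Constructed sample: the corrected setup (MX on the apex, mail A record DNS-only / grey cloud)
FIXED_RECORDS = [
    {"type": "A",  "name": "example.com",      "content": "203.0.113.10",     "proxied": True},
    {"type": "A",  "name": "blog.example.com", "content": "203.0.113.10",     "proxied": True},
    {"type": "A",  "name": "mail.example.com", "content": "203.0.113.10",     "proxied": False},
    {"type": "MX", "name": "example.com",      "content": "mail.example.com", "priority": 10, "proxied": False},
]


def _fqdn(name, zone):
    """Normalise '@', bare labels and FQDNs to a lowercase FQDN without a trailing dot."""
    name = name.rstrip(".").lower()
    if name in ("@", ""):
        return zone
    if name == zone or name.endswith("." + zone):
        return name
    return f"{name}.{zone}"


def lint_mail_records(records, zone):
    """Return a list of human-readable problems; an empty list means the mail DNS looks right."""
    zone = zone.lower()
    problems = []

    # Index address records by owner name so MX targets can be looked up.
    a_by_name = {}
    for r in records:
        if r["type"] in ("A", "AAAA"):
            a_by_name.setdefault(_fqdn(r["name"], zone), []).append(r)

    mx_records = [r for r in records if r["type"] == "MX"]
    if not mx_records:
        problems.append(f"no MX record for {zone}: inbound mail has nowhere to go")

    for mx in mx_records:
        owner = _fqdn(mx["name"], zone)
        target = _fqdn(mx["content"], zone)

        # Mistake 1: the MX record's name must be the domain that receives mail
        # (the zone apex), not the mail host itself.
        if owner != zone:
            problems.append(f"MX record is named {owner}; it should be the zone apex {zone}")

        # Mistake 2: the host the MX points at must resolve to the real server, so its
        # A/AAAA records must be DNS-only (grey cloud). A proxied (orange cloud) record
        # answers with Cloudflare edge IPs, and Cloudflare does not relay SMTP.
        targets = a_by_name.get(target)
        if not targets:
            problems.append(f"MX target {target} has no A/AAAA record")
            continue
        for a in targets:
            if a.get("proxied"):
                problems.append(
                    f"{a['type']} record for MX target {target} is proxied; "
                    "senders would get Cloudflare IPs instead of the origin server"
                )
    return problems


if __name__ == "__main__":
    for label, recs in (("broken", BROKEN_RECORDS), ("fixed", FIXED_RECORDS)):
        print(label, lint_mail_records(recs, ZONE) or "OK")
```

Running it reports two problems for the broken set and none for the fixed one. The same check is a quick way to confirm the "captured DNS records match your current setting" step during onboarding: export the zone, feed the records in, and any proxied mail host or misnamed MX shows up before the first undeliverable bounce does.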
In short...
Don't be greedy and put all your eggs in one basket. If you do and it fails, take the failure as a chance to learn and remedy it right away lol.