Cloudflare Setup Instructions for sempers.com
Purpose: Cloudflare sits in front of SiteGround, providing CDN/caching, DDoS protection, wildcard subdomain redirect (fixing duplicate content for SEO), and hosting for the internal wiki.
Last updated: February 20, 2026
Current Configuration
| Setting | Value |
|---|---|
| Cloudflare account | Zachary@sempers.com |
| Plan | Free |
| Registrar | GoDaddy |
| Nameservers | arely.ns.cloudflare.com, henrik.ns.cloudflare.com |
| Origin server | SiteGround (35.209.94.229, port 18765 for SSH) |
| SSL mode | Full (strict) |
| NGINX Direct Delivery | OFF (disabled Feb 9, 2026) |
DNS Records
| Type | Name | Content | Proxy |
|---|---|---|---|
| A | * | 35.209.94.229 | Proxied |
| A | sempers.com | 35.209.94.229 | Proxied |
| A | www | 35.209.94.229 | Proxied |
| CNAME | calendar | ghs.google.com | Proxied |
| CNAME | docs | ghs.google.com | Proxied |
| CNAME | groups | ghs.google.com | Proxied |
| CNAME | | ghs.google.com | Proxied |
| CNAME | sites | ghs.google.com | Proxied |
| CNAME | wiki | sempers-com.pages.dev | Proxied |
| MX | sempers.com | (Google Workspace MX records) | DNS only |
| TXT | sempers.com | SPF, DMARC, DKIM, Google site verification | DNS only |
Wildcard Subdomain Redirect Rule
Location: Rules > Redirect Rules > “Wildcard subdomain redirect”
Redirects all subdomains to sempers.com except qa, eng, and wiki.
Expression:
http.host ne "sempers.com" and http.host ne "qa.sempers.com" and http.host ne "eng.sempers.com" and http.host ne "wiki.sempers.com"
Action: Dynamic redirect to concat("https://sempers.com", http.request.uri.path) with status 301.
This catches www, ftp, aaa, and any other random subdomain and 301 redirects to sempers.com with the same path.
Wiki (wiki.sempers.com)
Cloudflare Pages
| Setting | Value |
|---|---|
| Project name | sempers-com |
| GitHub repo | zjs-tslf/sempers.com |
| Build command | cd wiki && npx @11ty/eleventy |
| Build output directory | wiki/_site |
| Root directory | / (repo root) |
| Framework preset | None |
Auto-deploys on every push to master. The wiki reads markdown files from business-files/ and renders them as HTML pages.
Cloudflare Access (Authentication)
| Setting | Value |
|---|---|
| Application name | Sempers Wiki |
| Application domain | wiki.sempers.com |
| Session duration | 24 hours |
| Login method | Google only (One-time PIN removed) |
| Policy | Allow Owner — zachary@sempers.com |
Google OAuth credentials are in Google Cloud Console (project: sempers.com:api-project-235551370032). Authorized redirect URI: https://sempers.cloudflareaccess.com/cdn-cgi/access/callback
Environments
| Environment | Domain | Hosting | Notes |
|---|---|---|---|
| Production | sempers.com | SiteGround | Deployed via GitHub Actions |
| QA | qa.sempers.com | SiteGround | Auto-deploys from non-refactor branches |
| ENG | eng.sempers.com | SiteGround | Auto-deploys from refactor/* branches |
| Wiki | wiki.sempers.com | Cloudflare Pages | Auto-deploys on push to master |
Verification Commands
```bash
# Wildcard redirect — should 301 to sempers.com
curl -I https://www.sempers.com/
curl -I https://aaa.sempers.com/
curl -I https://xyz123.sempers.com/
# Main site — should 200
curl -I https://sempers.com/
# QA/ENG — should 200 (may require auth)
curl -I https://qa.sempers.com/
curl -I https://eng.sempers.com/
# Wiki — should 302 to Cloudflare Access login
curl -I https://wiki.sempers.com/
```
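An added example, not part of the original runbook: a shell helper that turns the expectations in the comments above into pass/fail checks on `curl -sI` output, including the case where the wiki answers 200 without the Access redirect. The function names and sample responses are constructed, and it assumes the Access login redirect goes to the team domain from the redirect URI above (sempers.cloudflareaccess.com).

```shell
#!/usr/bin/env bash
# Added example, not part of the original runbook.
# Assumption: the Access login redirect lands on the team domain from the
# OAuth redirect URI (sempers.cloudflareaccess.com). Query strings not modelled.

# expected_for HOST [PATH] -> "STATUS LOCATION" predicted by the setup above.
expected_for() {
  case "$1" in
    wiki.sempers.com) echo "302 https://sempers.cloudflareaccess.com/" ;;  # Location prefix
    sempers.com|qa.sempers.com|eng.sempers.com) echo "200 -" ;;   # rule exceptions
    *) echo "301 https://sempers.com${2:-/}" ;;                   # wildcard redirect
  esac
}

# check_response HOST [PATH]: reads `curl -sI` output on stdin, returns 0 on match.
# Live use: curl -sI https://aaa.sempers.com/ | check_response aaa.sempers.com /
check_response() {
  local want_status want_loc hdrs status loc
  read -r want_status want_loc <<EOF
$(expected_for "$1" "${2:-/}")
EOF
  hdrs=$(tr -d '\r')                                   # strip CRs from HTTP headers
  status=$(printf '%s\n' "$hdrs" | awk 'NR==1 {print $2}')
  loc=$(printf '%s\n' "$hdrs" | awk 'tolower($1)=="location:" {print $2; exit}')
  [ "$status" = "$want_status" ] || { echo "FAIL $1: status $status, want $want_status"; return 1; }
  case "$want_status" in
    301) [ "$loc" = "$want_loc" ] || { echo "FAIL $1: Location $loc"; return 1; } ;;
    302) case "$loc" in
           "$want_loc"*) ;;
           *) echo "FAIL $1: Location $loc"; return 1 ;;
         esac ;;
  esac
  echo "OK $1"
}

# Constructed sample responses (not captured from the live site).
SAMPLE_WWW='HTTP/2 301
location: https://sempers.com/pricing'
SAMPLE_WIKI_GATED='HTTP/2 302
location: https://sempers.cloudflareaccess.com/cdn-cgi/access/login/wiki.sempers.com'
SAMPLE_WIKI_OPEN='HTTP/2 200
content-type: text/html'
```

A 200 from wiki.sempers.com fails the check because it means the wiki is being served without the Access login in front of it.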
What Cloudflare Handles
- DNS management
- CDN/caching (replaces SiteGround NGINX Direct Delivery)
- Wildcard subdomain redirects (fixing SEO duplicate content)
- Wiki hosting (Cloudflare Pages)
- Wiki authentication (Cloudflare Access with Google login)
- DDoS protection
- Analytics
What SiteGround Still Handles
- Origin server for sempers.com, qa, and eng
- File storage and Apache (.htaccess rules)
- SSH access for GitHub Actions deploys
- Email (Google Workspace via MX records)
Important Gotchas
- GitHub Actions SSH: Must use SiteGround’s direct IP (35.209.94.229), not sempers.com, because the domain resolves to Cloudflare IPs now. Secrets: QA_SSH_HOST and PROD_SSH_HOST.
- SiteGround SSH port: 18765 (not 22).
- Adding new subdomains: If you add a new subdomain that should NOT redirect to sempers.com, add it to the redirect rule exception list.
- .htaccess: The deploy-production.yml workflow overwrites .htaccess on every deploy. Any .htaccess changes must be made in the workflow file, not directly on the server.
Rollback
If anything goes wrong, change nameservers back to SiteGround’s originals at GoDaddy. Everything reverts within 1-24 hours.
Originally created: February 9, 2026
Updated: February 20, 2026 — Added wiki, Access, Pages config, actual DNS records, gotchas