How Interesting...
July 26, 2021

QNAP - front your internet facing NAS with Cloudflare

Posted on July 26, 2021  •  5 minutes  • 1031 words
Table of contents

This article shows you how to front your QNAP’s public DDNS with Cloudflare; an enterprise-class edge network service. Using Cloudflare - even on the free tier comes with a ton of benefits including:

Yey another feature we’ll use is to offload our responsibility of SSL certificate renewals to Cloudflare. If you’ve set up Let’s Encrypt such as in my previous post you’ll already know you need to manually renew this certificate every three months. Sure it’s just a click of a button, but it’s annoyingly not automatable directly from the QNAP’s user interface. Cloudflare are their own certificate authority, which means we can replace this old process with one which automatically renews 🚀


When this article was originally written, DNS Flattening, which allows you to host a canonical name (CNAME) at the root of a domain was not yet available. Therefore I used a subdomain, which is a more traditional way of supporting a CNAME. Both ways should work and it’s up to you if you want your QNAP on a subdomain or at the root.

Before you begin

Before you start making changes, it’s worth knowing a few things.

Using Cloudflare in this way will only offer its benefits on your vanity domain - not on your DDNS myqnapcloud domain. If someone were to learn that address they could access it directly and skip Cloudflare. You could additionally set up some firewall rules to QuFirewall which only allow access from Cloudflare’s network, but those connections would still be received by the NAS, meaning DDoS attacks would still be possible. If I find a way to solve this problem, I’ll write a future post on how.

If you use your domain for multiple services

The following changes will affect all services or endpoints which you host on your custom vanity domain. For instance, if you have a vanity domain such as and you currently host your QNAP on but you also have a website on a subdomain such as, both will be affected. Once you configure Cloudflare, any existing SSL certificates will be overruled and become irrelevant. If you only intend to host your QNAP on your vanity domain, this warning is safe to ignore.

The process takes time

This process can take several hours to complete. DNS propagation takes time and you might end up debugging ghosts if you’re not careful. You will have limited and sometimes no access to your vanity domain until everything is finished. If you get something wrong you’ll have to resort to accessing your QNAP via your local IP address within your network until you resolve the issues, so it’s worth performing this work when you’re within the same network as your QNAP.

You may also need access to your domain registrar to make changes.

Preparing the NAS

Add Cloudflare access to QuFirewall

You may need to add Cloudflare to your firewall if you have one active, even with if you only have basic protection selected. This is because Cloudflare is an North American company and your GeoIP blocking will prevent any access unless you’re in North America. We’ll continue to use QuFirewall as your DDNS domain will not be directly protected.

Cloudflare’s IP ranges can be found here:

We will need to add them all to the the firewall’s allow list.

Editing your QuFirewall Profile

  1. Edit the active profile

  2. Click Add Rule and enter the fist IP4 address to the list as an IP Range. Select the correct Subnet Mask via the drop-down like so:

  3. Click Apply and rinse and repeat for all IP4 addresses in the list

  4. Once all of the IP4 Addresses have been added, ensure they sit above the deny all rule in the list. You can drag and drop to modify ordering

  5. Make sure you apply the changes

Setting Up Cloudflare

  1. Create a Cloudflare account here if you do not have one already and sign in:

  2. Add your custom vanity domain you use for your QNAP using the Add a Site button. Don’t add your DDNS ( here:

  3. Select the Free Account

  4. Let Cloudflare scan and add your existing DNS records. Once it’s populated them, click Add Record

  5. Fill out the following details:
    Type: select CNAME from the drop down menu
    Name: enter your subdomain here, eg qnap if you want to access your QNAP at If you just want to host your QNAP at the root of the domain, simply enter an @ symbol. What this does is “flatten” your domain to allow you to use a CNAME to your DDNS.
    Target: enter your QNAP DDNS domain here in full. Do this even if you’re using DNS flattening. The end result will be something like so:
    A CNAME (canonical name) is an alias of another domain. This domain can be either another CNAME record, or different domain, such as You can read more about CNAMEs here

  6. Change your nameservers as instructed by the next page. You’ll need to visit your Domain Registrar and update the name server records to point to the ones Cloudflare assign you. Here’s the ones I have assigned for this blog: This bit can take a while as the DNS changes need to be propagated around the world.

  7. I recommend setting up security with the following settings to get you started. Cloudflare are adding new features all the time, so it’s a good idea to take a look around and experimenting to see what works best for you.
    Automatic HTTPS Rewrites : ON
    Always use HTTPS : ON
    Auto Minify : JS, CSS, HTML
    Brotli : ON

  8. Check back in 24 hours. You may lose access to your QNAP if you have a Firewall running such as QFirewall etc. This will be because you have not yet added in access to and from Cloudflare.

That’s it. All going well you should now have some of the added benefits of fronting your QNAP with Cloudflare.

Socials / Links

I tweet tech, bad jokes and silly memes