appycodes.

Most teams treat Cloudflare as a CDN. We use it as a deployment target.

Cloudflare as a deployment target, not a CDN. Workers for edge logic. R2 for media. WAF and Bulk Redirects for migrations. We use the full surface, not just the orange cloud.

Request path · Cloudflare edge

  • Workers

    Edge logic, A/B, auth, header rewrites

  • WAF · Rules

    Country allowlists, bot defence, rate limiting

  • Cache

    What to cache, what to bypass, how to invalidate

  • Redirect Rules

    Single rules, bulk redirects, wildcard fallbacks

R2 storage

Zero egress

Origin

WordPress · Laravel · Pages

What you get

Six surfaces we actually ship on.

Not an exhaustive list of Cloudflare products. Only the ones we use in production today and can recommend with a war story attached.

01

R2 storage migrations

Off S3, DO Spaces, or origin disk. Cost-modelled before the move. Standalone PHP / Node migration scripts that don't load the host CMS so they survive plugin / package conflicts.

02

Workers for edge logic

A/B testing, personalisation, header rewrites, geo-aware redirects, signed-URL gates, simple auth. Code that runs in 270+ POPs without thinking about it.

03

Redirect Rules architecture

Single Redirect Rules on Business+, Bulk Redirects from exported sitemaps (up to 100K), wildcard fallbacks via wildcard_replace. Layered for ambiguous shapes.

04

WAF rule design

Country allowlists. ASN blocking. Bot management with Managed Challenge tuning. Rate limiting that bites attackers, not Googlebot. We test under Managed Challenge before flipping to Block.

05

Cache strategy

What to cache at the edge, what to bypass, how to invalidate. Tuned for WordPress, WooCommerce, and Laravel apps where pages and APIs cache very differently.

06

Pages deployments

Static and Next.js sites where the build pipeline fits. Custom builds with Workers in front. Branch previews, custom domains, the boring deployment plumbing.

The egress cost curve

Why media-heavy WordPress sites move to R2.

Monthly cost ($) for 100 GB stored across S3 (eu-west-2), DigitalOcean Spaces (lon1), and Cloudflare R2, plotted against outbound egress (TB / month). R2's zero-egress pricing produces the sharp divergence at the right.

EgressS3 (eu-west-2)DO Spaces (lon1)Cloudflare R2
1 TB / month$90$80$15
5 TB / month$450$400$15
10 TB / month$900$800$15
25 TB / month$2,250$2,000$15
50 TB / month$4,500$4,000$15
100 TB / month$9,000$8,000$15

R2 stays flat because egress is zero. The other two scale linearly with outbound traffic.

Evidence

Three engagements. Different Cloudflare primitives in each.

R2 + Forge migration

All White Laser

Migrated media from a Forge-hosted WordPress site to Cloudflare R2 (S3-compatible, endpoint https://<account-id>.r2.cloudflarestorage.com).

The interesting part wasn't the migration, it was sidestepping plugin Guzzle conflicts. AutomateWoo and others bundle their own Guzzle; the bundled versions disagree. Solution: don't load WordPress in the migration script. Standalone PHP, AWS SDK via Composer in a separate vendor tree, credentials in a dedicated r2-config.php with chmod 600, off-VCS.

The recurring monthly cron sync uses the same WP-free script pattern so it survives plugin updates.

# r2-config.php (chmod 600, off-VCS)
$config = [
  'endpoint' => 'https://<id>.r2.cloudflarestorage.com',
  'region' => 'auto',
  'credentials' => [ ... ],
];

Redirect rules at the edge

UK action-sports retailer (anonymised)

Magento to Shopify migration with ambiguous URL shapes the platform couldn't resolve. Wildcards via wildcard_replace on Free/Pro plans (no regex), regex Single Redirect Rules on Business+, layered with explicit per-URL overrides.

Long-term: Cloudflare Bulk Redirects driven by an exported sitemap CSV. Wildcard rules retained as fallback. Client name changed due to confidentiality, a whitelabel engagement.

# regex Single Redirect Rule
when (http.request.uri.path matches "^/[^/]+\.html$")
then concat("/products", regex_replace(
  http.request.uri.path, "\.html$", ""))

WAF · geo · bot defence

PlusHeat logo

PlusHeat

nginx upstream timeouts caused by Hetzner Cloud bots hammering specific paths. Built the Cloudflare WAF rule using an allowlist approach (not ip.src.country in {GB IE FR DE NL ...}) rather than enumerating every country to block.

Carved out India, Pakistan, and the US, necessary for our own developers and search engine crawlers. Added cf.client.bot to ensure verified Googlebot bypasses geo restrictions. Deployed first under Managed Challenge to monitor Firewall Events for false positives, switched to Block once clean.

# Cloudflare WAF expression
(not ip.src.country in {"GB" "IE" "FR" "DE" "NL" "IN" "PK" "US"})
and not cf.client.bot

Paired engagements: Shopify migration (the rules above), WordPress security (the WAF tuning), maintenance and support for the ongoing edge tuning.

Good fit if

When the edge earns its keep

  • WordPress / WooCommerce sites paying for S3 egress on media-heavy stores
  • Teams migrating platforms (Magento, WordPress, custom to Shopify) with messy URL shapes
  • Sites under attack (DDoS, credential stuffing, content scraping) that need WAF rules tuned by someone who has tuned them before
  • Operators using Cloudflare as the orange cloud and nothing else, leaving 80% of the value on the table

Probably not a fit

When Cloudflare isn't the answer

  • Sites where Cloudflare isn't deployed at all. Start with a free tier and basic DNS
  • Apps with hard requirements for Fastly, Akamai, or AWS CloudFront edge specifically
  • Teams looking for a Cloudflare reseller. We engineer, we don't bill for the plan

Surface we operate on

Workers, R2, WAF, Rules, Pages. The rest on demand.

Edge compute
Workers · Durable Objects · KV · D1 (where workload fits)
Storage
R2 · S3-compatible · zero egress fees · monthly cron syncs
Routing
Single Redirect Rules · Bulk Redirects · wildcard fallbacks
Security
WAF · Rate Limiting · Managed Challenge to Block escalation · ASN + geo
Hosting
Cloudflare Pages · static + Next.js builds with Workers in front

If Cloudflare is on but only as DNS

Bring the bill, the URL shapes, or the bot pattern. We'll show what the edge can absorb.

Contact