Comprehensive Cloudflare setup

We are looking for an experienced specialist in Cloudflare to connect the service to the online store of used computer equipment compbest.com.ua. The site operates on a self-hosted Khoroshop on the client's VDS server (not cloud, as it is currently in Khoroshop).

Important conditions:

• The site operates in production with significant traffic, any work must be as safe as possible.

• Many integrations (analytics, advertising, own email, integration with eSputnik and CRM, API, payment services, backups to other servers, product exports, etc.) — nothing should "drop off".

• Critically:

  • do not block real users, advertising traffic, and useful bots;

  • do not harm SEO;

  • have the ability for quick and clear rollback of changes.

• Both security and speed optimization (caching, images in webp, etc.) need to be configured.

Configuration needs to be carried out in several stages:

1. Test connection to the mirror copy of the site

• Check the operation of the proxy (Proxied), HTTPS, order form, user cabinet, site admin panel, integrations.

• Check the operation of caching.

• Document the working configuration as a base for future transfer to production.

2. Audit production DNS

• Gather all records: A, CNAME, MX, TXT (SPF/DKIM/DMARC), SRV/CAA.

• List of subdomains: web, mail, API, dev, CRM, webhooks, integrations.

• Determine for each: Proxied or DNS only.

3. DNS configuration in Cloudflare (before changing NS)

• Import the DNS zone, verify with the current one, add missing records.

• Reduce TTL for key records (≈300 sec).

• All mail hosts (mail/SMTP/IMAP/POP/webmail) → DNS only (gray cloud).

• Transfer SPF/DKIM/DMARC TXT unchanged.

4. Switching NS and basic check

• Replace NS at the registrar with Cloudflare.

• compbest.com.ua and www → Proxied.

• Check everything: site, admin panel, cart/checkout, other forms, buyer's cabinet, mail (SPF/DKIM/DMARC = pass), integrations (payments, CRM, API), etc.

5. SSL and security (WAF / Firewall / admin panel)

• SSL/TLS: Full (Strict) mode (if the server has a valid certificate).

• Enable Always Use HTTPS, check for redirect loop.

• Configure WAF:

  • Cloudflare Managed Rules / OWASP in soft mode (Security Level Low/Medium).

  • Do not block Googlebot / Bing / advertising bots.

• Whitelist for payment services, CRM, important integrations (IP/ASN), our trusted servers.

• Specific rules for the site admin panel:

  • no caching (at the level of rules/exceptions),

  • enhanced protection (Firewall/Challenge for suspicious requests),

  • while not breaking access for managers from dynamic IP/VPN (exceptions).

6. Caching and performance

• Standard caching of static files (CSS/JS/images).

• Exclusions from caching: cart, checkout, login, personal cabinet, admin URL.

• Optimizations: Auto Minify (HTML/CSS/JS), Brotli, HTTP/2/3.

• Image compression + conversion to WebP/modern formats via Cloudflare (Polish/Images or similar), without breaking existing image URLs.

7. Monitoring (two weeks after connecting Cloudflare)

• Monitor the operation of all integrations.

• Check in Cloudflare/Google Search Console/Microsoft Clarity/Google Analytics/ad services:

  • that search and advertising bot traffic is not blocked;

  • there are no mass 4xx/5xx due to WAF/Firewall;

  • there is no drop in SEO positions.

In the response, please indicate:

real experience with Cloudflare and relevant implementation cases;

timelines;

price.