TL;DR
Move from Cloudflare to one of:
- BunnyCDN — multi-PoP commercial CDN with crypto payment, content-permissive AUP. Closest like-for-like replacement.
- Self-hosted reverse proxy on a second offshore VPS (nginx, Caddy, HAProxy) — full control, no third party.
- No CDN — for sub-1M-pageview sites, a single offshore VPS often handles traffic fine without a CDN layer.
Critical: once you remove Cloudflare, your origin IP is exposed. If your origin is at a content-permissive offshore host, that’s fine. If your origin is somewhere you didn’t want public, change the origin first, then remove Cloudflare.
Why move off Cloudflare
The case for leaving Cloudflare in 2026:
- Content-policy risk: Cloudflare has terminated customers for non-DMCA reasons (Daily Stormer 2017, Kiwi Farms 2022, others). Their AUP is broader than DMCA. If your content is controversial-but-legal, Cloudflare is a single point of failure.
- US legal exposure: Cloudflare is US-headquartered and subject to US legal process including subpoenas for customer information.
- DNS history is in their records: if your DNS history is on Cloudflare, you’ve leaked your origin IP history forever.
- Performance is not always better: for single-region traffic, a properly-tuned VPS often outperforms Cloudflare’s free tier.
Pre-migration: address origin exposure
The single biggest risk in leaving Cloudflare is exposing your origin IP.
If you’ve been hiding behind Cloudflare specifically because your origin IP is sensitive, migrate the origin first:
- Provision a new VPS at a content-permissive offshore host (FlokiNET is the canonical pick).
- Migrate the application onto the new origin.
- Update Cloudflare DNS to point to the new origin.
- Verify everything works through Cloudflare for a few days.
- Then start the Cloudflare removal (steps below).
If your origin is already at a content-permissive offshore host, you can skip this and proceed directly to removal.
Step-by-step
1. Pick the replacement
BunnyCDN is the most-recommended commercial CDN for privacy-aligned operators in 2026:
- Multi-PoP (50+ global locations).
- Accepts crypto including Bitcoin.
- AUP is more content-permissive than Cloudflare.
- Pricing is per-GB, no minimum.
Self-hosted reverse proxy option:
- Provision a second VPS at a different offshore provider for geographic / jurisdictional spread.
- Run nginx or Caddy in front, proxying to your origin.
- Cache static assets locally.
- For DDoS protection, use the host’s built-in DDoS mitigation (FlokiNET, AbeloHost, BuyVM all have this).
No CDN — works fine for low-traffic sites:
- A single VPS with a 1 Gbps unmetered port handles substantial traffic.
- Offload static assets to object storage (BuyVM Block Storage) and serve directly.
2. DNS migration
- Reduce TTLs to 60 seconds 24 hours before cutover.
- Move your DNS away from Cloudflare DNS. Recommended: Njalla DNS (bundled with their domain service) or deSEC.io (free, EU-based, DNSSEC-by-default).
- Update A/AAAA records to point to the new edge (or directly to origin if no CDN).
- Update MX, CNAME, TXT records.
3. Cutover
- At cutover time: change the nameservers at your registrar from Cloudflare’s to the new DNS provider’s.
- Wait for nameserver propagation (5 min - 24 h depending on TLD).
- Verify traffic is flowing through the new path with curl -v and DNS lookup tools.
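One way to script the verification in step 3, as an added example that is not part of the original guide. It classifies `dig +short NS` and `curl -sI` output by looking for Cloudflare's `*.ns.cloudflare.com` nameservers and its `CF-RAY` / `Server: cloudflare` response headers. The function names, status labels and sample values are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Post-cutover check: is the zone still delegated to, or served through, Cloudflare?

# Reads NS records on stdin (one per line, as printed by `dig +short NS zone`).
# Succeeds if any nameserver is under ns.cloudflare.com.
ns_on_cloudflare() {
  grep -qiE '\.ns\.cloudflare\.com\.?$'
}

# Reads HTTP response headers on stdin (as printed by `curl -sI url`).
# Succeeds if Cloudflare edge markers are present.
headers_via_cloudflare() {
  tr -d '\r' | grep -qiE '^(cf-ray:|server:[[:space:]]*cloudflare[[:space:]]*$)'
}

# $1 = NS lookup output, $2 = response headers. Prints one status word.
cutover_status() {
  ns=no; hdr=no
  printf '%s\n' "$1" | ns_on_cloudflare && ns=yes
  printf '%s\n' "$2" | headers_via_cloudflare && hdr=yes
  case "$ns/$hdr" in
    no/no)   echo migrated ;;
    yes/yes) echo still-on-cloudflare ;;
    yes/no)  echo nameservers-not-switched ;;          # registrar change not made or not propagated
    no/yes)  echo resolver-cache-or-leftover-record ;; # old A/CNAME answer is still being served
  esac
}

# Live check against the zone apex; needs dig and curl on the PATH.
check_live() {
  cutover_status "$(dig +short NS "$1")" "$(curl -sI --max-time 10 "https://$1/")"
}

# Constructed sample data (not captured from a real site).
SAMPLE_NS_OLD='ada.ns.cloudflare.com.
bob.ns.cloudflare.com.'
SAMPLE_NS_NEW='ns1.dns-provider.example.
ns2.dns-provider.example.'
SAMPLE_HDR_OLD='HTTP/2 200
server: cloudflare
cf-ray: 0000000000000000-AMS'
SAMPLE_HDR_NEW='HTTP/2 200
server: nginx
cache-control: max-age=3600'

# Set CHECK_DOMAIN=yourdomain.example to query the live zone.
if [ -n "${CHECK_DOMAIN:-}" ]; then check_live "$CHECK_DOMAIN"; fi
```

Run it from more than one network or resolver: each resolver caches the old delegation independently until the TTLs expire.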
4. Decommission Cloudflare
- Wait 7 days post-cutover before removing the Cloudflare account (in case you need to roll back).
- Export and download your zone file before deletion.
- Cancel paid plans before final removal.
- Delete the Cloudflare account.
What you lose
Be honest about what Cloudflare provided that the replacement doesn’t:
- Free SSL certificate via Cloudflare Universal SSL: replaced by Let’s Encrypt (free, automated via Caddy).
- Free DDoS protection at unmetered scale: replaced by your VPS provider’s DDoS service (varies; FlokiNET and BuyVM are good).
- Bot management / WAF: replaced by self-hosted ModSecurity rules or by application-layer rate limiting.
- Workers (serverless): no exact replacement; rewrite as proper backend code.
- Always Online (cached version when origin is down): rare to need, can be replicated with stale-while-revalidate at edge nginx.
What you gain
- No third-party visibility into your traffic.
- No risk of policy-based termination by a US-headquartered edge.
- Origin IP is already at the offshore host, no longer dependent on a hiding layer.
- Lower long-term cost for many workloads (BunnyCDN is much cheaper than Cloudflare’s enterprise tiers).