# Cloudflare Configuration Guide

## DNS Setup

### 1. Create API Token (Recommended)

1. Go to [Cloudflare API Tokens](https://dash.cloudflare.com/profile/api-tokens)
2. Click **Create Token**
3. Use **Custom Token**
4. Configure permissions (the Zone Resources entry in the next step restricts them to one zone):
   - **Zone:Read**
   - **DNS:Edit**
5. Zone Resources:
   - Include: Specific zone - lemonlink.eu
6. Click **Continue to summary** → **Create Token**
7. Copy the token to your `.env` file as `CF_DNS_API_TOKEN`

The token is displayed once, so store it straight away and keep `.env` out of git (`chmod 600 .env`). Scoping it to lemonlink.eu means a leaked token can only change records in that zone, unlike the Global API Key, which has full account access. `CF_DNS_API_TOKEN` is the variable Traefik's Cloudflare DNS provider reads; a single token carrying both Zone:Read and DNS:Edit is enough for the ACME DNS-01 challenge, which is the only challenge type that can issue the wildcard certificate this setup needs.

### 2. DNS Records

Create these A records in Cloudflare DNS:

| Type | Name | Target | Proxy Status | TTL |
|------|------|--------|--------------|-----|
| A | @ | YOUR_SERVER_IP | 🟠 Proxied | Auto |
| A | * | YOUR_SERVER_IP | 🟠 Proxied | Auto |
| A | auth | YOUR_SERVER_IP | 🟠 Proxied | Auto |

The wildcard (`*`) record is crucial for automatic subdomain routing: Traefik can expose a new service on any subdomain without a DNS change. All three records are proxied, so public DNS answers with Cloudflare edge addresses and YOUR_SERVER_IP never appears in DNS; any record you add later with the grey cloud (DNS only) exposes the origin address and bypasses every Cloudflare setting below. The explicit `auth` record resolves the same as the wildcard would; it is listed so the auth host is visible in the record list.

### 3. SSL/TLS Settings

Navigate to **SSL/TLS** → **Overview**:

| Setting | Value | Why |
|---------|-------|-----|
| SSL/TLS encryption mode | **Full (strict)** | TLS on both legs, and Cloudflare validates the origin certificate (Let's Encrypt from Traefik, or a Cloudflare Origin CA cert). **Flexible** sends plaintext HTTP to the origin; **Full** accepts any certificate, including self-signed, so an attacker on the path could impersonate the origin |
| Always Use HTTPS | **ON** | Redirects HTTP to HTTPS at the edge |
| Automatic HTTPS Rewrites | **ON** | Rewrites `http://` links in responses to avoid mixed content |
| Minimum TLS Version | **1.2** | TLS 1.0/1.1 are deprecated and rejected by modern clients anyway |

### 4. Edge Certificates

**SSL/TLS** → **Edge Certificates**:

- **Always Use HTTPS**, **Minimum TLS Version** (1.2) and **Automatic HTTPS Rewrites** are the same toggles as in section 3; confirm they are set
- Enable **Opportunistic Encryption**
- Confirm **TLS 1.3** is enabled (it is on by default and is the fastest handshake)

The certificate browsers see is Cloudflare's edge certificate (Universal SSL), not the one Traefik obtains. Your origin certificate is only ever validated by Cloudflare.

### 5. Security Settings

**Security** → **Settings**:

| Setting | Recommended Value |
|---------|-------------------|
| Security Level | Medium or High |
| Challenge Passage | 30 minutes |
| Browser Integrity Check | ON |

### 6. DDoS Protection

**Security** → **DDoS** → **Configure**:

- HTTP DDoS attack protection: **ON**
- Sensitivity: **High**
- Action: **Managed Challenge**

### 7. Firewall Rules (Optional but Recommended)

**Security** → **WAF** → **Custom rules** (the dashboard formerly called these Firewall rules). Create rules to stop unwanted traffic at the edge before it reaches your server.

**Block Unverified Bots:**

```
(lower(http.user_agent) contains "bot" and not cf.client.bot)
```

Action: Managed Challenge (or Block)

`cf.client.bot` is true for bots Cloudflare has verified (search engine crawlers, uptime monitors, and so on). A rule that matches `cf.client.bot` itself would block exactly those good bots, so the expression must only catch self-declared bots that are *not* verified. Matching on the User-Agent string is a weak signal, since a scanner can send any string it likes, which is why Managed Challenge is the safer action than an outright Block.

**Rate Limit Login Attempts:**

Rate limits are configured separately under **Security** → **WAF** → **Rate limiting rules**; a custom rule cannot count requests.

```
(http.request.uri.path eq "/login") or (starts_with(http.request.uri.path, "/api/verify"))
```

Rate: 5 requests per 10 seconds (counted per source IP). Action: Managed Challenge

Matching with `eq` or `starts_with` instead of `contains` avoids throttling unrelated paths that happen to contain `/login`. `/login` and `/api/verify` are the endpoints used by this setup; substitute whatever your auth service exposes.

**Block Countries (Optional):**

```
(not ip.geoip.country in {"SE" "NO" "DK" "FI" "DE"})
```

Action: Block or Challenge

`ip.geoip.country` is the older name of `ip.src.country`; both work in the expression editor. Geo-blocking locks out legitimate users who travel or use a VPN and does nothing against an attacker with a VPN exit in an allowed country, so prefer Managed Challenge over Block unless the service really is region-bound.

### 8. Origin Server Certificates (Optional)

For extra security between Cloudflare and your server:

1. **SSL/TLS** → **Origin Server** → **Create Certificate**
2. Let Cloudflare generate a certificate
3. Choose RSA (2048) or ECC
4. Download certificate and private key
5. Place in `traefik/certs/` and reference in config

An Origin CA certificate is trusted only by Cloudflare's edge, not by browsers, so it satisfies Full (strict) but anyone who connects to the origin IP directly sees an untrusted certificate. That is acceptable only if the origin firewall allows ports 80/443 from Cloudflare's IP ranges alone (see the last section); otherwise the proxied DNS records hide the origin address but nothing stops traffic that already knows it.

For most homelab setups, the Let's Encrypt certificates Traefik obtains automatically are sufficient.

### 9. Page Rules (Optional)

**Rules** → **Page Rules** (Cloudflare now steers new setups to Cache Rules and Configuration Rules; Page Rules still work):

Create rules for specific caching/security behaviors:

**Cache Static Assets:**

```
*lemonlink.eu/static/*
```

Settings:
- Cache Level: Cache Everything
- Edge Cache TTL: 1 month

Use **Cache Everything** only on paths that never return per-user content; a cached authenticated response would be served to every visitor.

**Secure Auth Endpoint:**

```
auth.lemonlink.eu/*
```

Settings:
- Security Level: High
- Browser Integrity Check: On

### 10. Analytics & Monitoring

Enable **Security Events** notifications:

1. **Notifications** → **Add**
2. Choose **Security Events**
3. Set a threshold high enough that a single blocked request does not page you (e.g., notify on 100+ events)

## Verification

Test your setup:

```bash
# DNS: proxied names resolve to Cloudflare edge addresses, never to YOUR_SERVER_IP
dig +short lemonlink.eu
dig +short auth.lemonlink.eu
dig +short test.lemonlink.eu   # any name under the wildcard should resolve the same way

# HTTPS: the response should carry Cloudflare headers (server: cloudflare, cf-ray)
curl -sI https://lemonlink.eu

# Edge certificate presented to browsers (Cloudflare Universal SSL, not your origin cert)
echo | openssl s_client -servername lemonlink.eu -connect lemonlink.eu:443 2>/dev/null \
  | openssl x509 -noout -text | grep -A2 "Subject Alternative Name"

# Origin certificate, which is what Full (strict) validates: connect to the server directly
echo | openssl s_client -servername lemonlink.eu -connect YOUR_SERVER_IP:443 2>/dev/null \
  | openssl x509 -noout -issuer -dates
```

## Troubleshooting

### "Too Many Redirects" Error

- Check SSL/TLS mode is **Full (strict)**, not Flexible: with Flexible, Cloudflare connects to the origin over HTTP, Traefik redirects to HTTPS, and the loop repeats
- Verify no redirect loops in Traefik config

### Certificate Errors

- If you created the scoped token from section 1, Traefik needs `CF_DNS_API_TOKEN` in `.env`; `CF_API_EMAIL` plus `CF_API_KEY` is the Global API Key path and should only be used if you deliberately chose that
- Check Traefik logs for ACME errors
- Verify DNS propagation: `dig @1.1.1.1 lemonlink.eu`
- If the ACME DNS challenge times out although the TXT record appears in Cloudflare, the host resolver is probably caching: point the resolver's `dnschallenge.resolvers` option at `1.1.1.1:53`

### Cloudflare IP in Logs (Not Client IP)

- Ensure `forwardedHeaders.trustedIPs` includes all Cloudflare IPs in `traefik.yml`; Traefik ignores `X-Forwarded-For` from untrusted sources
- Check `X-Forwarded-For` (or the Cloudflare-specific `CF-Connecting-IP`) header is being passed
- Trusting these headers is only safe when the origin accepts connections from Cloudflare alone; a client that reaches YOUR_SERVER_IP directly can set `X-Forwarded-For` to any value

## Cloudflare IPs (Keep Updated!)

Traefik config includes Cloudflare IPs, but verify they're current: https://www.cloudflare.com/ips/

Plain-text lists suitable for scripting are published at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6. Update `traefik/traefik.yml` (and the origin firewall allowlist) if IPs change.
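The following script is an added example, not part of the original guide or of the Traefik project. It fetches Cloudflare's published ranges and renders both the `forwardedHeaders.trustedIPs` fragment for `traefik.yml` and a ufw allowlist that restricts ports 80/443 to those ranges, which is what makes trusting `X-Forwarded-For` safe. The output file names, the `CF_IPS_LIVE` switch and the ufw port list are this example's own assumptions; the sample CIDRs embedded for the offline self-check are documentation prefixes, not Cloudflare's real ranges.

```shell
#!/bin/sh
# Added example (not from the original guide): render Traefik trustedIPs and a ufw
# allowlist from Cloudflare's published IP ranges. Assumed names: CF_IPS_LIVE switch,
# output files cloudflare-cidrs.txt / traefik-trusted-ips.yml / ufw-cloudflare.sh.
set -eu

CF_IPS_V4_URL="https://www.cloudflare.com/ips-v4"
CF_IPS_V6_URL="https://www.cloudflare.com/ips-v6"

# Constructed sample (documentation prefixes, NOT Cloudflare's real ranges) for the
# offline self-check below; a real deployment must render from the live list.
SAMPLE_CIDRS="198.51.100.0/24
203.0.113.0/24
2001:db8::/32"

# Print the live list, one CIDR per line (the files have no trailing newline, hence the echo).
fetch_cf_cidrs() {
  curl -fsS "$CF_IPS_V4_URL"; echo
  curl -fsS "$CF_IPS_V6_URL"; echo
}

# Keep only well-formed IPv4/IPv6 CIDR lines; an HTML error page or blank line is dropped
# rather than ending up in the firewall rules.
clean_cidrs() {
  tr -d '\r' | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$|^[0-9a-fA-F:]+/[0-9]{1,3}$'
}

# YAML fragment for entryPoints.<name>.forwardedHeaders in traefik.yml (stdin: CIDRs).
render_traefik_trusted_ips() {
  printf 'forwardedHeaders:\n  trustedIPs:\n'
  while IFS= read -r cidr; do
    [ -n "$cidr" ] || continue
    printf '    - "%s"\n' "$cidr"
  done
}

# ufw commands limiting the web ports to Cloudflare; assumes 'ufw default deny incoming'
# so that anything not in the list is rejected (stdin: CIDRs).
render_ufw_allowlist() {
  while IFS= read -r cidr; do
    [ -n "$cidr" ] || continue
    printf 'ufw allow proto tcp from %s to any port 80,443 comment cloudflare\n' "$cidr"
  done
}

# Offline self-check on the constructed sample: all three sample ranges must survive
# cleaning and appear as trustedIPs entries.
self_check() {
  n=$(printf '%s\n' "$SAMPLE_CIDRS" | clean_cidrs | render_traefik_trusted_ips | grep -c '^    - ')
  [ "$n" -eq 3 ]
}

# Only with CF_IPS_LIVE=1 does the script touch the network and write the fragments.
if [ "${CF_IPS_LIVE:-0}" = 1 ]; then
  fetch_cf_cidrs | clean_cidrs > cloudflare-cidrs.txt
  render_traefik_trusted_ips < cloudflare-cidrs.txt > traefik-trusted-ips.yml
  render_ufw_allowlist < cloudflare-cidrs.txt > ufw-cloudflare.sh
  echo "rendered $(wc -l < cloudflare-cidrs.txt) Cloudflare ranges"
fi
```

Run it as `CF_IPS_LIVE=1 sh cf-ips.sh`, paste `traefik-trusted-ips.yml` under the `websecure` entry point, and review `ufw-cloudflare.sh` before executing it: once the allowlist is in place, only Cloudflare can reach the origin, so keep a separate rule for your own SSH access and re-run the script on a schedule since the ranges change occasionally.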
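As a second added example (again not code from the original guide), the token from section 1 and the records from section 2 can be set up from the shell instead of the dashboard, which also gives a quick way to confirm that the token is active and scoped to the right zone. The endpoints are Cloudflare's documented v4 API; `ZONE`, `ORIGIN_IP` and the helper names are this example's assumptions, and the API is only contacted when `CF_DNS_API_TOKEN` is set.

```shell
#!/bin/sh
# Added example (not from the original guide): verify the scoped API token and create the
# proxied A records from section 2 via the Cloudflare v4 API. Assumed inputs: CF_DNS_API_TOKEN,
# ZONE (defaults to lemonlink.eu) and ORIGIN_IP.
set -eu

CF_API="https://api.cloudflare.com/client/v4"

# Minimal authenticated request helper: cf_api METHOD PATH [JSON_BODY]
cf_api() {
  method=$1; path=$2; body=${3:-}
  curl -fsS -X "$method" "$CF_API$path" \
    -H "Authorization: Bearer $CF_DNS_API_TOKEN" \
    -H "Content-Type: application/json" \
    ${body:+--data "$body"}
}

# JSON body for one record: ttl 1 means "Auto", proxied true keeps the origin IP out of DNS.
dns_record_json() {  # TYPE NAME CONTENT PROXIED(true|false)
  printf '{"type":"%s","name":"%s","content":"%s","proxied":%s,"ttl":1}' "$1" "$2" "$3" "$4"
}

# /user/tokens/verify reports result.status; anything other than "active" means the token
# is expired, disabled or mistyped.
token_is_active() {  # JSON
  printf '%s' "$1" | grep -Eq '"status"[[:space:]]*:[[:space:]]*"active"'
}

# Value of the first "KEY":"value" pair in a response, without depending on jq. For the
# zone listing the first "id" is the zone id; nested account/owner ids come later.
json_first_str() {  # JSON KEY
  printf '%s' "$1" \
    | grep -o "\"$2\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" \
    | head -n 1 \
    | sed 's/.*:[[:space:]]*"//; s/"$//'
}

# Create the @, wildcard and auth records. The API rejects an exact duplicate record, so
# re-running on an already configured zone fails loudly instead of adding copies.
create_records() {  # ZONE ORIGIN_IP
  zone_id=$(json_first_str "$(cf_api GET "/zones?name=$1")" id)
  [ -n "$zone_id" ] || { echo "zone $1 is not visible to this token (needs Zone:Read)" >&2; return 1; }
  for name in "$1" "*.$1" "auth.$1"; do
    resp=$(cf_api POST "/zones/$zone_id/dns_records" "$(dns_record_json A "$name" "$2" true)")
    echo "created $(json_first_str "$resp" name) -> $2 (proxied)"
  done
}

main() {
  verify=$(cf_api GET /user/tokens/verify)
  token_is_active "$verify" || { echo "token is not active: $verify" >&2; return 1; }
  create_records "${ZONE:-lemonlink.eu}" "${ORIGIN_IP:?set ORIGIN_IP to the server address}"
}

# Only contact the API when a token is present, so the helpers can be sourced and tested offline.
if [ -n "${CF_DNS_API_TOKEN:-}" ]; then
  main
fi
```

A token that verifies as active but cannot see the zone is the usual symptom of forgetting Zone:Read or of scoping Zone Resources to the wrong zone; the script reports that case separately from an invalid token, which is the same distinction to make when Traefik's ACME log shows authentication errors.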