# Cloudflare Configuration Guide

## DNS Setup
### 1. Create API Token (Recommended)
- Go to Cloudflare API Tokens
- Click Create Token
- Use Custom Token
- Configure permissions:
  - Zone:Read - All zones
  - DNS:Edit - All zones
  - Zone Resources:
    - Include: Specific zone - lemonlink.eu
- Click Continue to summary → Create Token
- Copy the token to your `.env` file as `CF_DNS_API_TOKEN`
### 2. DNS Records
Create these A records in Cloudflare DNS:
| Type | Name | Target | Proxy Status | TTL |
|---|---|---|---|---|
| A | @ | YOUR_SERVER_IP | 🟠 Proxied | Auto |
| A | * | YOUR_SERVER_IP | 🟠 Proxied | Auto |
| A | auth | YOUR_SERVER_IP | 🟠 Proxied | Auto |
The wildcard (*) record is crucial for automatic subdomain routing.
### 3. SSL/TLS Settings
Navigate to SSL/TLS → Overview:
| Setting | Value | Why |
|---|---|---|
| SSL/TLS encryption mode | Full (strict) | Encrypts end-to-end with origin cert validation |
| Always Use HTTPS | ON | Redirects HTTP to HTTPS |
| Automatic HTTPS Rewrites | ON | Fixes mixed content |
| Minimum TLS Version | 1.2 | Security best practice |
### 4. Edge Certificates
SSL/TLS → Edge Certificates:
- Enable Always Use HTTPS
- Set Minimum TLS Version to 1.2
- Enable Automatic HTTPS Rewrites
- Enable Opportunistic Encryption
- Consider enabling TLS 1.3 (fastest)
### 5. Security Settings
Security → Settings:
| Setting | Recommended Value |
|---|---|
| Security Level | Medium or High |
| Challenge Passage | 30 minutes |
| Browser Integrity Check | ON |
### 6. DDoS Protection
Security → DDoS → Configure:
- HTTP DDoS attack protection: ON
- Sensitivity: High
- Action: Managed Challenge
### 7. Firewall Rules (Optional but Recommended)
Security → WAF → Firewall rules:
Create rules to block threats before they reach your server:
Block Known Bad Bots:
```
(cf.client.bot) or (http.user_agent contains "bot" and not cf.client.bot)
```
Action: Block
Rate Limit Login Attempts:
```
(http.request.uri.path contains "/api/verify") or (http.request.uri.path contains "/login")
```
Action: Challenge (Rate limit: 5 requests per 10 seconds)
Block Countries (Optional):
```
(not ip.geoip.country in {"SE" "NO" "DK" "FI" "DE"})
```
Action: Block or Challenge
### 8. Origin Server Certificates (Optional)
For extra security between Cloudflare and your server:
- SSL/TLS → Origin Server → Create Certificate
- Let Cloudflare generate a certificate
- Choose RSA (2048) or ECC
- Download certificate and private key
- Place in `traefik/certs/` and reference in config
For most homelab setups, the auto-generated Let's Encrypt certificates are sufficient.
### 9. Page Rules (Optional)
Rules → Page Rules:
Create rules for specific caching/security behaviors:
Cache Static Assets:
`*lemonlink.eu/static/*`
Settings:
- Cache Level: Cache Everything
- Edge Cache TTL: 1 month
Secure Auth Endpoint:
`auth.lemonlink.eu/*`
Settings:
- Security Level: High
- Browser Integrity Check: On
### 10. Analytics & Monitoring
Enable Security Events notifications:
- Notifications → Add
- Choose Security Events
- Set threshold (e.g., notify on 100+ events)
## Verification
Test your setup:
```bash
# Check DNS resolution
dig +short lemonlink.eu
dig +short auth.lemonlink.eu
dig +short test.lemonlink.eu   # Should resolve to a Cloudflare IP (wildcard record)

# Check SSL
curl -I https://lemonlink.eu   # Should show Cloudflare headers (e.g. server: cloudflare, cf-ray)

# Check certificate
echo | openssl s_client -servername lemonlink.eu -connect lemonlink.eu:443 2>/dev/null \
  | openssl x509 -noout -text | grep -A2 "Subject Alternative Name"
```
## Troubleshooting
### "Too Many Redirects" Error
- Check SSL/TLS mode is Full (strict), not Flexible
- Verify no redirect loops in Traefik config
### Certificate Errors
- Ensure `CF_API_EMAIL` and `CF_API_KEY` are correct in `.env`
- Check Traefik logs for ACME errors
- Verify DNS propagation:
```bash
dig @1.1.1.1 lemonlink.eu
```
### Cloudflare IP in Logs (Not Client IP)
- Ensure `forwardedHeaders.trustedIPs` includes all Cloudflare IPs in `traefik.yml`
- Check the `X-Forwarded-For` header is being passed
### Cloudflare IPs (Keep Updated!)
Traefik config includes Cloudflare IPs, but verify they're current: https://www.cloudflare.com/ips/
Update `traefik/traefik.yml` if IPs change.
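The two troubleshooting points above (Cloudflare IP in logs, stale trusted ranges) are easy to check mechanically. The script below is an added example, not part of this guide or of Traefik: it reports published edge ranges that `forwardedHeaders.trustedIPs` does not cover, and shows how the real client address should be recovered from `X-Forwarded-For` only when the TCP peer is a trusted edge. Both CIDR lists are constructed samples (documentation ranges) standing in for the `traefik.yml` block and the live https://www.cloudflare.com/ips/ list.

```python
import ipaddress

# Constructed sample data (RFC 5737/3849 documentation ranges, not Cloudflare's real list):
# what traefik.yml currently trusts ...
TRUSTED_IPS = ["198.51.100.0/24", "2001:db8:1::/48"]
# ... and what the published list currently says (two ranges added since).
PUBLISHED_CF_IPS = ["198.51.100.0/24", "203.0.113.0/24", "2001:db8:1::/48", "2001:db8:2::/48"]


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def missing_ranges(trusted, published):
    """Return published ranges that no trusted range fully covers.

    Requests arriving from these edge nodes carry an untrusted X-Forwarded-For,
    so Traefik logs the Cloudflare address instead of the client's.
    """
    trusted_nets = _nets(trusted)
    missing = []
    for net in _nets(published):
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        covered = any(net.version == t.version and net.subnet_of(t) for t in trusted_nets)
        if not covered:
            missing.append(str(net))
    return missing


def client_ip(remote_addr, x_forwarded_for, trusted):
    """Recover the client address the way a trusted-proxy setup should.

    If the TCP peer is not a trusted edge, the header is client-controlled and
    is ignored. Otherwise walk X-Forwarded-For from the right, skipping trusted
    hops; the first untrusted hop is the client.
    """
    trusted_nets = _nets(trusted)

    def is_trusted(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in t for t in trusted_nets)  # mixed versions compare False

    if not is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return remote_addr


if __name__ == "__main__":
    print("uncovered Cloudflare ranges:", missing_ranges(TRUSTED_IPS, PUBLISHED_CF_IPS))
    print("client:", client_ip("198.51.100.7", "192.0.2.10, 198.51.100.7", TRUSTED_IPS))
```

Swap the two lists for the `trustedIPs` block from `traefik/traefik.yml` and the current published ranges; any range reported as uncovered is a `traefik.yml` update waiting to happen.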