# Cloudflare Configuration Guide

## DNS Setup

### 1. Create API Token (Recommended)

1. Go to [Cloudflare API Tokens](https://dash.cloudflare.com/profile/api-tokens)
2. Click **Create Token**
3. Use **Custom Token**
4. Configure permissions:
   - **Zone:Read** - All zones
   - **DNS:Edit** - All zones
5. Zone Resources:
   - Include: Specific zone - lemonlink.eu
6. Click **Continue to summary** → **Create Token**
7. Copy the token to your `.env` file as `CF_DNS_API_TOKEN`

### 2. DNS Records

Create these A records in Cloudflare DNS:

| Type | Name | Target | Proxy Status | TTL |
|------|------|--------|--------------|-----|
| A | @ | YOUR_SERVER_IP | 🟠 Proxied | Auto |
| A | * | YOUR_SERVER_IP | 🟠 Proxied | Auto |
| A | auth | YOUR_SERVER_IP | 🟠 Proxied | Auto |

The wildcard (`*`) record is crucial for automatic subdomain routing.
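
A quick audit of the table above, written as an added example (not part of this guide): it checks a Cloudflare `dns_records` API response for the three A records and flags any that are not proxied, since a DNS-only record publishes the origin IP and bypasses everything configured below. It assumes the API reports record names as FQDNs (the wildcard as `*.lemonlink.eu`); the response below is a constructed sample.

```python
"""Audit the DNS records table: present, type A, and proxied."""
import json

ZONE = "lemonlink.eu"

# Constructed sample of a /zones/{zone_id}/dns_records response. The
# wildcard is accidentally "DNS only", which exposes the origin address
# for every subdomain.
SAMPLE_RESPONSE = json.dumps({
    "result": [
        {"type": "A", "name": "lemonlink.eu", "content": "203.0.113.10", "proxied": True, "ttl": 1},
        {"type": "A", "name": "*.lemonlink.eu", "content": "203.0.113.10", "proxied": False, "ttl": 1},
        {"type": "A", "name": "auth.lemonlink.eu", "content": "203.0.113.10", "proxied": True, "ttl": 1},
    ]
})

# Name column of the table, mapped to the FQDNs the API returns (assumption).
REQUIRED = {"@": ZONE, "*": f"*.{ZONE}", "auth": f"auth.{ZONE}"}


def audit_records(response_json: str) -> list:
    """Return a list of findings; an empty list means the table is satisfied."""
    records = json.loads(response_json)["result"]
    by_name = {r["name"]: r for r in records if r["type"] == "A"}
    findings = []
    for label, fqdn in REQUIRED.items():
        rec = by_name.get(fqdn)
        if rec is None:
            findings.append(f"missing A record for {label} ({fqdn})")
            continue
        if not rec.get("proxied"):
            findings.append(f"{label} ({fqdn}) is DNS-only: origin IP {rec['content']} is exposed")
    # Any other unproxied A record leaks the origin address just as badly.
    for name, rec in by_name.items():
        if name not in REQUIRED.values() and not rec.get("proxied"):
            findings.append(f"unexpected DNS-only A record {name} -> {rec['content']}")
    return findings


if __name__ == "__main__":
    for finding in audit_records(SAMPLE_RESPONSE) or ["all records present and proxied"]:
        print(finding)
```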

### 3. SSL/TLS Settings

Navigate to **SSL/TLS** → **Overview**:

| Setting | Value | Why |
|---------|-------|-----|
| SSL/TLS encryption mode | **Full (strict)** | Encrypts end-to-end with origin cert validation |
| Always Use HTTPS | **ON** | Redirects HTTP to HTTPS |
| Automatic HTTPS Rewrites | **ON** | Fixes mixed content |
| Minimum TLS Version | **1.2** | Security best practice |

### 4. Edge Certificates

**SSL/TLS** → **Edge Certificates**:

- Enable **Always Use HTTPS**
- Set **Minimum TLS Version** to 1.2
- Enable **Automatic HTTPS Rewrites**
- Enable **Opportunistic Encryption**
- Consider enabling **TLS 1.3** (fastest)

### 5. Security Settings

**Security** → **Settings**:

| Setting | Recommended Value |
|---------|-------------------|
| Security Level | Medium or High |
| Challenge Passage | 30 minutes |
| Browser Integrity Check | ON |

### 6. DDoS Protection

**Security** → **DDoS** → **Configure**:

- HTTP DDoS attack protection: **ON**
- Sensitivity: **High**
- Action: **Managed Challenge**

### 7. Firewall Rules (Optional but Recommended)

**Security** → **WAF** → **Firewall rules**:

Create rules to block threats before they reach your server:

**Block Known Bad Bots:**

```
(cf.client.bot) or (http.user_agent contains "bot" and not cf.client.bot)
```

Action: Block

**Rate Limit Login Attempts:**

```
(http.request.uri.path contains "/api/verify") or (http.request.uri.path contains "/login")
```

Action: Challenge (Rate limit: 5 requests per 10 seconds)

**Block Countries (Optional):**

```
(not ip.geoip.country in {"SE" "NO" "DK" "FI" "DE"})
```

Action: Block or Challenge

### 8. Origin Server Certificates (Optional)

For extra security between Cloudflare and your server:

1. **SSL/TLS** → **Origin Server** → **Create Certificate**
2. Let Cloudflare generate a certificate
3. Choose RSA (2048) or ECC
4. Download certificate and private key
5. Place in `traefik/certs/` and reference in config

For most homelab setups, the auto-generated Let's Encrypt certificates are sufficient.

### 9. Page Rules (Optional)

**Rules** → **Page Rules**:

Create rules for specific caching/security behaviors:

**Cache Static Assets:**

```
*lemonlink.eu/static/*
```

Settings:

- Cache Level: Cache Everything
- Edge Cache TTL: 1 month

**Secure Auth Endpoint:**

```
auth.lemonlink.eu/*
```

Settings:

- Security Level: High
- Browser Integrity Check: On

### 10. Analytics & Monitoring

Enable **Security Events** notifications:

1. **Notifications** → **Add**
2. Choose **Security Events**
3. Set threshold (e.g., notify on 100+ events)

## Verification

Test your setup:

```bash
# Check DNS resolution
dig +short lemonlink.eu
dig +short auth.lemonlink.eu
dig +short test.lemonlink.eu # Should resolve to CF IP

# Check SSL
curl -I https://lemonlink.eu
# Should show Cloudflare headers

# Check certificate
echo | openssl s_client -servername lemonlink.eu -connect lemonlink.eu:443 2>/dev/null | openssl x509 -noout -text | grep -A2 "Subject Alternative Name"
```

## Troubleshooting

### "Too Many Redirects" Error

- Check SSL/TLS mode is **Full (strict)**, not Flexible
- Verify no redirect loops in Traefik config

### Certificate Errors

- Ensure the Cloudflare credentials in `.env` are correct: `CF_DNS_API_TOKEN` (from step 1), or `CF_API_EMAIL` and `CF_API_KEY` if you use the global API key instead
- Check Traefik logs for ACME errors
- Verify DNS propagation: `dig @1.1.1.1 lemonlink.eu`

### Cloudflare IP in Logs (Not Client IP)

- Ensure `forwardedHeaders.trustedIPs` includes all Cloudflare IPs in `traefik.yml`
- Check `X-Forwarded-For` header is being passed

## Cloudflare IPs (Keep Updated!)

Traefik config includes Cloudflare IPs, but verify they're current:

https://www.cloudflare.com/ips/

Update `traefik/traefik.yml` if IPs change.
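
An added example (not from this guide or from Traefik) covering both the "Cloudflare IP in Logs" item and the IP-list upkeep above: it renders the `forwardedHeaders.trustedIPs` block for `traefik.yml` from a Cloudflare range list and shows the rule Traefik applies with it, honouring `X-Forwarded-For` only when the TCP peer is inside a trusted range, so a direct hit on the origin cannot forge a client address. The entryPoint name `websecure` is an assumption, and the range list is a small sample; a real deployment loads the current lists from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.

```python
"""trustedIPs generation and the resulting client-IP resolution rule."""
import ipaddress

# Sample subset of the published Cloudflare ranges, embedded so this runs
# offline; regenerate from cloudflare.com/ips whenever the list changes.
CLOUDFLARE_RANGES_TEXT = """\
173.245.48.0/20
103.21.244.0/22
2400:cb00::/32
"""


def parse_ranges(text: str) -> list:
    """Turn the newline-separated CIDR list into network objects."""
    return [ipaddress.ip_network(line.strip()) for line in text.splitlines() if line.strip()]


def trusted_ips_yaml(networks: list) -> str:
    """Render the entryPoints snippet for traefik.yml (entryPoint name assumed: websecure)."""
    lines = ["entryPoints:", "  websecure:", "    address: \":443\"",
             "    forwardedHeaders:", "      trustedIPs:"]
    lines += [f"        - \"{net}\"" for net in networks]
    return "\n".join(lines) + "\n"


def client_ip(peer: str, x_forwarded_for, trusted: list) -> str:
    """Address to log: X-Forwarded-For is believed only from a trusted peer."""
    peer_addr = ipaddress.ip_address(peer)
    if x_forwarded_for and any(peer_addr in net for net in trusted):
        # Cloudflare appends itself to the chain; the first entry is the visitor.
        return x_forwarded_for.split(",")[0].strip()
    return peer  # untrusted peer: the header may be forged, so ignore it


if __name__ == "__main__":
    nets = parse_ranges(CLOUDFLARE_RANGES_TEXT)
    print(trusted_ips_yaml(nets))
    # Relayed by Cloudflare: log the visitor, not the edge node.
    print(client_ip("173.245.48.7", "198.51.100.23, 173.245.48.7", nets))
    # Direct connection to the origin with a forged header: log the real peer.
    print(client_ip("192.0.2.9", "10.0.0.1", nets))
```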