BroBro87 committed on
Commit
c2df7fb
1 Parent(s): fa83d85

Upload Cloudflare.txt

Files changed (1)
  1. Cloudflare.txt +1491 -0
Cloudflare.txt ADDED
@@ -0,0 +1,1491 @@
1
+ Cloudflare Fundamentals
2
+
3
+ What is Cloudflare?
4
+ 1 min read
5
+
6
+ Cloudflare is a global network of servers
7
+
8
+ . When you add your application to Cloudflare, we use this network to sit in between
9
+ requests and your origin server.
10
+
11
+ This position allows us to do several things — speeding up content delivery and user
12
+ experience ( CDN), protecting your website from malicious activity ( DDoS, Web Application
13
+ Firewall), routing traffic (Load balancing, Waiting Room), and more.
14
+
15
+
16
+
17
+ How Cloudflare works
18
+ 3 min read
19
+
20
+ Fundamentally, Cloudflare is a large network of servers that can improve the security,
21
+ performance, and reliability of anything connected to the Internet.
22
+
23
+ Cloudflare does this by serving as a reverse proxy
24
+
25
+ for your web traffic. All requests to and from your origin flow through Cloudflare and — as
26
+ these requests pass through our network — we can apply various rules and optimizations to
27
+ improve security, performance, and reliability.
28
+
29
+
30
+ ​Life of a request
31
+ Even though it feels pretty instantaneous, there’s a lot happening when you type
32
+ www.example.com into your browser.
33
+
34
+ A website’s content does not technically live at a URL like www.example.com, but rather at
35
+ an IP address like 192.0.2.1. It’s similar to how we say that Cloudflare’s headquarters is
36
+ 101 Townsend St., San Francisco, CA 94107, but really that address is just a placeholder for
37
+ latitude and longitude coordinates (37.780259, -122.390519). URLs and street addresses
38
+ are much easier for humans to remember.
39
+
40
+ The process of converting a human-readable URL (www.example.com) into a
41
+ machine-friendly address (192.0.2.1) is known as a DNS lookup
42
+ .
43
+
44
+ ​Without Cloudflare
45
+
46
+ Without Cloudflare, DNS lookups for your application’s URL return the IP address of your
47
+ origin server
48
+
49
+ .
50
+
51
+ URL Returned IP
52
+ address
53
+
54
+ example.c 192.0.2.1
55
+ om
56
+
57
+ When using Cloudflare with unproxied DNS records, DNS lookups for unproxied domains or
58
+ subdomains also return your origin’s IP address.
59
+
60
+ Another way of thinking about this concept is that visitors directly connect with your origin
61
+ server.
62
+
63
+ ConnectionVisitor
64
+ Origin server
65
+
66
+ ​With Cloudflare
67
+
68
+ With Cloudflare — meaning your domain or subdomain is using proxied DNS records —
69
+ DNS lookups for your application’s URL will resolve to Cloudflare Anycast IPs
70
+
71
+ instead of their original DNS target.
72
+
73
+ URL Returned IP
74
+ address
75
+
76
+ example.c 104.16.77.250
77
+ om
78
+
79
+ This means that all requests intended for proxied hostnames will go to Cloudflare first and
80
+ then be forwarded to your origin server.
81
+
82
+ Visitor ← Connection → Cloudflare global network ←Connection→Origin Server
83
+
84
+ Cloudflare assigns specific Anycast IPs to your domain dynamically and these IPs may
85
+ change at any time. This is an expected part of the operation of our Anycast network and
86
+ does not affect the proxy behavior described above.
87
+
88
+
89
+ ​Benefits
90
+ When your traffic is proxied through Cloudflare before reaching your origin server, your
91
+ application gets additional security, performance, and reliability benefits.
92
+
93
+ ​Security
94
+
95
+ Beyond hiding your origin’s IP address from potential attackers, Cloudflare also stops
96
+ malicious traffic before it reaches your origin web server.
97
+
98
+ Cloudflare automatically mitigates security risks using our WAF and DDoS protection.
99
+
100
+ For additional details on security, refer to our guide on how to Secure your website.
101
+
102
+ ​Performance
103
+
104
+ For proxied traffic, Cloudflare also serves as a Content Delivery Network (CDN)
105
+
106
+ , caching static resources and otherwise optimizing asset delivery.
107
+
108
+ For additional details on performance, refer to our guides on Optimizing Site Speed and
109
+ Caching.
110
+
111
+ ​Reliability
112
+
113
+ Cloudflare’s globally distributed Anycast network
114
+
115
+ routes visitor requests to the nearest Cloudflare data center.
116
+
117
+ Combined together with our CDN
118
+
119
+ and DDoS protection, our network helps keep your application online.
120
+
121
+
122
+
123
+
124
+ Cloudflare IPs
125
+ 2 min read
126
+
127
+ Cloudflare has several IP address ranges
128
+
129
+ which are shared by all proxied hostnames.
130
+
131
+ Together, these IP addresses form the backbone of our Anycast network
132
+
133
+ , helping distribute traffic amongst various edge network servers.
134
+
135
+ Cloudflare uses other IP ranges for various products and services, but these addresses will
136
+ not make connections to your origin.
137
+
138
+
139
+ ​Allow Cloudflare IP addresses
140
+ Because of how Cloudflare works, all traffic to proxied DNS records pass through Cloudflare
141
+ before reaching your origin server. This means that your origin server will stop receiving
142
+ traffic from individual visitor IP addresses and instead receive traffic from Cloudflare IP
143
+ addresses
144
+
145
+ , which are shared by all proxied hostnames.
146
+
147
+ This setup can cause issues if your origin server blocks or rate limits connections from
148
+ Cloudflare IP addresses. Because all visitor traffic will appear to come from Cloudflare IP
149
+ addresses, blocking these IPs — even accidentally — will prevent visitor traffic from
150
+ reaching your application.
151
+
152
+ To avoid rate limiting or blocking these requests, you will need to allow Cloudflare IPs at your
153
+ origin server.
154
+
155
+ For Magic Transit customers, Cloudflare routes the traffic instead of proxying it. Once
156
+ Cloudflare starts advertising your IP prefixes, it will accept IP packets destined for your
157
+ network, process them, and then output these packets to your origin infrastructure.
158
+
159
+
160
+ ​Customize Cloudflare IP addresses
161
+ If they do not want to use Cloudflare IP addresses — which are shared by all proxied
162
+ hostnames — Enterprise customers have two potential alternatives:
163
+
164
+ ● Bring Your Own IP (BYOIP): Cloudflare announces your IPs in all our locations.
165
+ ● Static IP addresses: Cloudflare sets static IP addresses for your domain. For more
166
+ details, contact your account team.
167
+
168
+ Business and Enterprise customers can also reduce the number of Cloudflare IPs that their
169
+ domain shares with other Cloudflare customer domains by uploading a Custom SSL
170
+ certificate.
171
+
172
+
173
+
174
+ Reference architectures
175
+ 1 min read
176
+
177
+ Reference architecture documents and diagrams are designed to provide a foundational
178
+ knowledge of Cloudflare solutioning for a variety of products. Building on the information in
179
+ these documents, you can architect software solutions based on your specific context and
180
+ needs.
181
+
182
+ ● Content Delivery Network
183
+ ● Magic Transit
184
+ ● Multi-vender Application Security and Performance
185
+ Account setup
186
+ To create a Cloudflare account:
187
+
188
+ 1. Go to the Sign up page
189
+ 1. .
190
+ 2. Enter your Email and Password.
191
+ 3. Click Create Account.
192
+
193
+ Once you create your account, Cloudflare will automatically send an email to your address to
194
+ verify that email address.
195
+
196
+
197
+ ​Best practices
198
+ If you are creating an account for your team or a business, we recommend choosing an
199
+ email alias or distribution list for your Email, such as cloudflare@example.com.
200
+
201
+ This email address is the main point of contact for your Cloudflare billing, usage notifications,
202
+ and account recovery.
203
+
204
+
205
+
206
+ Set-up 2FA
207
+ 2 min read
208
+
209
+ Two-factor authentication (2FA) allows user account owners to add an additional layer of
210
+ login security to Cloudflare accounts. This additional authentication step requires you to
211
+ provide both something you know, such as a Cloudflare password, and something you have,
212
+ such as an authentication code from a mobile device.
213
+
214
+ Cloudflare user accounts configured to use single sign-on (SSO) cannot configure 2FA.
215
+
216
+ Cloudflare offers the option to use either a phishing-resistant security key, like a YubiKey, or
217
+ a Time-Based One-Time password (TOTP) mobile app for authentication, like Google
218
+ Authenticator, or both. If you add both of these authentication methods to your account, you
219
+ are initially prompted to log in with the security key, but can opt-out and use TOTP instead.
220
+
221
+ To ensure that you can securely access your account even without your mobile device or
222
+ security keys, Cloudflare also provides backup codes for download.
223
+
224
+ Tip
225
+
226
+ After downloading your backup codes, we recommend saving them in a secure location.
227
+
228
+ As the user account owner, you are automatically assigned the Super Administrator role.
229
+ Once 2FA is enabled, all Cloudflare account members are required to configure 2FA on their
230
+ mobile devices.
231
+ ​Enable 2FA
232
+ We recommend that all Cloudflare user account holders enable two-factor authentication
233
+ (2FA) to keep your accounts secure.
234
+
235
+ 2FA can only be enabled successfully on an account with a verified email address. If you do
236
+ not verify your email address first, you may lock yourself out of your account.
237
+
238
+ Super Administrators can turn on 2FA Enforcement to require all members to enable 2FA. If
239
+ you are not a Super Administrator, you will be forced to turn on 2FA prior to accepting the
240
+ invitation to join a Cloudflare account as a member.
241
+
242
+ To enable two-factor authentication for your Cloudflare login:
243
+
244
+ 1. Log in to the Cloudflare dashboard
245
+ 1. .
246
+ 2. Under the My Profile dropdown, select My Profile.
247
+ 3. Select Authentication.
248
+ 4. Select Manage in the Two-Factor Authentication card.
249
+ 5. Configure either a TOTP mobile app or a security key to enable 2FA on your account.
250
+
251
+
252
+ ​Additional configurations
253
+ Cloudflare also supports 2FA with device built-in authenticators (Apple Touch ID, Android
254
+ fingerprint, or Windows Hello), Yubikeys and TOTP mobile applications.
255
+
256
+
257
+
258
+ Customize your account
259
+ 2 min read
260
+
261
+ After creating an account, here are a handful of configurations you can customize:
262
+
263
+
264
+ ​Account name
265
+ Your account name defaults to <<YOUR_EMAIL_ADDRESS>>'s Account.
266
+
267
+ You may want to customize the name of this account, either to help specify its purpose or to
268
+ help associated with multiple accounts.
269
+
270
+ To change your account name:
271
+
272
+ 1. Log into the Cloudflare dashboard
273
+ 1. .
274
+ 2. Go to Manage Account > Configurations.
275
+ 3. For Account Name, select Change Name.
276
+ 4. Enter a new account name.
277
+ 5. Select Save.
278
+
279
+
280
+ ​Appearance
281
+ If you want to adjust how the Cloudflare dashboard appears on your device, you can adjust
282
+ relevant settings in your account Profile.
283
+
284
+ To update appearance preferences:
285
+
286
+ 1. Log into the Cloudflare dashboard
287
+ 1. .
288
+ 2. Go to My Profile
289
+ 3. For Appearance, choose a value:
290
+ ○ Dark: Defaults to darker colors.
291
+ ○ Light: Defaults to lighter colors.
292
+ ○ Use system setting: Defaults to whatever is used on your device.
293
+ 4. Your dashboard display will update to the new appearance setting automatically.
294
+
295
+
296
+ ​Communication preferences
297
+ When you create an account, Cloudflare automatically chooses your Communication
298
+ Preferences, or when Cloudflare might occasionally send you emails.
299
+
300
+ To update the communication preferences for your profile (which requires a verified email
301
+ address):
302
+
303
+ 1. Log into the Cloudflare dashboard
304
+ 1. .
305
+ 2. Go to My Profile
306
+ 3. For Communication Preferences, select Edit.
307
+ 4. If you want a specific category of emails, make sure its associated box is checked.
308
+ 5. Select Save.
309
+
310
+
311
+ ​Language preferences
312
+ After you create your account, you may want to update your language preference.
313
+
314
+ To update the language preference for your profile:
315
+
316
+ 1. Log into the Cloudflare dashboard
317
+
318
+ .
319
+
320
+ Go to My Profile
321
+ For Language Preference, select a value.
322
+
323
+ Your dashboard display will update to the new language automatically.
324
+
325
+
326
+
327
+ Add and manage other members
328
+ 3 min read
329
+
330
+ Learn how to add new account members, edit or revoke their permissions and access, and
331
+ resend verifications emails.
332
+
333
+ To manage account members, you must have a role of Super Administrator and have a
334
+ verified email address.
335
+
336
+
337
+ ​View account members
338
+ To manage account members, you must have a role of Super Administrator and have a
339
+ verified email address.
340
+
341
+ Dashboard mode:
342
+
343
+ To view members using the dashboard:
344
+
345
+ 1. Log in to the Cloudflare dashboard
346
+
347
+ and select your account.
348
+
349
+ Go to Manage Account > Members.
350
+
351
+ API mode:
352
+
353
+ To view members using the API, send a GET request.
354
+
355
+ Baseurl:
356
+
357
+ GET https://api.cloudflare.com/client/v4
358
+
359
+ An API key is a token that you provide when making API calls. Include the token in a header parameter called
360
+ X-Auth-Email.
361
+
362
+ Example: X-Auth-Email: 123
363
+
364
+ An API key is a token that you provide when making API calls. Include the token in a header parameter called
365
+ X-Auth-Key.
366
+
367
+ Example: X-Auth-Key: 123
368
+
369
+ An API key is a token that you provide when making API calls. Include the token in a header parameter called
370
+ X-Auth-User-Service-Key.
371
+
372
+ Example: X-Auth-User-Service-Key: 123
373
+ Provide your bearer token in the Authorization header when making requests to protected resources.
374
+
375
+ Example: Authorization: Bearer 123
376
+
377
+ Interact with Cloudflare's products and services via the Cloudflare API.
378
+
379
+ Using the Cloudflare API requires authentication so that Cloudflare knows who is making
380
+ requests and what permissions you have. Create an API token to grant access to the API to
381
+ perform actions.
382
+
383
+ To create an API token, from the Cloudflare dashboard, go to My Profile > API Tokens and
384
+ select Create Token.
385
+
386
+
387
+ Add account members
388
+ To manage account members, you must have a role of Super Administrator and have a
389
+ verified email address.
390
+
391
+ Dashboard mode:
392
+
393
+ To add a member to your account:
394
+
395
+ 1. Log in to the Cloudflare dashboard
396
+ 1. and select your account.
397
+ 2. Go to Manage Account > Members.
398
+ 3. Select Invite.
399
+ 4. Fill out the following information:
400
+ ○ Invite members: Enter one or more email addresses (if multiple, separate
401
+ addresses with commas).
402
+ ○ Scope: Use a variety of fields to adjust the scope of your roles.
403
+ ○ Roles: Choose one or more roles to assign your members.
404
+ 5. Select Continue to summary.
405
+ 6. Review the information, then select Invite.
406
+
407
+ If a user already has an account with Cloudflare and you have an Enterprise account, you
408
+ can also select Direct Add to add them to your account without sending an email invitation.
409
+
410
+ API mode:
411
+
412
+ POST https://api.cloudflare.com/client/v4/accounts/{account_identifier}/members
413
+
414
+ Request Sample
415
+
416
+ curl --request POST \
417
+
418
+ --url https://api.cloudflare.com/client/v4/accounts/account_identifier/members \
419
+
420
+ --header 'Content-Type: application/json' \
421
+
422
+ --header 'X-Auth-Email: ' \
423
+ --data '{
424
+
425
+ "email": "user@example.com",
426
+
427
+ "roles": [
428
+
429
+ "3536bcfad5faccb999b47003c79917fb"
430
+
431
+ ],
432
+
433
+ "status": "pending"
434
+
435
+ }'
436
+
437
+ Response Example
438
+
439
+ {
440
+
441
+ "errors": [],
442
+
443
+ "messages": [],
444
+
445
+ "result": {
446
+
447
+ "id": "4536bcfad5faccb111b47003c79917fa",
448
+
449
+ "roles": [
450
+
451
+ {
452
+
453
+ "description": "Administrative access to the entire Account",
454
+
455
+ "id": "3536bcfad5faccb999b47003c79917fb",
456
+
457
+ "name": "Account Administrator",
458
+
459
+ "permissions": {
460
+
461
+ "analytics": {
462
+
463
+ "read": true,
464
+
465
+ "write": false
466
+
467
+ },
468
+
469
+ "zones": {
470
+
471
+ "read": true,
472
+
473
+ "write": true
474
+ }
475
+
476
+ }
477
+
478
+ }
479
+
480
+ ],
481
+
482
+ "status": null,
483
+
484
+ "user": {
485
+
486
+ "email": "user@example.com",
487
+
488
+ "first_name": "John",
489
+
490
+ "id": "023e105f4ecef8ad9ca31a8372d0c353",
491
+
492
+ "last_name": "Appleseed",
493
+
494
+ "two_factor_authentication_enabled": false
495
+
496
+ },
497
+
498
+ "code": "05dd05cce12bbed97c0d87cd78e89bc2fd41a6cee72f27f6fc84af2e45c0fac0"
499
+
500
+ },
501
+
502
+ "success": true
503
+
504
+ }
505
+
506
+
507
+ Resend an invitation
508
+ If you invited a member to your account but they cannot find the invitation or the invitation
509
+ expires, you can resend the invitation through the Cloudflare dashboard:
510
+
511
+ 1. Log in to the Cloudflare dashboard and select your account[^1].
512
+
513
+ 2. Go to Manage Account > Members.
514
+
515
+ 3. Select a member record where their Status is Invite Pending.
516
+
517
+ 4. Select Resend invite
518
+
519
+
520
+
521
+ Create an API token
522
+ 2 min read
523
+ Prerequisite
524
+
525
+ Before you begin, find your zone and account IDs.
526
+
527
+ 1. From the Cloudflare dashboard, go to My Profile > API Tokens.
528
+ 2. Select Create Token.
529
+ 3. Select a template from the available API token templates or create a custom token.
530
+ We use the Edit zone DNS template in the following examples.
531
+ 4. Add or edit the token name to describe why or how the token is used. Templates are
532
+ prefilled with a token name and permissions.
533
+ 5. Modify the token’s permissions. After selecting a permissions group (Account, User,
534
+ or Zone), choose what level of access to grant the token. Most groups offer Edit or
535
+ Read options. Edit is full CRUDL (create, read, update, delete, list) access, while
536
+ Read is the read permission and list where appropriate. Refer to the available token
537
+ permissions for more information.
538
+ 6. Select which resources the token is authorized to access. For example, granting
539
+ Zone DNS Read access to a zone example.com will allow the token to read DNS
540
+ records only for that specific zone. Any other zone will return an error for DNS record
541
+ reads operations. Any other operation on that zone will also return an error.
542
+ 7. (Optional) Restrict how a token is used in the Client IP Address Filtering and TTL
543
+ (time to live) fields.
544
+ 8. Select Continue to summary.
545
+ 9. Review the token summary. Select Edit token to make adjustments. You can also
546
+ edit a token after creation.
547
+ 10. Select Create Token to generate the token’s secret.
548
+ 11. Copy the secret to a secure place.
549
+
550
+ Warning
551
+
552
+ The token secret is only shown once. Do not store the secret in plaintext where others can
553
+ access it. Anyone with this token can perform the authorized actions against the resources
554
+ that the token has access to.
555
+
556
+ The token secret page also includes an example command to test the token. Use the
557
+ /user/tokens/verify endpoint to fetch the current status of the given token.
558
+
559
+
560
+ $ curl "https://api.cloudflare.com/client/v4/user/tokens/verify" \
561
+ -H "Authorization: Bearer <API_TOKEN>"
562
+
563
+
564
+ The result:
565
+
566
+
567
+ {
568
+ "result": {
569
+ "id": "100bf38cc8393103870917dd535e0628",
570
+ "status": "active"
571
+ },
572
+ "success": true,
573
+ "errors": [],
574
+ "messages": [
575
+ {
576
+ "code": 10000,
577
+ "message": "This API Token is valid and active",
578
+ "type": null
579
+ }
580
+ ]
581
+
582
+ }
583
+
584
+ With this you have successfully created an API token and can start working with the
585
+ Cloudflare API. After creating your first API token, you can create additional API tokens via
586
+ the API.
587
+
588
+
589
+
590
+
591
+ Add your domain to Cloudflare
592
+
593
+
594
+ Minimize downtime
595
+
596
+ 2 min read
597
+
598
+ When making any change to the routing of an Internet application, there is always a
599
+ possibility of downtime due to certificate issuance, misconfigured settings, or limitations at
600
+ your origin server. To avoid downtime when going live, it’s important to review the most
601
+ common configurations.
602
+
603
+
604
+ ​Update and review DNS records.
605
+ Before activating your domain on Cloudflare (exact steps depend on your DNS setup),
606
+ review the DNS records in your Cloudflare account.
607
+
608
+ ​Start with unproxied records
609
+
610
+ With a new domain, make sure all your DNS records have a proxy status of DNS-only.
611
+
612
+ This setting prevents Cloudflare from proxying your traffic before you have an active edge
613
+ certificate or before you have allowed Cloudflare IP addresses.
614
+ ​Confirm record accuracy
615
+
616
+ Take extra time to confirm the accuracy of your DNS records before activating your domain,
617
+ paying special attention to:
618
+
619
+ ● Zone apex records (example.com)
620
+ ● Subdomain records (www.example.com or blog.example.com)
621
+ ● Email records
622
+
623
+ If you add DNS records to your authoritative DNS provider between onboarding your domain
624
+ and activating your domain, you may need to also add these records within Cloudflare.
625
+
626
+
627
+ ​Activate your domain.
628
+ Finish the DNS setup for your domain, moving the domain status to Active:
629
+
630
+ ● Full setups: Update the authoritative nameservers at your registrar and wait for that
631
+ change to be authenticated.
632
+ ● Partial setups: Add the verification TXT record to your authoritative DNS and wait for
633
+ that change to be authenticated.
634
+
635
+
636
+ ​Verify SSL/TLS edge certificates.
637
+ Before proxying your traffic through Cloudflare, verify that Cloudflare has an active Edge
638
+ Certificate for your domain.
639
+
640
+ For more details about timing and certificate recommendations, refer to Certificate issuance.
641
+
642
+
643
+ ​Optional - Test configuration.
644
+ You may want to test your configuration using your local machine or proxying traffic from a
645
+ development domain or subdomain.
646
+
647
+ If you experience issues, you should make sure that you have allowed Cloudflare IP
648
+ addresses at your origin server.
649
+
650
+
651
+ ​Update proxy status.
652
+ Once you have verified that your SSL/TLS edge certificate is active and you have allowed
653
+ Cloudflare IP addresses, change the proxy status of appropriate DNS records to Proxied.
654
+
655
+
656
+
657
+
658
+ Allow Cloudflare IP addresses
659
+ 2 min read
660
+ Because of how Cloudflare works, all traffic to proxied DNS records pass through Cloudflare
661
+ before reaching your origin server. This means that your origin server will stop receiving
662
+ traffic from individual visitor IP addresses and instead receive traffic from Cloudflare IP
663
+ addresses
664
+
665
+ , which are shared by all proxied hostnames.
666
+
667
+ This setup can cause issues if your origin server blocks or rate limits connections from
668
+ Cloudflare IP addresses. Because all visitor traffic will appear to come from Cloudflare IP
669
+ addresses, blocking these IPs — even accidentally — will prevent visitor traffic from
670
+ reaching your application.
671
+
672
+ To avoid rate limiting or blocking these requests, you will need to allow Cloudflare IPs at your
673
+ origin server.
674
+
675
+ For Magic Transit customers, Cloudflare routes the traffic instead of proxying it. Once
676
+ Cloudflare starts advertising your IP prefixes, it will accept IP packets destined for your
677
+ network, process them, and then output these packets to your origin infrastructure.
678
+
679
+
680
+ ​Review external tools
681
+ To avoid blocking Cloudflare IP addresses unintentionally, review your external tools to
682
+ check that:
683
+
684
+ ● Any security plugins — such as those for WordPress — allow Cloudflare IP
685
+ addresses.
686
+ ● The mod_security
687
+ ● plugin is up to date.
688
+
689
+
690
+ ​Configure origin server
691
+ ​Allowlist Cloudflare IP addresses
692
+
693
+ To avoid blocking Cloudflare IP addresses unintentionally, you also want to allow Cloudflare
694
+ IP addresses at your origin web server.
695
+
696
+ You can explicitly allow these IP addresses with a .htaccess file or by using iptables.
697
+
698
+ The following example demonstrates how your could use an iptables rule to allow a
699
+ Cloudflare IP address range. Replace $ip below with one of the Cloudflare IP address
700
+ ranges
701
+
702
+ # For IPv4 addresses
703
+ iptables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPT
704
+ # For IPv6 addresses
705
+ ip6tables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPT
706
+ Block other IP addresses (recommended)
707
+
708
+ As a best practice, we also recommend that you explicitly block all traffic that does not come
709
+ from Cloudflare IP addresses or the IP addresses of your trusted partners, vendors, or
710
+ applications.
711
+
712
+ For example, you might update your iptables
713
+
714
+ with the following commands:
715
+ #for IPv4
716
+ iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP
717
+ #for IPv6
718
+ ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP
719
+
720
+
721
+
722
+
723
+ Disable DNSSEC
724
+ 2 min read
725
+
726
+ DNS Security Extensions (DNSSEC) adds an extra layer of authentication to DNS, ensuring
727
+ requests are not routed to a spoofed domain.
728
+
729
+
730
+ Disable DNSSEC
731
+ If you are onboarding an existing domain to Cloudflare, make sure DNSSEC is disabled at
732
+ your registrar (where you purchased your domain name). Otherwise, your domain will
733
+ experience connectivity errors when you change your nameservers.
734
+
735
+ Why do I have to disable DNSSEC?
736
+
737
+ When your domain has DNSSEC enabled, your DNS provider digitally signs all your DNS
738
+ records. This action prevents anyone else from issuing false DNS records on your behalf
739
+ and redirecting traffic intended for your domain.
740
+
741
+ However, having a single set of signed records also prevents Cloudflare from issuing new
742
+ DNS records on your behalf (which is part of using Cloudflare for your authoritative
743
+ nameservers). So if you change your nameservers without disabling DNSSEC, DNSSEC will
744
+ prevent Cloudflare’s DNS records from resolving properly.
745
+
746
+
747
+
748
+ Add a site
749
+ 2 min read
750
+
751
+ 1. Log in to the Cloudflare dashboard.
752
+ 2. In the top navigation bar, click Add site.
753
+ 3. Enter your website’s apex domain (example.com) and then click Add Site.
754
+
755
+ If Cloudflare is unable to identify your domain as a registered domain, make sure you are
756
+ using an existing top-level domain
757
+
758
+ (.com, .net, .biz, or others).
759
+
760
+ Additionally, Cloudflare requires your apex domain to be one level below a valid TLD
761
+ defined in the Public Suffix List (PSL).
762
+
763
+ 1. Select your plan level. For more details on features and pricing, refer to our Plans
764
+ page
765
+ .
766
+ 2. Review your DNS records.
767
+ When you add a new site to Cloudflare, Cloudflare automatically scans for common
768
+ records and adds them to the DNS zone. The records show up under the respective
769
+ zone DNS > Records page.
770
+
771
+ 3. Since this scan is not guaranteed to find all existing DNS records, you need to review
772
+ your records, paying special attention to the following record types:
773
+ a. Zone apex records (example.com)
774
+ b. Subdomain records (www.example.com or blog.example.com)
775
+ c. Email records
776
+ 4. If you activate your domain on Cloudflare without setting up the correct DNS records
777
+ for your domain and subdomain, your visitors may experience
778
+ DNS_PROBE_FINISHED_NXDOMAIN errors.
779
+ 5. If you find any missing records, manually add those records.
780
+ 6. Depending on your site setup, you may want to adjust the proxy status for certain A,
781
+ AAAA, or CNAME records.
782
+ 7. Click Continue.
783
+ 8. Go through the Quick Start Guide and when you have finished, click Finish.
784
+
785
+
786
+
787
+ Update your nameservers
788
+ 1 min read
789
+
790
+ Once you have added a domain (also known as a zone) to Cloudflare, that domain will
791
+ receive two assigned authoritative nameservers.
792
+
793
+ Before your domain can begin using Cloudflare for DNS resolution, you need to add these
794
+ nameservers at your registrar. Make sure DNSSEC is disabled at this point.
795
+
796
+
797
+
798
+ Domain Resolution
799
+ Ensure all your traffic is proxying through Cloudflare successfully.
800
+
801
+
802
+ ​Objectives
803
+ By the end of this module, you will be able to:
804
+
805
+ ● Confirm your zone is set up correctly on Cloudflare
806
+ ● Recognize and troubleshoot issues with your DNS records and SSL/TLS certificates
807
+
808
+
809
+
810
+ Review DNS records
811
+ 1 min read
812
+
813
+ When you add a new site to Cloudflare, Cloudflare automatically scans for common records
814
+ and adds them to the DNS zone. The records show up under the respective zone DNS >
815
+ Records page.
816
+
817
+ The DNS records quick scan is not automatically invoked in the following cases:
818
+
819
+ ● If you choose Enterprise plan and, instead of the Quick Scan, choose to upload a
820
+ DNS zone file or add records manually.
821
+ ● If you add a zone via the API.
822
+
823
+ You can manually invoke the quick scan via API with the Scan DNS Records endpoint. Note
824
+ that the quick scan is a best effort attempt based on a predefined list of commonly used
825
+ record names and types. You can read more about this in the reference page.
826
+
827
+ Since this scan is not guaranteed to find all existing DNS records, you need to review your
828
+ records, paying special attention to the following record types:
829
+
830
+ ● Zone apex records (example.com)
831
+ ● Subdomain records (www.example.com or blog.example.com)
832
+ ● Email records
833
+
834
+ If you want more control over which DNS records are imported and how, import a zone file.
835
+
836
+ If your domain is added to Cloudflare by a hosting partner, manage your DNS records via the
837
+ hosting partner.
838
+
839
+
840
+
841
+ Proxy status
842
+ 3 min read
843
+
844
+ The Proxy status of a DNS record affects how Cloudflare treats incoming traffic to that
845
+ record. Cloudflare recommends enabling our proxy for all A, AAAA, and CNAME records.
846
+ Proxied records
847
+ Note that if you have multiple A/AAAA records on the same name and at least one of them is
848
+ proxied, Cloudflare will treat all A/AAAA records on this name as being proxied.
849
+
850
+ When you proxy specific DNS records through Cloudflare - specifically A, AAAA, or CNAME
851
+ records — DNS queries for these will resolve to Cloudflare Anycast IPs instead of their
852
+ original DNS target. This means that all requests intended for proxied hostnames will go to
853
+ Cloudflare first and then be forwarded to your origin server.
854
+
855
+ This behavior allows Cloudflare to optimize, cache, and protect all requests to your
856
+ application, as well as protect your origin server from DDoS attacks
857
+
858
+ Because requests to proxied hostnames go through Cloudflare before reaching your origin
859
+ server, all requests will appear to be coming from Cloudflare’s IP addresses (and could
860
+ potentially be blocked or rate limited). If you use proxied records, you may need to adjust
861
+ your server configuration to allow Cloudflare IPs.
862
+
863
+ Cloudflare Anycast IPs used to proxy traffic on your domain are assigned automatically.
864
+ These IPs might change at any time for operational reasons. If you need to allowlist
865
+ Cloudflare IPs on your infrastructure or hosting provider, include the full list of Cloudflare
866
+ Anycast IPs
867
+
868
+ As an Enterprise customer, you have the option to get static IPs or bring your own IPs
869
+ (BYOIP).
870
+
871
+
872
+ ​Limitations
873
+ Record types
874
+
875
+ By default, Cloudflare only supports proxied A, AAAA, and CNAME records. You cannot proxy
876
+ other record types.
877
+
878
+ If you encounter a CNAME record that you cannot proxy — usually associated with another
879
+ CDN provider — a proxied version of that record will cause connectivity errors. Cloudflare is
880
+ purposely preventing that record from being proxied to protect you from a misconfiguration.
881
+
882
+ ​Ports and protocols
883
+
884
+ By default, Cloudflare only proxies HTTP and HTTPS traffic.
885
+
886
+ If you need to connect to your origin using a non-HTTP protocol (SSH, FTP, SMTP) or the
887
+ traffic targets an unsupported port at the origin, either leave your records unproxied
888
+ (DNS-only) or use Cloudflare Spectrum.
889
+
890
+ ​Pending domains
891
+
892
+ When you add a domain to Cloudflare, Cloudflare protection will be in a pending state until
893
+ we can verify ownership. This could take up to 24 hours to complete.
894
+ This means that DNS records - even those set to proxy traffic through Cloudflare – will be
895
+ DNS-only until your zone has been activated and any requests to your DNS records will
896
+ return your origin server’s IP address.
897
+
898
+ If this warning is still present after 24 hours, refer to Troubleshooting.
899
+
900
+ For enhanced security, we recommend rolling your origin IP addresses at your hosting
901
+ provider after your zone has been activated. This action prevents your origin IPs from being
902
+ leaked during onboarding.
903
+
904
+ ​Windows authentication
905
+
906
+ Because Microsoft Integrated Windows Authentication, NTLM, and Kerberos violate
907
+ HTTP/1.1 specifications, they are not compatible with proxied DNS records.
908
+
909
+
910
+
911
+ Enable DNSSEC
912
+ 2 min read
913
+
914
+ DNS Security Extensions (DNSSEC) adds an extra layer of authentication to DNS, ensuring
915
+ requests are not routed to a spoofed domain.
916
+
917
+ For additional background on DNSSEC, visit the Cloudflare Learning Center
918
+
919
+ .
920
+
921
+ When you enable DNSSEC, Cloudflare signs your zone, publishes your public signing keys,
922
+ and generates your DS record.
923
+
924
+
925
+ ​Step 1 - Activate DNSSEC in Cloudflare
926
+ 1. Log in to the Cloudflare dashboard
927
+ 1. and select your account and domain.
928
+ 2. Go to DNS > Settings.
929
+ 3. For DNSSEC, click Enable DNSSEC.
930
+ 4. In the dialog, you have access to several necessary values to help you create a DS
931
+ record at your registrar. Once you close the dialog, you can access this information
932
+ by clicking DS record on the DNSSEC card.
933
+
934
+
935
+ ​Step 2 — Add DS record to your registrar
936
+ Add the DS record to your registrar. If Algorithm 13 - Cloudflare’s preferred cipher choice - is
937
+ not listed by your registrar, it may also be called ECDSA Curve P-256 with SHA-256.
938
+
939
+ Provider-specific instructions
940
+ Note:
941
+ Cloudflare automatically adds DS records for domains using Cloudflare Registrar or those
942
+ using .ch and .cz top-level domains.
943
+
944
+
945
+
946
+
947
+ Create a subdomain
948
+ 1 min read
949
+
950
+ Most subdomains serve a specific purpose within the overall context of your website. For
951
+ example, blog.example.com might be your blog, support.example.com could be your
952
+ customer help portal, and store.example.com would be your e-commerce site.
953
+
954
+
955
+ ​Subdomain records
956
+ To create a new subdomain, you would first add the subdomain content at your host.
957
+
958
+ Then, you would create a corresponding A, AAAA, or CNAME record for that subdomain
959
+ (blog, store).
960
+
961
+ Type Name IPv4 Proxy
962
+ address status
963
+
964
+ A www 192.0.2.1 Proxied
965
+
966
+
967
+
968
+
969
+ Set up email records
970
+ 1 min read
971
+
972
+
973
+ ​Receive email
974
+ If you only need to receive emails, Cloudflare offers Email Routing for free email forwarding
975
+ to custom email addresses.
976
+
977
+
978
+ ​Send and receive email
979
+ To send and receive emails from your domain, you need:
980
+
981
+ ● An SMTP provider.
982
+ ● To create two DNS records within Cloudflare.
983
+
984
+ To route emails through Cloudflare and to your mail server:
985
+ 1. Get the IP address and MX record details from your SMTP provider (vendor-specific
986
+ guidelines).
987
+ 2. Add an A or AAAA record for your mail subdomain that points to the IP address of
988
+ your mail server.
989
+ Type Name IPv4 Proxy
990
+ address status
991
+
992
+ A mail 192.0.2.1 DNS only
993
+
994
+
995
+ 3. API example
996
+ 4. Add an MX record that points to that subdomain.
997
+ Type Name Mail server TTL
998
+
999
+ MX @ mail.example. Auto
1000
+ com
1001
+ API Example:
1002
+
1003
+ Request:
1004
+ curl -sX POST "https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/dns_records" \
1005
+
1006
+ -H 'x-auth-email: <EMAIL>' \
1007
+
1008
+ -H 'x-auth-key: <API_KEY>' \
1009
+
1010
+ -H "Content-Type: application/json" \
1011
+
1012
+ --data '{
1013
+ "type":"MX",
1014
+ "name":"example.com",
1015
+ "content":"mail.example.com",
1016
+ "ttl":3600
1017
+ }'
1018
+ Response:
1019
+ {
1020
+ "result": {
1021
+ "id": "<ID>",
1022
+ "zone_id": "<ZONE_ID>",
1023
+ "zone_name": "example.com",
1024
+ "name": "example.com",
1025
+ "type": "MX",
1026
+ "content": "mail.example.com",
1027
+ "priority": 10,
1028
+ "proxiable": false,
1029
+ "proxied": false,
1030
+ "ttl": 3600,
1031
+ "locked": false,
1032
+ "meta": {
1033
+ "auto_added": false,
1034
+ "managed_by_apps": false,
1035
+ "managed_by_argo_tunnel": false,
1036
+ "source": "primary"
1037
+ },
1038
+ "comment": null,
1039
+ "tags": [],
1040
+ "created_on": "2023-01-17T20:54:23.660869Z",
1041
+ "modified_on": "2023-01-17T20:54:23.660869Z"
1042
+ },
1043
+ "success": true,
1044
+ "errors": [],
1045
+ "messages": []
1046
+
1047
+ }
1048
+
1049
+
1050
+
1051
+
1052
+ Default improvements
1053
+ 1 min read
1054
+
1055
+ When your DNS records are proxied through Cloudflare, Cloudflare provides free and
1056
+ unmetered DDoS protection and other protection measures through the Web Application
1057
+ Firewall (WAF).
1058
+
1059
+
1060
+ ​DDoS protection
1061
+ A distributed denial-of-service (DDoS) attack is where a large number of computers or
1062
+ devices, usually controlled by a single attacker, attempt to access a website or online service
1063
+ all at once. This flood of traffic can overwhelm the website’s origin servers, causing the site
1064
+ to slow down or even crash.
1065
+
1066
+ For more information about DDoS attacks and Cloudflare DDoS protection, refer to Prevent
1067
+ DDoS attacks.
1068
+
1069
+
1070
+ ​Managed rulesets
1071
+ All customers have access to the Cloudflare Free Managed Ruleset, which provides
1072
+ mitigations against high and wide-impacting vulnerabilities.
1073
+
1074
+ For more details, refer to the WAF documentation.
1075
+
1076
+
1077
+
1078
+ SSL/TLS settings
1079
+ 2 min read
1080
+
1081
+ Once you make sure that your Cloudflare SSL/TLS is working correctly, you will likely want
1082
+ to customize your SSL/TLS setup.
1083
+
1084
+
1085
+
1086
+
1087
+ ​Encryption mode
1088
+ Your zone’s SSL/TLS Encryption Mode controls how Cloudflare manages two connections:
1089
+ one between your visitors and Cloudflare, and the other between Cloudflare and your origin
1090
+ server.
1091
+
1092
+ Basic setup
1093
+
1094
+ The simplest way to choose your encryption mode is to enable the SSL/TLS
1095
+ Recommender, which scans your domain and recommends the appropriate setting.
1096
+
1097
+ To make sure you do not inadvertently block the SSL/TLS Recommender, review your
1098
+ settings to make sure your domain:
1099
+
1100
+ ● Is accessible.
1101
+ ● Is not blocking requests from our bot (which uses a user agent of
1102
+ Cloudflare-SSLDetector).
1103
+ ● Does not have any active, SSL-specific Page Rules or Configuration rules.
1104
+
1105
+ Then, you can enable SSL/TLS recommendations in the dashboard:
1106
+
1107
+ 1. Log in to the Cloudflare dashboard
1108
+ 1. and select your account and application.
1109
+ 2. Go to SSL/TLS.
1110
+ 3. For SSL/TLS Recommender, switch the toggle to On.
1111
+
1112
+ Once enabled, the SSL/TLS Recommender runs an origin scan using the user agent
1113
+ Cloudflare-SSLDetector and ignores your robots.txt file (except for rules explicitly
1114
+ targeting the user agent).
1115
+
1116
+ Based on this initial scan, the Recommender may decide that you could use a stronger SSL
1117
+ encryption mode. It will never recommend a weaker option than what is currently configured.
1118
+
1119
+ If so, it will send the application owner an email with the recommended option and add a
1120
+ Recommended by Cloudflare tag to that option on the SSL/TLS page. You are not required
1121
+ to use this recommendation.
1122
+
1123
+ If you do not receive an email, keep your current SSL encryption mode.
1124
+
1125
+ ​Secure setup
1126
+ If possible, Cloudflare recommends using Full or Full (strict) modes to prevent malicious
1127
+ connections to your origin.
1128
+
1129
+ These modes usually require additional setup and can be more technically challenging.
1130
+
1131
+
1132
+
1133
+
1134
+ ​Enforce HTTPS connections
1135
+ Even if your application has an active edge certificate, visitors can still access resources
1136
+ over unsecured HTTP connections.
1137
+
1138
+ Using various Cloudflare settings, however, you can force all or most visitor connections to
1139
+ use HTTPS.
1140
+
1141
+
1142
+
1143
+
1144
+ ​Evaluate additional features
1145
+ After you have chosen your encryption mode and enforced HTTPS connections, evaluate
1146
+ the following settings:
1147
+
1148
+ ● Edge certificates: Customize different aspects of your edge certificates, from enabling
1149
+ Opportunistic Encryption to specifying a Minimum TLS Version.
1150
+ ● Authenticated origin pull: Ensure all requests to your origin server originate from the
1151
+ Cloudflare network.
1152
+ ● Notifications: Set up alerts related to certificate validation status, issuance,
1153
+ deployment, renewal, and expiration.
1154
+
1155
+
1156
+
1157
+ Bot Fight Mode
1158
+ 1 min read
1159
+
1160
+ Bot Fight Mode is a simple, free product that helps detect and mitigate bot traffic on your
1161
+ domain. When enabled, the product:
1162
+
1163
+ ● Identifies traffic matching patterns of known bots
1164
+ ● Issues computationally expensive challenges in response to these bots
1165
+ ● Notifies Bandwidth Alliance
1166
+ ● partners (if applicable) to disable bots
1167
+
1168
+
1169
+ ​Considerations
1170
+ Bot Fight Mode has a few limitations, including that it:
1171
+
1172
+ ● Protects entire domains without endpoint restrictions.
1173
+ ● Cannot be customized, adjusted, or reconfigured via WAF custom rules.
1174
+
1175
+ If these limitations could cause issues with your application, do not enable this feature.
1176
+
1177
+ For more granular control - including the ability to use the Skip action for bot mitigation -
1178
+ consider using Super Bot Fight Mode.
1179
+
1180
+
1181
+ ​Setup
1182
+ To start using Bot Fight Mode:
1183
+
1184
+ 1. Log in to the Cloudflare dashboard
1185
+
1186
+ and select your account and domain.
1187
+ Go to Security > Bots.
1188
+ For Bot Fight Mode, select On.
1189
+
1190
+
1191
+
1192
+
1193
+ Secure your origin
1194
+ 4 min read
1195
+
1196
+ Your origin server
1197
+
1198
+ is a physical or virtual machine that is not owned by Cloudflare and hosts your application
1199
+ content (data, webpages, etc.).
1200
+
1201
+ Receiving too many requests can be bad for your origin. These requests might increase
1202
+ latency for visitors, incur higher costs — particularly for cloud-based machines — and could
1203
+ knock your application offline.
1204
+
1205
+
1206
+ ​Secure origin connections
1207
+ When you secure origin connections, it prevents attackers from discovering and overloading
1208
+ your origin server with requests.
1209
+
1210
+ ● DNS:
1211
+ 1. Proxy records (when possible): Set up proxied (orange-clouded) DNS
1212
+ records to hide your origin IP addresses and provide DDoS protection. As
1213
+ part of this, you should allow Cloudflare IP addresses at your origin to prevent
1214
+ requests from being blocked.
1215
+ 2. Review DNS-only records: Audit existing DNS-only records (SPF, TXT, and
1216
+ more) to make sure they do not contain origin IP information.
1217
+ 3. Evaluate mail infrastructure: If possible, do not host a mail service on the
1218
+ same server as the web resource you want to protect, since emails sent to
1219
+ non-existent addresses get bounced back to the attacker and reveal the mail
1220
+ server IP.
1221
+ 4. Rotate origin IPs: Once onboarded, rotate your origin IPs, as DNS records
1222
+ are in the public domain. Historical records are kept and would contain IP
1223
+ addresses prior to joining Cloudflare
1224
+
1225
+ Application layer
1226
+
1227
+ 1. Cloudflare Tunnel (HTTP/WebSockets)
1228
+
1229
+
1230
+ Cloudflare Tunnel connects your resources to Cloudflare without a publicly routable IP
1231
+ address, by creating an outbound-only connections to Cloudflare’s global network.
1232
+
1233
+ ● Security: Very secure.
1234
+ ● Availability: All customers.
1235
+ ● Challenges: Requires installing the cloudflared daemon on origin server or
1236
+ virtual machine.
1237
+
1238
+
1239
+
1240
+ 2. HTTP Header Validation
1241
+
1242
+ Only allow traffic with specific (and secret) HTTP headers.
1243
+
1244
+ ● Security: Moderately secure.
1245
+ ● Availability: All customers.
1246
+ ● Challenges:
1247
+ 1. Requires more configuration efforts on application- and server-side to accept
1248
+ those headers.
1249
+ 2. Basic authentication is vulnerable to replay attacks. Because basic
1250
+ authentication does not encrypt user credentials, it is important that traffic
1251
+ always be sent over an encrypted SSL session.
1252
+ 3. There might be valid use cases for a mismatch in SNI / Host headers such as
1253
+ through Page Rules, Load Balancing, or Workers, which all offer HTTP Host
1254
+ Header overrides.
1255
+ ● Process:
1256
+ 1. Use Transform rules or Workers to add an HTTP Auth Header.
1257
+ 2. Configure your origin server to restrict access based on the HTTP Auth
1258
+ Header (or perform HTTP Basic Authentication).
1259
+ 3. Configure your origin server to restrict access based on the HTTP Host
1260
+ Header. Specifically, only allow requests which contain expected HTTP Host
1261
+ Header values, and reject all other requests.
1262
+
1263
+ 3. JSON Web Tokens (JWT) Validation
1264
+
1265
+ Only allow traffic with the appropriate JWT.
1266
+
1267
+ ● Security: Very secure.
1268
+ ● Availability: Some customers.
1269
+ ● Challenges:
1270
+ ○ Requires either installing incremental software or modifying application code.
1271
+ ○ Lots of manual work.
1272
+ ● Resources:
1273
+ ○ Validate JWTs for an Access application
1274
+ ○ Validate JWTs for an API
1275
+
1276
+ Transport Layer
1277
+
1278
+ Authenticated Origin Pulls
1279
+
1280
+ Authenticated Origin Pulls helps ensure requests to your origin server come from the
1281
+ Cloudflare network.
1282
+
1283
+ ● Security: Very secure.
1284
+ ● Availability: All customers.
1285
+ ● Challenges:
1286
+ ○ Requires Full or Full (strict) encryption modes.
1287
+ ○ Requires more configuration efforts for application and server, such as
1288
+ uploading a certificate and configuring the server to use it.
1289
+ ○ For more strict security, you should upload your own certificate. Although
1290
+ Cloudflare provides you a certificate for easy configuration, this certificate
1291
+ only guarantees that a request is coming from the Cloudflare network.
1292
+ ○ Not scalable for large numbers of origin servers.
1293
+
1294
+ Cloudflare Tunnel (SSH / RDP)
1295
+
1296
+ Cloudflare Tunnel connects your resources to Cloudflare without a publicly routable IP
1297
+ address, by creating an outbound-only connections to Cloudflare’s global network.
1298
+
1299
+ ● Security: Very secure.
1300
+ ● Availability: All customers.
1301
+ ● Challenges: Requires installing the cloudflared daemon on origin server or
1302
+ virtual machine.
1303
+
1304
+ Network Layer
1305
+
1306
+ Allowlist Cloudflare IP addresses
1307
+
1308
+ Explicitly block all traffic that does not come from Cloudflare IP addresses (or the IP
1309
+ addresses of your trusted partners, vendors, or applications).
1310
+
1311
+ ● Security: Moderately secure.
1312
+ ● Availability: All customers.
1313
+ ● Challenges:
1314
+ ○ Requires allowlisting Cloudflare IP ranges at your origin server.
1315
+ ○ Vulnerable to IP spoofing.
1316
+ Cloudflare Network Interconnect
1317
+
1318
+ Cloudflare Network Interconnect allows you to connect your network infrastructure directly
1319
+ with Cloudflare – rather than using the public Internet – for a more reliable and secure
1320
+ experience.
1321
+
1322
+ ● Security: Very secure.
1323
+ ● Availability: Enterprise-only.
1324
+ ● Challenges
1325
+ ○ Requires some networking knowledge.
1326
+ ○ Only applies to some customer use cases.
1327
+
1328
+ Cloudflare Aegis
1329
+
1330
+ Cloudflare Aegis
1331
+
1332
+ prevents external connections by providing dedicated egress IP addresses.
1333
+
1334
+ ● Security: Very secure.
1335
+ ● Availability: Enterprise-only.
1336
+ ● Challenges: Requires network-level firewall policies.
1337
+
1338
+
1339
+
1340
+ Security Center
1341
+ 1 min read
1342
+
1343
+ Cloudflare Security Center brings together our suite of security products, our security
1344
+ expertise, and unique Internet intelligence as a unified security intelligence solution. Security
1345
+ Center enables you to strengthen your security posture by:
1346
+
1347
+ ● Mapping your cyber attack surface
1348
+ ● Providing asset inventory and discovery
1349
+ ● Identifying potential security risks, misconfigurations, and vulnerabilities
1350
+ ● Helping you to mitigate these risks through remediation in a few clicks
1351
+
1352
+ For additional details and help, refer to the Security Center documentation.
1353
+
1354
+
1355
+ ​Setup
1356
+ To enable Security Insights and perform an initial security scan:
1357
+
1358
+ 1. Log in to the Cloudflare dashboard
1359
+ 1. and select your account.
1360
+ 2. In the Account Home, go to Security Center > Security Insights.
1361
+ 3. Under Enable Security Center scans, select Start scan.
1362
+ The initial Security Insights scan will start. The initial scan time depends on the number of IT
1363
+ assets in all the domains of your Cloudflare account. When the scan is complete, the status
1364
+ of the page will change from Scan in Progress to Last scan performed on:
1365
+ <DATE_TIME>.
1366
+
1367
+
1368
+
1369
+ Performance
1370
+ Improve your application’s performance by enabling and optimizing your sites settings.
1371
+
1372
+
1373
+ ​Objectives
1374
+ By the end of this module, you will be able to:
1375
+
1376
+ ● Explain how - just by using Cloudflare - you can increase application performance
1377
+ ● Optimize caching using various Cloudflare settings
1378
+ ● Improve performance using different settings within Speed settings
1379
+ ● Set up Cloudflare Web Analytics for free, privacy-first analytics
1380
+ ● Evaluate other, add-on products that can improve application performance
1381
+
1382
+
1383
+
1384
+ Default improvements
1385
+ 1 min read
1386
+
1387
+ Cloudflare provides a variety of speed improvements by default.
1388
+
1389
+
1390
+ ​DNS resolution
1391
+ When your site is using Cloudflare, your site always benefits from Cloudflare’s lightning-fast
1392
+ DNS resolution
1393
+
1394
+ .
1395
+
1396
+
1397
+ ​Caching
1398
+ When your DNS records are proxied through Cloudflare, Cloudflare caches certain types of
1399
+ resources automatically (which improves application performance).
1400
+
1401
+ How does caching improve performance?
1402
+
1403
+ Caching is the process of storing copies of files in a cache, or temporary storage location, so
1404
+ that they can be accessed more quickly.
1405
+ When Cloudflare stores content in its cache, the request never needs to go to your
1406
+ application or origin server, which reduces the number of requests and gets content to the
1407
+ user more quickly.
1408
+
1409
+
1410
+
1411
+ Optimize caching
1412
+ 1 min read
1413
+
1414
+ Beyond default caching settings, you can further optimize your cache using different
1415
+ Cloudflare settings.
1416
+
1417
+ A few ways to optimize Cloudflare caching include:
1418
+
1419
+ ● Creating cache rules to customize the cache properties of specific HTTP requests.
1420
+ ● Enabling the Tiered Cache feature, which dramatically increases cache hit ratios.
1421
+ ● Reviewing our other various configuration options, which may vary based on your
1422
+ plan and application setup.
1423
+
1424
+
1425
+
1426
+ Optimize analytics
1427
+ 2 min read
1428
+
1429
+ Web analytics let you measure user behavior - pageviews, sessions, and custom events - on
1430
+ your application.
1431
+
1432
+ Cloudflare offers two ways to improve the privacy and performance of the way you gather
1433
+ these analytics.
1434
+
1435
+
1436
+ ​Cloudflare Web Analytics
1437
+ If you want analytics without using third-party tools, check out Cloudflare Web Analytics.
1438
+
1439
+ Cloudflare Web Analytics provides free, privacy-first analytics for your website without
1440
+ changing your DNS or using Cloudflare’s proxy. Cloudflare Web Analytics helps you
1441
+ understand the performance of your web pages as experienced by your site visitors.
1442
+
1443
+ All you need to enable Cloudflare Web Analytics is a Cloudflare account and a JavaScript
1444
+ snippet on your page to start getting information on page views and visitors. The JavaScript
1445
+ snippet (also known as a beacon) collects metrics using the Performance API, which is
1446
+ available in all major web browsers.
1447
+
1448
+ ​Setup
1449
+
1450
+ So long as your traffic is proxied through Cloudflare, setting up Web Analytics only involves a
1451
+ few steps:
1452
+ 1. Log in to the Cloudflare dashboard
1453
+ 1. , and select your account.
1454
+ 2. Select the Analytics & Logs drop-down and choose Web Analytics.
1455
+ 3. Under Quick Actions, select Add a site.
1456
+ 4. Select a hostname from the drop-down menu > Done.
1457
+
1458
+ ​Access
1459
+
1460
+ Once you have enabled Web Analytics, you can review analytics at any time:
1461
+
1462
+ 1. Log in to the Cloudflare dashboard
1463
+ 1. , and select your account.
1464
+ 2. Select the Analytics & Logs drop-down and choose Web Analytics.
1465
+ 3. Select your zone.
1466
+ 4. Review the various metrics provided by Cloudflare.
1467
+
1468
+ ​Notifications
1469
+
1470
+ Web Analytics uses Cloudflare’s Notification service. When enabled, Web Analytics sends
1471
+ you a weekly report with aggregate visits, page views and median page load time for all your
1472
+ sites, so you can monitor their performance.
1473
+
1474
+ To get started, add Web Analytics notification on your Cloudflare dashboard. Refer to
1475
+ Cloudflare Notifications to learn more.
1476
+
1477
+
1478
+
1479
+
1480
+ ​Cloudflare Zaraz
1481
+ If you already use third-party tools on your website, check out Cloudflare Zaraz.
1482
+
1483
+ Cloudflare Zaraz gives you complete control over third-party tools and services for your
1484
+ website, and allows you to offload them to Cloudflare’s edge, improving the speed and
1485
+ security of your website. With Cloudflare Zaraz you can load tools such as analytics tools,
1486
+ advertising pixels and scripts, chatbots, marketing automation tools, and more, in the most
1487
+ optimized way.
1488
+
1489
+ Cloudflare Zaraz is built for speed, privacy, and security, and you can use it to load as many
1490
+ tools as you need, with a near-zero performance hit.
1491
+
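Review bot: the MX record API example under "Set up email records" is not runnable as pasted and is inconsistent with its own response, so it should be cleaned up before this file is used as reference text. The extraction left an empty line after every `\` continuation (`curl -sX POST "https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/dns_records" \` is followed by a blank line before `-H 'x-auth-email: <EMAIL>' \`), which ends the command early in a shell, and the request body sets only `type`, `name`, `content` and `ttl` while the response shows `"priority": 10` that the request never supplied; join the continuation lines and add `"priority":10` to the JSON so the example matches the response. The example also authenticates with the `x-auth-email` / `x-auth-key` Global API Key headers; a scoped API token sent as `Authorization: Bearer <API_TOKEN>` with DNS edit permission on just this zone is the safer default, since a leaked Global API Key grants full account access. Smaller conversion artifacts worth fixing in the same pass: the numbered procedures restart at 1 mid-list (the "Add a site" steps after the Public Suffix List note, and the repeated `1. Log in to the Cloudflare dashboard` / `1. and select your account ...` pairs under Enable DNSSEC, Encryption mode, Security Center and Web Analytics), the stray `3. API example` item in the email procedure, the Bot Fight Mode setup steps that lost their numbering after step 1, the two-line table headers (`Type Name IPv4 Proxy` / `address status`) and the split `mail.example.` / `com` cell, and the zero-width characters in front of headings such as `​Objectives` and `​Limitations`.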