Spaces:

BroBro87
/

CloudChat

Sleeping

App Files Files Community

BroBro87 commited on Jan 26, 2024

Commit

c2df7fb

verified ·

1 Parent(s): fa83d85

Upload Cloudflare.txt

Browse files

Files changed (1) hide show

Cloudflare.txt +1491 -0

Cloudflare.txt ADDED Viewed

	@@ -0,0 +1,1491 @@

+Cloudflare Fundamentals
+What is Cloudflare?
+ 1 min read
+Cloudflare is a global network of servers
+. When you add your application to Cloudflare, we use this network to sit in between
+requests and your origin server.
+This position allows us to do several things — speeding up content delivery and user
+experience ( CDN), protecting your website from malicious activity ( DDoS, Web Application
+Firewall), routing traffic (Load balancing, Waiting Room), and more.
+How Cloudflare works
+ 3 min read
+Fundamentally, Cloudflare is a large network of servers that can improve the security,
+performance, and reliability of anything connected to the Internet.
+Cloudflare does this by serving as a reverse proxy
+for your web traffic. All requests to and from your origin flow through Cloudflare and — as
+these requests pass through our network — we can apply various rules and optimizations to
+improve security, performance, and reliability.
+Life of a request
+Even though it feels pretty instantaneous, there’s a lot happening when you type
+www.example.com into your browser.
+A website’s content does not technically live at a URL like www.example.com, but rather at
+an IP address like 192.0.2.1. It’s similar to how we say that Cloudflare’s headquarters is
+101 Townsend St., San Francisco, CA 94107, but really that address is just a placeholder for
+latitude and longitude coordinates (37.780259, -122.390519). URLs and street addresses
+are much easier for humans to remember.
+The process of converting a human-readable URL (www.example.com) into a
+machine-friendly address (192.0.2.1) is known as a DNS lookup
+.
+Without Cloudflare
+Without Cloudflare, DNS lookups for your application’s URL return the IP address of your
+origin server
+.
+         URL         Returned IP
+                      address
+    example.c   192.0.2.1
+    om
+When using Cloudflare with unproxied DNS records, DNS lookups for unproxied domains or
+subdomains also return your origin’s IP address.
+Another way of thinking about this concept is that visitors directly connect with your origin
+server.
+ConnectionVisitor
+Origin server
+With Cloudflare
+With Cloudflare — meaning your domain or subdomain is using proxied DNS records —
+DNS lookups for your application’s URL will resolve to Cloudflare Anycast IPs
+instead of their original DNS target.
+         URL         Returned IP
+                      address
+    example.c   104.16.77.250
+    om
+This means that all requests intended for proxied hostnames will go to Cloudflare first and
+then be forwarded to your origin server.
+Visitor ← Connection → Cloudflare global network ←Connection→Origin Server
+Cloudflare assigns specific Anycast IPs to your domain dynamically and these IPs may
+change at any time. This is an expected part of the operation of our Anycast network and
+does not affect the proxy behavior described above.
+Benefits
+When your traffic is proxied through Cloudflare before reaching your origin server, your
+application gets additional security, performance, and reliability benefits.
+Security
+Beyond hiding your origin’s IP address from potential attackers, Cloudflare also stops
+malicious traffic before it reaches your origin web server.
+Cloudflare automatically mitigates security risks using our WAF and DDoS protection.
+For additional details on security, refer to our guide on how to Secure your website.
+Performance
+For proxied traffic, Cloudflare also serves as a Content Delivery Network (CDN)
+, caching static resources and otherwise optimizing asset delivery.
+For additional details on performance, refer to our guides on Optimizing Site Speed and
+Caching.
+Reliability
+Cloudflare’s globally distributed Anycast network
+routes visitor requests to the nearest Cloudflare data center.
+Combined together with our CDN
+and DDoS protection, our network helps keep your application online.
+Cloudflare IPs
+ 2 min read
+Cloudflare has several IP address ranges
+which are shared by all proxied hostnames.
+Together, these IP addresses form the backbone of our Anycast network
+, helping distribute traffic amongst various edge network servers.
+Cloudflare uses other IP ranges for various products and services, but these addresses will
+not make connections to your origin.
+Allow Cloudflare IP addresses
+Because of how Cloudflare works, all traffic to proxied DNS records pass through Cloudflare
+before reaching your origin server. This means that your origin server will stop receiving
+traffic from individual visitor IP addresses and instead receive traffic from Cloudflare IP
+addresses
+, which are shared by all proxied hostnames.
+This setup can cause issues if your origin server blocks or rate limits connections from
+Cloudflare IP addresses. Because all visitor traffic will appear to come from Cloudflare IP
+addresses, blocking these IPs — even accidentally — will prevent visitor traffic from
+reaching your application.
+To avoid rate limiting or blocking these requests, you will need to allow Cloudflare IPs at your
+origin server.
+For Magic Transit customers, Cloudflare routes the traffic instead of proxying it. Once
+Cloudflare starts advertising your IP prefixes, it will accept IP packets destined for your
+network, process them, and then output these packets to your origin infrastructure.
+Customize Cloudflare IP addresses
+If they do not want to use Cloudflare IP addresses — which are shared by all proxied
+hostnames — Enterprise customers have two potential alternatives:
+   ●   Bring Your Own IP (BYOIP): Cloudflare announces your IPs in all our locations.
+   ●   Static IP addresses: Cloudflare sets static IP addresses for your domain. For more
+       details, contact your account team.
+Business and Enterprise customers can also reduce the number of Cloudflare IPs that their
+domain shares with other Cloudflare customer domains by uploading a Custom SSL
+certificate.
+Reference architectures
+ 1 min read
+Reference architecture documents and diagrams are designed to provide a foundational
+knowledge of Cloudflare solutioning for a variety of products. Building on the information in
+these documents, you can architect software solutions based on your specific context and
+needs.
+   ●   Content Delivery Network
+   ●   Magic Transit
+   ●   Multi-vender Application Security and Performance
+Account setup
+To create a Cloudflare account:
+      1.   Go to the Sign up page
+      1.   .
+      2.   Enter your Email and Password.
+      3.   Click Create Account.
+Once you create your account, Cloudflare will automatically send an email to your address to
+verify that email address.
+Best practices
+If you are creating an account for your team or a business, we recommend choosing an
+email alias or distribution list for your Email, such as [email protected].
+This email address is the main point of contact for your Cloudflare billing, usage notifications,
+and account recovery.
+Set-up 2FA
+ 2 min read
+Two-factor authentication (2FA) allows user account owners to add an additional layer of
+login security to Cloudflare accounts. This additional authentication step requires you to
+provide both something you know, such as a Cloudflare password, and something you have,
+such as an authentication code from a mobile device.
+Cloudflare user accounts configured to use single sign-on (SSO) cannot configure 2FA.
+Cloudflare offers the option to use either a phishing-resistant security key, like a YubiKey, or
+a Time-Based One-Time password (TOTP) mobile app for authentication, like Google
+Authenticator, or both. If you add both of these authentication methods to your account, you
+are initially prompted to log in with the security key, but can opt-out and use TOTP instead.
+To ensure that you can securely access your account even without your mobile device or
+security keys, Cloudflare also provides backup codes for download.
+Tip
+After downloading your backup codes, we recommend saving them in a secure location.
+As the user account owner, you are automatically assigned the Super Administrator role.
+Once 2FA is enabled, all Cloudflare account members are required to configure 2FA on their
+mobile devices.
+Enable 2FA
+We recommend that all Cloudflare user account holders enable two-factor authentication
+(2FA) to keep your accounts secure.
+2FA can only be enabled successfully on an account with a verified email address. If you do
+not verify your email address first, you may lock yourself out of your account.
+Super Administrators can turn on 2FA Enforcement to require all members to enable 2FA. If
+you are not a Super Administrator, you will be forced to turn on 2FA prior to accepting the
+invitation to join a Cloudflare account as a member.
+To enable two-factor authentication for your Cloudflare login:
+   1.   Log in to the Cloudflare dashboard
+   1.   .
+   2.   Under the My Profile dropdown, select My Profile.
+   3.   Select Authentication.
+   4.   Select Manage in the Two-Factor Authentication card.
+   5.   Configure either a TOTP mobile app or a security key to enable 2FA on your account.
+Additional configurations
+Cloudflare also supports 2FA with device built-in authenticators (Apple Touch ID, Android
+fingerprint, or Windows Hello), Yubikeys and TOTP mobile applications.
+Customize your account
+ 2 min read
+After creating an account, here are a handful of configurations you can customize:
+Account name
+Your account name defaults to <<YOUR_EMAIL_ADDRESS>>'s Account.
+You may want to customize the name of this account, either to help specify its purpose or to
+help associated with multiple accounts.
+To change your account name:
+   1. Log into the Cloudflare dashboard
+   1. .
+    2.   Go to Manage Account > Configurations.
+    3.   For Account Name, select Change Name.
+    4.   Enter a new account name.
+    5.   Select Save.
+Appearance
+If you want to adjust how the Cloudflare dashboard appears on your device, you can adjust
+relevant settings in your account Profile.
+To update appearance preferences:
+    1. Log into the Cloudflare dashboard
+    1. .
+    2. Go to My Profile
+    3. For Appearance, choose a value:
+          ○ Dark: Defaults to darker colors.
+          ○ Light: Defaults to lighter colors.
+          ○ Use system setting: Defaults to whatever is used on your device.
+    4. Your dashboard display will update to the new appearance setting automatically.
+Communication preferences
+When you create an account, Cloudflare automatically chooses your Communication
+Preferences, or when Cloudflare might occasionally send you emails.
+To update the communication preferences for your profile (which requires a verified email
+address):
+    1.   Log into the Cloudflare dashboard
+    1.   .
+    2.   Go to My Profile
+    3.   For Communication Preferences, select Edit.
+    4.   If you want a specific category of emails, make sure its associated box is checked.
+    5.   Select Save.
+Language preferences
+After you create your account, you may want to update your language preference.
+To update the language preference for your profile:
+    1. Log into the Cloudflare dashboard
+.
+Go to My Profile
+For Language Preference, select a value.
+Your dashboard display will update to the new language automatically.
+Add and manage other members
+ 3 min read
+Learn how to add new account members, edit or revoke their permissions and access, and
+resend verifications emails.
+To manage account members, you must have a role of Super Administrator and have a
+verified email address.
+View account members
+To manage account members, you must have a role of Super Administrator and have a
+verified email address.
+Dashboard mode:
+To view members using the dashboard:
+    1. Log in to the Cloudflare dashboard
+and select your account.
+Go to Manage Account > Members.
+API mode:
+To view members using the API, send a GET request.
+Baseurl:
+GET https://api.cloudflare.com/client/v4
+An API key is a token that you provide when making API calls. Include the token in a header parameter called
+X-Auth-Email.
+Example: X-Auth-Email: 123
+An API key is a token that you provide when making API calls. Include the token in a header parameter called
+X-Auth-Key.
+Example: X-Auth-Key: 123
+An API key is a token that you provide when making API calls. Include the token in a header parameter called
+X-Auth-User-Service-Key.
+Example: X-Auth-User-Service-Key: 123
+Provide your bearer token in the Authorization header when making requests to protected resources.
+Example: Authorization: Bearer 123
+Interact with Cloudflare's products and services via the Cloudflare API.
+Using the Cloudflare API requires authentication so that Cloudflare knows who is making
+requests and what permissions you have. Create an API token to grant access to the API to
+perform actions.
+To create an API token, from the Cloudflare dashboard, go to My Profile > API Tokens and
+select Create Token.
+Add account members
+To manage account members, you must have a role of Super Administrator and have a
+verified email address.
+Dashboard mode:
+To add a member to your account:
+    1. Log in to the Cloudflare dashboard
+    1. and select your account.
+    2. Go to Manage Account > Members.
+    3. Select Invite.
+    4. Fill out the following information:
+            ○ Invite members: Enter one or more email addresses (if multiple, separate
+                addresses with commas).
+            ○ Scope: Use a variety of fields to adjust the scope of your roles.
+            ○ Roles: Choose one or more roles to assign your members.
+    5. Select Continue to summary.
+    6. Review the information, then select Invite.
+If a user already has an account with Cloudflare and you have an Enterprise account, you
+can also select Direct Add to add them to your account without sending an email invitation.
+API mode:
+POST https://api.cloudflare.com/client/v4/accounts/{account_identifier}/members
+Request Sample
+curl --request POST \
+ --url https://api.cloudflare.com/client/v4/accounts/account_identifier/members \
+ --header 'Content-Type: application/json' \
+ --header 'X-Auth-Email: ' \
+     --data '{
+     "email": "[email protected]",
+     "roles": [
+      "3536bcfad5faccb999b47003c79917fb"
+     ],
+     "status": "pending"
+}'
+Response Example
+{
+     "errors": [],
+     "messages": [],
+     "result": {
+      "id": "4536bcfad5faccb111b47003c79917fa",
+      "roles": [
+          {
+              "description": "Administrative access to the entire Account",
+              "id": "3536bcfad5faccb999b47003c79917fb",
+              "name": "Account Administrator",
+              "permissions": {
+               "analytics": {
+                "read": true,
+                "write": false
+               },
+               "zones": {
+                "read": true,
+                "write": true
+                 }
+             }
+         }
+     ],
+     "status": null,
+     "user": {
+         "email": "[email protected]",
+         "first_name": "John",
+         "id": "023e105f4ecef8ad9ca31a8372d0c353",
+         "last_name": "Appleseed",
+         "two_factor_authentication_enabled": false
+     },
+     "code": "05dd05cce12bbed97c0d87cd78e89bc2fd41a6cee72f27f6fc84af2e45c0fac0"
+    },
+    "success": true
+}
+Resend an invitation
+If you invited a member to your account but they cannot find the invitation or the invitation
+expires, you can resend the invitation through the Cloudflare dashboard:
+         1. Log in to the Cloudflare dashboard and select your account[^1].
+         2. Go to Manage Account > Members.
+         3. Select a member record where their Status is Invite Pending.
+         4. Select Resend invite
+Create an API token
+    2 min read
+Prerequisite
+Before you begin, find your zone and account IDs.
+   1. From the Cloudflare dashboard, go to My Profile > API Tokens.
+   2. Select Create Token.
+   3. Select a template from the available API token templates or create a custom token.
+      We use the Edit zone DNS template in the following examples.
+   4. Add or edit the token name to describe why or how the token is used. Templates are
+      prefilled with a token name and permissions.
+   5. Modify the token’s permissions. After selecting a permissions group (Account, User,
+      or Zone), choose what level of access to grant the token. Most groups offer Edit or
+       Read options. Edit is full CRUDL (create, read, update, delete, list) access, while
+       Read is the read permission and list where appropriate. Refer to the available token
+       permissions for more information.
+   6. Select which resources the token is authorized to access. For example, granting
+       Zone DNS Read access to a zone example.com will allow the token to read DNS
+       records only for that specific zone. Any other zone will return an error for DNS record
+       reads operations. Any other operation on that zone will also return an error.
+   7. (Optional) Restrict how a token is used in the Client IP Address Filtering and TTL
+       (time to live) fields.
+   8. Select Continue to summary.
+   9. Review the token summary. Select Edit token to make adjustments. You can also
+       edit a token after creation.
+   10. Select Create Token to generate the token’s secret.
+   11. Copy the secret to a secure place.
+Warning
+The token secret is only shown once. Do not store the secret in plaintext where others can
+access it. Anyone with this token can perform the authorized actions against the resources
+that the token has access to.
+The token secret page also includes an example command to test the token. Use the
+/user/tokens/verify endpoint to fetch the current status of the given token.
+$ curl "https://api.cloudflare.com/client/v4/user/tokens/verify" \
+   -H "Authorization: Bearer <API_TOKEN>"
+The result:
+{
+ "result": {
+   "id": "100bf38cc8393103870917dd535e0628",
+   "status": "active"
+},
+"success": true,
+"errors": [],
+"messages": [
+  {
+    "code": 10000,
+    "message": "This API Token is valid and active",
+    "type": null
+  }
+]
+}
+With this you have successfully created an API token and can start working with the
+Cloudflare API. After creating your first API token, you can create additional API tokens via
+the API.
+Add your domain to Cloudflare
+Minimize downtime
+2 min read
+When making any change to the routing of an Internet application, there is always a
+possibility of downtime due to certificate issuance, misconfigured settings, or limitations at
+your origin server. To avoid downtime when going live, it’s important to review the most
+common configurations.
+Update and review DNS records.
+Before activating your domain on Cloudflare (exact steps depend on your DNS setup),
+review the DNS records in your Cloudflare account.
+Start with unproxied records
+With a new domain, make sure all your DNS records have a proxy status of DNS-only.
+This setting prevents Cloudflare from proxying your traffic before you have an active edge
+certificate or before you have allowed Cloudflare IP addresses.
+Confirm record accuracy
+Take extra time to confirm the accuracy of your DNS records before activating your domain,
+paying special attention to:
+   ●   Zone apex records (example.com)
+   ●   Subdomain records (www.example.com or blog.example.com)
+   ●   Email records
+If you add DNS records to your authoritative DNS provider between onboarding your domain
+and activating your domain, you may need to also add these records within Cloudflare.
+Activate your domain.
+Finish the DNS setup for your domain, moving the domain status to Active:
+   ●   Full setups: Update the authoritative nameservers at your registrar and wait for that
+       change to be authenticated.
+   ●   Partial setups: Add the verification TXT record to your authoritative DNS and wait for
+       that change to be authenticated.
+Verify SSL/TLS edge certificates.
+Before proxying your traffic through Cloudflare, verify that Cloudflare has an active Edge
+Certificate for your domain.
+For more details about timing and certificate recommendations, refer to Certificate issuance.
+Optional - Test configuration.
+You may want to test your configuration using your local machine or proxying traffic from a
+development domain or subdomain.
+If you experience issues, you should make sure that you have allowed Cloudflare IP
+addresses at your origin server.
+Update proxy status.
+Once you have verified that your SSL/TLS edge certificate is active and you have allowed
+Cloudflare IP addresses, change the proxy status of appropriate DNS records to Proxied.
+Allow Cloudflare IP addresses
+ 2 min read
+Because of how Cloudflare works, all traffic to proxied DNS records pass through Cloudflare
+before reaching your origin server. This means that your origin server will stop receiving
+traffic from individual visitor IP addresses and instead receive traffic from Cloudflare IP
+addresses
+, which are shared by all proxied hostnames.
+This setup can cause issues if your origin server blocks or rate limits connections from
+Cloudflare IP addresses. Because all visitor traffic will appear to come from Cloudflare IP
+addresses, blocking these IPs — even accidentally — will prevent visitor traffic from
+reaching your application.
+To avoid rate limiting or blocking these requests, you will need to allow Cloudflare IPs at your
+origin server.
+For Magic Transit customers, Cloudflare routes the traffic instead of proxying it. Once
+Cloudflare starts advertising your IP prefixes, it will accept IP packets destined for your
+network, process them, and then output these packets to your origin infrastructure.
+Review external tools
+To avoid blocking Cloudflare IP addresses unintentionally, review your external tools to
+check that:
+   ●   Any security plugins — such as those for WordPress — allow Cloudflare IP
+       addresses.
+   ●   The mod_security
+   ●   plugin is up to date.
+Configure origin server
+Allowlist Cloudflare IP addresses
+To avoid blocking Cloudflare IP addresses unintentionally, you also want to allow Cloudflare
+IP addresses at your origin web server.
+You can explicitly allow these IP addresses with a .htaccess file or by using iptables.
+The following example demonstrates how your could use an iptables rule to allow a
+Cloudflare IP address range. Replace $ip below with one of the Cloudflare IP address
+ranges
+# For IPv4 addresses
+iptables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPT
+# For IPv6 addresses
+ip6tables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPT
+Block other IP addresses (recommended)
+As a best practice, we also recommend that you explicitly block all traffic that does not come
+from Cloudflare IP addresses or the IP addresses of your trusted partners, vendors, or
+applications.
+For example, you might update your iptables
+with the following commands:
+#for IPv4
+iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP
+#for IPv6
+ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP
+Disable DNSSEC
+ 2 min read
+DNS Security Extensions (DNSSEC) adds an extra layer of authentication to DNS, ensuring
+requests are not routed to a spoofed domain.
+Disable DNSSEC
+If you are onboarding an existing domain to Cloudflare, make sure DNSSEC is disabled at
+your registrar (where you purchased your domain name). Otherwise, your domain will
+experience connectivity errors when you change your nameservers.
+Why do I have to disable DNSSEC?
+When your domain has DNSSEC enabled, your DNS provider digitally signs all your DNS
+records. This action prevents anyone else from issuing false DNS records on your behalf
+and redirecting traffic intended for your domain.
+However, having a single set of signed records also prevents Cloudflare from issuing new
+DNS records on your behalf (which is part of using Cloudflare for your authoritative
+nameservers). So if you change your nameservers without disabling DNSSEC, DNSSEC will
+prevent Cloudflare’s DNS records from resolving properly.
+Add a site
+ 2 min read
+   1. Log in to the Cloudflare dashboard.
+   2. In the top navigation bar, click Add site.
+   3. Enter your website’s apex domain (example.com) and then click Add Site.
+If Cloudflare is unable to identify your domain as a registered domain, make sure you are
+using an existing top-level domain
+(.com, .net, .biz, or others).
+Additionally, Cloudflare requires your apex domain to be one level below a valid TLD
+defined in the Public Suffix List (PSL).
+   1. Select your plan level. For more details on features and pricing, refer to our Plans
+      page
+      .
+   2. Review your DNS records.
+      When you add a new site to Cloudflare, Cloudflare automatically scans for common
+      records and adds them to the DNS zone. The records show up under the respective
+      zone DNS > Records page.
+   3. Since this scan is not guaranteed to find all existing DNS records, you need to review
+      your records, paying special attention to the following record types:
+         a. Zone apex records (example.com)
+           b. Subdomain records (www.example.com or blog.example.com)
+           c. Email records
+   4. If you activate your domain on Cloudflare without setting up the correct DNS records
+      for your domain and subdomain, your visitors may experience
+      DNS_PROBE_FINISHED_NXDOMAIN errors.
+   5. If you find any missing records, manually add those records.
+   6. Depending on your site setup, you may want to adjust the proxy status for certain A,
+      AAAA, or CNAME records.
+   7. Click Continue.
+   8. Go through the Quick Start Guide and when you have finished, click Finish.
+Update your nameservers
+ 1 min read
+Once you have added a domain (also known as a zone) to Cloudflare, that domain will
+receive two assigned authoritative nameservers.
+Before your domain can begin using Cloudflare for DNS resolution, you need to add these
+nameservers at your registrar. Make sure DNSSEC is disabled at this point.
+Domain Resolution
+Ensure all your traffic is proxying through Cloudflare successfully.
+Objectives
+By the end of this module, you will be able to:
+   ●   Confirm your zone is set up correctly on Cloudflare
+   ●   Recognize and troubleshoot issues with your DNS records and SSL/TLS certificates
+Review DNS records
+ 1 min read
+When you add a new site to Cloudflare, Cloudflare automatically scans for common records
+and adds them to the DNS zone. The records show up under the respective zone DNS >
+Records page.
+The DNS records quick scan is not automatically invoked in the following cases:
+   ●   If you choose Enterprise plan and, instead of the Quick Scan, choose to upload a
+       DNS zone file or add records manually.
+   ●   If you add a zone via the API.
+You can manually invoke the quick scan via API with the Scan DNS Records endpoint. Note
+that the quick scan is a best effort attempt based on a predefined list of commonly used
+record names and types. You can read more about this in the reference page.
+Since this scan is not guaranteed to find all existing DNS records, you need to review your
+records, paying special attention to the following record types:
+   ●   Zone apex records (example.com)
+   ●   Subdomain records (www.example.com or blog.example.com)
+   ●   Email records
+If you want more control over which DNS records are imported and how, import a zone file.
+If your domain is added to Cloudflare by a hosting partner, manage your DNS records via the
+hosting partner.
+Proxy status
+ 3 min read
+The Proxy status of a DNS record affects how Cloudflare treats incoming traffic to that
+record. Cloudflare recommends enabling our proxy for all A, AAAA, and CNAME records.
+Proxied records
+Note that if you have multiple A/AAAA records on the same name and at least one of them is
+proxied, Cloudflare will treat all A/AAAA records on this name as being proxied.
+When you proxy specific DNS records through Cloudflare - specifically A, AAAA, or CNAME
+records — DNS queries for these will resolve to Cloudflare Anycast IPs instead of their
+original DNS target. This means that all requests intended for proxied hostnames will go to
+Cloudflare first and then be forwarded to your origin server.
+This behavior allows Cloudflare to optimize, cache, and protect all requests to your
+application, as well as protect your origin server from DDoS attacks
+Because requests to proxied hostnames go through Cloudflare before reaching your origin
+server, all requests will appear to be coming from Cloudflare’s IP addresses (and could
+potentially be blocked or rate limited). If you use proxied records, you may need to adjust
+your server configuration to allow Cloudflare IPs.
+Cloudflare Anycast IPs used to proxy traffic on your domain are assigned automatically.
+These IPs might change at any time for operational reasons. If you need to allowlist
+Cloudflare IPs on your infrastructure or hosting provider, include the full list of Cloudflare
+Anycast IPs
+As an Enterprise customer, you have the option to get static IPs or bring your own IPs
+(BYOIP).
+Limitations
+Record types
+By default, Cloudflare only supports proxied A, AAAA, and CNAME records. You cannot proxy
+other record types.
+If you encounter a CNAME record that you cannot proxy — usually associated with another
+CDN provider — a proxied version of that record will cause connectivity errors. Cloudflare is
+purposely preventing that record from being proxied to protect you from a misconfiguration.
+Ports and protocols
+By default, Cloudflare only proxies HTTP and HTTPS traffic.
+If you need to connect to your origin using a non-HTTP protocol (SSH, FTP, SMTP) or the
+traffic targets an unsupported port at the origin, either leave your records unproxied
+(DNS-only) or use Cloudflare Spectrum.
+Pending domains
+When you add a domain to Cloudflare, Cloudflare protection will be in a pending state until
+we can verify ownership. This could take up to 24 hours to complete.
+This means that DNS records - even those set to proxy traffic through Cloudflare – will be
+DNS-only until your zone has been activated and any requests to your DNS records will
+return your origin server’s IP address.
+If this warning is still present after 24 hours, refer to Troubleshooting.
+For enhanced security, we recommend rolling your origin IP addresses at your hosting
+provider after your zone has been activated. This action prevents your origin IPs from being
+leaked during onboarding.
+Windows authentication
+Because Microsoft Integrated Windows Authentication, NTLM, and Kerberos violate
+HTTP/1.1 specifications, they are not compatible with proxied DNS records.
+Enable DNSSEC
+    2 min read
+DNS Security Extensions (DNSSEC) adds an extra layer of authentication to DNS, ensuring
+requests are not routed to a spoofed domain.
+For additional background on DNSSEC, visit the Cloudflare Learning Center
+.
+When you enable DNSSEC, Cloudflare signs your zone, publishes your public signing keys,
+and generates your DS record.
+Step 1 - Activate DNSSEC in Cloudflare
+      1.   Log in to the Cloudflare dashboard
+      1.   and select your account and domain.
+      2.   Go to DNS > Settings.
+      3.   For DNSSEC, click Enable DNSSEC.
+      4.   In the dialog, you have access to several necessary values to help you create a DS
+           record at your registrar. Once you close the dialog, you can access this information
+           by clicking DS record on the DNSSEC card.
+Step 2 — Add DS record to your registrar
+Add the DS record to your registrar. If Algorithm 13 - Cloudflare’s preferred cipher choice - is
+not listed by your registrar, it may also be called ECDSA Curve P-256 with SHA-256.
+Provider-specific instructions
+Note:
+Cloudflare automatically adds DS records for domains using Cloudflare Registrar or those
+using .ch and .cz top-level domains.
+Create a subdomain
+ 1 min read
+Most subdomains serve a specific purpose within the overall context of your website. For
+example, blog.example.com might be your blog, support.example.com could be your
+customer help portal, and store.example.com would be your e-commerce site.
+Subdomain records
+To create a new subdomain, you would first add the subdomain content at your host.
+Then, you would create a corresponding A, AAAA, or CNAME record for that subdomain
+(blog, store).
+ Type     Name        IPv4           Proxy
+                    address          status
+ A        www     192.0.2.1      Proxied
+Set up email records
+ 1 min read
+Receive email
+If you only need to receive emails, Cloudflare offers Email Routing for free email forwarding
+to custom email addresses.
+Send and receive email
+To send and receive emails from your domain, you need:
+     ●   An SMTP provider.
+     ●   To create two DNS records within Cloudflare.
+To route emails through Cloudflare and to your mail server:
+   1. Get the IP address and MX record details from your SMTP provider (vendor-specific
+      guidelines).
+2.    Add an A or AAAA record for your mail subdomain that points to the IP address of
+your mail server.
+ Type   Name         IPv4             Proxy
+                   address            status
+ A      mail     192.0.2.1          DNS only
+   3. API example
+4.    Add an MX record that points to that subdomain.
+ Type   Name        Mail server         TTL
+ MX     @        mail.example. Auto
+                 com
+API Example:
+Request:
+curl -sX POST "https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/dns_records" \
+-H 'x-auth-email: <EMAIL>' \
+-H 'x-auth-key: <API_KEY>' \
+-H "Content-Type: application/json" \
+--data '{
+ "type":"MX",
+ "name":"example.com",
+ "content":"mail.example.com",
+ "ttl":3600
+}'
+Response:
+{
+ "result": {
+   "id": "<ID>",
+   "zone_id": "<ZONE_ID>",
+   "zone_name": "example.com",
+   "name": "example.com",
+   "type": "MX",
+   "content": "mail.example.com",
+   "priority": 10,
+   "proxiable": false,
+   "proxied": false,
+   "ttl": 3600,
+   "locked": false,
+  "meta": {
+    "auto_added": false,
+    "managed_by_apps": false,
+    "managed_by_argo_tunnel": false,
+    "source": "primary"
+  },
+  "comment": null,
+  "tags": [],
+  "created_on": "2023-01-17T20:54:23.660869Z",
+  "modified_on": "2023-01-17T20:54:23.660869Z"
+},
+"success": true,
+"errors": [],
+"messages": []
+}
+Default improvements
+    1 min read
+When your DNS records are proxied through Cloudflare, Cloudflare provides free and
+unmetered DDoS protection and other protection measures through the Web Application
+Firewall (WAF).
+DDoS protection
+A distributed denial-of-service (DDoS) attack is where a large number of computers or
+devices, usually controlled by a single attacker, attempt to access a website or online service
+all at once. This flood of traffic can overwhelm the website’s origin servers, causing the site
+to slow down or even crash.
+For more information about DDoS attacks and Cloudflare DDoS protection, refer to Prevent
+DDoS attacks.
+Managed rulesets
+All customers have access to the Cloudflare Free Managed Ruleset, which provides
+mitigations against high and wide-impacting vulnerabilities.
+For more details, refer to the WAF documentation.
+SSL/TLS settings
+ 2 min read
+Once you make sure that your Cloudflare SSL/TLS is working correctly, you will likely want
+to customize your SSL/TLS setup.
+Encryption mode
+Your zone’s SSL/TLS Encryption Mode controls how Cloudflare manages two connections:
+one between your visitors and Cloudflare, and the other between Cloudflare and your origin
+server.
+Basic setup
+The simplest way to choose your encryption mode is to enable the SSL/TLS
+Recommender, which scans your domain and recommends the appropriate setting.
+To make sure you do not inadvertently block the SSL/TLS Recommender, review your
+settings to make sure your domain:
+   ●    Is accessible.
+   ●    Is not blocking requests from our bot (which uses a user agent of
+        Cloudflare-SSLDetector).
+   ●    Does not have any active, SSL-specific Page Rules or Configuration rules.
+Then, you can enable SSL/TLS recommendations in the dashboard:
+   1.   Log in to the Cloudflare dashboard
+   1.   and select your account and application.
+   2.   Go to SSL/TLS.
+   3.   For SSL/TLS Recommender, switch the toggle to On.
+Once enabled, the SSL/TLS Recommender runs an origin scan using the user agent
+Cloudflare-SSLDetector and ignores your robots.txt file (except for rules explicitly
+targeting the user agent).
+Based on this initial scan, the Recommender may decide that you could use a stronger SSL
+encryption mode. It will never recommend a weaker option than what is currently configured.
+If so, it will send the application owner an email with the recommended option and add a
+Recommended by Cloudflare tag to that option on the SSL/TLS page. You are not required
+to use this recommendation.
+If you do not receive an email, keep your current SSL encryption mode.
+Secure setup
+If possible, Cloudflare recommends using Full or Full (strict) modes to prevent malicious
+connections to your origin.
+These modes usually require additional setup and can be more technically challenging.
+Enforce HTTPS connections
+Even if your application has an active edge certificate, visitors can still access resources
+over unsecured HTTP connections.
+Using various Cloudflare settings, however, you can force all or most visitor connections to
+use HTTPS.
+Evaluate additional features
+After you have chosen your encryption mode and enforced HTTPS connections, evaluate
+the following settings:
+   ●   Edge certificates: Customize different aspects of your edge certificates, from enabling
+       Opportunistic Encryption to specifying a Minimum TLS Version.
+   ●   Authenticated origin pull: Ensure all requests to your origin server originate from the
+       Cloudflare network.
+   ●   Notifications: Set up alerts related to certificate validation status, issuance,
+       deployment, renewal, and expiration.
+Bot Fight Mode
+ 1 min read
+Bot Fight Mode is a simple, free product that helps detect and mitigate bot traffic on your
+domain. When enabled, the product:
+   ●   Identifies traffic matching patterns of known bots
+   ●   Issues computationally expensive challenges in response to these bots
+   ●   Notifies Bandwidth Alliance
+   ●   partners (if applicable) to disable bots
+Considerations
+Bot Fight Mode has a few limitations, including that it:
+   ●   Protects entire domains without endpoint restrictions.
+   ●   Cannot be customized, adjusted, or reconfigured via WAF custom rules.
+If these limitations could cause issues with your application, do not enable this feature.
+For more granular control - including the ability to use the Skip action for bot mitigation -
+consider using Super Bot Fight Mode.
+Setup
+To start using Bot Fight Mode:
+   1. Log in to the Cloudflare dashboard
+and select your account and domain.
+Go to Security > Bots.
+For Bot Fight Mode, select On.
+Secure your origin
+ 4 min read
+Your origin server
+is a physical or virtual machine that is not owned by Cloudflare and hosts your application
+content (data, webpages, etc.).
+Receiving too many requests can be bad for your origin. These requests might increase
+latency for visitors, incur higher costs — particularly for cloud-based machines — and could
+knock your application offline.
+Secure origin connections
+When you secure origin connections, it prevents attackers from discovering and overloading
+your origin server with requests.
+   ●   DNS:
+         1. Proxy records (when possible): Set up proxied (orange-clouded) DNS
+            records to hide your origin IP addresses and provide DDoS protection. As
+            part of this, you should allow Cloudflare IP addresses at your origin to prevent
+            requests from being blocked.
+         2. Review DNS-only records: Audit existing DNS-only records (SPF, TXT, and
+            more) to make sure they do not contain origin IP information.
+         3. Evaluate mail infrastructure: If possible, do not host a mail service on the
+            same server as the web resource you want to protect, since emails sent to
+              non-existent addresses get bounced back to the attacker and reveal the mail
+              server IP.
+           4. Rotate origin IPs: Once onboarded, rotate your origin IPs, as DNS records
+              are in the public domain. Historical records are kept and would contain IP
+              addresses prior to joining Cloudflare
+Application layer
+   1. Cloudflare Tunnel (HTTP/WebSockets)
+Cloudflare Tunnel connects your resources to Cloudflare without a publicly routable IP
+address, by creating an outbound-only connections to Cloudflare’s global network.
+   ●   Security: Very secure.
+   ●   Availability: All customers.
+   ●   Challenges: Requires installing the cloudflared daemon on origin server or
+       virtual machine.
+   2. HTTP Header Validation
+Only allow traffic with specific (and secret) HTTP headers.
+   ●   Security: Moderately secure.
+   ●   Availability: All customers.
+   ●   Challenges:
+          1. Requires more configuration efforts on application- and server-side to accept
+              those headers.
+          2. Basic authentication is vulnerable to replay attacks. Because basic
+              authentication does not encrypt user credentials, it is important that traffic
+              always be sent over an encrypted SSL session.
+          3. There might be valid use cases for a mismatch in SNI / Host headers such as
+              through Page Rules, Load Balancing, or Workers, which all offer HTTP Host
+              Header overrides.
+   ●   Process:
+          1. Use Transform rules or Workers to add an HTTP Auth Header.
+          2. Configure your origin server to restrict access based on the HTTP Auth
+              Header (or perform HTTP Basic Authentication).
+          3. Configure your origin server to restrict access based on the HTTP Host
+              Header. Specifically, only allow requests which contain expected HTTP Host
+              Header values, and reject all other requests.
+       3. JSON Web Tokens (JWT) Validation
+Only allow traffic with the appropriate JWT.
+   ●   Security: Very secure.
+   ●   Availability: Some customers.
+   ●   Challenges:
+          ○ Requires either installing incremental software or modifying application code.
+          ○ Lots of manual work.
+   ●   Resources:
+          ○ Validate JWTs for an Access application
+          ○ Validate JWTs for an API
+Transport Layer
+Authenticated Origin Pulls
+Authenticated Origin Pulls helps ensure requests to your origin server come from the
+Cloudflare network.
+   ●   Security: Very secure.
+   ●   Availability: All customers.
+   ●   Challenges:
+          ○ Requires Full or Full (strict) encryption modes.
+          ○ Requires more configuration efforts for application and server, such as
+              uploading a certificate and configuring the server to use it.
+          ○ For more strict security, you should upload your own certificate. Although
+              Cloudflare provides you a certificate for easy configuration, this certificate
+              only guarantees that a request is coming from the Cloudflare network.
+          ○ Not scalable for large numbers of origin servers.
+Cloudflare Tunnel (SSH / RDP)
+Cloudflare Tunnel connects your resources to Cloudflare without a publicly routable IP
+address, by creating an outbound-only connections to Cloudflare’s global network.
+   ●   Security: Very secure.
+   ●   Availability: All customers.
+   ●   Challenges: Requires installing the cloudflared daemon on origin server or
+       virtual machine.
+Network Layer
+Allowlist Cloudflare IP addresses
+Explicitly block all traffic that does not come from Cloudflare IP addresses (or the IP
+addresses of your trusted partners, vendors, or applications).
+   ●   Security: Moderately secure.
+   ●   Availability: All customers.
+   ●   Challenges:
+          ○ Requires allowlisting Cloudflare IP ranges at your origin server.
+          ○ Vulnerable to IP spoofing.
+Cloudflare Network Interconnect
+Cloudflare Network Interconnect allows you to connect your network infrastructure directly
+with Cloudflare – rather than using the public Internet – for a more reliable and secure
+experience.
+   ●    Security: Very secure.
+   ●    Availability: Enterprise-only.
+   ●    Challenges
+           ○ Requires some networking knowledge.
+           ○ Only applies to some customer use cases.
+Cloudflare Aegis
+Cloudflare Aegis
+prevents external connections by providing dedicated egress IP addresses.
+   ●    Security: Very secure.
+   ●    Availability: Enterprise-only.
+   ●    Challenges: Requires network-level firewall policies.
+Security Center
+ 1 min read
+Cloudflare Security Center brings together our suite of security products, our security
+expertise, and unique Internet intelligence as a unified security intelligence solution. Security
+Center enables you to strengthen your security posture by:
+   ●    Mapping your cyber attack surface
+   ●    Providing asset inventory and discovery
+   ●    Identifying potential security risks, misconfigurations, and vulnerabilities
+   ●    Helping you to mitigate these risks through remediation in a few clicks
+For additional details and help, refer to the Security Center documentation.
+Setup
+To enable Security Insights and perform an initial security scan:
+   1.   Log in to the Cloudflare dashboard
+   1.   and select your account.
+   2.   In the Account Home, go to Security Center > Security Insights.
+   3.   Under Enable Security Center scans, select Start scan.
+The initial Security Insights scan will start. The initial scan time depends on the number of IT
+assets in all the domains of your Cloudflare account. When the scan is complete, the status
+of the page will change from Scan in Progress to Last scan performed on:
+<DATE_TIME>.
+Performance
+Improve your application’s performance by enabling and optimizing your sites settings.
+Objectives
+By the end of this module, you will be able to:
+      ●   Explain how - just by using Cloudflare - you can increase application performance
+      ●   Optimize caching using various Cloudflare settings
+      ●   Improve performance using different settings within Speed settings
+      ●   Set up Cloudflare Web Analytics for free, privacy-first analytics
+      ●   Evaluate other, add-on products that can improve application performance
+Default improvements
+    1 min read
+Cloudflare provides a variety of speed improvements by default.
+DNS resolution
+When your site is using Cloudflare, your site always benefits from Cloudflare’s lightning-fast
+DNS resolution
+.
+Caching
+When your DNS records are proxied through Cloudflare, Cloudflare caches certain types of
+resources automatically (which improves application performance).
+How does caching improve performance?
+Caching is the process of storing copies of files in a cache, or temporary storage location, so
+that they can be accessed more quickly.
+When Cloudflare stores content in its cache, the request never needs to go to your
+application or origin server, which reduces the number of requests and gets content to the
+user more quickly.
+Optimize caching
+ 1 min read
+Beyond default caching settings, you can further optimize your cache using different
+Cloudflare settings.
+A few ways to optimize Cloudflare caching include:
+   ●   Creating cache rules to customize the cache properties of specific HTTP requests.
+   ●   Enabling the Tiered Cache feature, which dramatically increases cache hit ratios.
+   ●   Reviewing our other various configuration options, which may vary based on your
+       plan and application setup.
+Optimize analytics
+ 2 min read
+Web analytics let you measure user behavior - pageviews, sessions, and custom events - on
+your application.
+Cloudflare offers two ways to improve the privacy and performance of the way you gather
+these analytics.
+Cloudflare Web Analytics
+If you want analytics without using third-party tools, check out Cloudflare Web Analytics.
+Cloudflare Web Analytics provides free, privacy-first analytics for your website without
+changing your DNS or using Cloudflare’s proxy. Cloudflare Web Analytics helps you
+understand the performance of your web pages as experienced by your site visitors.
+All you need to enable Cloudflare Web Analytics is a Cloudflare account and a JavaScript
+snippet on your page to start getting information on page views and visitors. The JavaScript
+snippet (also known as a beacon) collects metrics using the Performance API, which is
+available in all major web browsers.
+Setup
+So long as your traffic is proxied through Cloudflare, setting up Web Analytics only involves a
+few steps:
+   1.   Log in to the Cloudflare dashboard
+   1.   , and select your account.
+   2.   Select the Analytics & Logs drop-down and choose Web Analytics.
+   3.   Under Quick Actions, select Add a site.
+   4.   Select a hostname from the drop-down menu > Done.
+Access
+Once you have enabled Web Analytics, you can review analytics at any time:
+   1.   Log in to the Cloudflare dashboard
+   1.   , and select your account.
+   2.   Select the Analytics & Logs drop-down and choose Web Analytics.
+   3.   Select your zone.
+   4.   Review the various metrics provided by Cloudflare.
+Notifications
+Web Analytics uses Cloudflare’s Notification service. When enabled, Web Analytics sends
+you a weekly report with aggregate visits, page views and median page load time for all your
+sites, so you can monitor their performance.
+To get started, add Web Analytics notification on your Cloudflare dashboard. Refer to
+Cloudflare Notifications to learn more.
+Cloudflare Zaraz
+If you already use third-party tools on your website, check out Cloudflare Zaraz.
+Cloudflare Zaraz gives you complete control over third-party tools and services for your
+website, and allows you to offload them to Cloudflare’s edge, improving the speed and
+security of your website. With Cloudflare Zaraz you can load tools such as analytics tools,
+advertising pixels and scripts, chatbots, marketing automation tools, and more, in the most
+optimized way.
+Cloudflare Zaraz is built for speed, privacy, and security, and you can use it to load as many
+tools as you need, with a near-zero performance hit.