Fuelerchat

Sleeping

App Files Files Community

BroBro87 commited on Feb 12, 2024

Commit

3f44de3

verified ·

1 Parent(s): 3d6d112

Delete Cloudflare.txt

Browse files

Files changed (1) hide show

Cloudflare.txt +0 -1491

Cloudflare.txt DELETED Viewed

@@ -1,1491 +0,0 @@
-Cloudflare Fundamentals
-What is Cloudflare?
- 1 min read
-Cloudflare is a global network of servers
-. When you add your application to Cloudflare, we use this network to sit in between
-requests and your origin server.
-This position allows us to do several things — speeding up content delivery and user
-experience ( CDN), protecting your website from malicious activity ( DDoS, Web Application
-Firewall), routing traffic (Load balancing, Waiting Room), and more.
-How Cloudflare works
- 3 min read
-Fundamentally, Cloudflare is a large network of servers that can improve the security,
-performance, and reliability of anything connected to the Internet.
-Cloudflare does this by serving as a reverse proxy
-for your web traffic. All requests to and from your origin flow through Cloudflare and — as
-these requests pass through our network — we can apply various rules and optimizations to
-improve security, performance, and reliability.
-Life of a request
-Even though it feels pretty instantaneous, there’s a lot happening when you type
-www.example.com into your browser.
-A website’s content does not technically live at a URL like www.example.com, but rather at
-an IP address like 192.0.2.1. It’s similar to how we say that Cloudflare’s headquarters is
-101 Townsend St., San Francisco, CA 94107, but really that address is just a placeholder for
-latitude and longitude coordinates (37.780259, -122.390519). URLs and street addresses
-are much easier for humans to remember.
-The process of converting a human-readable URL (www.example.com) into a
-machine-friendly address (192.0.2.1) is known as a DNS lookup
-.
-Without Cloudflare
-Without Cloudflare, DNS lookups for your application’s URL return the IP address of your
-origin server
-.
-         URL         Returned IP
-                      address
-    example.c   192.0.2.1
-    om
-When using Cloudflare with unproxied DNS records, DNS lookups for unproxied domains or
-subdomains also return your origin’s IP address.
-Another way of thinking about this concept is that visitors directly connect with your origin
-server.
-ConnectionVisitor
-Origin server
-With Cloudflare
-With Cloudflare — meaning your domain or subdomain is using proxied DNS records —
-DNS lookups for your application’s URL will resolve to Cloudflare Anycast IPs
-instead of their original DNS target.
-         URL         Returned IP
-                      address
-    example.c   104.16.77.250
-    om
-This means that all requests intended for proxied hostnames will go to Cloudflare first and
-then be forwarded to your origin server.
-Visitor ← Connection → Cloudflare global network ←Connection→Origin Server
-Cloudflare assigns specific Anycast IPs to your domain dynamically and these IPs may
-change at any time. This is an expected part of the operation of our Anycast network and
-does not affect the proxy behavior described above.
-Benefits
-When your traffic is proxied through Cloudflare before reaching your origin server, your
-application gets additional security, performance, and reliability benefits.
-Security
-Beyond hiding your origin’s IP address from potential attackers, Cloudflare also stops
-malicious traffic before it reaches your origin web server.
-Cloudflare automatically mitigates security risks using our WAF and DDoS protection.
-For additional details on security, refer to our guide on how to Secure your website.
-Performance
-For proxied traffic, Cloudflare also serves as a Content Delivery Network (CDN)
-, caching static resources and otherwise optimizing asset delivery.
-For additional details on performance, refer to our guides on Optimizing Site Speed and
-Caching.
-Reliability
-Cloudflare’s globally distributed Anycast network
-routes visitor requests to the nearest Cloudflare data center.
-Combined together with our CDN
-and DDoS protection, our network helps keep your application online.
-Cloudflare IPs
- 2 min read
-Cloudflare has several IP address ranges
-which are shared by all proxied hostnames.
-Together, these IP addresses form the backbone of our Anycast network
-, helping distribute traffic amongst various edge network servers.
-Cloudflare uses other IP ranges for various products and services, but these addresses will
-not make connections to your origin.
-Allow Cloudflare IP addresses
-Because of how Cloudflare works, all traffic to proxied DNS records pass through Cloudflare
-before reaching your origin server. This means that your origin server will stop receiving
-traffic from individual visitor IP addresses and instead receive traffic from Cloudflare IP
-addresses
-, which are shared by all proxied hostnames.
-This setup can cause issues if your origin server blocks or rate limits connections from
-Cloudflare IP addresses. Because all visitor traffic will appear to come from Cloudflare IP
-addresses, blocking these IPs — even accidentally — will prevent visitor traffic from
-reaching your application.
-To avoid rate limiting or blocking these requests, you will need to allow Cloudflare IPs at your
-origin server.
-For Magic Transit customers, Cloudflare routes the traffic instead of proxying it. Once
-Cloudflare starts advertising your IP prefixes, it will accept IP packets destined for your
-network, process them, and then output these packets to your origin infrastructure.
-Customize Cloudflare IP addresses
-If they do not want to use Cloudflare IP addresses — which are shared by all proxied
-hostnames — Enterprise customers have two potential alternatives:
-   ●   Bring Your Own IP (BYOIP): Cloudflare announces your IPs in all our locations.
-   ●   Static IP addresses: Cloudflare sets static IP addresses for your domain. For more
-       details, contact your account team.
-Business and Enterprise customers can also reduce the number of Cloudflare IPs that their
-domain shares with other Cloudflare customer domains by uploading a Custom SSL
-certificate.
-Reference architectures
- 1 min read
-Reference architecture documents and diagrams are designed to provide a foundational
-knowledge of Cloudflare solutioning for a variety of products. Building on the information in
-these documents, you can architect software solutions based on your specific context and
-needs.
-   ●   Content Delivery Network
-   ●   Magic Transit
-   ●   Multi-vender Application Security and Performance
-Account setup
-To create a Cloudflare account:
-      1.   Go to the Sign up page
-      1.   .
-      2.   Enter your Email and Password.
-      3.   Click Create Account.
-Once you create your account, Cloudflare will automatically send an email to your address to
-verify that email address.
-Best practices
-If you are creating an account for your team or a business, we recommend choosing an
-email alias or distribution list for your Email, such as [email protected].
-This email address is the main point of contact for your Cloudflare billing, usage notifications,
-and account recovery.
-Set-up 2FA
- 2 min read
-Two-factor authentication (2FA) allows user account owners to add an additional layer of
-login security to Cloudflare accounts. This additional authentication step requires you to
-provide both something you know, such as a Cloudflare password, and something you have,
-such as an authentication code from a mobile device.
-Cloudflare user accounts configured to use single sign-on (SSO) cannot configure 2FA.
-Cloudflare offers the option to use either a phishing-resistant security key, like a YubiKey, or
-a Time-Based One-Time password (TOTP) mobile app for authentication, like Google
-Authenticator, or both. If you add both of these authentication methods to your account, you
-are initially prompted to log in with the security key, but can opt-out and use TOTP instead.
-To ensure that you can securely access your account even without your mobile device or
-security keys, Cloudflare also provides backup codes for download.
-Tip
-After downloading your backup codes, we recommend saving them in a secure location.
-As the user account owner, you are automatically assigned the Super Administrator role.
-Once 2FA is enabled, all Cloudflare account members are required to configure 2FA on their
-mobile devices.
-Enable 2FA
-We recommend that all Cloudflare user account holders enable two-factor authentication
-(2FA) to keep your accounts secure.
-2FA can only be enabled successfully on an account with a verified email address. If you do
-not verify your email address first, you may lock yourself out of your account.
-Super Administrators can turn on 2FA Enforcement to require all members to enable 2FA. If
-you are not a Super Administrator, you will be forced to turn on 2FA prior to accepting the
-invitation to join a Cloudflare account as a member.
-To enable two-factor authentication for your Cloudflare login:
-   1.   Log in to the Cloudflare dashboard
-   1.   .
-   2.   Under the My Profile dropdown, select My Profile.
-   3.   Select Authentication.
-   4.   Select Manage in the Two-Factor Authentication card.
-   5.   Configure either a TOTP mobile app or a security key to enable 2FA on your account.
-Additional configurations
-Cloudflare also supports 2FA with device built-in authenticators (Apple Touch ID, Android
-fingerprint, or Windows Hello), Yubikeys and TOTP mobile applications.
-Customize your account
- 2 min read
-After creating an account, here are a handful of configurations you can customize:
-Account name
-Your account name defaults to <<YOUR_EMAIL_ADDRESS>>'s Account.
-You may want to customize the name of this account, either to help specify its purpose or to
-help associated with multiple accounts.
-To change your account name:
-   1. Log into the Cloudflare dashboard
-   1. .
-    2.   Go to Manage Account > Configurations.
-    3.   For Account Name, select Change Name.
-    4.   Enter a new account name.
-    5.   Select Save.
-Appearance
-If you want to adjust how the Cloudflare dashboard appears on your device, you can adjust
-relevant settings in your account Profile.
-To update appearance preferences:
-    1. Log into the Cloudflare dashboard
-    1. .
-    2. Go to My Profile
-    3. For Appearance, choose a value:
-          ○ Dark: Defaults to darker colors.
-          ○ Light: Defaults to lighter colors.
-          ○ Use system setting: Defaults to whatever is used on your device.
-    4. Your dashboard display will update to the new appearance setting automatically.
-Communication preferences
-When you create an account, Cloudflare automatically chooses your Communication
-Preferences, or when Cloudflare might occasionally send you emails.
-To update the communication preferences for your profile (which requires a verified email
-address):
-    1.   Log into the Cloudflare dashboard
-    1.   .
-    2.   Go to My Profile
-    3.   For Communication Preferences, select Edit.
-    4.   If you want a specific category of emails, make sure its associated box is checked.
-    5.   Select Save.
-Language preferences
-After you create your account, you may want to update your language preference.
-To update the language preference for your profile:
-    1. Log into the Cloudflare dashboard
-.
-Go to My Profile
-For Language Preference, select a value.
-Your dashboard display will update to the new language automatically.
-Add and manage other members
- 3 min read
-Learn how to add new account members, edit or revoke their permissions and access, and
-resend verifications emails.
-To manage account members, you must have a role of Super Administrator and have a
-verified email address.
-View account members
-To manage account members, you must have a role of Super Administrator and have a
-verified email address.
-Dashboard mode:
-To view members using the dashboard:
-    1. Log in to the Cloudflare dashboard
-and select your account.
-Go to Manage Account > Members.
-API mode:
-To view members using the API, send a GET request.
-Baseurl:
-GET https://api.cloudflare.com/client/v4
-An API key is a token that you provide when making API calls. Include the token in a header parameter called
-X-Auth-Email.
-Example: X-Auth-Email: 123
-An API key is a token that you provide when making API calls. Include the token in a header parameter called
-X-Auth-Key.
-Example: X-Auth-Key: 123
-An API key is a token that you provide when making API calls. Include the token in a header parameter called
-X-Auth-User-Service-Key.
-Example: X-Auth-User-Service-Key: 123
-Provide your bearer token in the Authorization header when making requests to protected resources.
-Example: Authorization: Bearer 123
-Interact with Cloudflare's products and services via the Cloudflare API.
-Using the Cloudflare API requires authentication so that Cloudflare knows who is making
-requests and what permissions you have. Create an API token to grant access to the API to
-perform actions.
-To create an API token, from the Cloudflare dashboard, go to My Profile > API Tokens and
-select Create Token.
-Add account members
-To manage account members, you must have a role of Super Administrator and have a
-verified email address.
-Dashboard mode:
-To add a member to your account:
-    1. Log in to the Cloudflare dashboard
-    1. and select your account.
-    2. Go to Manage Account > Members.
-    3. Select Invite.
-    4. Fill out the following information:
-            ○ Invite members: Enter one or more email addresses (if multiple, separate
-                addresses with commas).
-            ○ Scope: Use a variety of fields to adjust the scope of your roles.
-            ○ Roles: Choose one or more roles to assign your members.
-    5. Select Continue to summary.
-    6. Review the information, then select Invite.
-If a user already has an account with Cloudflare and you have an Enterprise account, you
-can also select Direct Add to add them to your account without sending an email invitation.
-API mode:
-POST https://api.cloudflare.com/client/v4/accounts/{account_identifier}/members
-Request Sample
-curl --request POST \
- --url https://api.cloudflare.com/client/v4/accounts/account_identifier/members \
- --header 'Content-Type: application/json' \
- --header 'X-Auth-Email: ' \
-     --data '{
-     "email": "[email protected]",
-     "roles": [
-      "3536bcfad5faccb999b47003c79917fb"
-     ],
-     "status": "pending"
-}'
-Response Example
-{
-     "errors": [],
-     "messages": [],
-     "result": {
-      "id": "4536bcfad5faccb111b47003c79917fa",
-      "roles": [
-          {
-              "description": "Administrative access to the entire Account",
-              "id": "3536bcfad5faccb999b47003c79917fb",
-              "name": "Account Administrator",
-              "permissions": {
-               "analytics": {
-                "read": true,
-                "write": false
-               },
-               "zones": {
-                "read": true,
-                "write": true
-                 }
-             }
-         }
-     ],
-     "status": null,
-     "user": {
-         "email": "[email protected]",
-         "first_name": "John",
-         "id": "023e105f4ecef8ad9ca31a8372d0c353",
-         "last_name": "Appleseed",
-         "two_factor_authentication_enabled": false
-     },
-     "code": "05dd05cce12bbed97c0d87cd78e89bc2fd41a6cee72f27f6fc84af2e45c0fac0"
-    },
-    "success": true
-}
-Resend an invitation
-If you invited a member to your account but they cannot find the invitation or the invitation
-expires, you can resend the invitation through the Cloudflare dashboard:
-         1. Log in to the Cloudflare dashboard and select your account[^1].
-         2. Go to Manage Account > Members.
-         3. Select a member record where their Status is Invite Pending.
-         4. Select Resend invite
-Create an API token
-    2 min read
-Prerequisite
-Before you begin, find your zone and account IDs.
-   1. From the Cloudflare dashboard, go to My Profile > API Tokens.
-   2. Select Create Token.
-   3. Select a template from the available API token templates or create a custom token.
-      We use the Edit zone DNS template in the following examples.
-   4. Add or edit the token name to describe why or how the token is used. Templates are
-      prefilled with a token name and permissions.
-   5. Modify the token’s permissions. After selecting a permissions group (Account, User,
-      or Zone), choose what level of access to grant the token. Most groups offer Edit or
-       Read options. Edit is full CRUDL (create, read, update, delete, list) access, while
-       Read is the read permission and list where appropriate. Refer to the available token
-       permissions for more information.
-   6. Select which resources the token is authorized to access. For example, granting
-       Zone DNS Read access to a zone example.com will allow the token to read DNS
-       records only for that specific zone. Any other zone will return an error for DNS record
-       reads operations. Any other operation on that zone will also return an error.
-   7. (Optional) Restrict how a token is used in the Client IP Address Filtering and TTL
-       (time to live) fields.
-   8. Select Continue to summary.
-   9. Review the token summary. Select Edit token to make adjustments. You can also
-       edit a token after creation.
-   10. Select Create Token to generate the token’s secret.
-   11. Copy the secret to a secure place.
-Warning
-The token secret is only shown once. Do not store the secret in plaintext where others can
-access it. Anyone with this token can perform the authorized actions against the resources
-that the token has access to.
-The token secret page also includes an example command to test the token. Use the
-/user/tokens/verify endpoint to fetch the current status of the given token.
-$ curl "https://api.cloudflare.com/client/v4/user/tokens/verify" \
-   -H "Authorization: Bearer <API_TOKEN>"
-The result:
-{
- "result": {
-   "id": "100bf38cc8393103870917dd535e0628",
-   "status": "active"
-},
-"success": true,
-"errors": [],
-"messages": [
-  {
-    "code": 10000,
-    "message": "This API Token is valid and active",
-    "type": null
-  }
-]
-}
-With this you have successfully created an API token and can start working with the
-Cloudflare API. After creating your first API token, you can create additional API tokens via
-the API.
-Add your domain to Cloudflare
-Minimize downtime
-2 min read
-When making any change to the routing of an Internet application, there is always a
-possibility of downtime due to certificate issuance, misconfigured settings, or limitations at
-your origin server. To avoid downtime when going live, it’s important to review the most
-common configurations.
-Update and review DNS records.
-Before activating your domain on Cloudflare (exact steps depend on your DNS setup),
-review the DNS records in your Cloudflare account.
-Start with unproxied records
-With a new domain, make sure all your DNS records have a proxy status of DNS-only.
-This setting prevents Cloudflare from proxying your traffic before you have an active edge
-certificate or before you have allowed Cloudflare IP addresses.
-Confirm record accuracy
-Take extra time to confirm the accuracy of your DNS records before activating your domain,
-paying special attention to:
-   ●   Zone apex records (example.com)
-   ●   Subdomain records (www.example.com or blog.example.com)
-   ●   Email records
-If you add DNS records to your authoritative DNS provider between onboarding your domain
-and activating your domain, you may need to also add these records within Cloudflare.
-Activate your domain.
-Finish the DNS setup for your domain, moving the domain status to Active:
-   ●   Full setups: Update the authoritative nameservers at your registrar and wait for that
-       change to be authenticated.
-   ●   Partial setups: Add the verification TXT record to your authoritative DNS and wait for
-       that change to be authenticated.
-Verify SSL/TLS edge certificates.
-Before proxying your traffic through Cloudflare, verify that Cloudflare has an active Edge
-Certificate for your domain.
-For more details about timing and certificate recommendations, refer to Certificate issuance.
-Optional - Test configuration.
-You may want to test your configuration using your local machine or proxying traffic from a
-development domain or subdomain.
-If you experience issues, you should make sure that you have allowed Cloudflare IP
-addresses at your origin server.
-Update proxy status.
-Once you have verified that your SSL/TLS edge certificate is active and you have allowed
-Cloudflare IP addresses, change the proxy status of appropriate DNS records to Proxied.
-Allow Cloudflare IP addresses
- 2 min read
-Because of how Cloudflare works, all traffic to proxied DNS records pass through Cloudflare
-before reaching your origin server. This means that your origin server will stop receiving
-traffic from individual visitor IP addresses and instead receive traffic from Cloudflare IP
-addresses
-, which are shared by all proxied hostnames.
-This setup can cause issues if your origin server blocks or rate limits connections from
-Cloudflare IP addresses. Because all visitor traffic will appear to come from Cloudflare IP
-addresses, blocking these IPs — even accidentally — will prevent visitor traffic from
-reaching your application.
-To avoid rate limiting or blocking these requests, you will need to allow Cloudflare IPs at your
-origin server.
-For Magic Transit customers, Cloudflare routes the traffic instead of proxying it. Once
-Cloudflare starts advertising your IP prefixes, it will accept IP packets destined for your
-network, process them, and then output these packets to your origin infrastructure.
-Review external tools
-To avoid blocking Cloudflare IP addresses unintentionally, review your external tools to
-check that:
-   ●   Any security plugins — such as those for WordPress — allow Cloudflare IP
-       addresses.
-   ●   The mod_security
-   ●   plugin is up to date.
-Configure origin server
-Allowlist Cloudflare IP addresses
-To avoid blocking Cloudflare IP addresses unintentionally, you also want to allow Cloudflare
-IP addresses at your origin web server.
-You can explicitly allow these IP addresses with a .htaccess file or by using iptables.
-The following example demonstrates how your could use an iptables rule to allow a
-Cloudflare IP address range. Replace $ip below with one of the Cloudflare IP address
-ranges
-# For IPv4 addresses
-iptables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPT
-# For IPv6 addresses
-ip6tables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPT
-Block other IP addresses (recommended)
-As a best practice, we also recommend that you explicitly block all traffic that does not come
-from Cloudflare IP addresses or the IP addresses of your trusted partners, vendors, or
-applications.
-For example, you might update your iptables
-with the following commands:
-#for IPv4
-iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP
-#for IPv6
-ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP
-Disable DNSSEC
- 2 min read
-DNS Security Extensions (DNSSEC) adds an extra layer of authentication to DNS, ensuring
-requests are not routed to a spoofed domain.
-Disable DNSSEC
-If you are onboarding an existing domain to Cloudflare, make sure DNSSEC is disabled at
-your registrar (where you purchased your domain name). Otherwise, your domain will
-experience connectivity errors when you change your nameservers.
-Why do I have to disable DNSSEC?
-When your domain has DNSSEC enabled, your DNS provider digitally signs all your DNS
-records. This action prevents anyone else from issuing false DNS records on your behalf
-and redirecting traffic intended for your domain.
-However, having a single set of signed records also prevents Cloudflare from issuing new
-DNS records on your behalf (which is part of using Cloudflare for your authoritative
-nameservers). So if you change your nameservers without disabling DNSSEC, DNSSEC will
-prevent Cloudflare’s DNS records from resolving properly.
-Add a site
- 2 min read
-   1. Log in to the Cloudflare dashboard.
-   2. In the top navigation bar, click Add site.
-   3. Enter your website’s apex domain (example.com) and then click Add Site.
-If Cloudflare is unable to identify your domain as a registered domain, make sure you are
-using an existing top-level domain
-(.com, .net, .biz, or others).
-Additionally, Cloudflare requires your apex domain to be one level below a valid TLD
-defined in the Public Suffix List (PSL).
-   1. Select your plan level. For more details on features and pricing, refer to our Plans
-      page
-      .
-   2. Review your DNS records.
-      When you add a new site to Cloudflare, Cloudflare automatically scans for common
-      records and adds them to the DNS zone. The records show up under the respective
-      zone DNS > Records page.
-   3. Since this scan is not guaranteed to find all existing DNS records, you need to review
-      your records, paying special attention to the following record types:
-         a. Zone apex records (example.com)
-           b. Subdomain records (www.example.com or blog.example.com)
-           c. Email records
-   4. If you activate your domain on Cloudflare without setting up the correct DNS records
-      for your domain and subdomain, your visitors may experience
-      DNS_PROBE_FINISHED_NXDOMAIN errors.
-   5. If you find any missing records, manually add those records.
-   6. Depending on your site setup, you may want to adjust the proxy status for certain A,
-      AAAA, or CNAME records.
-   7. Click Continue.
-   8. Go through the Quick Start Guide and when you have finished, click Finish.
-Update your nameservers
- 1 min read
-Once you have added a domain (also known as a zone) to Cloudflare, that domain will
-receive two assigned authoritative nameservers.
-Before your domain can begin using Cloudflare for DNS resolution, you need to add these
-nameservers at your registrar. Make sure DNSSEC is disabled at this point.
-Domain Resolution
-Ensure all your traffic is proxying through Cloudflare successfully.
-Objectives
-By the end of this module, you will be able to:
-   ●   Confirm your zone is set up correctly on Cloudflare
-   ●   Recognize and troubleshoot issues with your DNS records and SSL/TLS certificates
-Review DNS records
- 1 min read
-When you add a new site to Cloudflare, Cloudflare automatically scans for common records
-and adds them to the DNS zone. The records show up under the respective zone DNS >
-Records page.
-The DNS records quick scan is not automatically invoked in the following cases:
-   ●   If you choose Enterprise plan and, instead of the Quick Scan, choose to upload a
-       DNS zone file or add records manually.
-   ●   If you add a zone via the API.
-You can manually invoke the quick scan via API with the Scan DNS Records endpoint. Note
-that the quick scan is a best effort attempt based on a predefined list of commonly used
-record names and types. You can read more about this in the reference page.
-Since this scan is not guaranteed to find all existing DNS records, you need to review your
-records, paying special attention to the following record types:
-   ●   Zone apex records (example.com)
-   ●   Subdomain records (www.example.com or blog.example.com)
-   ●   Email records
-If you want more control over which DNS records are imported and how, import a zone file.
-If your domain is added to Cloudflare by a hosting partner, manage your DNS records via the
-hosting partner.
-Proxy status
- 3 min read
-The Proxy status of a DNS record affects how Cloudflare treats incoming traffic to that
-record. Cloudflare recommends enabling our proxy for all A, AAAA, and CNAME records.
-Proxied records
-Note that if you have multiple A/AAAA records on the same name and at least one of them is
-proxied, Cloudflare will treat all A/AAAA records on this name as being proxied.
-When you proxy specific DNS records through Cloudflare - specifically A, AAAA, or CNAME
-records — DNS queries for these will resolve to Cloudflare Anycast IPs instead of their
-original DNS target. This means that all requests intended for proxied hostnames will go to
-Cloudflare first and then be forwarded to your origin server.
-This behavior allows Cloudflare to optimize, cache, and protect all requests to your
-application, as well as protect your origin server from DDoS attacks
-Because requests to proxied hostnames go through Cloudflare before reaching your origin
-server, all requests will appear to be coming from Cloudflare’s IP addresses (and could
-potentially be blocked or rate limited). If you use proxied records, you may need to adjust
-your server configuration to allow Cloudflare IPs.
-Cloudflare Anycast IPs used to proxy traffic on your domain are assigned automatically.
-These IPs might change at any time for operational reasons. If you need to allowlist
-Cloudflare IPs on your infrastructure or hosting provider, include the full list of Cloudflare
-Anycast IPs
-As an Enterprise customer, you have the option to get static IPs or bring your own IPs
-(BYOIP).
-Limitations
-Record types
-By default, Cloudflare only supports proxied A, AAAA, and CNAME records. You cannot proxy
-other record types.
-If you encounter a CNAME record that you cannot proxy — usually associated with another
-CDN provider — a proxied version of that record will cause connectivity errors. Cloudflare is
-purposely preventing that record from being proxied to protect you from a misconfiguration.
-Ports and protocols
-By default, Cloudflare only proxies HTTP and HTTPS traffic.
-If you need to connect to your origin using a non-HTTP protocol (SSH, FTP, SMTP) or the
-traffic targets an unsupported port at the origin, either leave your records unproxied
-(DNS-only) or use Cloudflare Spectrum.
-Pending domains
-When you add a domain to Cloudflare, Cloudflare protection will be in a pending state until
-we can verify ownership. This could take up to 24 hours to complete.
-This means that DNS records - even those set to proxy traffic through Cloudflare – will be
-DNS-only until your zone has been activated and any requests to your DNS records will
-return your origin server’s IP address.
-If this warning is still present after 24 hours, refer to Troubleshooting.
-For enhanced security, we recommend rolling your origin IP addresses at your hosting
-provider after your zone has been activated. This action prevents your origin IPs from being
-leaked during onboarding.
-Windows authentication
-Because Microsoft Integrated Windows Authentication, NTLM, and Kerberos violate
-HTTP/1.1 specifications, they are not compatible with proxied DNS records.
-Enable DNSSEC
-    2 min read
-DNS Security Extensions (DNSSEC) adds an extra layer of authentication to DNS, ensuring
-requests are not routed to a spoofed domain.
-For additional background on DNSSEC, visit the Cloudflare Learning Center
-.
-When you enable DNSSEC, Cloudflare signs your zone, publishes your public signing keys,
-and generates your DS record.
-Step 1 - Activate DNSSEC in Cloudflare
-      1.   Log in to the Cloudflare dashboard
-      1.   and select your account and domain.
-      2.   Go to DNS > Settings.
-      3.   For DNSSEC, click Enable DNSSEC.
-      4.   In the dialog, you have access to several necessary values to help you create a DS
-           record at your registrar. Once you close the dialog, you can access this information
-           by clicking DS record on the DNSSEC card.
-Step 2 — Add DS record to your registrar
-Add the DS record to your registrar. If Algorithm 13 - Cloudflare’s preferred cipher choice - is
-not listed by your registrar, it may also be called ECDSA Curve P-256 with SHA-256.
-Provider-specific instructions
-Note:
-Cloudflare automatically adds DS records for domains using Cloudflare Registrar or those
-using .ch and .cz top-level domains.
-Create a subdomain
- 1 min read
-Most subdomains serve a specific purpose within the overall context of your website. For
-example, blog.example.com might be your blog, support.example.com could be your
-customer help portal, and store.example.com would be your e-commerce site.
-Subdomain records
-To create a new subdomain, you would first add the subdomain content at your host.
-Then, you would create a corresponding A, AAAA, or CNAME record for that subdomain
-(blog, store).
- Type     Name        IPv4           Proxy
-                    address          status
- A        www     192.0.2.1      Proxied
-Set up email records
- 1 min read
-Receive email
-If you only need to receive emails, Cloudflare offers Email Routing for free email forwarding
-to custom email addresses.
-Send and receive email
-To send and receive emails from your domain, you need:
-     ●   An SMTP provider.
-     ●   To create two DNS records within Cloudflare.
-To route emails through Cloudflare and to your mail server:
-   1. Get the IP address and MX record details from your SMTP provider (vendor-specific
-      guidelines).
-2.    Add an A or AAAA record for your mail subdomain that points to the IP address of
-your mail server.
- Type   Name         IPv4             Proxy
-                   address            status
- A      mail     192.0.2.1          DNS only
-   3. API example
-4.    Add an MX record that points to that subdomain.
- Type   Name        Mail server         TTL
- MX     @        mail.example. Auto
-                 com
-API Example:
-Request:
-curl -sX POST "https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/dns_records" \
--H 'x-auth-email: <EMAIL>' \
--H 'x-auth-key: <API_KEY>' \
--H "Content-Type: application/json" \
---data '{
- "type":"MX",
- "name":"example.com",
- "content":"mail.example.com",
- "ttl":3600
-}'
-Response:
-{
- "result": {
-   "id": "<ID>",
-   "zone_id": "<ZONE_ID>",
-   "zone_name": "example.com",
-   "name": "example.com",
-   "type": "MX",
-   "content": "mail.example.com",
-   "priority": 10,
-   "proxiable": false,
-   "proxied": false,
-   "ttl": 3600,
-   "locked": false,
-  "meta": {
-    "auto_added": false,
-    "managed_by_apps": false,
-    "managed_by_argo_tunnel": false,
-    "source": "primary"
-  },
-  "comment": null,
-  "tags": [],
-  "created_on": "2023-01-17T20:54:23.660869Z",
-  "modified_on": "2023-01-17T20:54:23.660869Z"
-},
-"success": true,
-"errors": [],
-"messages": []
-}
-Default improvements
-    1 min read
-When your DNS records are proxied through Cloudflare, Cloudflare provides free and
-unmetered DDoS protection and other protection measures through the Web Application
-Firewall (WAF).
-DDoS protection
-A distributed denial-of-service (DDoS) attack is where a large number of computers or
-devices, usually controlled by a single attacker, attempt to access a website or online service
-all at once. This flood of traffic can overwhelm the website’s origin servers, causing the site
-to slow down or even crash.
-For more information about DDoS attacks and Cloudflare DDoS protection, refer to Prevent
-DDoS attacks.
-Managed rulesets
-All customers have access to the Cloudflare Free Managed Ruleset, which provides
-mitigations against high and wide-impacting vulnerabilities.
-For more details, refer to the WAF documentation.
-SSL/TLS settings
- 2 min read
-Once you make sure that your Cloudflare SSL/TLS is working correctly, you will likely want
-to customize your SSL/TLS setup.
-Encryption mode
-Your zone’s SSL/TLS Encryption Mode controls how Cloudflare manages two connections:
-one between your visitors and Cloudflare, and the other between Cloudflare and your origin
-server.
-Basic setup
-The simplest way to choose your encryption mode is to enable the SSL/TLS
-Recommender, which scans your domain and recommends the appropriate setting.
-To make sure you do not inadvertently block the SSL/TLS Recommender, review your
-settings to make sure your domain:
-   ●    Is accessible.
-   ●    Is not blocking requests from our bot (which uses a user agent of
-        Cloudflare-SSLDetector).
-   ●    Does not have any active, SSL-specific Page Rules or Configuration rules.
-Then, you can enable SSL/TLS recommendations in the dashboard:
-   1.   Log in to the Cloudflare dashboard
-   1.   and select your account and application.
-   2.   Go to SSL/TLS.
-   3.   For SSL/TLS Recommender, switch the toggle to On.
-Once enabled, the SSL/TLS Recommender runs an origin scan using the user agent
-Cloudflare-SSLDetector and ignores your robots.txt file (except for rules explicitly
-targeting the user agent).
-Based on this initial scan, the Recommender may decide that you could use a stronger SSL
-encryption mode. It will never recommend a weaker option than what is currently configured.
-If so, it will send the application owner an email with the recommended option and add a
-Recommended by Cloudflare tag to that option on the SSL/TLS page. You are not required
-to use this recommendation.
-If you do not receive an email, keep your current SSL encryption mode.
-Secure setup
-If possible, Cloudflare recommends using Full or Full (strict) modes to prevent malicious
-connections to your origin.
-These modes usually require additional setup and can be more technically challenging.
-Enforce HTTPS connections
-Even if your application has an active edge certificate, visitors can still access resources
-over unsecured HTTP connections.
-Using various Cloudflare settings, however, you can force all or most visitor connections to
-use HTTPS.
-Evaluate additional features
-After you have chosen your encryption mode and enforced HTTPS connections, evaluate
-the following settings:
-   ●   Edge certificates: Customize different aspects of your edge certificates, from enabling
-       Opportunistic Encryption to specifying a Minimum TLS Version.
-   ●   Authenticated origin pull: Ensure all requests to your origin server originate from the
-       Cloudflare network.
-   ●   Notifications: Set up alerts related to certificate validation status, issuance,
-       deployment, renewal, and expiration.
-Bot Fight Mode
- 1 min read
-Bot Fight Mode is a simple, free product that helps detect and mitigate bot traffic on your
-domain. When enabled, the product:
-   ●   Identifies traffic matching patterns of known bots
-   ●   Issues computationally expensive challenges in response to these bots
-   ●   Notifies Bandwidth Alliance
-   ●   partners (if applicable) to disable bots
-Considerations
-Bot Fight Mode has a few limitations, including that it:
-   ●   Protects entire domains without endpoint restrictions.
-   ●   Cannot be customized, adjusted, or reconfigured via WAF custom rules.
-If these limitations could cause issues with your application, do not enable this feature.
-For more granular control - including the ability to use the Skip action for bot mitigation -
-consider using Super Bot Fight Mode.
-Setup
-To start using Bot Fight Mode:
-   1. Log in to the Cloudflare dashboard
-and select your account and domain.
-Go to Security > Bots.
-For Bot Fight Mode, select On.
-Secure your origin
- 4 min read
-Your origin server
-is a physical or virtual machine that is not owned by Cloudflare and hosts your application
-content (data, webpages, etc.).
-Receiving too many requests can be bad for your origin. These requests might increase
-latency for visitors, incur higher costs — particularly for cloud-based machines — and could
-knock your application offline.
-Secure origin connections
-When you secure origin connections, it prevents attackers from discovering and overloading
-your origin server with requests.
-   ●   DNS:
-         1. Proxy records (when possible): Set up proxied (orange-clouded) DNS
-            records to hide your origin IP addresses and provide DDoS protection. As
-            part of this, you should allow Cloudflare IP addresses at your origin to prevent
-            requests from being blocked.
-         2. Review DNS-only records: Audit existing DNS-only records (SPF, TXT, and
-            more) to make sure they do not contain origin IP information.
-         3. Evaluate mail infrastructure: If possible, do not host a mail service on the
-            same server as the web resource you want to protect, since emails sent to
-              non-existent addresses get bounced back to the attacker and reveal the mail
-              server IP.
-           4. Rotate origin IPs: Once onboarded, rotate your origin IPs, as DNS records
-              are in the public domain. Historical records are kept and would contain IP
-              addresses prior to joining Cloudflare
-Application layer
-   1. Cloudflare Tunnel (HTTP/WebSockets)
-Cloudflare Tunnel connects your resources to Cloudflare without a publicly routable IP
-address, by creating an outbound-only connections to Cloudflare’s global network.
-   ●   Security: Very secure.
-   ●   Availability: All customers.
-   ●   Challenges: Requires installing the cloudflared daemon on origin server or
-       virtual machine.
-   2. HTTP Header Validation
-Only allow traffic with specific (and secret) HTTP headers.
-   ●   Security: Moderately secure.
-   ●   Availability: All customers.
-   ●   Challenges:
-          1. Requires more configuration efforts on application- and server-side to accept
-              those headers.
-          2. Basic authentication is vulnerable to replay attacks. Because basic
-              authentication does not encrypt user credentials, it is important that traffic
-              always be sent over an encrypted SSL session.
-          3. There might be valid use cases for a mismatch in SNI / Host headers such as
-              through Page Rules, Load Balancing, or Workers, which all offer HTTP Host
-              Header overrides.
-   ●   Process:
-          1. Use Transform rules or Workers to add an HTTP Auth Header.
-          2. Configure your origin server to restrict access based on the HTTP Auth
-              Header (or perform HTTP Basic Authentication).
-          3. Configure your origin server to restrict access based on the HTTP Host
-              Header. Specifically, only allow requests which contain expected HTTP Host
-              Header values, and reject all other requests.
-       3. JSON Web Tokens (JWT) Validation
-Only allow traffic with the appropriate JWT.
-   ●   Security: Very secure.
-   ●   Availability: Some customers.
-   ●   Challenges:
-          ○ Requires either installing incremental software or modifying application code.
-          ○ Lots of manual work.
-   ●   Resources:
-          ○ Validate JWTs for an Access application
-          ○ Validate JWTs for an API
-Transport Layer
-Authenticated Origin Pulls
-Authenticated Origin Pulls helps ensure requests to your origin server come from the
-Cloudflare network.
-   ●   Security: Very secure.
-   ●   Availability: All customers.
-   ●   Challenges:
-          ○ Requires Full or Full (strict) encryption modes.
-          ○ Requires more configuration efforts for application and server, such as
-              uploading a certificate and configuring the server to use it.
-          ○ For more strict security, you should upload your own certificate. Although
-              Cloudflare provides you a certificate for easy configuration, this certificate
-              only guarantees that a request is coming from the Cloudflare network.
-          ○ Not scalable for large numbers of origin servers.
-Cloudflare Tunnel (SSH / RDP)
-Cloudflare Tunnel connects your resources to Cloudflare without a publicly routable IP
-address, by creating an outbound-only connections to Cloudflare’s global network.
-   ●   Security: Very secure.
-   ●   Availability: All customers.
-   ●   Challenges: Requires installing the cloudflared daemon on origin server or
-       virtual machine.
-Network Layer
-Allowlist Cloudflare IP addresses
-Explicitly block all traffic that does not come from Cloudflare IP addresses (or the IP
-addresses of your trusted partners, vendors, or applications).
-   ●   Security: Moderately secure.
-   ●   Availability: All customers.
-   ●   Challenges:
-          ○ Requires allowlisting Cloudflare IP ranges at your origin server.
-          ○ Vulnerable to IP spoofing.
-Cloudflare Network Interconnect
-Cloudflare Network Interconnect allows you to connect your network infrastructure directly
-with Cloudflare – rather than using the public Internet – for a more reliable and secure
-experience.
-   ●    Security: Very secure.
-   ●    Availability: Enterprise-only.
-   ●    Challenges
-           ○ Requires some networking knowledge.
-           ○ Only applies to some customer use cases.
-Cloudflare Aegis
-Cloudflare Aegis
-prevents external connections by providing dedicated egress IP addresses.
-   ●    Security: Very secure.
-   ●    Availability: Enterprise-only.
-   ●    Challenges: Requires network-level firewall policies.
-Security Center
- 1 min read
-Cloudflare Security Center brings together our suite of security products, our security
-expertise, and unique Internet intelligence as a unified security intelligence solution. Security
-Center enables you to strengthen your security posture by:
-   ●    Mapping your cyber attack surface
-   ●    Providing asset inventory and discovery
-   ●    Identifying potential security risks, misconfigurations, and vulnerabilities
-   ●    Helping you to mitigate these risks through remediation in a few clicks
-For additional details and help, refer to the Security Center documentation.
-Setup
-To enable Security Insights and perform an initial security scan:
-   1.   Log in to the Cloudflare dashboard
-   1.   and select your account.
-   2.   In the Account Home, go to Security Center > Security Insights.
-   3.   Under Enable Security Center scans, select Start scan.
-The initial Security Insights scan will start. The initial scan time depends on the number of IT
-assets in all the domains of your Cloudflare account. When the scan is complete, the status
-of the page will change from Scan in Progress to Last scan performed on:
-<DATE_TIME>.
-Performance
-Improve your application’s performance by enabling and optimizing your sites settings.
-Objectives
-By the end of this module, you will be able to:
-      ●   Explain how - just by using Cloudflare - you can increase application performance
-      ●   Optimize caching using various Cloudflare settings
-      ●   Improve performance using different settings within Speed settings
-      ●   Set up Cloudflare Web Analytics for free, privacy-first analytics
-      ●   Evaluate other, add-on products that can improve application performance
-Default improvements
-    1 min read
-Cloudflare provides a variety of speed improvements by default.
-DNS resolution
-When your site is using Cloudflare, your site always benefits from Cloudflare’s lightning-fast
-DNS resolution
-.
-Caching
-When your DNS records are proxied through Cloudflare, Cloudflare caches certain types of
-resources automatically (which improves application performance).
-How does caching improve performance?
-Caching is the process of storing copies of files in a cache, or temporary storage location, so
-that they can be accessed more quickly.
-When Cloudflare stores content in its cache, the request never needs to go to your
-application or origin server, which reduces the number of requests and gets content to the
-user more quickly.
-Optimize caching
- 1 min read
-Beyond default caching settings, you can further optimize your cache using different
-Cloudflare settings.
-A few ways to optimize Cloudflare caching include:
-   ●   Creating cache rules to customize the cache properties of specific HTTP requests.
-   ●   Enabling the Tiered Cache feature, which dramatically increases cache hit ratios.
-   ●   Reviewing our other various configuration options, which may vary based on your
-       plan and application setup.
-Optimize analytics
- 2 min read
-Web analytics let you measure user behavior - pageviews, sessions, and custom events - on
-your application.
-Cloudflare offers two ways to improve the privacy and performance of the way you gather
-these analytics.
-Cloudflare Web Analytics
-If you want analytics without using third-party tools, check out Cloudflare Web Analytics.
-Cloudflare Web Analytics provides free, privacy-first analytics for your website without
-changing your DNS or using Cloudflare’s proxy. Cloudflare Web Analytics helps you
-understand the performance of your web pages as experienced by your site visitors.
-All you need to enable Cloudflare Web Analytics is a Cloudflare account and a JavaScript
-snippet on your page to start getting information on page views and visitors. The JavaScript
-snippet (also known as a beacon) collects metrics using the Performance API, which is
-available in all major web browsers.
-Setup
-So long as your traffic is proxied through Cloudflare, setting up Web Analytics only involves a
-few steps:
-   1.   Log in to the Cloudflare dashboard
-   1.   , and select your account.
-   2.   Select the Analytics & Logs drop-down and choose Web Analytics.
-   3.   Under Quick Actions, select Add a site.
-   4.   Select a hostname from the drop-down menu > Done.
-Access
-Once you have enabled Web Analytics, you can review analytics at any time:
-   1.   Log in to the Cloudflare dashboard
-   1.   , and select your account.
-   2.   Select the Analytics & Logs drop-down and choose Web Analytics.
-   3.   Select your zone.
-   4.   Review the various metrics provided by Cloudflare.
-Notifications
-Web Analytics uses Cloudflare’s Notification service. When enabled, Web Analytics sends
-you a weekly report with aggregate visits, page views and median page load time for all your
-sites, so you can monitor their performance.
-To get started, add Web Analytics notification on your Cloudflare dashboard. Refer to
-Cloudflare Notifications to learn more.
-Cloudflare Zaraz
-If you already use third-party tools on your website, check out Cloudflare Zaraz.
-Cloudflare Zaraz gives you complete control over third-party tools and services for your
-website, and allows you to offload them to Cloudflare’s edge, improving the speed and
-security of your website. With Cloudflare Zaraz you can load tools such as analytics tools,
-advertising pixels and scripts, chatbots, marketing automation tools, and more, in the most
-optimized way.
-Cloudflare Zaraz is built for speed, privacy, and security, and you can use it to load as many
-tools as you need, with a near-zero performance hit.