How to use integration with Cloudflare

Cloudflare functions

Cloudflare is a proxy service that offers a wide range of functions to make websites run faster and safer. Web traffic to the sites passes through the Cloudflare network. The integration allows ispmanager users to work with the functionality of the free version of Cloudflare.

The main functions of the free Cloudflare version:

  • increases website responsiveness;
  • checks users sending requests to the website, e.g. their IP addresses, requested resources, the frequency of requests, etc. In this way Cloudflare protects websites from different threats and reduces the usage of website resources;
  • if the server is not accessible, Cloudflare allows users to access it using a static copy from the Cloudflare cache;
  • displays statistics of Cloudflare usage for a domain.

For more information please refer to its official website.

Connecting a domain to Cloudflare

Perform the following steps to connect a domain to Cloudflare:

  1. Log in to ISPmanager as User. 
  2. Navigate to Sites→…→Cloudflare.
  3. At the first login, register a new Cloudflare account or enter the existing token.
  4. Go to Sites → …→Cloudflare → select the domain you want to connect → Add.

    Note!
    You can connect only second-level domains to Cloudflare.

  5. Select the Connection type:
    • Full connection — the domain zone is fully connected to Cloudflare;
    • Partial connection — subdomains are selectively connected to Cloudflare. Enter the CNAME record for Cloudflare. It is needed to redirect requests to one of the IP addresses of the connected domain zone. Enter all Aliases of the WWW-domain name, separated by a space. By default, it includes all the aliases created in ISPmanager. 
  6. Click Ok.
  7. The status of the connection in Sites → … → Cloudflare → the Status column will change to "Connection to Cloudflare is in progress". This process may take several minutes. Information about domain statuses is updated automatically every half hour. Click the Update button to update it manually. The status change history is saved in the Event Log. At the last stage of the connection, the entry "To complete integration with Cloudflare, change the NS records of the domain zone" will appear in the log, listing the Cloudflare NS servers. Specify them in the NS records of the domain zone at the registrar.
  8. When the registrar's information is updated, the connection status will change to "The domain is connected to Cloudflare". The Cloudflare functions will become available for the domain. The initial settings are sent to Cloudflare depending on domain and server configuration:
    • Automatic HTTPS rewrites;
    • IPv6 support;
    • HSTS;
    • SSL;
    • TLS 1.3.

Note!
Connections for the domains added through the Cloudflare client area won't be displayed in ispmanager.

Generating an API Token

To create an API Token in Cloudflare, you need a Cloudflare account. If you already have an account, log in to it.

  1. Create an account and log in to Cloudflare.
  2. Click My Profile.
  3. Select the tab API Tokens.
  4. In the form that opens, click on Create Token.
  5. At the bottom of the templates list, click Get Started opposite Create Custom Token.
  6. Set the token name in the field Token name and add the necessary permissions.
  7. After adding the necessary settings, click Continue to summary at the bottom.
  8. The form will open with a description of all the added permissions for the token.
  9. If everything is correct, click Create Token; otherwise click Edit token and adjust the permissions.
  10. After clicking on the Create Token button, a page with a ready-to-use token will open.

Permissions

For the Cloudflare plugin to work correctly, select the following permissions:

  1. Account, Account Firewall Access Rules, Read
  2. Zone, Cache Rules, Edit
  3. Zone, Zone Settings, Read, Edit
  4. Zone, Zone DNS, Read, Edit
  5. Zone, Zone, Edit
  6. Zone, Cache Purge, Purge
  7. Zone, Firewall Services, Read, Edit

Configure individual Cloudflare rules for website pages

You can set up individual Cloudflare rules for website pages. The rules will be executed even if they do not match global settings for a domain zone.

Note! The Cloudflare free license allows you to create only three sets of rules. Only one set can be created for one page.

To create a rule for the page:

  1. Log in to ISPmanager as the User.
  2. Check that the domain is connected to Cloudflare. For more information, please refer to the article Connecting a domain to Cloudflare.
  3. Go to Sites → Cloudflare → Page rules → Add.
  4. Enter the Page address that the rule will be created for.
  5. To redirect to another page:
    1. Enable the option Redirect.
    2. Enter the Destination.
    3. Enter the Return code.
  6. Enable the HTTPS option to configure redirection to a secure protocol.

    Note!
    You can provide the page settings only if the options Redirect and HTTPS are disabled.

  7. Enable the option Automatic HTTPS rewrites to rewrite links to unencrypted resources from HTTP to HTTPS.
  8. In the Browser TTL field select the time during which cached files will remain in the cache of users' browsers. The time is set in seconds.
  9. Browser integrity check — this option allows Cloudflare to detect requests with HTTP headers, which are usually used by spammers, bots and scanners, and block them. These include, for example, requests with a missing or non-standard client application (User agent).
  10. Set the page Caching level:
    • Disabled — disable caching;
    • No query string — data is cached only when the query string is missing;
    • Ignore query string — regardless of the query string, the same cached data is used;
    • With query parameters — new data is cached for each new query string;
    • Cache all — cache all data.
  11. In the Disable functions field select the functions that will be disabled for the page: 
    • Protection — disables Mailbox obfuscation (Email Obfuscation), SSE (Server Side Excludes), Web Application Firewall (WAF), Rate Limiting, protection against Web scraping attacks (Scrape Shield);
    • Performance improvement — disables Minification, Rocket Loader, Mirage, Polish;
    • Applications — disables all Cloudflare applications.
  12. Select the checkbox Email obfuscation to hide email addresses on your web page from bots. At the same time, no visible changes are made for users.
  13. Select the Security level. It determines which users are considered suspicious:
    • Off — user verification is disabled;
    • Under attack — a level of security that is worth using only if the website is under DDoS attack;
    • High — all users who have shown suspicious behavior in the last 14 days are checked;
    • Medium — only users who pose a dangerous or moderate threat are checked;
    • Low — only users who pose a very dangerous threat are checked;
    • Essentially off — only users who pose a critical threat are checked.
  14. Enable the option SSE if you want to hide certain content on your website from suspicious visitors. You will need to wrap the content with the following tags. E.g.:

    Hidden content
    <!--sse-->Hidden content<!--/sse-->


  15. To set up a secure connection for a site, select the type of SSL certificate for the domain:
    • Off — the site is not accessible via the secure HTTPS protocol. Redirection from HTTPS to HTTP is enabled;
    • Self-signed — the server with the website supports HTTPS, but the installed certificate does not match the domain or is self-signed;
    • Flexible — visitors can access the site via HTTPS, but requests to the server with the website will be sent via HTTP protocol;
    • Existing — a certificate is installed on the server with the website, valid and signed by a trusted certification authority or Cloudflare certification authority. Cloudflare will provide HTTPS access and verify the certificate with each request.
  16. Click Ok to save the changes in Cloudflare.

Configure the Cloudflare firewall

The firewall allows you to block visitors according to certain rules. Perform the following steps to create a new rule:

  1. Log in to ISPmanager as the User.
  2. Go to Sites → Cloudflare → Firewall.
  3. Select the parameter that the firewall will check in the Source type field:
    • IP or IP range — Cloudflare will check the user IP address. Enter an IP address or IP range in the format "/" in the field Source address. The supported prefixes are "/16" and "/24" for IPv4, "/64", "/48" and "/32" for IPv6;
    • Country — Cloudflare will check the user country. Enter the country code in the Source address field. You can find the list of country codes at the Cloudflare website.
  4. If the user parameter matches or is included in the range specified in the Source address field, the following Action is performed:
    • Allow — the visitor will always have access to the protected website;
    • Check — requires the user to complete CAPTCHA verification in order to visit your site;
    • JS-check — within five seconds, Cloudflare determines whether the user's browser is real. For verification, it sends a mathematical problem that takes a little time to calculate. If the response is successful, Cloudflare will remember the browser and allow access to the user;
    • Block — the visitor will never have access to the protected website;
    • Comment — optional field. Here you can add any information related to the issue.
  5. If necessary, leave a Comment on the rule. It is displayed in the Comment column of the list of rules.
  6. Click Ok to save the settings in Cloudflare.
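
A pre-flight check for the Source address values described above, as an added example that is not part of ispmanager or Cloudflare. It enforces the prefix lengths the page lists and flags rules that would challenge or block your own management address. The function names, the two-letter country-code format and the sample rules are assumptions.

```python
import ipaddress
import re

# Prefix lengths the page lists as supported for firewall ranges.
ALLOWED_PREFIXES = {4: {16, 24}, 6: {32, 48, 64}}
# Assumption: country codes are two letters (ISO 3166-1 alpha-2 style).
COUNTRY_RE = re.compile(r"[A-Za-z]{2}")


def classify_source(value):
    """Return (source_type, normalized_value); raise ValueError if unusable."""
    value = value.strip()
    if COUNTRY_RE.fullmatch(value):
        return ("country", value.upper())
    if "/" not in value:
        return ("ip", str(ipaddress.ip_address(value)))
    # strict=True rejects ranges with host bits set (e.g. 203.0.113.7/24),
    # which usually means a typo in the address or in the prefix.
    net = ipaddress.ip_network(value, strict=True)
    if net.prefixlen not in ALLOWED_PREFIXES[net.version]:
        raise ValueError(f"/{net.prefixlen} is not a supported IPv{net.version} prefix")
    return ("ip_range", str(net))


def review_rules(rules, admin_ip):
    """Check (source, action) pairs; flag bad sources and admin lockouts."""
    admin = ipaddress.ip_address(admin_ip)
    findings = []
    for source, action in rules:
        try:
            kind, norm = classify_source(source)
        except ValueError as exc:
            findings.append((source, f"invalid: {exc}"))
            continue
        if kind == "country" or action == "Allow":
            continue
        net = ipaddress.ip_network(norm)  # a single IP becomes a /32 or /128
        if admin.version == net.version and admin in net:
            findings.append((source, f"{action} rule covers admin address {admin}"))
    return findings


# Constructed sample rules using documentation address ranges.
SAMPLE_RULES = [
    ("198.51.100.0/24", "Block"),
    ("203.0.113.7/24", "Block"),   # host bits set
    ("192.0.2.0/25", "Check"),     # prefix length not in the supported list
    ("2001:db8::/32", "JS-check"),
    ("de", "Block"),
]

if __name__ == "__main__":
    for source, problem in review_rules(SAMPLE_RULES, "198.51.100.23"):
        print(source, "->", problem)
```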

Manage resource DNS-records of the domain in Cloudflare

Resource records contain information about a domain zone. Cloudflare manages A, AAAA, NS, MX, TXT, SRV, CNAME.

To create a resource record for the domain zone in Cloudflare:

  1. Go to Sites → Cloudflare → DNS-records → Add.
  2. Enter a Name of the subdomain of the domain zone for which this record will be created. 
  3. Enter TTL — the lifetime of the resource record, i.e. the time during which the data about the resource record can be stored in the cache. The value is specified in seconds.
  4. Select the Type of the resource record.
  5. Fill in the necessary data for the record of the selected type.
  6. Click Ok to save the changes in Cloudflare.

A-record

An A-record defines an IPv4 address that corresponds to a domain name. Enter the IP-address. Activate the option Enable proxy to redirect the traffic for the domain specified in the resource record through Cloudflare.

AAAA-record

An AAAA-record defines an IPv6-address that corresponds to a domain name. Enter the IP-address. Activate the option Enable proxy to redirect the traffic for the domain specified in the resource record through Cloudflare.

NS-record

An NS-record defines the domain name of the authoritative DNS server for the domain. There may be several servers, including the master one. Enter the Domain of the DNS server.

MX-record

An MX-record defines the address of the mail gateway for the domain and its priority. The MX-record is used for routing mail on the network. Enter the Domain — a subdomain of the domain zone which is a mail gateway. Set the Priority as a number. A larger value means a lower priority.

TXT-record

A TXT-record is a text string. TXT-records are used only by some protocols for which it is necessary. Enter the required information in Value.

SRV-record

An SRV-record defines the host name and port of the domain server. It allows using several servers for one domain. SRV-records are used only by some protocols, e.g. SIP and XMPP.

Enter a Domain associated with the resource record. 

Enter the Priority and Weight of the server. Priority is a number: the larger it is, the lower the priority. The client first tries to connect to the server with the highest priority. If it is not accessible, it will try to connect to the next one, etc. If servers have the same priority, the request will be sent to the server with the larger weight. If only one server has a certain priority, its weight should be set to 0.

Enter a Port of the server the request will be sent to.

CNAME-record

A CNAME-record defines the canonical name for an alias. It is used to redirect a request to a domain name alias. The domain name alias must not have other resource records.

Specify the Domain to which the request will be redirected.

Activate the Enable proxy option so that traffic for the domain specified in the resource record is routed through Cloudflare.

Configure domain optimization and protection through Cloudflare

Perform the following steps to configure a domain in Cloudflare:

  1. Log in to ISPmanager as the User.
  2. Check that the domain is connected to Cloudflare.
  3. Go to Sites → … → Cloudflare → Settings. In the form that opens the domain settings from Cloudflare are loaded.
  4. Select a Security level. It determines which users are considered suspicious:
    • Off — user verification is disabled;
    • Under attack — a security level that should be used only if the website is under DDoS attack;
    • High — all users who have shown suspicious behavior in the last 14 days are checked;
    • Medium — only users who pose a dangerous or moderate threat are checked;
    • Low — only users who pose a very dangerous threat are checked;
    • Essentially off — only users who pose a critical threat are checked.
  5. Specify the Access time (sec.) to the protected website for users with bad IP reputation who have passed verification. When that period is over, the visitor will have to pass the verification again.
  6. To reduce the size of cached site files, select the file formats in which unnecessary characters will be deleted in the Minify field.
  7. To set up a secure connection for a site, select the type of SSL certificate for the domain:
    • Off — the site is unavailable over the secure HTTPS protocol. Redirection from HTTPS to HTTP is enabled;
    • Self-signed — the server with the website supports HTTPS, but the installed certificate does not match the domain or is self-signed;
    • Flexible — visitors can access the site via HTTPS, but requests to the server with the website will be sent via HTTP protocol;
    • Existing — a certificate is installed on the server with the website, valid and signed by a trusted certification authority or Cloudflare certification authority. Cloudflare will provide HTTPS access and verify the certificate with each request.
  8. To force a secure connection when trying to open a site over an unprotected connection:
    • Select the checkbox Automatic HTTPS rewrites;
    • Enable HSTS option. This redirection is triggered only if the user's browser has already connected to the site via a secure connection and has remembered it;
    • Specify the Time (sec.) during which HSTS is cached and enforced by the web browser;
    • Enable subdomains — applies HSTS policy to subdomains;
    • No sniff — adds the "X-Content-Type-Options: nosniff" option to the header. It prevents browsers (Internet Explorer and Google Chrome) from doing MIME-type sniffing.
  9. To upload changes to the domain zone resource records made in ISPmanager to Cloudflare, enable the Upload DNS records option.
  10. Mobile redirect — this service will automatically redirect mobile device visitors to a mobile-optimized subdomain home page. Enter the Alias for redirect (a subdomain of the domain zone on which the pages of the website optimized for mobile devices are located) and enable the option Redirect to homepage.
  11. Enable the option Developer mode to temporarily disable redirecting all requests to a website to the Cloudflare network. This allows you to check all changes on the site before caching them. Developer Mode is automatically disabled 3 hours after it is turned on.
  12. Select the checkbox Email obfuscation to hide email addresses on your web page from bots. At the same time, no visible changes are made for users.
  13. Select the checkbox Hotlink protection to prohibit the use of images from your site on other sites. This allows you to prevent bandwidth reduction due to links on sites such as Google Images, Pinterest, etc. Supported image formats: gif, ico, jpg, jpeg, png.

  14. To use TLS protocol version 1.3 to access the site, enable the TLS 1.3 option. This is the most secure protocol, but it may not be supported by older versions of browsers. When enabled, the option will be used only if the client's browser supports it.
  15. Enable the SSE option if you want to hide certain content on your website from suspicious visitors. You will need to wrap the content with the tags. E.g.:

    Hidden content
    <!--sse-->hidden content<!--/sse-->

  16. If the domain uses an IPv6 address, enable the IPv6 Support option.
  17. Click Ok to save the changes in Cloudflare.
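
To confirm that the HSTS, Time (sec.), Enable subdomains and No sniff settings from step 8 actually reach visitors, the response headers can be audited. The following is an added example, not ispmanager or Cloudflare code; the function names, finding codes and sample responses are assumptions, and it expects the header block of an HTTPS response as text.

```python
# Added example; function names and finding codes are illustrative.
def parse_head(raw):
    """Map lower-cased header names to their values, in order of appearance."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def parse_hsts(value):
    """Split an HSTS value into directives; directive names are case-insensitive."""
    directives = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if name:
            # The first occurrence wins; max-age may arrive as a quoted string.
            val = val.strip().strip('"') if sep else None
            directives.setdefault(name.strip().lower(), val)
    return directives

def audit(raw, expect_age, expect_subdomains):
    """Return finding codes; an empty list means the headers match the settings."""
    findings = []
    headers = parse_head(raw)
    hsts = headers.get("strict-transport-security", [])
    if not hsts:
        findings.append("hsts-missing")
    else:
        if len(hsts) > 1:
            findings.append("hsts-duplicate")  # browsers process only the first
        directives = parse_hsts(hsts[0])
        age = directives.get("max-age")
        if age is None or not age.isdecimal():
            findings.append("hsts-max-age-invalid")
        elif int(age) == 0:
            findings.append("hsts-max-age-zero")  # tells browsers to drop the policy
        elif int(age) != expect_age:
            findings.append("hsts-max-age-mismatch")
        if expect_subdomains and "includesubdomains" not in directives:
            findings.append("hsts-no-subdomains")
    nosniff = [v.lower() for v in headers.get("x-content-type-options", [])]
    if "nosniff" not in nosniff:
        findings.append("nosniff-missing")
    return findings

# Constructed sample response heads (not captured from a real site).
GOOD = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=15552000; "
        "includeSubDomains\r\nX-Content-Type-Options: nosniff\r\n\r\n")
BAD = ('HTTP/1.1 200 OK\r\nstrict-transport-security: MAX-AGE="0"\r\n'
       "Content-Type: text/html\r\n\r\n")

if __name__ == "__main__":
    print(audit(GOOD, 15552000, True), audit(BAD, 15552000, True))
```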

Cloudflare statistics for the domain

To get statistics for the domain connected to Cloudflare:

  1. Go to Tools → Cloudflare → Statistics.
  2. Select a Period to display statistics.
  3. Click on Ok.
  4. You will see the following information:
    1. The number of Requests to the domain processed by Cloudflare.
    2. Cached traffic over the selected period.
    3. The number of blocked Threads.
