Integration with Cloudflare

From ISPWiki

Introduction

The Cloudflare module in ISPmanager integrates the Cloudflare CDN/proxy service, which offers a wide range of functions that make websites faster and safer. Currently only the functions available in the free Cloudflare plan can be used. For more information about the service, refer to its official documentation.

This article contains the user guide and the setup instructions for administrators.

Plug-in setup and configuration

Log in as Administrator to install and configure the plug-in.

Navigate to Modules, select Cloudflare and click Install. The control panel will restart, and the plug-in will be ready for setup.

You must have a Host API Key in order to allow your clients to use Cloudflare. To obtain the key, register with the Cloudflare Partner program. With the Host API Key you can send requests to Cloudflare.

Navigate to "Integration" -> "Modules" and click "Settings".

In the form that opens, enter the name of the partner organization (case-sensitive) and the Host API Key you received from Cloudflare.


Once this is done, Cloudflare becomes available to your users.

The administrator can only view the domains that users have connected to Cloudflare; only users can manage domain names.

Plug-in management

Log in as a User to use the plug-in's functions.

Registration

To register a new user in Cloudflare, navigate to "Tools" -> "Cloudflare". You can either create a new user or add an existing one. Enter the user's "Mailbox" (email address) and "Password".


Cloudflare features

Once a user has been registered, they can add their web domains to Cloudflare. Navigate to "Tools" -> "Cloudflare" to see the list of web domains that can be added to Cloudflare.


The list includes only second-level domain names. Domain names of the third level and below are not supported in Cloudflare.

ISPmanager supports the following operations on domain names:

  • Add - connect the domain to Cloudflare (Cf);
  • Delete - remove the domain from Cf;
  • User - information about the Cf user;
  • Page rules - add rules for pages;
  • Records - manage the DNS records of the domain;
  • Firewall - add access rules;
  • Settings - change settings;
  • Logs - list of errors for the domain zone;
  • Clear cache - delete cached data;
  • Statistics - statistical information;
  • Update - update information about the user's domain zones.

Add

All domains should be added via the control panel: domains created via the Cloudflare client area will not be activated in the Cloudflare module in ISPmanager. To connect a domain zone to Cf, select a "Connection type".


When connected successfully, the status changes from "Domain is not connected to Cloudflare" to "Connection to Cloudflare in progress". Information about domain statuses is updated automatically every 30 minutes, or you can update it by clicking the "Update" button.

There are two connection types:

  • Full connection - the domain zone is connected to Cf in full;
  • Partial connection - only some pages of the domain zone are connected to Cf. If you select this type, you also need to provide the following information:
    • CNAME - a record for Cf that will point to one of the IP addresses of the domain zone you want to connect;
    • Aliases - this field contains all aliases of the domain name in the control panel. You can add more names, space-separated.

Once completed:

  1. The log will display the new name server names. On the name server that hosts the domain zone you want to connect, change the values of its NS records to these names;
  2. The domain status will change from "Domain is not connected to Cloudflare" to "Connection to Cloudflare in progress". Information about domain statuses is updated automatically every 30 minutes. Alternatively, you can update it by clicking the "Update" button.

In the case of a partial connection, for Cf to process the aliases specified during connection, their A records in the domain zone must be changed to CNAME records pointing to the names from the Cf response, for example "www.domain1.ru" -> "www.domain1.ru.cdn.cloudflare.net". When you activate the module, it will try to do this automatically and will display an error notification if it fails.

Example of the resulting records in ISPmanager:

  cloudflare-resolve-a.domain1.ru.    3600     A (Internet v4 address)         172.168.1.1 
  cloudflare-resolve-to.domain1.ru    3600     CNAME (canonical name)      cloudflare-resolve-a.domain1.ru.
  www.domain1.ru.                     3600     CNAME (canonical name)      www.domain1.ru.cdn.cloudflare.net.

You can use the dig utility to check whether Cloudflare is active for the domain:

  dig www.domain1.ru

If Cf is not active, the result will be as follows:

www.domain1.ru.  10782  IN   CNAME    www.domain1.ru.     

If Cf is active, the result will be as follows:

www.domain1.ru.  10782  IN   CNAME    www.domain1.ru.cdn.cloudflare.net

If '.cdn.cloudflare.net' is present, Cf is active. Once the record has propagated worldwide, the zone status in the control panel will change to "Enabled".
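As an added example (not part of the original article), the following Python script builds the record set shown above for a partial connection and parses dig output to apply the ".cdn.cloudflare.net" check described here. The domain, IP address and dig lines are the ones from the example above; the function names and the record layout are this example's own.

```python
import re

CF_CDN_SUFFIX = ".cdn.cloudflare.net"

def partial_connection_records(domain, origin_ip, aliases, ttl=3600):
    """Records for a partial connection, in the layout used above:
    resolve-a (A), resolve-to (CNAME to resolve-a) and one CNAME per
    alias pointing at the name returned by Cf. Returns (name, ttl, type, value)."""
    records = [
        (f"cloudflare-resolve-a.{domain}.", ttl, "A", origin_ip),
        (f"cloudflare-resolve-to.{domain}.", ttl, "CNAME",
         f"cloudflare-resolve-a.{domain}."),
    ]
    for alias in aliases:
        records.append((f"{alias}.", ttl, "CNAME", f"{alias}{CF_CDN_SUFFIX}."))
    return records

# One dig answer line: owner, TTL, class IN, type CNAME, target.
_CNAME_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+CNAME\s+(\S+)$")

def cloudflare_active(dig_output, hostname):
    """True when dig shows hostname as a CNAME to a .cdn.cloudflare.net name,
    which is the check described above. Comment lines and other record types
    are ignored; an absent or self-pointing CNAME means Cf is not active."""
    want = hostname.lower().rstrip(".")
    for line in dig_output.splitlines():
        m = _CNAME_LINE.match(line.strip())
        if not m or m.group(1).lower().rstrip(".") != want:
            continue
        target = m.group(3).lower().rstrip(".")
        return target.endswith(CF_CDN_SUFFIX)
    return False

# Constructed samples, copied from the two dig results shown above.
DIG_INACTIVE = "www.domain1.ru.  10782  IN   CNAME    www.domain1.ru.     "
DIG_ACTIVE = "www.domain1.ru.  10782  IN   CNAME    www.domain1.ru.cdn.cloudflare.net"

if __name__ == "__main__":
    for rec in partial_connection_records("domain1.ru", "172.168.1.1", ["www.domain1.ru"]):
        print("%-36s %5d  %-6s %s" % rec)
    print("inactive sample:", cloudflare_active(DIG_INACTIVE, "www.domain1.ru"))
    print("active sample:  ", cloudflare_active(DIG_ACTIVE, "www.domain1.ru"))
```

Feed the full output of `dig www.domain1.ru` to cloudflare_active(); the header and other sections are skipped because only CNAME answer lines match.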

Settings

Initial settings are sent to Cf automatically, depending on the domain and server configuration:

  • Automatic HTTPS rewrites;
  • IPv6 support;
  • HSTS;
  • SSL;
  • TLS 1.3.

When the form opens, the current settings are loaded from Cf. Modified settings are saved to Cf.

You can specify the following parameters in the control panel:

  • Security level - filters visitors by the threat they pose:
    • Off;
    • Under attack - use this level when your website is under a DDoS attack;
    • High - challenge all users detected as offending in the past 14 days;
    • Medium - challenge users who pose some threat;
    • Low - challenge users who pose the greatest threat;
    • Essentially off - challenge only the most abusive users.
  • Access time (sec.) - how long a visitor whose IP address previously showed negative behavior may access the website after passing a challenge. When that period is over, the visitor has to pass the challenge again;
  • Minify - reduce file size by removing unnecessary characters from HTML, JavaScript and CSS files;
  • SSL - establish an encrypted link between the web server and the browser:
    • Not installed;
    • Off - no secure connection between the visitor and Cf, and none between Cf and your web server either. Visitors can only view your website over HTTP;
    • Self-signed - secure connection between visitors and Cf, and a secure (but not authenticated) connection between Cf and your web server;
    • Flexible - choose this option if your origin web server cannot accept secure (HTTPS) connections. Visitors can use HTTPS, but requests to the web server are sent over HTTP;
    • Existing - secure connection between visitors and Cf, and a secure and authenticated connection between Cf and your web server.
  • Upload DNS records - all changes made to DNS records are uploaded to Cf;
  • Always online - when your server goes down, Cloudflare serves pages from its cache, so visitors still see some of the pages they are trying to visit;
  • Mobile redirect - automatically redirect visitors on mobile devices to the home page of a mobile-optimized subdomain:
    • Alias for redirect - the mobile-optimized subdomain with the website pages;
    • Redirect to homepage - enable redirects to the home page;
  • Developer mode - send requests directly to the server hosting the website. This temporarily suspends Cloudflare's edge caching and minification features. Development mode expires after 3 hours;
  • Email obfuscation - email addresses on your web pages are hidden from bots while remaining visible to humans;
  • Hotlink protection - select this check box so that other sites cannot consume your bandwidth by building pages that use images hosted on your site. Supported image types: gif, ico, jpg, jpeg, png;
  • Automatic HTTPS rewrites - rewrite links to unencrypted resources from HTTP to HTTPS;
  • HSTS - a security policy mechanism whose primary job is to protect the website from protocol downgrade attacks and cookie hijacking. Please note: to enable HSTS you need to configure HTTPS so that it satisfies the HSTS policy. Disabling SSL later by other means (switching the website to Flexible SSL or removing it from Cf) can make the site inaccessible to users until the HSTS header lifetime cached by their browsers expires, or until HTTPS is enabled again with the HSTS header lifetime set to "0".
    • Time (sec.) - period in seconds. Web browsers cache and enforce the HSTS policy for this duration;
    • Enable subdomains - apply the HSTS policy to every host in the domain;
    • No sniff - add the "X-Content-Type-Options: nosniff" header. It prevents browsers (Internet Explorer and Google Chrome) from MIME-type sniffing;
  • TLS 1.3 - use TLS 1.3, which improves performance and hardens the security of encrypted connections. However, this protocol is not supported by old browser versions;
  • SSE - hide sensitive content on your website from suspicious visitors. You will need to wrap the content with the following SSE tags:
  • IPv6 support - activate IPv6 and the corresponding gateway.

Statistics

In this section you can view statistics for the domain zone over a selected period of time: number of requests, amount of cached traffic, and number of threats.

Page rules

You can set up rules for individual pages. The rules are applied even where they differ from the global settings of the domain zone.

The control panel does not set up the following rules: Cache Level, WebSockets, Opportunistic Encryption, Rocket Loader, IP Geolocation.

Please note:

  • If a redirect is enabled, you cannot edit the other settings;
  • You cannot edit the priority of an already created rule;
  • A free user can create only 3 page rules.

Page rule creation form:

  • Page:
    • URL - the rule is created for this page;
    • Priority - the priority in which page rules are processed;
  • Redirect:
    • HTTPS - resolves mixed-content issues by changing "HTTP" to "HTTPS" for all resources and website links that are accessible via "HTTPS";
    • Redirect:
      • Destination - URL of the page that visitors are redirected to;
      • Return code - the status code ("301 - Permanent Redirect", "302 - Temporary Redirect");
  • Settings:
    • Always online - when your server goes down, Cloudflare serves pages from its cache, so visitors still see some of the pages they are trying to visit;
    • Automatic HTTPS rewrites - rewrite links to unencrypted resources from HTTP to HTTPS;
    • Browser TTL - how long resources cached by client browsers remain valid;
    • Browser integrity check - Cloudflare looks for HTTP headers commonly abused by spammers and denies access to your page. It also challenges visitors that have no user agent or a non-standard user agent. Access is blocked if a threat is detected;
    • Caching level:
      • Off;
      • Disabled - disable caching;
      • No query string - deliver resources from cache only when there is no query string;
      • Ignore query string - deliver the same resource to everyone regardless of the query string;
      • With query parameters - deliver a different resource each time the query string changes;
      • Cache all - cache all data;
    • Disable functions - disable any of the following groups of functions:
      • Protection - "Email Obfuscation", "SSE (Server Side Excludes)", "WAF", "Rate Limiting" and "Web scraping" ("Scrape Shield");
      • Performance improvement - "Minification", "Rocket Loader", "Mirage", "Polish";
      • Applications - all Cf applications;
    • Email obfuscation - when this check box is selected, email addresses on your web pages are hidden from bots while remaining visible to humans;
    • Security level - filters visitors by the threat they pose:
      • Off;
      • Under attack - use this level when your website is under a DDoS attack;
      • High - challenge all users detected as offending in the past 14 days;
      • Medium - challenge users who pose some threat;
      • Low - challenge users who pose the greatest threat;
      • Essentially off - challenge only the most abusive users.
    • SSE - hide sensitive content on your website from suspicious visitors. You will need to wrap the content with the following SSE tags:
    • SSL - establish an encrypted link between the web server and the browser:
      • Not installed;
      • Off - no secure connection between the visitor and Cf, and none between Cf and your web server either. Visitors can only view your website over HTTP;
      • Self-signed - secure connection between visitors and Cf, and a secure (but not authenticated) connection between Cf and your web server;
      • Flexible - choose this option if your origin web server cannot accept secure (HTTPS) connections. Visitors can use HTTPS, but requests to the web server are sent over HTTP;
      • Existing - secure connection between visitors and Cf, and a secure and authenticated connection between Cf and your web server.

DNS-records

Here you can add, edit and delete domain records. Cf does not support PTR and DNAME records; CAA records are currently in closed beta. Please note: when automatic redirect is activated while adding or editing domain records, SRV record names must have the form _%service%._%protocol%.domain.

Supported protocols:

  • TCP;
  • UDP;
  • TLS.

When creating a new record you need to provide the following parameters:

  • Type - supported record types: A, AAAA, NS, MX, TXT, SRV, CNAME;
  • Name - the record name (a domain name or subdomain);
  • TTL - how frequently your DNS records are refreshed;
  • IP address - the IP address that will be associated with the name in the "Name" field;
  • Enable proxy - enable proxying (CDN) for the record.

Firewall

The firewall allows you to block visitors by IP address, by two-letter country code, or with access rules.

Clicking "Update" will synchronize the rules with Cf.

  • Type:
    • IP or IP range - masks /16 and /24 are supported for IPv4, and /64, /48 and /32 for IPv6;
    • Country;
  • Source address - possible values: a single IP address, an IP range, or a country code;
  • Action - there are four possible actions:
    • Allow - the visitor always has access to the protected website;
    • Check - the visitor must complete a CAPTCHA in order to visit your site;
    • JS-check - during a JavaScript challenge the visitor is shown an interstitial page for about five seconds while Cf performs a series of mathematical challenges to make sure it is a legitimate human visitor;
    • Block - the visitor has no access to the protected website.
  • Comment - optional field for any information related to the rule.

Troubleshooting

  1. Domain zone data modified via the Cf client area is displayed in the plug-in only after the domain zone statuses are updated (the process runs automatically every 30 minutes). Alternatively, you can update the information manually by clicking the "Update" button;
  2. After deleting a domain in the Cf client area, you will no longer be able to manage it in the plug-in (any operation fails with the error "Invalid zone identifier"). Once the system updates the domain status information, the deleted domain will be disabled;
  3. When user scripts read the $_SERVER['REMOTE_ADDR'] variable, they get the IP address of the Cloudflare proxy server rather than the visitor's. Use $_SERVER["HTTP_CF_CONNECTING_IP"] instead.
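An added example, not from the original article: the lookup from item 3 written as a Python function over a WSGI-style environ (where PHP's $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTP_CF_CONNECTING_IP'] appear under the same keys), with the check a practitioner wants alongside it: the CF-Connecting-IP header is trusted only when the connecting peer is a Cloudflare edge address, since a client that reaches the origin directly can set the header to anything. The edge ranges below are constructed placeholders; load the real list from Cloudflare's published IP ranges.

```python
import ipaddress

# Constructed placeholder edge ranges (documentation prefixes); in production
# load Cloudflare's published IPv4/IPv6 list from https://www.cloudflare.com/ips/
CLOUDFLARE_EDGE_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:cf::/48"),
]

def is_cloudflare_peer(addr, edge_ranges=CLOUDFLARE_EDGE_RANGES):
    """True when the TCP peer address belongs to one of the Cloudflare edge ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in edge_ranges)  # version mismatch is simply False

def client_ip(environ, edge_ranges=CLOUDFLARE_EDGE_RANGES):
    """Visitor address for a WSGI-style environ (same keys as PHP's $_SERVER).
    REMOTE_ADDR is the TCP peer; behind Cloudflare that is the proxy, and the
    visitor is carried in CF-Connecting-IP (HTTP_CF_CONNECTING_IP). The header
    is honoured only when the peer really is a Cloudflare edge; otherwise the
    peer address itself is returned and the header is ignored."""
    peer = environ["REMOTE_ADDR"]
    header = environ.get("HTTP_CF_CONNECTING_IP", "").strip()
    if header and is_cloudflare_peer(peer, edge_ranges):
        try:
            return str(ipaddress.ip_address(header))  # rejects malformed values
        except ValueError:
            pass  # malformed header: fall back to the peer address below
    return str(ipaddress.ip_address(peer))

if __name__ == "__main__":
    # Constructed requests: one that came through Cloudflare, one that reached the origin directly.
    via_cf = {"REMOTE_ADDR": "198.51.100.7", "HTTP_CF_CONNECTING_IP": "203.0.113.9"}
    direct = {"REMOTE_ADDR": "192.0.2.5", "HTTP_CF_CONNECTING_IP": "203.0.113.9"}
    print(client_ip(via_cf))  # 203.0.113.9
    print(client_ip(direct))  # 192.0.2.5; the header from a non-Cloudflare peer is ignored
```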