Cloudflare Setup Guide
Configure Cloudflare as a DNS provider and CDN/proxy for the NoETL Gateway.
Overview
Cloudflare provides:
- DNS Management: Manage DNS records for your domain
- CDN/Proxy: Cache and protect your gateway
- SSL/TLS: Free SSL certificates
- DDoS Protection: Protect against attacks
- WAF: Web Application Firewall rules
Prerequisites
- Domain registered and nameservers pointed to Cloudflare
- NoETL Gateway deployed with a static IP address
- Cloudflare account (free tier is sufficient)
Current Production Configuration
| Setting | Value |
|---|---|
| Domain | mestumre.dev |
| Subdomain | gateway.mestumre.dev |
| Static IP | 34.46.180.136 |
| SSL Mode | Flexible |
DNS Configuration
Add A Record for Gateway
- Log into Cloudflare Dashboard
- Select your domain (e.g.,
mestumre.dev) - Go to DNS > Records
- Click Add record (or Edit existing)
- Configure:
| Field | Value |
|---|---|
| Type | A |
| Name | gateway |
| IPv4 address | 34.46.180.136 |
| Proxy status | Proxied (orange cloud) |
| TTL | Auto |
- Click Save
DNS Propagation
DNS changes typically propagate within minutes when using Cloudflare. Verify:
# Check DNS resolution
dig gateway.mestumre.dev
# Should return Cloudflare proxy IPs (not your static IP - that's expected when proxied)
nslookup gateway.mestumre.dev
SSL/TLS Configuration
Encryption Mode
- Go to SSL/TLS > Overview
- Select encryption mode:
| Mode | Description | When to Use |
|---|---|---|
| Off | No encryption | Never (insecure) |
| Flexible | HTTPS to Cloudflare, HTTP to origin | LoadBalancer without TLS (current setup) |
| Full | HTTPS to origin (self-signed OK) | Origin has any certificate |
| Full (strict) | HTTPS to origin (valid cert required) | Origin has valid certificate |
Recommended for NoETL Gateway: Use Flexible when using a LoadBalancer service without TLS termination (HTTP on port 80). Use Full or Full (strict) if using GKE Ingress with managed certificates.
Edge Certificates
Cloudflare automatically provisions SSL certificates for proxied domains. Verify:
- Go to SSL/TLS > Edge Certificates
- Ensure "Universal SSL" is active
- Check certificate covers
gateway.yourdomain.com
Always Use HTTPS
- Go to SSL/TLS > Edge Certificates
- Enable Always Use HTTPS
This redirects all HTTP requests to HTTPS.
Caching Configuration
API and OPTIONS Caching (Disable) - Required for CORS
API endpoints and OPTIONS preflight requests must not be cached. Create a Cache Rule:
- Go to Caching > Cache Rules
- Click Create rule
- Configure:
- Rule name:
Bypass API and OPTIONS - When incoming requests match (use "Edit expression"):
(http.request.uri.path contains "/api") or (http.request.method eq "OPTIONS") - Then: Bypass cache
- Rule name:
- Click Deploy
This rule is critical for CORS to work. Without it, Cloudflare may cache OPTIONS preflight responses without the required CORS headers, causing authentication to fail.
Static Assets (Optional)
If serving static files through gateway, enable caching:
- Create another Cache Rule
- Match: URI Path ends with
.js,.css,.html - Then: Cache with TTL
Security Configuration
Firewall Rules
Block Bad Bots
- Go to Security > WAF > Custom rules
- Create rule:
- Name: Block bad bots
- Expression:
(cf.client.bot) - Action: Block
Rate Limiting
- Go to Security > WAF > Rate limiting rules
- Create rule:
- Name: API rate limit
- Expression:
(http.request.uri.path contains "/api/") - Requests: 100 per 10 seconds
- Action: Block
DDoS Protection
DDoS protection is automatically enabled. Adjust sensitivity:
- Go to Security > DDoS
- Review L7 DDoS settings
- Adjust if needed (default usually fine)
CORS Considerations
Cloudflare and CORS
When Cloudflare proxies requests:
- CORS headers from origin are passed through
- Cloudflare doesn't add or remove CORS headers by default
Preflight Caching Issue
If CORS preflight (OPTIONS) requests fail after working initially:
Cause: Cloudflare may cache the preflight response without CORS headers
Solution: Create a Cache Rule to bypass OPTIONS requests:
- Go to Caching > Cache Rules
- Create rule:
- Name: Bypass OPTIONS cache
- Expression:
(http.request.method eq "OPTIONS") - Then: Bypass cache
- Deploy
Gateway CORS Configuration
Ensure gateway allows Cloudflare-proxied requests. Current configuration:
# automation/helm/gateway/values.yaml
env:
corsAllowedOrigins: "http://localhost:8080,http://localhost:8090,http://localhost:3000,https://gateway.mestumre.dev"
This allows:
- Local development on ports 8080, 8090, 3000
- Production requests via
https://gateway.mestumre.dev
Page Rules (Legacy)
For fine-grained control, use Page Rules:
Bypass Cache for API
- Go to Rules > Page Rules
- Create rule:
- URL:
gateway.yourdomain.com/api/* - Setting: Cache Level = Bypass
- URL:
Security Level for API
- Create rule:
- URL:
gateway.yourdomain.com/api/* - Setting: Security Level = High
- URL:
Monitoring
Analytics
- Go to Analytics > Traffic
- Monitor:
- Total requests
- Cached vs uncached
- Threats blocked
- Response codes
Logs (Enterprise)
Enterprise plans can stream logs to external services:
- Go to Analytics > Logs
- Configure log destination
Health Checks (Pro+)
- Go to Traffic > Health Checks
- Create check:
- Name: Gateway health
- Address: gateway.yourdomain.com
- Path: /health
- Interval: 60 seconds
Troubleshooting
DNS Not Resolving
# Check Cloudflare nameservers
dig NS yourdomain.com
# Should show Cloudflare nameservers
# Example: xxx.ns.cloudflare.com
SSL Certificate Errors
Error: "Invalid SSL certificate"
Solutions:
- Wait for certificate provisioning (up to 24 hours)
- Check domain is active in Cloudflare
- Verify SSL mode matches your origin setup
Gateway Unreachable
Error: "Error 521 - Web server is down"
Cause: Cloudflare can't reach your origin
Solutions:
- Verify gateway LoadBalancer has external IP
- Check gateway health:
curl http://YOUR_STATIC_IP/health - Verify firewall rules allow Cloudflare IPs
Cloudflare IP Ranges
Allow Cloudflare IPs in your firewall:
# Get current Cloudflare IP ranges
curl https://www.cloudflare.com/ips-v4
curl https://www.cloudflare.com/ips-v6
"Error 522 - Connection Timed Out"
Cause: Origin is slow to respond
Solutions:
- Check gateway pod health
- Increase gateway resources
- Check network policies in GKE
"Error 524 - A Timeout Occurred"
Cause: Request takes too long (>100s)
Solutions:
- Optimize slow API endpoints
- Consider async processing for long operations
- Enterprise: Increase timeout limits
Best Practices
Security
- Enable "Always Use HTTPS"
- Set SSL mode to "Full (strict)" when possible
- Enable bot protection
- Configure rate limiting
Performance
- Use caching rules appropriately
- Enable Brotli compression (Settings > Speed > Optimization)
- Consider Argo Smart Routing (paid feature)
Reliability
- Set up health checks (Pro+)
- Configure load balancing if multiple origins
- Enable origin error page customization
Quick Reference
DNS Record (mestumre.dev)
| Type | Name | Content | Proxy | TTL |
|---|---|---|---|---|
| A | gateway | 34.46.180.136 | Proxied | Auto |
| A | @ | 35.226.162.30 | Proxied | Auto |
Apex Conflict Note
Cloudflare cannot keep both of these at the same time for mestumre.dev:
CNAME @ -> c.storage.googleapis.comA @ -> 35.226.162.30
If you want GUI on https://mestumre.dev, remove the existing apex CNAME and use the apex A record above.
If you must keep the apex CNAME, use gui.mestumre.dev for GUI and point that subdomain to 35.226.162.30.
Required Settings
| Setting | Location | Value |
|---|---|---|
| SSL Mode | SSL/TLS > Overview | Flexible (for HTTP LoadBalancer) |
| Always HTTPS | SSL/TLS > Edge Certificates | On |
| Cache Bypass | Caching > Cache Rules | (http.request.uri.path contains "/api") or (http.request.method eq "OPTIONS") |
Verification Commands
# Test DNS
dig gateway.mestumre.dev
# Test health endpoint
curl https://gateway.mestumre.dev/health
# Test CORS preflight
curl -I -X OPTIONS https://gateway.mestumre.dev/api/auth/login \
-H "Origin: http://localhost:8090" \
-H "Access-Control-Request-Method: POST"