Cloudflare DNS Configuration for Zerops
This guide provides step-by-step instructions for configuring Cloudflare to work with your Zerops applications, covering DNS records, proxy settings, SSL/TLS configuration, and common troubleshooting scenarios.
Prerequisites
Before starting, ensure you have:
- A Cloudflare account
- A registered domain name
- Access to your Zerops project with domain access configured
- Your Zerops IP addresses (IPv4 and/or IPv6) from the Zerops GUI
DNS Record Configuration
Configure your DNS records in Cloudflare using one of these approaches based on your needs:
With Cloudflare Proxy
IPv6 only
Cloudflare handles IPv4 to IPv6 translation, making your service accessible to both IPv4 and IPv6 users. Uses Zerops' free dedicated IPv6 address.
Do not add a proxied A record with shared IPv4 when using this setup, as it would prevent proper IPv4 traffic routing.
Dedicated IPv4
Uses your dedicated IPv4 address with Cloudflare's proxy features.
Adding the AAAA record allows visitors with IPv6 support to connect directly via IPv6.
Shared IPv4 (not recommended)
Creates an inconsistent security posture by mixing direct and proxied connections. Consider using the IPv6-only or dedicated IPv4 configurations instead.
DNS-Only Configuration (Without Cloudflare Proxy)
If you prefer direct connections without Cloudflare's proxy features:
Shared IPv4
Uses Zerops' free shared IPv4.
Adding the AAAA record is essential for the shared IPv4 configuration, as it serves as a security measure to prevent unauthorized domain claims.
Dedicated IPv4
Uses your dedicated IPv4 address.
Adding the AAAA record allows visitors with IPv6 support to connect directly via IPv6.
IPv6 only
Uses only Zerops' free dedicated IPv6.
This configuration will only work for users with IPv6 connectivity.
Wildcard Domain Configuration
Zerops supports wildcard domains (*.<your-domain>) that allow routing all subdomains to your project.
DNS Records for Wildcards
Configure wildcard domains using either method:
Method A: Direct Wildcard Records
Method B: CNAME to Main Domain
First ensure your main domain has proper A/AAAA records, then add:
Certificate Validation for Wildcards
To enable automatic SSL certificate issuance for wildcard domains:
This CNAME record allows Zerops to handle the DNS-01 challenge required for wildcard SSL certificates.
Higher-Level Wildcard Subdomains
You can also set up higher-level wildcard subdomains like *.<subdomain>.<your-domain>:
Method A: Direct Configuration
Method B: Using a CNAME Record
or
For certificate validation with higher-level wildcards:
Combining Main Domain and Wildcard Domain
To use both <your-domain> and *.<your-domain>, specify both variants in your Zerops configuration. Zerops automatically issues a single shared certificate for both the main domain and all its subdomains.
Cloudflare SSL/TLS Configuration
Essential SSL/TLS Settings
- Set Encryption Mode
  - Navigate to SSL/TLS → Overview in your Cloudflare dashboard
  - Select Full (strict) for production or Full for testing
  - Never use Flexible mode - this will cause redirect loops
- Edge Certificates
  - Go to SSL/TLS → Edge Certificates
  - Ensure Always Use HTTPS is enabled for production
  - Keep Automatic HTTPS Rewrites enabled
Certificate Validation Configuration
For proper certificate issuance, especially with Let's Encrypt:
Option A: Simple Setup (Testing/Development)
- Temporarily disable Always Use HTTPS during initial certificate setup
- Re-enable after certificates are issued
Option B: Production Setup
Keep Always Use HTTPS enabled and create a Configuration Rule:
- Go to Rules → Configuration Rules
- Create a new rule with these settings:
  - Rule name: "Allow ACME Challenge"
  - Field: URI Path
  - Operator: starts with
  - Value: /.well-known/acme-challenge/
  - Action: Disable Automatic HTTPS Rewrites
This rule allows certificate validation to work while maintaining HTTPS enforcement for all other traffic.
Validation and Testing
DNS Resolution Testing
Connectivity Testing
Cloudflare-Specific Checks
- Verify proxy status in Cloudflare DNS dashboard (orange cloud = proxied)
- Check SSL/TLS mode in SSL/TLS → Overview
- Confirm certificate issuance in SSL/TLS → Edge Certificates
- Test redirect behavior by accessing the http:// version of your domain
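The DNS and redirect checks in this guide can be scripted. The following is an added example, not part of the original Zerops guide: it validates the _acme-challenge CNAME target and the HTTP-to-HTTPS redirect from dig and curl output, and flags the redirect loop that curl reports as exit code 47. The function names are hypothetical and example.com stands in for <your-domain>.

```bash
#!/usr/bin/env bash
# Added example (not from the Zerops guide): checks on captured dig/curl output.
# Function names are hypothetical; example.com stands in for <your-domain>.

# Lowercase a DNS name and strip its trailing dot.
normalize_name() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# $1 = domain, $2 = output of: dig +short CNAME "_acme-challenge.$1"
# Succeeds only if the CNAME target is <domain>.zerops.zone.
acme_cname_ok() {
  local want got
  want="$(normalize_name "$1").zerops.zone"
  got="$(normalize_name "$(printf '%s\n' "$2" | head -n 1)")"
  [ -n "$got" ] && [ "$got" = "$want" ]
}

# $1 = response headers from: curl -sI "http://<domain>/"
# Prints https-redirect, http-redirect or no-redirect.
redirect_kind() {
  local status location
  status="$(printf '%s\n' "$1" | tr -d '\r' | awk 'NR==1 {print $2}')"
  location="$(printf '%s\n' "$1" | tr -d '\r' |
    awk 'tolower($1)=="location:" {print $2; exit}')"
  case "$status" in
    301|302|307|308)
      case "$location" in
        https://*) echo "https-redirect" ;;
        *)         echo "http-redirect" ;;
      esac ;;
    *) echo "no-redirect" ;;
  esac
}

# Live run against real DNS/HTTP: run_checks example.com (needs dig and curl).
run_checks() {
  local domain="$1" rc=0 code=0
  acme_cname_ok "$domain" "$(dig +short CNAME "_acme-challenge.$domain")" ||
    { echo "FAIL: _acme-challenge CNAME is not $domain.zerops.zone"; rc=1; }
  [ "$(redirect_kind "$(curl -sI "http://$domain/")")" = "https-redirect" ] ||
    { echo "FAIL: http:// is not redirected to https://"; rc=1; }
  # curl exits 47 when --max-redirs is exceeded: the "Too many redirects" symptom.
  curl -sL --max-redirs 10 -o /dev/null "https://$domain/" || code=$?
  if [ "$code" -eq 47 ]; then echo "FAIL: redirect loop, SSL/TLS mode may be Flexible"; fi
  if [ "$code" -ne 0 ]; then rc=1; fi
  return "$rc"
}
```

Source the file and call run_checks with your domain; a non-zero return means at least one check failed.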
Troubleshooting Common Issues
SSL Certificate Problems
Symptom: "Too many redirects" or SSL errors
Solutions:
- Verify SSL/TLS mode is set to Full or Full (strict), not Flexible
- Check that both Zerops and Cloudflare have valid certificates
- Ensure Always Use HTTPS is properly configured
- For new domains, refresh the Cloudflare SSL/TLS page as settings may display incorrectly initially
Symptom: Certificate validation fails for wildcard domains
Solutions:
- Verify the _acme-challenge CNAME record is correctly configured
- Ensure DNS propagation is complete (check with the dig command)
- Check that the CNAME points to <your-domain>.zerops.zone
DNS Resolution Issues
Symptom: Domain not resolving
Solutions:
- Confirm DNS records are correctly configured in Cloudflare
- Verify proxy status matches your intended setup
- Check for typos in IP addresses
- Wait for DNS propagation (typically 5-10 minutes)
Symptom: IPv4 traffic not working with IPv6-only setup
Solutions:
- Ensure Cloudflare proxy is enabled (orange cloud)
- Verify IPv6 address is correct in AAAA record
- Confirm no conflicting A record with shared IPv4 exists
Security Considerations
- Always use Full (strict) SSL mode for production
- Enable HSTS (HTTP Strict Transport Security) in Cloudflare
- Consider enabling Bot Fight Mode for additional protection
- Use Cloudflare's Firewall Rules to block malicious traffic
- Regularly monitor SSL certificate expiration dates
Getting Help
If you encounter issues not covered in this guide:
- Check the general DNS configuration guide for additional context
- Review your Zerops service logs for error messages
- Verify your configuration against Cloudflare's documentation
- Test with simple curl commands to isolate the problem
- Contact Zerops support via email or reach out on Discord