
Cloudflare Integration with Zerops

Keywords

cloudflare, dns, ssl, tls, proxy, cname, aaaa, redirect loop, full strict, acme, wildcard domain, cloudflare ssl

TL;DR

Always use Full (strict) SSL mode in Cloudflare — "Flexible" causes redirect loops. Shared IPv4 with Cloudflare proxy is not recommended.

DNS Configuration

CNAME (non-apex or with CNAME flattening)

CNAME <domain> <project-cname-target>

With Cloudflare Proxy (orange cloud)

IP type          Record                     Proxy
IPv6 only        AAAA <domain> <ipv6>       Proxied
Dedicated IPv4   A <domain> <ipv4>          Proxied
Shared IPv4      Not recommended            Reverse AAAA lookup issues

DNS-Only (gray cloud)

IP type          Records required
Shared IPv4      A + AAAA (both required for SNI)
Dedicated IPv4   A (AAAA optional)
IPv6 only        AAAA

Wildcard Domains

Method A: A *.<domain> + AAAA *.<domain>
Method B: CNAME *.<domain> <domain>
ACME: CNAME _acme-challenge.<domain> <domain>.zerops.zone

SSL/TLS Settings (Cloudflare Dashboard)

  • Encryption mode: Full (strict) — mandatory
  • Never use "Flexible" — causes infinite redirect loops
  • Enable "Always Use HTTPS"
  • WAF exception: Skip rule for /.well-known/acme-challenge/ (ACME validation)

Preparing a Service for Cloudflare

Any runtime service (nodejs, go, python, etc.) can be put behind Cloudflare. Steps:

  1. Create the service with enableSubdomainAccess: true in the import YAML (the list item and its keys must be indented under services, otherwise the import is rejected):
     services:
       - hostname: myapp
         type: nodejs@22
         enableSubdomainAccess: true
         minContainers: 1
  2. Deploy code to the service (via zcli push or buildFromGit)
  3. Configure Cloudflare DNS to point at your Zerops project: the CNAME target, or the A/AAAA records the tables above require for your IP type
  4. Set SSL mode to "Full (strict)" in the Cloudflare dashboard
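The procedure above, together with the two DNS tables earlier in this guide, as a preflight script. This is an added example and not Zerops' or Cloudflare's own tooling: the Cloudflare IP ranges are a snapshot of https://www.cloudflare.com/ips/ that must be refreshed before use, the ip_type labels and the function names are assumptions, and the live preflight() call needs network access while the pure helpers (proxy_state, check_records, follow_redirects) run offline.

```python
"""Preflight for a domain fronted by Cloudflare in front of a Zerops project.
Added example, not Zerops' or Cloudflare's own tooling. Python stdlib only."""
import ipaddress
import socket
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Assumption: snapshot of https://www.cloudflare.com/ips/ ; refresh before relying on it.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]

def is_cloudflare_ip(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_RANGES)

def proxy_state(addresses) -> str:
    """'proxied' (orange cloud) if every address is a Cloudflare edge, 'dns-only'
    (gray cloud) if none is, 'mixed' if the orange/gray switch is half done."""
    flags = {is_cloudflare_ip(a) for a in addresses}
    if flags == {True}:
        return "proxied"
    if flags == {False}:
        return "dns-only"
    return "mixed"

def check_records(ip_type: str, proxied: bool, record_types) -> list:
    """Encode the guide's two DNS tables. ip_type (hypothetical labels) is one of
    'shared-ipv4', 'dedicated-ipv4', 'ipv6-only'; record_types is the set of
    record types present at the name. Returns a list of problems (empty = fine)."""
    rt = set(record_types)
    if "CNAME" in rt:
        # CNAME to the project target works in either mode but cannot share the name.
        return ["CNAME cannot coexist with A/AAAA at the same name"] if rt - {"CNAME"} else []
    if proxied and ip_type == "shared-ipv4":
        return ["shared IPv4 behind the proxy is not recommended (reverse AAAA lookup issues)"]
    if ip_type == "shared-ipv4" and not {"A", "AAAA"} <= rt:
        return ["shared IPv4 in DNS-only mode needs both A and AAAA (SNI routing)"]
    if ip_type == "dedicated-ipv4" and "A" not in rt:
        return ["dedicated IPv4 needs an A record"]
    if ip_type == "ipv6-only" and "AAAA" not in rt:
        return ["IPv6-only needs an AAAA record"]
    return []

def follow_redirects(fetch, url: str, max_hops: int = 5):
    """Follow redirects by hand. fetch(url) -> (status, Location or None).
    Returns (outcome, chain); outcome 'loop' means a URL repeated, which is
    exactly what Flexible SSL produces against an origin that forces HTTPS."""
    chain = []
    for _ in range(max_hops + 1):
        if url in chain:
            return "loop", chain
        chain.append(url)
        status, location = fetch(url)
        if status in (301, 302, 307, 308) and location:
            url = urljoin(url, location)
            continue
        return "ok", chain
    return "too-many-hops", chain

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as an HTTPError instead of following it

def live_fetch(url: str):
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.build_opener(_NoRedirect()).open(req, timeout=10) as resp:
            return resp.status, None
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")

def preflight(domain: str) -> dict:
    """Live check: who answers for the name, does https:// settle, and does the
    ACME path get past Cloudflare (403 here usually means the WAF skip rule is
    missing; 404 from the origin is normal when no challenge is pending)."""
    addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(domain, 443, proto=socket.IPPROTO_TCP)})
    outcome, chain = follow_redirects(live_fetch, f"https://{domain}/")
    acme_status, _ = live_fetch(f"https://{domain}/.well-known/acme-challenge/preflight-probe")
    return {"addresses": addrs, "proxy": proxy_state(addrs),
            "redirects": outcome, "chain": chain, "acme_path_status": acme_status}

if __name__ == "__main__":
    print(preflight(sys.argv[1]))
```

Run it as `python cf_preflight.py myapp.example.com` once DNS has propagated. A `redirects` value of "loop" on a proxied name is the Flexible-SSL signature from the gotchas below; `acme_path_status` of 403 on a proxied name points at a missing WAF skip rule for /.well-known/acme-challenge/. The `fetch` callable is injected so the loop detector can be exercised against a simulated Flexible-mode edge without touching the network.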

Important: The zerops_subdomain enable tool only works on deployed (ACTIVE) services. For new services, use enableSubdomainAccess: true in import YAML.

Internal service-to-service communication must always use http:// — never https://. SSL terminates at the Zerops L7 balancer.

Gotchas

  1. Flexible SSL = redirect loop: Zerops forces HTTPS, Cloudflare Flexible sends HTTP → infinite redirect
  2. Shared IPv4 + proxy is broken: Reverse AAAA lookup doesn't work with Cloudflare proxy on shared IPv4
  3. ACME challenge needs WAF exception: Without it, Cloudflare blocks Let's Encrypt validation
  4. Wildcard SSL on Cloudflare Free: Free plan doesn't proxy wildcard subdomains — use DNS-only or upgrade
  5. Subdomain on undeployed service: zerops_subdomain enable returns "Service stack is not http or https" on READY_TO_DEPLOY services — deploy code first or use enableSubdomainAccess in import YAML

See Also

  • zerops://guides/public-access
  • zerops://guides/firewall
  • zerops://guides/networking