Cloudflare Configuration for Zerops
This guide provides step-by-step instructions for configuring Cloudflare to work with your Zerops applications, covering DNS records, proxy settings, SSL/TLS configuration, and common troubleshooting scenarios.
Prerequisites
Before starting, ensure you have:
- A Cloudflare account
- A registered domain name
- Access to your Zerops project with domain access configured
- Your Zerops IP addresses (IPv4 and/or IPv6) from the Zerops GUI
DNS Record Configuration
Configure your DNS records in Cloudflare using one of these approaches based on your needs:
With Cloudflare Proxy
IPv6 only
Cloudflare handles IPv4 to IPv6 translation, making your service accessible to both IPv4 and IPv6 users. Uses Zerops' free dedicated IPv6 address.
Do not add a proxied A record with shared IPv4 when using this setup, as it would prevent proper IPv4 traffic routing.
Dedicated IPv4
Uses your dedicated IPv4 address with Cloudflare's proxy features.
Adding the AAAA record allows visitors with IPv6 support to connect directly via IPv6.
Shared IPv4 (not recommended)
Creates an inconsistent security posture by mixing direct and proxied connections. Consider using the IPv6 only or dedicated IPv4 configurations instead.
DNS-Only Configuration (Without Cloudflare Proxy)
If you prefer direct connections without Cloudflare's proxy features:
Shared IPv4
Uses Zerops' free shared IPv4.
Adding the AAAA record is essential for the shared IPv4 configuration, as it serves as a security measure to prevent unauthorized domain claims.
Dedicated IPv4
Uses your dedicated IPv4 address.
Adding the AAAA record allows visitors with IPv6 support to connect directly via IPv6.
IPv6 only
Uses only Zerops' free dedicated IPv6.
This configuration will only work for users with IPv6 connectivity.
Wildcard Domain Configuration
Zerops supports wildcard domains (*.<your-domain>) that allow routing all subdomains to your project.
DNS Records for Wildcards
Configure wildcard domains using either method:
Method A: Direct Wildcard Records
Method B: CNAME to Main Domain
First ensure your main domain has proper A/AAAA records, then add:
Certificate Validation for Wildcards
To enable automatic SSL certificate issuance for wildcard domains:
This CNAME record allows Zerops to handle the DNS-01 challenge required for wildcard SSL certificates.
Higher-Level Wildcard Subdomains
You can also set up higher-level wildcard subdomains like *.<subdomain>.<your-domain>:
Method A: Direct Configuration
Method B: Using a CNAME Record
or
For certificate validation with higher-level wildcards:
Combining Main Domain and Wildcard Domain
To use both <your-domain> and *.<your-domain>, specify both variants in your Zerops configuration. Zerops automatically issues a single shared certificate for both the main domain and all its subdomains.
Cloudflare SSL/TLS Configuration
Essential SSL/TLS Settings
- Set Encryption Mode
  - Navigate to SSL/TLS → Overview in your Cloudflare dashboard
  - Select Full (strict) for production or Full for testing
  - Never use Flexible mode - this will cause redirect loops
- Edge Certificates
  - Go to SSL/TLS → Edge Certificates
  - Ensure Always Use HTTPS is enabled for production
  - Keep Automatic HTTPS Rewrites enabled
Certificate Validation Configuration
For proper certificate issuance, especially with Let's Encrypt:
Option A: Simple Setup (Testing/Development)
- Temporarily disable Always Use HTTPS during initial certificate setup
- Re-enable after certificates are issued
Option B: Production Setup
Keep Always Use HTTPS enabled and create a Configuration Rule:
- Go to Rules → Configuration Rules
- Create a new rule with these settings:
  - Rule name: "Allow ACME Challenge"
  - Field: URI Path
  - Operator: starts with
  - Value: /.well-known/acme-challenge/
  - Action: Disable Automatic HTTPS Rewrites
This rule allows certificate validation to work while maintaining HTTPS enforcement for all other traffic.
Validation and Testing
DNS Resolution Testing
Connectivity Testing
Cloudflare-Specific Checks
- Verify proxy status in Cloudflare DNS dashboard (orange cloud = proxied)
- Check SSL/TLS mode in SSL/TLS → Overview
- Confirm certificate issuance in SSL/TLS → Edge Certificates
- Test redirect behavior by accessing the http:// version of your domain
Troubleshooting Common Issues
SSL Certificate Problems
Symptom: "Too many redirects" or SSL errors
Solutions:
- Verify SSL/TLS mode is set to Full or Full (strict), not Flexible
- Check that both Zerops and Cloudflare have valid certificates
- Ensure Always Use HTTPS is properly configured
- For new domains, refresh the Cloudflare SSL/TLS page as settings may display incorrectly initially
Symptom: Certificate validation fails for wildcard domains
Solutions:
- Verify the _acme-challenge CNAME record is correctly configured
- Ensure DNS propagation is complete (check with dig command)
- Check that the CNAME points to <your-domain>.zerops.zone
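The checks above can be scripted. The following is an added example, not part of the Zerops documentation: the function names are hypothetical, and the helpers take captured dig and curl output as arguments so they can be tried offline before running the live check against your own domain.

```shell
#!/usr/bin/env bash
# Added example, not from the Zerops docs. Function names are hypothetical.
# Pure helpers take captured tool output; check_domain runs the live probes.

# Lowercase a DNS name and drop the trailing root dot that dig prints.
norm_name() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'; }

# $1 = domain, $2 = output of: dig +short CNAME _acme-challenge.<domain>
# Succeeds only if the CNAME targets <domain>.zerops.zone, as the guide requires.
acme_cname_ok() {
  [ -n "$2" ] && [ "$(norm_name "$2")" = "$(norm_name "$1").zerops.zone" ]
}

# $1 = raw response headers from: curl -sI http://<domain>/
# Prints one of: https-redirect | http-redirect | served:<code> | unparsed
classify_http_head() {
  local hdr code loc
  hdr=$(printf '%s\n' "$1" | tr -d '\r')
  code=$(printf '%s\n' "$hdr" | awk 'NR==1 && $1 ~ /^HTTP/ {print $2}')
  loc=$(printf '%s\n' "$hdr" | awk 'tolower($1)=="location:" {print $2; exit}')
  case "$code" in
    301|302|307|308)
      case "$loc" in
        https://*) echo https-redirect ;;
        *)         echo http-redirect ;;
      esac ;;
    '') echo unparsed ;;
    *)  echo "served:$code" ;;
  esac
}

# Live check (needs dig, curl and network access). curl exits with code 47
# when --max-redirs is exceeded, which is how a redirect loop shows up.
check_domain() {
  local d="$1" rc=0 crc=0
  # Only relevant when a wildcard domain is configured.
  acme_cname_ok "$d" "$(dig +short CNAME "_acme-challenge.$d")" \
    || { echo "FAIL: _acme-challenge CNAME is not $d.zerops.zone"; rc=1; }
  # Matters most for the DNS-only shared IPv4 setup.
  [ -n "$(dig +short AAAA "$d")" ] || { echo "WARN: no AAAA record"; rc=1; }
  echo "http:// probe: $(classify_http_head "$(curl -sI "http://$d/")")"
  curl -sIL --max-redirs 10 -o /dev/null "https://$d/" || crc=$?
  [ "$crc" -ne 47 ] || { echo "FAIL: redirect loop, check SSL/TLS mode"; rc=1; }
  return $rc
}
```

Source the file and run `check_domain <your-domain>`; with Always Use HTTPS enabled, the http:// probe should report https-redirect.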
DNS Resolution Issues
Symptom: Domain not resolving
Solutions:
- Confirm DNS records are correctly configured in Cloudflare
- Verify proxy status matches your intended setup
- Check for typos in IP addresses
- Wait for DNS propagation (typically 5-10 minutes)
Symptom: IPv4 traffic not working with IPv6-only setup
Solutions:
- Ensure Cloudflare proxy is enabled (orange cloud)
- Verify IPv6 address is correct in AAAA record
- Confirm no conflicting A record with shared IPv4 exists
Security Considerations
- Always use Full (strict) SSL mode for production
- Enable HSTS (HTTP Strict Transport Security) in Cloudflare
- Consider enabling Bot Fight Mode for additional protection
- Use Cloudflare's Firewall Rules to block malicious traffic
- Regularly monitor SSL certificate expiration dates
Getting Help
If you encounter issues not covered in this guide:
- Check the general DNS configuration guide for additional context
- Review your Zerops service logs for error messages
- Verify your configuration against Cloudflare's documentation
- Test with simple curl commands to isolate the problem
- Contact Zerops support via email or reach out on Discord