
Cloudflare Configuration for Zerops

This guide provides step-by-step instructions for configuring Cloudflare to work with your Zerops applications, covering DNS records, proxy settings, SSL/TLS configuration, and common troubleshooting scenarios.

Prerequisites

Before starting, ensure you have:

  • A Cloudflare account
  • A registered domain name
  • Access to your Zerops project with domain access configured
  • Your Zerops IP addresses (IPv4 and/or IPv6) from the Zerops GUI

DNS Record Configuration

Configure your DNS records in Cloudflare using one of these approaches based on your needs:

Using CNAME Records

CNAME can be used for non-apex domains (subdomains) or with DNS providers that support CNAME flattening at the apex (like Cloudflare). When you set up a CNAME in Zerops, it internally creates A and AAAA records pointing to your project.

To find your CNAME target value, go to your service in the Zerops GUI, navigate to Public access & internal ports, and select the CNAME option when adding a domain.

Type    Name           Content                      Proxy status       TTL
CNAME   <your-domain>  <your-project-cname-target>  Proxied/DNS Only   Auto

Cloudflare Proxy with Shared IPv4

When using Cloudflare's proxy with CNAME records, you must exclude the shared IPv4. Toggle off "Shared IPv4 included in the CNAME" in the Zerops GUI.

Zerops does a reverse lookup of the AAAA record of the domain for requests to our shared IPv4 address. If you use a shared IPv4 and also enable a proxy for the AAAA record, Zerops will not be able to correctly route the request.

This setting affects all domains in your project.

With Cloudflare Proxy

IPv6 only

Type    Name           Content              Proxy status   TTL
AAAA    <your-domain>  <your-project-ipv6>  Proxied        Auto

Cloudflare handles IPv4 to IPv6 translation, making your service accessible to both IPv4 and IPv6 users. Uses Zerops' free dedicated IPv6 address.

Note

Do not add a proxied A record with shared IPv4 when using this setup, as it would prevent proper IPv4 traffic routing.

Dedicated IPv4

Type    Name           Content                Proxy status   TTL
A       <your-domain>  <your-dedicated-ipv4>  Proxied        Auto
# Optional
AAAA    <your-domain>  <your-project-ipv6>    Proxied        Auto

Uses your dedicated IPv4 address with Cloudflare's proxy features.

Tip

Adding the AAAA record allows visitors with IPv6 support to connect directly via IPv6.

Shared IPv4 (not recommended)

Type    Name           Content               Proxy status   TTL
AAAA    <your-domain>  <your-project-ipv6>   DNS only       Auto
A       <your-domain>  <zerops-shared-ipv4>  Proxied        Auto

Why Not?

Zerops does a reverse lookup of the AAAA record of the domain for requests to our shared IPv4 address. If you use a shared IPv4 and also enable a proxy for the AAAA record, Zerops will not be able to correctly route the request.

Consider using IPv6 only or dedicated IPv4 configurations instead.

DNS-Only Configuration (Without Cloudflare Proxy)

If you prefer direct connections without Cloudflare's proxy features:

Shared IPv4

Type    Name           Content               Proxy status   TTL
A       <your-domain>  <zerops-shared-ipv4>  DNS only       Auto
AAAA    <your-domain>  <your-project-ipv6>   DNS only       Auto

Uses Zerops' free shared IPv4.

Both A + AAAA Required

Adding an AAAA record is essential for the shared IPv4 configuration, as it serves as a security measure to prevent unauthorized domain claims.

Dedicated IPv4

Type    Name           Content                Proxy status   TTL
A       <your-domain>  <your-dedicated-ipv4>  DNS only       Auto
# Optional
AAAA    <your-domain>  <your-project-ipv6>    DNS only       Auto

Uses your dedicated IPv4 address.

Tip

Adding the AAAA record allows visitors with IPv6 support to connect directly via IPv6.

IPv6 only

Type    Name           Content              Proxy status   TTL
AAAA    <your-domain>  <your-project-ipv6>  DNS only       Auto

Uses only Zerops' free dedicated IPv6.

Note

This configuration will only work for users with IPv6 connectivity.

Wildcard Domain Configuration

Zerops supports wildcard domains (*.<your-domain>) that allow routing all subdomains to your project.

DNS Records for Wildcards

Configure wildcard domains using either method:

Method A: Direct Wildcard Records

Type    Name             Content              Proxy status       TTL
A       *.<your-domain>  <your-ipv4-address>  DNS only/Proxied   Auto
AAAA    *.<your-domain>  <your-ipv6-address>  DNS only/Proxied   Auto

Method B: CNAME to Main Domain

First ensure your main domain has proper A/AAAA records, then add:

Type    Name             Content        Proxy status       TTL
CNAME   *.<your-domain>  <your-domain>  DNS only/Proxied   Auto

Certificate Validation for Wildcards

To enable automatic SSL certificate issuance for wildcard domains:

Type    Name                           Content                    Proxy status   TTL
CNAME   _acme-challenge.<your-domain>  <your-domain>.zerops.zone  DNS only       Auto

This CNAME record allows Zerops to handle the DNS-01 challenge required for wildcard SSL certificates.

Higher-Level Wildcard Subdomains

You can also set up higher-level wildcard subdomains like *.<subdomain>.<your-domain>:

Method A: Direct Configuration

Type    Name                         Content              Proxy status       TTL
A       *.<subdomain>.<your-domain>  <your-ipv4-address>  DNS only/Proxied   Auto
AAAA    *.<subdomain>.<your-domain>  <your-ipv6-address>  DNS only/Proxied   Auto

Method B: Using a CNAME Record

Type    Name                         Content                    Proxy status       TTL
CNAME   *.<subdomain>.<your-domain>  <subdomain>.<your-domain>  DNS only/Proxied   Auto

or

Type    Name                         Content        Proxy status       TTL
CNAME   *.<subdomain>.<your-domain>  <your-domain>  DNS only/Proxied   Auto

For certificate validation with higher-level wildcards:

Type    Name                                       Content                                Proxy status   TTL
CNAME   _acme-challenge.<subdomain>.<your-domain>  <subdomain>.<your-domain>.zerops.zone  DNS only       Auto

Combining Main Domain and Wildcard Domain

To use both <your-domain> and *.<your-domain>, specify both variants in your Zerops configuration. Zerops automatically issues a single shared certificate for both the main domain and all its subdomains.
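As an added example (not part of the Zerops documentation or tooling), the following Python linter encodes the routing rules from the DNS Record Configuration section above (shared IPv4 needs an AAAA record, shared IPv4 must not be paired with a proxied AAAA, the shared IPv4 A record itself must stay DNS only) together with the _acme-challenge CNAME requirement for wildcards, and runs them over a constructed, Cloudflare-style record set. The shared IPv4 value is a placeholder; replace it with the address shown in your Zerops GUI.

```python
from dataclasses import dataclass

# Constructed placeholder from the RFC 5737 documentation range; substitute the
# shared IPv4 shown in your Zerops GUI.
ZEROPS_SHARED_IPV4 = "203.0.113.10"

@dataclass(frozen=True)
class Record:
    rtype: str     # "A", "AAAA" or "CNAME"
    name: str      # "example.com", "*.example.com", "_acme-challenge.example.com"
    content: str   # IP address or CNAME target
    proxied: bool  # True = orange cloud (proxied) in Cloudflare

def lint_zone(records: list[Record]) -> list[str]:
    """Return the rules from this guide that the record set violates (empty = OK)."""
    by_name: dict[str, list[Record]] = {}
    for r in records:
        by_name.setdefault(r.name, []).append(r)
    problems: list[str] = []
    for name, recs in by_name.items():
        shared = [r for r in recs if r.rtype == "A" and r.content == ZEROPS_SHARED_IPV4]
        aaaa = [r for r in recs if r.rtype == "AAAA"]
        if shared and not aaaa:  # "Both A + AAAA Required": the AAAA backs the domain claim
            problems.append(f"{name}: shared IPv4 requires an AAAA record")
        if shared and any(r.proxied for r in aaaa):  # Zerops reverse-looks-up the AAAA
            problems.append(f"{name}: shared IPv4 cannot be combined with a proxied AAAA")
        if any(r.proxied for r in shared):  # proxied shared IPv4 breaks IPv4 routing
            problems.append(f"{name}: the shared IPv4 A record must not be proxied")
        if name.startswith("*."):  # wildcard: DNS-01 needs the _acme-challenge CNAME
            base = name[2:]
            want = f"{base}.zerops.zone"
            acme = by_name.get(f"_acme-challenge.{base}", [])
            if not any(r.rtype == "CNAME" and r.content == want and not r.proxied for r in acme):
                problems.append(f"{name}: needs DNS-only CNAME _acme-challenge.{base} -> {want}")
    return problems

# Constructed sample zones: a valid IPv6-only proxied setup with a Method B wildcard,
# and a shared-IPv4 zone that breaks three of the rules above.
GOOD = [Record("AAAA", "example.com", "2001:db8::1", True),
        Record("CNAME", "*.example.com", "example.com", True),
        Record("CNAME", "_acme-challenge.example.com", "example.com.zerops.zone", False)]
BAD = [Record("A", "example.org", ZEROPS_SHARED_IPV4, True),
       Record("AAAA", "*.example.org", "2001:db8::2", True)]

if __name__ == "__main__":
    for label, zone in (("good", GOOD), ("bad", BAD)):
        print(label, lint_zone(zone) or "OK")
```

The same function accepts the higher-level wildcard form (*.<subdomain>.<your-domain>), for which it expects the _acme-challenge.<subdomain>.<your-domain> CNAME described above.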

Cloudflare SSL/TLS Configuration

Essential SSL/TLS Settings

  1. Set Encryption Mode

    • Navigate to SSL/TLS → Overview in your Cloudflare dashboard
    • Select Full (strict) for production or Full for testing
    • Never use Flexible mode: it makes Cloudflare connect to the origin over plain HTTP, which causes redirect loops
  2. Edge Certificates

    • Go to SSL/TLS → Edge Certificates
    • Ensure Always Use HTTPS is enabled for production
    • Keep Automatic HTTPS Rewrites enabled

Certificate Validation Configuration

For proper certificate issuance, especially with Let's Encrypt:

Option A: Simple Setup (Testing/Development)

  • Temporarily disable Always Use HTTPS during initial certificate setup
  • Re-enable after certificates are issued

Option B: Production Setup

Keep Always Use HTTPS enabled and create a Configuration Rule:

  1. Go to Rules → Configuration Rules
  2. Create a new rule with these settings:
    • Rule name: "Allow ACME Challenge"
    • Field: URI Path
    • Operator: starts with
    • Value: /.well-known/acme-challenge/
    • Action: Disable Automatic HTTPS Rewrites

This rule allows certificate validation to work while maintaining HTTPS enforcement for all other traffic.

Validation and Testing

DNS Resolution Testing

# Check IPv4 resolution
dig A <your-domain>

# Check IPv6 resolution
dig AAAA <your-domain>

# Check from specific DNS server
dig @1.1.1.1 <your-domain>

Connectivity Testing

# Basic HTTPS test
curl -vI https://<your-domain>

# Test with specific subdomain (for wildcards)
curl -vI https://api.<your-domain>

# Test IPv4 specifically
curl -4 -v https://<your-domain>

# Test IPv6 specifically
curl -6 -v https://<your-domain>

Cloudflare-Specific Checks

  1. Verify proxy status in Cloudflare DNS dashboard (orange cloud = proxied)
  2. Check SSL/TLS mode in SSL/TLS → Overview
  3. Confirm certificate issuance in SSL/TLS → Edge Certificates
  4. Test redirect behavior by accessing http:// version of your domain

Troubleshooting Common Issues

SSL Certificate Problems

Too Many Redirects or SSL Errors

Possible causes:

  • Incorrect SSL/TLS mode in Cloudflare
  • Invalid or missing certificates
  • Misconfigured HTTPS settings

Solutions:

  1. Verify SSL/TLS mode is set to Full or Full (strict), not Flexible
  2. Check that both Zerops and Cloudflare have valid certificates
  3. Ensure Always Use HTTPS is properly configured
  4. For new domains, refresh the Cloudflare SSL/TLS page as settings may display incorrectly initially

Certificate Validation Fails for Wildcard Domains

Possible causes:

  • Missing or incorrect _acme-challenge CNAME record
  • DNS propagation not complete
  • Incorrect CNAME target

Solutions:

  1. Verify the _acme-challenge CNAME record is correctly configured
  2. Ensure DNS propagation is complete (check with dig command)
  3. Confirm the CNAME points to <your-domain>.zerops.zone

Domain Verification Failed (DNS Warning in Zerops)

Possible causes:

  • Cloudflare's WAF or security features blocking the /.well-known/acme-challenge/ path
  • Let's Encrypt HTTP-01 validation being prevented

Solutions:

Option 1: Create a WAF Skip Rule (Recommended)

  1. Navigate to Security → WAF → Custom rules in Cloudflare
  2. Click Create rule and configure:
    • Rule name: "Allow ACME Challenge"
    • Field: URI Path
    • Operator: starts with
    • Value: /.well-known/acme-challenge/
    • Choose action: Skip
    • Which rules to skip: Select all WAF components
  3. Move this rule to the top of your Custom rules list
  4. Wait a few minutes and check if the warning disappears in Zerops

Option 2: Modify Existing WAF Rules

  1. Edit your existing WAF rule
  2. Add an additional condition:
    • Field: URI Path
    • Operator: does not start with
    • Value: /.well-known/acme-challenge/
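The same match written for Cloudflare's expression editor, as an added example that is not taken from the Zerops documentation (it assumes the standard Rules language function starts_with and the field http.request.uri.path). The first line is the match for the Option 1 skip rule and, equally, for the Configuration Rule in Option B above; the second shows the Option 2 exclusion, where <existing expression> stands for the rule's current expression:

```text
starts_with(http.request.uri.path, "/.well-known/acme-challenge/")

(<existing expression>) and not starts_with(http.request.uri.path, "/.well-known/acme-challenge/")
```
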

CNAME Flattening and DNS Verification

Cloudflare uses CNAME flattening, which converts CNAME records to A/AAAA records in DNS responses. This is normal behavior and doesn't affect Zerops' domain verification. However, if WAF or other security features block the ACME challenge endpoint, Zerops cannot complete the HTTP-01 validation required for certificate issuance.

DNS Resolution Issues

Domain Not Resolving

Possible causes:

  • Incorrect DNS record configuration
  • DNS propagation delay
  • Typos in IP addresses

Solutions:

  1. Confirm DNS records are correctly configured in Cloudflare
  2. Verify proxy status matches your intended setup (orange cloud = proxied)
  3. Check for typos in IP addresses or CNAME targets
  4. Wait for DNS propagation (typically 5-10 minutes, up to 24 hours globally)
  5. Test resolution using: dig @1.1.1.1 <your-domain>

IPv4 Traffic Not Working with IPv6-Only Setup

Possible causes:

  • Cloudflare proxy disabled
  • Incorrect IPv6 address
  • Conflicting DNS records

Solutions:

  1. Ensure Cloudflare proxy is enabled (orange cloud icon)
  2. Verify IPv6 address is correct in AAAA record
  3. Confirm no conflicting A record with shared IPv4 exists
  4. Test with: curl -4 -v https://<your-domain>

Security Considerations

  • Always use Full (strict) SSL mode for production
  • Enable HSTS (HTTP Strict Transport Security) in Cloudflare
  • Consider enabling Bot Fight Mode for additional protection
  • Use Cloudflare's Firewall Rules to block malicious traffic
  • Regularly monitor SSL certificate expiration dates

Getting Help

If you encounter issues not covered in this guide:

  • Check the general DNS configuration guide for additional context
  • Review your Zerops service logs for error messages
  • Verify your configuration against Cloudflare's documentation
  • Test with simple curl commands to isolate the problem
  • Contact Zerops support via email or reach out on Discord