Cloudflare DNS Provider Setup
Overview
Cloudflare is one of the most popular DNS providers and offers a free tier with API access. This guide walks you through setting up Cloudflare as a DNS provider in Charon for wildcard certificate support.
Prerequisites
- Active Cloudflare account (free tier is sufficient)
- Domain added to Cloudflare with nameservers configured
- Domain status: Active (not pending nameserver update)
Step 1: Generate API Token
Cloudflare API Tokens provide scoped access and are more secure than Global API Keys.
- Log in to Cloudflare Dashboard
- Click on your profile icon (top right) → My Profile
- Select API Tokens from the left sidebar
- Click Create Token
- Use the Edit zone DNS template or create a custom token
- Configure token permissions:
  - Permissions: Zone → DNS → Edit
  - Zone Resources:
    - Include → Specific zone → Select your domain
    - OR Include → All zones (if managing multiple domains)
  - (Optional) Set Client IP Address Filtering for additional security
  - (Optional) Set TTL for token expiration
- Click Continue to summary
- Review permissions and click Create Token
- Copy the token immediately (shown only once)
Tip: Store the API token in a password manager. Cloudflare won't display it again.
Step 2: Configure in Charon
- Navigate to DNS Providers in Charon
- Click Add Provider
- Fill in the form:
  - Provider Type: Select Cloudflare
  - Name: Enter a descriptive name (e.g., "Cloudflare Production")
  - API Token: Paste the token from Step 1
Advanced Settings (Optional)
Expand Advanced Settings to customize:
- Propagation Timeout: 60 seconds (Cloudflare has fast global propagation)
- Polling Interval: 10 seconds (default)
- Set as Default: Enable if this is your primary DNS provider
Step 3: Test Connection
- Click Test Connection button
- Wait for validation (usually 2-5 seconds)
- Verify you see: ✅ Connection successful
If the test fails, see Troubleshooting below.
Step 4: Save Configuration
Click Save to store the DNS provider configuration. Credentials are encrypted at rest using AES-256-GCM.
Step 5: Use with Wildcard Certificates
When creating a proxy host with a wildcard domain:
- Navigate to Proxy Hosts → Add Proxy Host
- Enter a wildcard domain: *.example.com
- Select Cloudflare from the DNS Provider dropdown
- Configure remaining settings
- Save
Charon will automatically obtain a wildcard certificate using the ACME DNS-01 challenge, which proves control of the domain by creating a TXT record through the Cloudflare API.
Example Configuration
Provider Type: cloudflare
Name: Cloudflare - example.com
API Token: ********************************
Propagation Timeout: 60 seconds
Polling Interval: 10 seconds
Default: Yes
Required Permissions
The API token needs the following Cloudflare permissions:
- Zone → DNS → Edit: Create and delete TXT records for ACME challenges
Note: The token does NOT need Zone → Edit or Account-level permissions.
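To make concrete what the DNS-01 challenge from Step 5 actually writes into Cloudflare, and why Zone → DNS → Edit is the only permission it needs, here is an added worked example (not Charon's or Cloudflare's own code). It derives the `_acme-challenge` TXT value from an ACME challenge token and the account key as RFC 8555 section 8.4 specifies (key authorization = token + "." + RFC 7638 JWK thumbprint, then SHA-256, base64url), and builds the two Cloudflare API requests an ACME client issues: create the TXT record, then delete it after validation. The JWK, challenge token and zone id are constructed placeholders; nothing is sent over the network.

```python
"""Added example: what an ACME client does with a Cloudflare DNS token during
a DNS-01 challenge. Not code from Charon or Cloudflare. Offline only."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint_input(jwk: dict) -> str:
    """Canonical JSON of the required public members only, keys sorted,
    no whitespace (RFC 7638 section 3). Extra members such as 'kid' are dropped."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(jwk_thumbprint_input(jwk).encode()).digest())


def dns01_txt_value(challenge_token: str, account_jwk: dict) -> str:
    """TXT record content: base64url(SHA-256(keyAuthorization)), RFC 8555 8.4."""
    key_authorization = f"{challenge_token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode()).digest())


def challenge_record_name(domain: str) -> str:
    """A wildcard *.example.com is validated on the base name, so the record
    is _acme-challenge.example.com, not _acme-challenge.*.example.com."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


def cloudflare_create_txt(zone_id: str, domain: str, txt_value: str) -> dict:
    """Request the client sends to publish the challenge (needs DNS:Edit)."""
    return {
        "method": "POST",
        "url": f"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records",
        "json": {
            "type": "TXT",
            "name": challenge_record_name(domain),
            "content": txt_value,
            "ttl": 120,  # short TTL: the record is temporary
        },
    }


def cloudflare_delete_txt(zone_id: str, record_id: str) -> dict:
    """Cleanup after validation, which is why the token also needs delete
    (covered by DNS:Edit) but no zone-level or account-level permission."""
    return {
        "method": "DELETE",
        "url": f"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records/{record_id}",
    }


# Constructed placeholders, not a real key or token.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "CONSTRUCTED-modulus", "kid": "ignored"}
CHALLENGE_TOKEN = "CONSTRUCTED-challenge-token"
ZONE_ID = "CONSTRUCTED-zone-id"


def demo(domain: str = "*.example.com") -> dict:
    """Return the create request an ACME client would issue for `domain`."""
    value = dns01_txt_value(CHALLENGE_TOKEN, ACCOUNT_JWK)
    return cloudflare_create_txt(ZONE_ID, domain, value)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The only Cloudflare calls involved are the `POST` and `DELETE` on `/zones/{zone_id}/dns_records` (plus a read of the zone list to find the zone id), which is exactly the scope of the Zone → DNS → Edit permission described above.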
Troubleshooting
Connection Test Fails
Error: Invalid API token
- Verify the token was copied correctly (no extra spaces)
- Ensure the token has Zone → DNS → Edit permission
- Check token hasn't expired (if TTL was set)
- Regenerate the token if necessary
Error: Zone not found
- Verify the domain is added to your Cloudflare account
- Ensure domain status is Active (nameservers updated)
- Check API token includes the correct zone in Zone Resources
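When the connection test fails, it helps to reproduce its two underlying checks outside Charon so the error can be traced to one of the causes listed above. The following added example (not Charon's code) calls Cloudflare's token verification endpoint (`GET /client/v4/user/tokens/verify`) and the zone lookup (`GET /client/v4/zones?name=<domain>`) with the standard library, and maps the responses to the hints in this section. It assumes the token is supplied in a `CLOUDFLARE_API_TOKEN` environment variable (a name chosen for this script, not a Charon setting) and the domain as the first argument; the sample responses at the bottom are constructed so the classification logic can be exercised offline.

```python
"""Added example: reproduce Charon's 'Test Connection' checks from the shell.
Not Charon's or Cloudflare's code. Live calls run only when executed directly."""
import json
import os
import sys
import urllib.error
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def cf_get(path: str, token: str) -> tuple:
    """GET a Cloudflare API path with a Bearer token; return (status, body)."""
    req = urllib.request.Request(API + path, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        try:
            return err.code, json.load(err)
        except ValueError:
            return err.code, {"success": False, "errors": [{"message": str(err.reason)}]}


def classify_token(http_status: int, body: dict) -> str:
    """Map the /user/tokens/verify response to a troubleshooting hint."""
    result = body.get("result") or {}
    if http_status == 200 and body.get("success") and result.get("status") == "active":
        return "ok"
    if result.get("status") in ("disabled", "expired"):
        return f"token {result['status']}: regenerate the token in the Cloudflare dashboard"
    messages = "; ".join(e.get("message", "") for e in body.get("errors", []))
    return (f"invalid token ({messages or http_status}): re-copy it without extra spaces, "
            "check the TTL has not passed, or regenerate it")


def classify_zone(body: dict, domain: str) -> str:
    """Map the /zones?name=<domain> response to a troubleshooting hint."""
    if not body.get("success"):
        messages = "; ".join(e.get("message", "") for e in body.get("errors", []))
        return f"lookup failed: {messages}"
    zones = [z for z in body.get("result") or [] if z.get("name") == domain]
    if not zones:
        # Either the domain is not in this account, or the token's Zone
        # Resources do not include it (scoped tokens cannot see other zones).
        return ("zone not found: add the domain to this Cloudflare account and include "
                "it in the token's Zone Resources")
    zone = zones[0]
    if zone.get("status") != "active":
        return f"zone {zone.get('status')}: update the nameservers at the registrar and wait for Active"
    return f"ok (zone id {zone['id']})"


def main(domain: str) -> None:
    token = os.environ.get("CLOUDFLARE_API_TOKEN")  # assumed variable name for this script
    if not token:
        sys.exit("set CLOUDFLARE_API_TOKEN to the token from Step 1")
    print("token:", classify_token(*cf_get("/user/tokens/verify", token)))
    _, zone_body = cf_get(f"/zones?name={domain}", token)
    print("zone: ", classify_zone(zone_body, domain))


# Constructed sample responses (shapes follow the Cloudflare v4 envelope).
SAMPLE_TOKEN_OK = {"success": True, "errors": [],
                   "result": {"id": "CONSTRUCTED-token-id", "status": "active"}}
SAMPLE_TOKEN_BAD = {"success": False, "result": None,
                    "errors": [{"code": 1000, "message": "Invalid API Token"}]}
SAMPLE_ZONES_PENDING = {"success": True, "errors": [],
                        "result": [{"id": "CONSTRUCTED-zone-id", "name": "example.com",
                                    "status": "pending"}]}


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "example.com")
```

Run it as `CLOUDFLARE_API_TOKEN=... python3 check_cloudflare.py example.com`; a token that verifies but reports "zone not found" is the classic symptom of a token scoped to the wrong zone in Zone Resources.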
Certificate Issuance Fails
Error: DNS propagation timeout
- Cloudflare typically propagates in <30 seconds
- Check Cloudflare Status page for service issues
- Verify DNSSEC is configured correctly (if enabled)
- Try increasing Propagation Timeout to 120 seconds
Error: Unauthorized to edit DNS
- API token may have been revoked
- Regenerate a new token with correct permissions
- Update configuration in Charon
Rate Limiting
Cloudflare has generous API rate limits:
- Free plan: 1,200 requests per 5 minutes
- Certificate challenges typically use <10 requests
If you hit limits:
- Reduce polling frequency
- Avoid unnecessary test connection attempts
- Consider upgrading Cloudflare plan
Security Recommendations
- Scope Tokens: Limit to specific zones rather than "All zones"
- IP Filtering: Add your server's IP to Client IP Address Filtering
- Set Expiration: Use token TTL for automatic expiration (renew before expiry)
- Rotate Regularly: Generate new tokens every 90-180 days
- Monitor Usage: Review API token activity in Cloudflare dashboard