262 lines
6.3 KiB
Markdown
262 lines
6.3 KiB
Markdown
|
|
# Cloudflare Configuration Guide
|
||
|
|
|
||
|
|
## Date: 2025-01-22
|
||
|
|
|
||
|
|
## 📊 Current Status
|
||
|
|
|
||
|
|
### ✅ DNS Configuration
|
||
|
|
|
||
|
|
**Domain**: `cross-all.defi-oracle.io`
|
||
|
|
|
||
|
|
**DNS Resolution**:
|
||
|
|
```
|
||
|
|
cross-all.defi-oracle.io → 172.67.209.228
|
||
|
|
cross-all.defi-oracle.io → 104.21.91.43
|
||
|
|
```
|
||
|
|
|
||
|
|
**Status**: ✅ Configured and resolving (Cloudflare IPs)
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## ⚠️ Cloudflare 522 Error
|
||
|
|
|
||
|
|
### Current Situation
|
||
|
|
|
||
|
|
- **HTTP Status**: 522 (Connection Timeout)
|
||
|
|
- **HTTPS Status**: 522 (Connection Timeout)
|
||
|
|
- **SSL Certificate**: ✅ Valid (Cloudflare-issued)
|
||
|
|
- **DNS**: ✅ Resolving correctly
|
||
|
|
|
||
|
|
**522 Error Meaning**: Cloudflare cannot connect to the origin server.
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## 🔧 Cloudflare Configuration Required
|
||
|
|
|
||
|
|
### Step 1: Access Cloudflare Dashboard
|
||
|
|
|
||
|
|
1. Log into Cloudflare dashboard: https://dash.cloudflare.com
|
||
|
|
2. Select domain: `defi-oracle.io`
|
||
|
|
3. Navigate to **DNS** section
|
||
|
|
|
||
|
|
### Step 2: Configure DNS A Record
|
||
|
|
|
||
|
|
**Current Configuration** (Verify):
|
||
|
|
- **Type**: A
|
||
|
|
- **Name**: `cross-all`
|
||
|
|
- **Content**: [Origin Server IP] ← **This must be NPMplus public IP**
|
||
|
|
- **Proxy Status**: ✅ Proxied (Orange Cloud) ← **Should be enabled**
|
||
|
|
- **TTL**: Auto (or 300)
|
||
|
|
|
||
|
|
**Required Configuration**:
|
||
|
|
1. **Origin Server IP**: Must be the public IP address of your NPMplus server
|
||
|
|
- This is the IP that Cloudflare will connect to
|
||
|
|
- Should be the public IP of the server hosting NPMplus (192.168.11.11's public IP)
|
||
|
|
|
||
|
|
2. **Proxy Status**:
|
||
|
|
- ✅ **Enabled** (Orange Cloud) - Routes through Cloudflare
|
||
|
|
- ⚠️ **Disabled** (Grey Cloud) - Direct DNS only
|
||
|
|
|
||
|
|
3. **Verify**:
|
||
|
|
- The A record content should point to your NPMplus server's public IP
|
||
|
|
- Not the private IP (192.168.11.166)
|
||
|
|
- Not localhost
|
||
|
|
|
||
|
|
### Step 3: Verify Origin Server Accessibility
|
||
|
|
|
||
|
|
**Check if origin server is accessible**:
|
||
|
|
```bash
|
||
|
|
# Test from external network (if possible)
|
||
|
|
curl -I http://[NPMPLUS_PUBLIC_IP]/
|
||
|
|
|
||
|
|
# Test with Host header
|
||
|
|
curl -I -H "Host: cross-all.defi-oracle.io" http://[NPMPLUS_PUBLIC_IP]/
|
||
|
|
```
|
||
|
|
|
||
|
|
**Requirements**:
|
||
|
|
- Origin server must be accessible from the internet
|
||
|
|
- Port 80 (HTTP) and 443 (HTTPS) must be open
|
||
|
|
- Firewall must allow Cloudflare IP ranges
|
||
|
|
|
||
|
|
### Step 4: Cloudflare SSL/TLS Settings
|
||
|
|
|
||
|
|
1. Navigate to **SSL/TLS** section in Cloudflare
|
||
|
|
2. **SSL/TLS encryption mode**: Should be **"Full"** or **"Full (strict)"**
|
||
|
|
- **Full**: Encrypts connection between Cloudflare and origin
|
||
|
|
- **Full (strict)**: Same as Full, but validates origin certificate
|
||
|
|
3. **Always Use HTTPS**: Enable (optional but recommended)
|
||
|
|
|
||
|
|
### Step 5: Verify Origin Server Configuration
|
||
|
|
|
||
|
|
**NPMplus Server**:
|
||
|
|
- Must be accessible from internet on port 80/443
|
||
|
|
- Must accept connections from Cloudflare IP ranges
|
||
|
|
- Must have proper firewall rules
|
||
|
|
|
||
|
|
**Backend Server**:
|
||
|
|
- Running and accessible: ✅ `http://192.168.11.211/` (HTTP 200)
|
||
|
|
- NPMplus proxy configured: ✅ Active
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## 🔍 Troubleshooting
|
||
|
|
|
||
|
|
### Issue: 522 Connection Timeout
|
||
|
|
|
||
|
|
**Possible Causes**:
|
||
|
|
1. Origin server IP incorrect in Cloudflare DNS
|
||
|
|
2. Origin server not accessible from internet
|
||
|
|
3. Firewall blocking Cloudflare IPs
|
||
|
|
4. Port 80/443 not open on origin server
|
||
|
|
5. NPMplus not listening on public IP
|
||
|
|
|
||
|
|
**Solutions**:
|
||
|
|
|
||
|
|
1. **Verify Origin IP in Cloudflare**:
|
||
|
|
- Check DNS A record content
|
||
|
|
- Must be public IP of NPMplus server
|
||
|
|
- Not private IP (192.168.11.x)
|
||
|
|
|
||
|
|
2. **Check Firewall Rules**:
|
||
|
|
```bash
|
||
|
|
# On NPMplus server
|
||
|
|
# Allow Cloudflare IP ranges (see Cloudflare documentation)
|
||
|
|
# Allow port 80 and 443 from anywhere (or Cloudflare IPs)
|
||
|
|
```
|
||
|
|
|
||
|
|
3. **Verify NPMplus Accessibility**:
|
||
|
|
```bash
|
||
|
|
# Test if NPMplus is accessible externally
|
||
|
|
# From external network or Cloudflare test tool
|
||
|
|
curl -I http://[NPMPLUS_PUBLIC_IP]:80/
|
||
|
|
```
|
||
|
|
|
||
|
|
4. **Check NPMplus Configuration**:
|
||
|
|
- Verify NPMplus is listening on public interface
|
||
|
|
- Check NPMplus nginx configuration
|
||
|
|
- Verify proxy host is active
|
||
|
|
|
||
|
|
### Issue: SSL Certificate Errors
|
||
|
|
|
||
|
|
**Cloudflare SSL**:
|
||
|
|
- Cloudflare provides SSL automatically when proxy is enabled
|
||
|
|
- SSL certificate is Cloudflare-issued (this is normal)
|
||
|
|
- No action needed for Cloudflare SSL
|
||
|
|
|
||
|
|
**Origin SSL** (if using Full strict):
|
||
|
|
- NPMplus must have valid SSL certificate
|
||
|
|
- Certificate must match domain name
|
||
|
|
- Can be self-signed for Full strict (Cloudflare accepts it)
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## 📋 Cloudflare IP Ranges
|
||
|
|
|
||
|
|
If you need to whitelist Cloudflare IPs in firewall:
|
||
|
|
|
||
|
|
**IPv4**: https://www.cloudflare.com/ips-v4
|
||
|
|
**IPv6**: https://www.cloudflare.com/ips-v6
|
||
|
|
|
||
|
|
**Common IPv4 Ranges**:
|
||
|
|
```
|
||
|
|
173.245.48.0/20
|
||
|
|
103.21.244.0/22
|
||
|
|
103.22.200.0/22
|
||
|
|
103.31.4.0/22
|
||
|
|
141.101.64.0/18
|
||
|
|
108.162.192.0/18
|
||
|
|
190.93.240.0/20
|
||
|
|
188.114.96.0/20
|
||
|
|
197.234.240.0/22
|
||
|
|
198.41.128.0/17
|
||
|
|
162.158.0.0/15
|
||
|
|
104.16.0.0/13
|
||
|
|
104.24.0.0/14
|
||
|
|
172.64.0.0/13
|
||
|
|
131.0.72.0/22
|
||
|
|
```
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## ✅ Verification Steps
|
||
|
|
|
||
|
|
### 1. Check DNS Configuration
|
||
|
|
|
||
|
|
```bash
|
||
|
|
dig cross-all.defi-oracle.io +short
|
||
|
|
# Should return Cloudflare IPs: 172.67.209.228, 104.21.91.43
|
||
|
|
```
|
||
|
|
|
||
|
|
### 2. Check Origin Server
|
||
|
|
|
||
|
|
```bash
|
||
|
|
# Verify NPMplus is accessible (from internal network)
|
||
|
|
curl -I -H "Host: cross-all.defi-oracle.io" http://192.168.11.166/
|
||
|
|
|
||
|
|
# Verify backend is accessible
|
||
|
|
curl -I http://192.168.11.211/
|
||
|
|
```
|
||
|
|
|
||
|
|
### 3. Check Cloudflare Status
|
||
|
|
|
||
|
|
- Access Cloudflare dashboard
|
||
|
|
- Check DNS records
|
||
|
|
- Verify proxy status (orange cloud)
|
||
|
|
- Check SSL/TLS settings
|
||
|
|
|
||
|
|
### 4. Test Domain Access
|
||
|
|
|
||
|
|
```bash
|
||
|
|
# Test HTTP
|
||
|
|
curl -I http://cross-all.defi-oracle.io/
|
||
|
|
|
||
|
|
# Test HTTPS
|
||
|
|
curl -I https://cross-all.defi-oracle.io/
|
||
|
|
|
||
|
|
# Should return HTTP 200 (not 522)
|
||
|
|
```
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## 📊 Current Configuration Summary
|
||
|
|
|
||
|
|
### ✅ Complete
|
||
|
|
|
||
|
|
- ✅ DNS configured in Cloudflare
|
||
|
|
- ✅ SSL certificate active (Cloudflare-issued)
|
||
|
|
- ✅ NPMplus proxy configured
|
||
|
|
- ✅ Backend server deployed and running
|
||
|
|
- ✅ All local services operational
|
||
|
|
|
||
|
|
### ⚠️ Needs Configuration
|
||
|
|
|
||
|
|
- ⚠️ Cloudflare origin server IP
|
||
|
|
- ⚠️ Origin server accessibility from internet
|
||
|
|
- ⚠️ Firewall rules for Cloudflare IPs
|
||
|
|
- ⚠️ SSL/TLS mode in Cloudflare
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## 🎯 Next Steps
|
||
|
|
|
||
|
|
1. **Configure Cloudflare Origin**:
|
||
|
|
- Set A record to NPMplus public IP
|
||
|
|
- Verify proxy status (orange cloud)
|
||
|
|
|
||
|
|
2. **Verify Accessibility**:
|
||
|
|
- Test origin server from external network
|
||
|
|
- Check firewall rules
|
||
|
|
|
||
|
|
3. **Configure SSL/TLS**:
|
||
|
|
- Set SSL/TLS mode to "Full" or "Full (strict)"
|
||
|
|
- Enable "Always Use HTTPS"
|
||
|
|
|
||
|
|
4. **Test Access**:
|
||
|
|
- Test domain access: `https://cross-all.defi-oracle.io/`
|
||
|
|
- Verify HTTP 200 (not 522)
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
**Last Updated**: 2025-01-22
|
||
|
|
**Status**: DNS Configured, Cloudflare Origin Configuration Needed
|