Cloudflare Setup
This guide configures the ELLIO Traefik Middleware Plugin for services deployed behind Cloudflare. Cloudflare acts as a proxy, so IP extraction must be configured for filtering to act on real client IPs.
Overview
Section titled “Overview”When your Traefik instance is behind Cloudflare:
- Client IPs are forwarded in the
CF-Connecting-IPheader - Cloudflare IPs appear as the direct connection source
- Trusted proxy configuration is essential to prevent IP spoofing
- Real client IPs must be extracted from Cloudflare headers
Prerequisites
Section titled “Prerequisites”- Cloudflare account with your domain configured
- Traefik instance running behind Cloudflare proxy
- Bootstrap token from your custom EDL configured for “Traefik Middleware”
Step 1: Configure Cloudflare-specific settings
Section titled “Step 1: Configure Cloudflare-specific settings”The key to the Cloudflare integration is using the CF-Connecting-IP header
and trusting Cloudflare’s IP ranges.
Static configuration
Section titled “Static configuration”api: dashboard: true
entryPoints: web: address: :80 http: redirections: entrypoint: to: websecure scheme: https websecure: address: :443
providers: docker: endpoint: unix:///var/run/docker.sock exposedByDefault: false file: filename: /etc/traefik/dynamic.yml watch: true
# ELLIO Pluginexperimental: plugins: ellio: moduleName: "github.com/ELLIO-Technology/ELLIO-Traefik-Middleware-Plugin" version: "v1.0.2"
log: level: INFO
accessLog: {}
# Cloudflare SSL/TLS configurationcertificatesResolvers: cloudflare: acme: dnsChallenge: provider: cloudflare # Use DNS challenge with CloudflareDynamic configuration for Cloudflare
Section titled “Dynamic configuration for Cloudflare”http: middlewares: # ELLIO EDL Middleware - Cloudflare Configuration ellio-cloudflare: plugin: ellio: bootstrapToken: "YOUR_ELLIO_BOOTSTRAP_TOKEN" logLevel: "info" ipStrategy: "custom" trustedHeader: "CF-Connecting-IP" trustedProxies: # Cloudflare IPv4 ranges - "173.245.48.0/20" - "103.21.244.0/22" - "103.22.200.0/22" - "103.31.4.0/22" - "141.101.64.0/18" - "108.162.192.0/18" - "190.93.240.0/20" - "188.114.96.0/20" - "197.234.240.0/22" - "198.41.128.0/17" - "162.158.0.0/15" - "104.16.0.0/13" - "104.24.0.0/14" - "172.64.0.0/13" - "131.0.72.0/22" # Cloudflare IPv6 ranges - "2400:cb00::/32" - "2606:4700::/32" - "2803:f800::/32" - "2405:b500::/32" - "2405:8100::/32" - "2a06:98c0::/29" - "2c0f:f248::/32"
routers: # Protected application behind Cloudflare protected-app: rule: "Host(`app.example.com`)" service: my-app middlewares: - ellio-cloudflare entryPoints: - websecure tls: certResolver: cloudflare
# Dashboard with Cloudflare protection api: rule: "Host(`traefik.example.com`)" service: api@internal middlewares: - ellio-cloudflare entryPoints: - websecure tls: certResolver: cloudflare
services: my-app: loadBalancer: servers: - url: "http://backend:8080"Step 2: Complete Cloudflare Docker Compose setup
Section titled “Step 2: Complete Cloudflare Docker Compose setup”services: traefik: image: traefik:v3.2 container_name: traefik-cloudflare restart: unless-stopped ports: - "80:80" - "443:443" volumes: - /var/run/docker.sock:/var/run/docker.sock:ro - ./traefik.yml:/etc/traefik/traefik.yml:ro - ./dynamic.yml:/etc/traefik/dynamic.yml:ro - ./letsencrypt:/letsencrypt environment: - CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL} - CLOUDFLARE_API_KEY=${CLOUDFLARE_API_KEY} networks: - web labels: - "traefik.enable=true" # Dashboard with ELLIO protection - "traefik.http.routers.api.rule=Host(`${TRAEFIK_DOMAIN}`)" - "traefik.http.routers.api.middlewares=ellio-cloudflare@file" - "traefik.http.routers.api.service=api@internal" - "traefik.http.routers.api.entrypoints=websecure" - "traefik.http.routers.api.tls.certresolver=cloudflare"
# Example backend service backend: image: traefik/whoami container_name: backend-app networks: - web labels: - "traefik.enable=true" - "traefik.http.routers.app.rule=Host(`${APP_DOMAIN}`)" - "traefik.http.routers.app.middlewares=ellio-cloudflare@file" - "traefik.http.routers.app.entrypoints=websecure" - "traefik.http.routers.app.tls.certresolver=cloudflare"
networks: web: driver: bridge