CloudFlare Setup
This guide covers configuring the ELLIO Traefik Middleware Plugin for services deployed behind CloudFlare. CloudFlare terminates the client connection and proxies it to your origin, so the middleware must be told how to recover the real client IP; otherwise IP-based filtering is evaluated against CloudFlare's edge addresses instead of the client's.
Overview
When your Traefik instance is behind CloudFlare:
- Client IPs are forwarded in the CF-Connecting-IP header
- CloudFlare's edge IPs appear as the direct connection source
- Trusted proxy configuration is essential to prevent IP spoofing: the header is only meaningful when the direct peer is a CloudFlare address
- Real client IPs must be extracted from CloudFlare headers
Prerequisites
- CloudFlare account with your domain configured
- Traefik instance running behind CloudFlare proxy
- Bootstrap token from your custom EDL configured for "Traefik Middleware"
Step 1: Configure CloudFlare-Specific Settings
The key to CloudFlare integration is using the CF-Connecting-IP header and accepting it only from connections that originate in CloudFlare's published IP ranges (https://www.cloudflare.com/ips/). Without the trustedProxies list, any client that can reach the origin directly could set CF-Connecting-IP to an arbitrary address and walk past the filter. Note that a request which bypasses CloudFlare is then judged on its own peer address; if every request must pass through CloudFlare, also restrict inbound traffic on ports 80 and 443 to CloudFlare's ranges at the host firewall.
Static Configuration

```yaml
# traefik.yml
api:
  dashboard: true

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /etc/traefik/dynamic.yml
    watch: true

# ELLIO Plugin
experimental:
  plugins:
    ellio:
      moduleName: "github.com/ELLIO-Technology/ELLIO-Traefik-Middleware-Plugin"
      version: "v1.0.1"

log:
  level: INFO

accessLog: {}

# CloudFlare SSL/TLS configuration: ACME with the CloudFlare DNS challenge
certificatesResolvers:
  cloudflare:
    acme:
      email: "you@example.com"          # placeholder: your ACME account e-mail (required by Traefik)
      storage: /letsencrypt/acme.json   # assumed path; matches the ./letsencrypt volume in docker-compose.yml
      dnsChallenge:
        provider: cloudflare
```
Dynamic Configuration for CloudFlare

```yaml
# dynamic.yml
http:
  middlewares:
    # ELLIO EDL Middleware - CloudFlare Configuration
    ellio-cloudflare:
      plugin:
        ellio:
          bootstrapToken: "YOUR_ELLIO_BOOTSTRAP_TOKEN"
          logLevel: "info"
          ipStrategy: "custom"
          trustedHeader: "CF-Connecting-IP"
          trustedProxies:
            # CloudFlare IP ranges; keep in sync with https://www.cloudflare.com/ips/
            - "173.245.48.0/20"
            # ...

  routers:
    # Protected application behind CloudFlare
    protected-app:
      rule: "Host(`app.example.com`)"
      service: my-app
      middlewares:
        - ellio-cloudflare
      entryPoints:
        - websecure
      tls:
        certResolver: cloudflare

    # Dashboard with CloudFlare protection
    api:
      rule: "Host(`traefik.example.com`)"
      service: api@internal
      middlewares:
        - ellio-cloudflare
      entryPoints:
        - websecure
      tls:
        certResolver: cloudflare

  services:
    my-app:
      loadBalancer:
        servers:
          - url: "http://backend:8080"
```
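The following script is an added example, not code from the ELLIO plugin or from this guide. It models the trusted-proxy rule that the `trustedHeader` / `trustedProxies` settings above rely on (honour CF-Connecting-IP only when the TCP peer is inside a trusted range, otherwise fall back to the peer address), and it parses the one-CIDR-per-line format that https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 publish into a ready-to-paste `trustedProxies` list. The plugin's exact behaviour for `ipStrategy: custom` should be checked against its own documentation; the function names, the `indent` default and the short list of ranges are assumptions (the range list is a constructed snapshot, not the authoritative one).

```python
"""Model of trusted-proxy client-IP extraction for a Traefik origin behind CloudFlare.

Added example; not the ELLIO plugin's own implementation.
"""
import ipaddress
from ipaddress import IPv4Network, IPv6Network
from typing import Iterable, Mapping, Tuple, Union

Network = Union[IPv4Network, IPv6Network]

# Constructed sample in the format of https://www.cloudflare.com/ips-v4 and
# https://www.cloudflare.com/ips-v6 (one CIDR per line). The range shown in the
# guide (173.245.48.0/20) is included; this is a partial snapshot (assumption),
# so refresh it from the published list before use.
CLOUDFLARE_IPS_TEXT = """\
173.245.48.0/20
103.21.244.0/22
141.101.64.0/18
2400:cb00::/32
2606:4700::/32
"""


def parse_ip_list(text: str) -> list:
    """Parse one-CIDR-per-line text into network objects, refusing junk lines.

    A bare host address is accepted as a /32 or /128. Any line that is not a
    valid network raises ValueError, so a truncated or corrupted download cannot
    silently shrink the trusted-proxy list.
    """
    networks = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r} is not a valid CIDR") from exc
    return networks


def render_trusted_proxies(networks: Iterable[Network], indent: int = 12) -> str:
    """Render a YAML sequence for the trustedProxies key in dynamic.yml.

    The default indent matches the nesting used in the dynamic.yml above
    (http > middlewares > ellio-cloudflare > plugin > ellio > trustedProxies).
    """
    pad = " " * indent
    return "\n".join(f'{pad}- "{net.with_prefixlen}"' for net in networks)


def resolve_client_ip(peer_ip: str, headers: Mapping[str, str],
                      trusted_proxies: Iterable[Network],
                      trusted_header: str = "CF-Connecting-IP") -> Tuple[str, str]:
    """Return (client_ip, reason) under the trusted-proxy rule.

    The forwarded header is honoured only when the TCP peer lies inside one of
    the trusted ranges. A peer outside them is treated as the client itself and
    its header is ignored, which is what defeats a forged CF-Connecting-IP sent
    by a client that reaches the origin without going through CloudFlare.
    """
    peer = ipaddress.ip_address(peer_ip)
    # ipaddress returns False (not an error) when the address family differs.
    if not any(peer in net for net in trusted_proxies):
        return str(peer), "peer is not a trusted proxy; header ignored"
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lowered.get(trusted_header.lower(), "").strip()
    if not value:
        return str(peer), "trusted proxy but header missing; using peer"
    try:
        return str(ipaddress.ip_address(value)), "taken from trusted header"
    except ValueError:
        return str(peer), "trusted proxy but header malformed; using peer"


if __name__ == "__main__":
    proxies = parse_ip_list(CLOUDFLARE_IPS_TEXT)
    print(render_trusted_proxies(proxies))
    # Request that arrived via CloudFlare: the header is trusted.
    print(resolve_client_ip("173.245.48.10", {"CF-Connecting-IP": "203.0.113.7"}, proxies))
    # Direct hit on the origin with a forged header: the header is ignored.
    print(resolve_client_ip("198.51.100.9", {"CF-Connecting-IP": "203.0.113.7"}, proxies))
```

Run it as-is to see both outcomes side by side; to produce a real list, replace `CLOUDFLARE_IPS_TEXT` with the concatenated contents of the two published files and paste the rendered block under `trustedProxies`.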
Step 2: Complete CloudFlare Docker Compose Setup
```yaml
# docker-compose.yml
services:
  traefik:
    image: traefik:v3.2
    container_name: traefik-cloudflare
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - ./dynamic.yml:/etc/traefik/dynamic.yml:ro
      - ./letsencrypt:/letsencrypt
    environment:
      # Credentials for the CloudFlare DNS challenge. The global API key grants
      # full account access; a scoped API token (Zone:DNS:Edit) supplied as
      # CLOUDFLARE_DNS_API_TOKEN is the safer choice.
      - CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}
      - CLOUDFLARE_API_KEY=${CLOUDFLARE_API_KEY}
    networks:
      - web
    labels:
      - "traefik.enable=true"
      # Dashboard with ELLIO protection. This duplicates the `api` router in
      # dynamic.yml; keep only one of the two. ELLIO filters by IP only, so
      # chain an authentication middleware as well before exposing the dashboard.
      - "traefik.http.routers.api.rule=Host(`${TRAEFIK_DOMAIN}`)"
      - "traefik.http.routers.api.middlewares=ellio-cloudflare@file"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.entrypoints=websecure"
      - "traefik.http.routers.api.tls.certresolver=cloudflare"

  # Example backend service
  backend:
    image: traefik/whoami
    container_name: backend-app
    networks:
      - web
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.app.rule=Host(`${APP_DOMAIN}`)"
      # cloudflare-headers@file is not defined in the dynamic.yml above;
      # define it there or drop it from this chain
      - "traefik.http.routers.app.middlewares=ellio-cloudflare@file,cloudflare-headers@file"
      - "traefik.http.routers.app.entrypoints=websecure"
      - "traefik.http.routers.app.tls.certresolver=cloudflare"

networks:
  web:
    driver: bridge
```