cloudflare

Cloudflare API DNS Update

 in Applications / Bash / Firewall / GNU/Linux / HowTos  tagged api / cloudflare / DNS / update DNS record / what is my ip by

Cloudflare is a content delivery network (CDN) that provides a wide range of services, including domain name system (DNS) management. The Cloudflare API allows developers to programmatically manage DNS records, making it possible to automate updating DNS records. This blog post will explain how to use the Cloudflare API to update a DNS record.

Log in to Cloudflare and get your Global API Key

First, log in to your Cloudflare account and obtain your Global API Key. You can obtain your Global API Key by navigating to the URL: https://dash.cloudflare.com/profile/api-tokens. Once logged in, you should see a section called “API Tokens.” Click on the “View” button to see your Global API Key.

Find the Zone ID

The next step is to find the Zone ID of the domain you want to update. You can find the Zone ID by following the instructions provided in the Cloudflare documentation: https://developers.cloudflare.com/fundamentals/get-started/basic-tasks/find-account-and-zone-ids/.

  1. Click on the domain you want to manage.
  2. In the left-hand sidebar, click on “Overview.”
  3. Scroll to the “API” section and click “Get your API key.”
  4. Click on the “View” button next to the Global API Key.
  5. Copy the key and keep it somewhere safe.

Get the DNS Record Identifiers

Once you have obtained the Zone ID, you can use it to get the identifiers for the DNS records associated with that domain. You can do this by making a GET request to the Cloudflare API, specifying the Zone ID, and providing your email address and API key. The response will contain information about all of the DNS records associated with the domain, including their identifiers.

Here is an example command that you can use to get the DNS record identifiers:

curl --request GET \
  --url https://api.cloudflare.com/client/v4/zones/<zone_id>/dns_records \
  --header 'Content-Type: application/json' \
  --header 'X-Auth-Email: <email_address>' \
  --header 'X-Auth-Key: <api_key>'

Replace <zone_id>, <email_address>, and <api_key> with your actual values.

Update the DNS Record

Finally, you can use the DNS record identifier to update the DNS record. The following is an example bash script that you can use to update a DNS record:

#!/bin/bash

ip=`curl https://bytefreaks.net/what-is-my-ip | grep '<h1 style="text-align: center;"' | cut -d '>' -f 2 | cut -d '<' -f 1`;

ip=`echo $ip | cut -d, -f1`;

comment=`date +%Y-%m-%d\ %H:%M`;

curl --request PUT \
  --url https://api.cloudflare.com/client/v4/zones/<zone_id>/dns_records/<dns_record_id> \
  --header 'Content-Type: application/json' \
  --header 'X-Auth-Email: <email_address>' \
  --header 'X-Auth-Key: <api_key>' \
  --data '{
  "content": "'$ip'",
  "name": "www.bytefreaks.net",
  "proxied": true,
  "type": "A",
  "comment": "'"$comment"'",
  "tags": [],
  "ttl": 3600
}'

Replace <zone_id>, <dns_record_id>, <email_address>, and <api_key> with your actual values. You should also update the "name" field to match the name of the DNS record you want to update.

This script is used to update a DNS record using the Cloudflare API. It retrieves the current public IP address of the device running the script and then updates the specified DNS record on Cloudflare with the new IP address.

Here is a breakdown of each command in the script:

  • ip=curl https://bytefreaks.net/what-is-my-ip | grep ‘<h1 style=”text-align: center;”‘ | cut -d ‘>’ -f 2 | cut -d ‘<‘ -f 1“: This command uses the curl command to retrieve the public IP address of the device running the script from the website https://bytefreaks.net/what-is-my-ip. The output of this command is then piped through grep to find the line that contains the IP address. The cut command is then used to extract the IP address from the line.
  • ip=echo $ip | cut -d, -f1“: This command removes any commas from the IP address, which may be present if the IP address is in a format that includes additional information.
  • comment=date +%Y-%m-%d\ %H:%M“: This command generates a comment for the DNS record update. The comment includes the current date and time in the format YYYY-MM-DD HH:MM.
  • curl --request PUT \: This command sends an HTTP PUT request to update the specified DNS record.
  • --url https://api.cloudflare.com/client/v4/zones/<zone_id>/dns_records/<dns_record_id> \: This specifies the URL for the Cloudflare API endpoint for updating a DNS record. The <zone_id> and <dns_record_id> placeholders should be replaced with the actual zone ID and DNS record ID, respectively.
  • --header 'Content-Type: application/json' \: This specifies that the content type of the request is JSON.
  • --header 'X-Auth-Email: <email_address>' \: This specifies the Cloudflare account email address associated with the API key. The <email_address> placeholder should be replaced with the actual email address.
  • --header 'X-Auth-Key: <api_key>' \: This specifies the Cloudflare API key for the account. The <api_key> placeholder should be replaced with the actual API key.
  • --data '{ ... }': This specifies the JSON data to be sent in the request body. This includes the new IP address in the content field, the domain name in the name field, the record type in the type field, the comment in the comment field, and other optional parameters like the ttl. Note that the domain name at.put.cy is hardcoded in the script, and should be replaced with the actual domain name to be updated.

Cloudflare certificate on tomcat windows server

 in Windows  tagged cloudflare / keystore / keytool / server / tomcat / windows by

Use Keytool to Create a New Keystore at your Windows Server

Step 1

At your server, generate the Keystore file using keytool command at your command line window with the following command:

keytool -genkey -alias tomcat -keyalg RSA -keystore your_site_name.keystore -validity 3650

In the command above, your_site_name should be the name of the domain you want to secure with this SSL/TLS certificate.
When prompted for the first and last name, type the Fully Qualified Domain Name (FQDN) for the site you are securing with this certificate (e.g., www.yourdomain.com, mail.yourdomain.com).

Step 2

Generate a Certificate Signing Request (CSR) from your New Keystore using the keytool command:

keytool -certreq -alias tomcat -file certreq.csr -keystore your_site_name.keystore -keysize 2048

When prompted, enter the password you created earlier (when you created your new Keystore).
In your current directory, certreq.csr now contains your CSR.

Create the certificate from Cloudflare using the certificate request that you created from your Windows Server

Step 3

Open your Cloudflare account, select your domain, open the SSL/TLS tab and click on Origin Server to create the certificate

Step 4

Select the option I have my own private key and CSR where you will Copy-Paste the certificate you saved on the txt file from your Windows Server (certreq.csr), fill in the hostnames, select the expiration years, and press Create

Step 5

Copy-Paste in PKCS#7 key format the certificate in a text file and save the file

Import Cloudflare Origin CA root certificate at your Windows server

Step 6

Copy the Cloudflare Origin CA — RSA Root certificate from the Cloudflare website, save to a file and transfer it to your Windows Server.
[https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/#4-required-for-some-add-cloudflare-origin-ca-root-certificates]
Filename: origin_ca_rsa_root.pem

Step 7

Import the root certificate into your Keystore file.

keytool -import -alias root -keystore your_site_name.keystore -trustcacerts -file origin_ca_rsa_root.pem

Add the public certificate from Cloudflare to your Windows Server

Step 8

Copy the file with the PKCS#7 certificate from Cloudflare at your Windows Server

Step 9

Run the following command to import the public certificate at your Keystore

keytool -import -alias tomcat -keystore your_site_name.keystore -file your_site_name.p7b

You should get a confirmation that the “Certificate reply was installed in Keystore.”

Use the newly created server origin certificate from Cloudflare for your website.

Step 10

Find your Tomcat server configuration (server.xml file), make the following changes at your Connector, and save the file.

<Connector executor="tomcatThreadPool" port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files\SysAidServer\ keystore your_site_name.keystore" keystorePass="XXXXXXXXXXXXXX" />

Step 11

Restart the Tomcat service

Cloudflare: Error 522 – Connection timed out 2

 in Other  tagged 522 / cloudflare / error / timed out by

Recently, we’ve been noticing weird behavior on sites that are proxied behind Cloudflare servers. While visiting a site from one internet connection, we are constantly getting a 522 error. If at that moment, we switch our internet connection on that machine and visit the same page, it works as expected.

We are sure that the servers we have access to did not run out of resources, nor does the firewall block Cloudflare IPs. All firewalls are properly configured to accept connections from the official Cloudflare IPs that were retrieved from here.

We will investigate it further, hopefully we will figure it out.

Cloudflare Origin Server Certificate for IIS 10 Server on Windows Server 2016 to allow Full (strict) mode SSL/TLS encryption mode 8

 in Applications  tagged certificate / cloudflare / iis / IIS 10 / Origin Server / server by

Create a Certificate Request from your Windows Server

  1. Open Internet Information Services (IIS) Manager from the Windows Server 2016 through Control Panel -> Administrative Tools
  2. Select your server from the Connections and open Server Certificates
  1. From the Server Certificates Actions select Create Certificate Request
  1. Fill in the following form with your details: 
Common name: [your domain]
Organization: [your organization name]
etc.
  1. Set the settings for the Cryptographic service provider of the certificate, the bigger the length of the certificate the better the security but it makes the server slower.
  1. Specify the filename of the txt file where you will save the certificate request

Create the certificate from Cloudflare using your own certificate request that you created from your Windows Server

  1. Open your Cloudflare account, select your domain, open SSL/TLS tab and click on Origin Server in order to create the certificate
  1. Select the option ‘I have my own private key and CSR’ where you will Copy-Paste the certificate you saved on the txt file from your Windows Server, fill in the hostnames, select the expiration years and press Next
  1. Copy-Paste in PEM key format the certificate in a text file and save the file

Add the public certificate from Cloudflare at your Windows Server

  1. Copy the file with the PEM certificate from Cloudflare at your Windows Server
  2. Select ‘Complete Certificate Request’ from the IIS Manager Server Certificates Actions
  1. Select the PEM certificate you copied at the server and add a friendly name (e.g. the domain it covers and the expiration date of it):
  1. The certificate will appear at the list of the Server Certificates with the Friendly name you added at the form before

Import Cloudflare Origin CA root certificate at your Windows server

  1. Copy the Cloudflare Origin CA — RSA Root certificate from Cloudflare website, save to a file and transfer it to your Windows Server
  2. Open the Certificates Microsoft Management Console (MMC) snap-in by typing mmc.exe at the command prompt (or at the run dialog that you can open by pressing the buttons Win+R)
  3. On the File menu, select Add/Remove Snap-in
  1. In the Add or Remove Snap-ins dialog box, select Certificates snap-in in the Available snap-ins list, click Add, and then select OK
  1. In the Certificates snap-in dialog-box, select Computer account, and then select Next
  1. In the Select computer dialog box, click on Finish
  1. In the Add or Remove Snap-ins dialog box, select OK
  1. In the Certificates MMC snap-in, expand Certificates, right-click Intermediate Certification Authorities, point to All Tasks, and then select Import
  1. In the Certificate Import Wizard, select Next
  1. In the File to Import page, select the file with the Cloudflare origin CA root certificate you saved before, and then select Next
  1. Select Next at the Certificate Import Wizard
  1. Select Finish at the Certificate Import Wizard
  1. The certificate will appear at the Certificates list

Use the newly created server origin certificate from Cloudflare for your website

  1. Select Bindings from the IIS Manager Web Site Actions
  1. Select the https binding and click Edit. If you do not have an https binding, press Add... to create one like in the second screen down
  1. At the SSL certificate dropdown list Select the new certificate and press OK

Force your website domain to pass through Cloudflare

  1. Open your Cloudflare account, select your domain, go to DNS option and change the Proxy status for your website from DNS only to Proxied by click it
  1. Enable Cloudflare full (strict) SSL TLS encryption mode in the SSL/TLS tab