# Cloudflare Configuration Guide

## Date: 2025-01-22

## 📊 Current Status

### ✅ DNS Configuration

**Domain**: `cross-all.defi-oracle.io`

**DNS Resolution**:

```
cross-all.defi-oracle.io → 172.67.209.228
cross-all.defi-oracle.io → 104.21.91.43
```

**Status**: ✅ Configured and resolving (Cloudflare IPs)

---

## ⚠️ Cloudflare 522 Error

### Current Situation

- **HTTP Status**: 522 (Connection Timeout)
- **HTTPS Status**: 522 (Connection Timeout)
- **SSL Certificate**: ✅ Valid (Cloudflare-issued)
- **DNS**: ✅ Resolving correctly

**522 Error Meaning**: Cloudflare cannot connect to the origin server.

---

## 🔧 Cloudflare Configuration Required

### Step 1: Access Cloudflare Dashboard

1. Log into the Cloudflare dashboard: https://dash.cloudflare.com
2. Select the domain: `defi-oracle.io`
3. Navigate to the **DNS** section

### Step 2: Configure DNS A Record

**Current Configuration** (verify):

- **Type**: A
- **Name**: `cross-all`
- **Content**: [Origin Server IP] ← **This must be the NPMplus public IP**
- **Proxy Status**: ✅ Proxied (Orange Cloud) ← **Should be enabled**
- **TTL**: Auto (or 300)

**Required Configuration**:

1. **Origin Server IP**: Must be the public IP address of your NPMplus server
   - This is the IP that Cloudflare will connect to
   - Should be the public IP of the server hosting NPMplus (192.168.11.11's public IP)
2. **Proxy Status**:
   - ✅ **Enabled** (Orange Cloud) - Routes through Cloudflare; because the record is proxied, public DNS returns Cloudflare's addresses while the record content stays the origin IP
   - ⚠️ **Disabled** (Grey Cloud) - Direct DNS only
3. **Verify**:
   - The A record content should point to your NPMplus server's public IP
   - Not the private IP (192.168.11.166)
   - Not localhost

### Step 3: Verify Origin Server Accessibility

**Check if the origin server is accessible**:

```bash
# Test from an external network (if possible)
curl -I http://[NPMPLUS_PUBLIC_IP]/

# Test with the Host header
curl -I -H "Host: cross-all.defi-oracle.io" http://[NPMPLUS_PUBLIC_IP]/
```

**Requirements**:

- Origin server must be accessible from the internet
- Port 80 (HTTP) and 443 (HTTPS) must be open
- Firewall must allow Cloudflare IP ranges

### Step 4: Cloudflare SSL/TLS Settings

1. Navigate to the **SSL/TLS** section in Cloudflare
2. **SSL/TLS encryption mode**: Should be **"Full"** or **"Full (strict)"**
   - **Full**: Encrypts the connection between Cloudflare and the origin
   - **Full (strict)**: Same as Full, but validates the origin certificate
3. **Always Use HTTPS**: Enable (optional but recommended)

### Step 5: Verify Origin Server Configuration

**NPMplus Server**:

- Must be accessible from the internet on ports 80/443
- Must accept connections from Cloudflare IP ranges
- Must have proper firewall rules

**Backend Server**:

- Running and accessible: ✅ `http://192.168.11.211/` (HTTP 200)
- NPMplus proxy configured: ✅ Active

---

## 🔍 Troubleshooting

### Issue: 522 Connection Timeout

**Possible Causes**:

1. Origin server IP incorrect in Cloudflare DNS
2. Origin server not accessible from the internet
3. Firewall blocking Cloudflare IPs
4. Port 80/443 not open on the origin server
5. NPMplus not listening on the public IP

**Solutions**:

1. **Verify Origin IP in Cloudflare**:
   - Check the DNS A record content
   - Must be the public IP of the NPMplus server
   - Not a private IP (192.168.11.x)
2. **Check Firewall Rules**:
   ```bash
   # On the NPMplus server
   # Allow Cloudflare IP ranges (see Cloudflare documentation)
   # Allow port 80 and 443 from anywhere (or Cloudflare IPs)
   ```
3. **Verify NPMplus Accessibility**:
   ```bash
   # Test if NPMplus is accessible externally
   # (from an external network or a Cloudflare test tool)
   curl -I http://[NPMPLUS_PUBLIC_IP]:80/
   ```
4. **Check NPMplus Configuration**:
   - Verify NPMplus is listening on the public interface
   - Check the NPMplus nginx configuration
   - Verify the proxy host is active

### Issue: SSL Certificate Errors

**Cloudflare SSL**:

- Cloudflare provides SSL automatically when the proxy is enabled
- The SSL certificate is Cloudflare-issued (this is normal)
- No action needed for Cloudflare SSL

**Origin SSL** (if using Full strict):

- NPMplus must have a valid SSL certificate
- The certificate must match the domain name
- Can be self-signed for Full strict (Cloudflare accepts it)

---

## 📋 Cloudflare IP Ranges

If you need to whitelist Cloudflare IPs in the firewall:

**IPv4**: https://www.cloudflare.com/ips-v4

**IPv6**: https://www.cloudflare.com/ips-v6

**Common IPv4 Ranges**:

```
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/13
104.24.0.0/14
172.64.0.0/13
131.0.72.0/22
```

---

## ✅ Verification Steps

### 1. Check DNS Configuration

```bash
dig cross-all.defi-oracle.io +short
# Should return the Cloudflare IPs: 172.67.209.228, 104.21.91.43
```

### 2. Check Origin Server

```bash
# Verify NPMplus is accessible (from the internal network)
curl -I -H "Host: cross-all.defi-oracle.io" http://192.168.11.166/

# Verify the backend is accessible
curl -I http://192.168.11.211/
```

### 3. Check Cloudflare Status

- Access the Cloudflare dashboard
- Check DNS records
- Verify proxy status (orange cloud)
- Check SSL/TLS settings
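The script below is an added example, not part of this guide or of NPMplus, that ties the DNS check and the firewall requirement together: it tests whether addresses (such as the ones `dig +short` returns) fall inside the Cloudflare IPv4 ranges listed above, and generates ufw rules so the origin accepts ports 80/443 only from Cloudflare, which prevents the origin from being reached directly around Cloudflare. It assumes ufw is the firewall on the NPMplus host; the embedded range list is the snapshot quoted in this guide and should be refreshed from https://www.cloudflare.com/ips-v4.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide or of NPMplus/Cloudflare.
# Checks that addresses (e.g. dig +short output) belong to Cloudflare's
# published IPv4 ranges and generates ufw rules so the origin accepts
# 80/443 only from Cloudflare. Assumes ufw is the origin's firewall.
set -eu

# The IPv4 ranges quoted in this guide; refresh from https://www.cloudflare.com/ips-v4
CF_IPV4_RANGES="173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22
141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20
197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13
104.24.0.0/14 172.64.0.0/13 131.0.72.0/22"

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS -> exit 0 when ADDR lies inside the prefix
in_cidr() {
  local net=${2%/*} bits=${2#*/} mask
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# is_cloudflare_ip ADDR -> exit 0 when ADDR is in any Cloudflare range
is_cloudflare_ip() {
  local cidr
  for cidr in $CF_IPV4_RANGES; do in_cidr "$1" "$cidr" && return 0; done
  return 1
}

# all_cloudflare "IP IP ..." -> exit 0 only if every address is Cloudflare's,
# e.g. all_cloudflare "$(dig +short cross-all.defi-oracle.io)"
all_cloudflare() {
  local ip
  for ip in $1; do is_cloudflare_ip "$ip" || return 1; done
}

# cloudflare_ufw_rules -> ufw commands allowing 80/443 only from Cloudflare;
# pair with "ufw default deny incoming" so direct-to-origin traffic is dropped
cloudflare_ufw_rules() {
  local cidr
  for cidr in $CF_IPV4_RANGES; do
    echo "ufw allow proto tcp from $cidr to any port 80,443 comment 'Cloudflare edge'"
  done
}
```

Run `cloudflare_ufw_rules` and review the output before piping it to a root shell; with the origin locked down this way, the curl tests from a non-Cloudflare host are expected to time out, which is the desired behaviour rather than a 522 symptom.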
### 4. Test Domain Access

```bash
# Test HTTP
curl -I http://cross-all.defi-oracle.io/

# Test HTTPS
curl -I https://cross-all.defi-oracle.io/
# Should return HTTP 200 (not 522)
```

---

## 📊 Current Configuration Summary

### ✅ Complete

- ✅ DNS configured in Cloudflare
- ✅ SSL certificate active (Cloudflare-issued)
- ✅ NPMplus proxy configured
- ✅ Backend server deployed and running
- ✅ All local services operational

### ⚠️ Needs Configuration

- ⚠️ Cloudflare origin server IP
- ⚠️ Origin server accessibility from the internet
- ⚠️ Firewall rules for Cloudflare IPs
- ⚠️ SSL/TLS mode in Cloudflare

---

## 🎯 Next Steps

1. **Configure Cloudflare Origin**:
   - Set the A record to the NPMplus public IP
   - Verify proxy status (orange cloud)
2. **Verify Accessibility**:
   - Test the origin server from an external network
   - Check firewall rules
3. **Configure SSL/TLS**:
   - Set SSL/TLS mode to "Full" or "Full (strict)"
   - Enable "Always Use HTTPS"
4. **Test Access**:
   - Test domain access: `https://cross-all.defi-oracle.io/`
   - Verify HTTP 200 (not 522)

---

**Last Updated**: 2025-01-22

**Status**: DNS Configured, Cloudflare Origin Configuration Needed