Cloudflare settings summary (dynamic IP, SSL/TLS, Email Routing, etc.)
This article is a translation of my original article:
Original: Cloudflare設定まとめ(動的IP、SSL/TLS、Email Routingなど)
* Translated automatically by Google.
* Please note that some links or referenced content in this article may be in Japanese.
* Comments in the code are basically in Japanese.
by bokumin
Cloudflare setting memo (Dynamic DNS, SSL/TLS, Email Routing)
Introduction
I rented a domain for my home server from Cloudflare. This is a personal note to refer back to when I change the settings in the future.
Add record
In addition to the registered domain, I also use subdomains, so the necessary records have to be set up. There is no need to create an MX record, because it is entered automatically when Email Routing is configured. Here I add an A record and a TXT record.
Turn on the proxy for your A record so that traffic flows through Cloudflare. Enable it if you want to hide your real IP or take advantage of other features such as caching.
Turning on the proxy requires some additional configuration, for example on the web server. Please refer to the article below.
Configuring a dynamic IP address
On a typical home internet line the public IP address can change, so you need to push your current IP to Cloudflare periodically to keep the records up to date.
First, get the Zone ID from the domain’s overview page. Next, select “Create API Token” and create a new token with the “Edit zone DNS” permission. API tokens can be created from the URL below.
https://dash.cloudflare.com/profile/api-tokens
I automated the dynamic IP update with the shell script below. For test.bokumin.org, PROXIED is set to false so that SSH connections reach the real IP. If you have already set the proxy status in the Cloudflare dashboard you can omit the proxied field, but the script sets it explicitly.
#!/bin/bash
# API token with the "Edit zone DNS" permission and the Zone ID from the domain overview page
API_TOKEN="xxxxxxxxxxxx"
ZONE_ID="xxxxxxxxxxx"
# A records that should always point at this machine's public IP
RECORDS=("bokumin.org" "www.bokumin.org" "test.bokumin.org")
# Current public IP as seen from the outside
CURRENT_IP=$(curl -s https://ifconfig.me)

for RECORD_NAME in "${RECORDS[@]}"; do
    # Look up the id of the existing A record for this name
    RECORD_ID=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records?type=A&name=${RECORD_NAME}" \
        -H "Authorization: Bearer ${API_TOKEN}" \
        -H "Content-Type: application/json" | grep -Po '"id":"\K[^"]*' | head -1)
    # Without an id the PUT below would hit a wrong URL, so skip this name
    if [ -z "${RECORD_ID}" ]; then
        echo "$(date): No A record found for ${RECORD_NAME}, skipping" >&2
        continue
    fi
    # test.bokumin.org stays unproxied so that SSH reaches the real IP
    if [ "${RECORD_NAME}" = "test.bokumin.org" ]; then
        PROXIED="false"
    else
        PROXIED="true"
    fi
    # Overwrite the record with the current IP and the chosen proxy status
    curl -s -X PUT "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records/${RECORD_ID}" \
        -H "Authorization: Bearer ${API_TOKEN}" \
        -H "Content-Type: application/json" \
        --data "{\"type\":\"A\",\"name\":\"${RECORD_NAME}\",\"content\":\"${CURRENT_IP}\",\"proxied\":${PROXIED}}"
    echo "$(date): Updated ${RECORD_NAME} to ${CURRENT_IP} (proxied: ${PROXIED})"
done
The execution result is as follows. If "errors" is empty and "success" is true, it is working normally.
$ ./sendip.sh
{"result":{"id":"xxxxxx","name":"bokumin.org","type":"A","content":"xxx.xxx.xxx.xxx","proxiable":true,"proxied":true,"ttl":1,"settings":{},"meta":{},"comment":null,"tags":[],"created_on":"2025-10-01T08:20:56.23225Z","modified_on":"2025-11-06T11:22:24.028148Z"},"success":true,"errors":[],"messages":[]}Mon Nov 10 09:16:37 AM JST 2025: Updated bokumin.org to 58.183.112.156 (proxied: true)
{"result":{"id":"xxxxxx","name":"www.bokumin.org","type":"A","content":"xxx.xxx.xxx.xxx","proxiable":true,"proxied":true,"ttl":1,"settings":{},"meta":{},"comment":null,"tags":[],"created_on":"2025-10-02T06:49:10.738964Z","modified_on":"2025-11-06T11:22:24.981124Z"},"success":true,"errors":[],"messages":[]}Mon Nov 10 09:16:38 AM JST 2025: Updated www.bokumin.org to 58.183.112.156 (proxied: true)
{"result":{"id":"xxxxxx","name":"test.bokumin.org","type":"A","content":"xxx.xxx.xxx.xxx","proxiable":true,"proxied":false,"ttl":1,"settings":{},"meta":{},"comment":null,"tags":[],"created_on":"2025-11-05T04:40:59.450762Z","modified_on":"2025-11-06T11:22:25.882437Z"},"success":true,"errors":[],"messages":[]}Mon Nov 10 09:16:39 AM JST 2025: Updated server.bokumin.org to 58.183.112.156 (proxied: false)
Check with the dig command: if the domain whose proxy you turned off resolves to your home IP address, it is working. Once everything looks fine, run the script above periodically using cron or similar.
$ dig bokumin.org
; <<>> DiG 9.20.13 <<>> bokumin.org
...
;; ANSWER SECTION:
bokumin.org. 300 IN A 104.21.54.69
bokumin.org. 300 IN A 172.67.136.60
$ dig test.bokumin.org
; <<>> DiG 9.20.13 <<>> server.bokumin.org
...
;; ANSWER SECTION:
server.bokumin.org. 300 IN A xxx.xxx.xxx.xxx   <- success if this is your home IP
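The script above trusts whatever ifconfig.me returns and never checks the API reply. The helpers below, an added example and not the original post's script, validate the IP before publishing it, skip the PUT when nothing changed, treat the update as done only on "success":true, and check that a proxied name does not resolve to the home IP. The API URLs follow the post; the SAMPLE_* JSON is constructed to resemble the API responses, and ZONE_ID/API_TOKEN are assumed to be set in the environment.

```shell
#!/bin/bash
# Added example (not the original post's script). Constructed sample responses:
SAMPLE_LIST='{"result":[{"id":"abc123","name":"bokumin.org","type":"A","content":"203.0.113.7","proxied":true}],"success":true,"errors":[],"messages":[]}'
SAMPLE_ERROR='{"result":null,"success":false,"errors":[{"code":10000,"message":"Authentication error"}],"messages":[]}'

# 1) Accept only a dotted-quad IPv4 address. If ifconfig.me returns an error
#    page or nothing, that value must never be written into an A record.
valid_ipv4() {
  printf '%s' "$1" | grep -Eq \
    '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# 2) Pull a string field (first match) out of an API response.
#    grep -o and cut are portable, unlike the grep -P used in the post.
json_field() {  # usage: json_field '<json>' <key>
  printf '%s' "$1" | grep -o "\"$2\":\"[^\"]*\"" | head -1 | cut -d'"' -f4
}

# 3) The update counts as done only when Cloudflare reports "success":true.
api_succeeded() {
  printf '%s' "$1" | grep -q '"success":true'
}

# 4) A proxied record must never resolve to the home IP; if it does, the
#    proxy is not hiding the origin. Args: "<space-separated dig answers>" <home ip>
origin_exposed() {
  case " $1 " in *" $2 "*) return 0 ;; esac
  return 1
}

# 5) Update one record only when the stored value differs from the new IP.
update_record() {  # usage: update_record <name> <true|false> <new ip>
  local name="$1" proxied="$2" ip="$3" listing id current resp
  valid_ipv4 "$ip" || { echo "refusing to publish non-IPv4 value: '$ip'" >&2; return 1; }
  listing=$(curl -sf "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records?type=A&name=${name}" \
    -H "Authorization: Bearer ${API_TOKEN}") || return 1
  id=$(json_field "$listing" id); current=$(json_field "$listing" content)
  [ -n "$id" ] || { echo "no A record for ${name}" >&2; return 1; }
  [ "$current" = "$ip" ] && { echo "${name}: unchanged (${ip})"; return 0; }
  resp=$(curl -s -X PUT "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records/${id}" \
    -H "Authorization: Bearer ${API_TOKEN}" -H "Content-Type: application/json" \
    --data "{\"type\":\"A\",\"name\":\"${name}\",\"content\":\"${ip}\",\"proxied\":${proxied}}")
  api_succeeded "$resp" || { echo "update failed for ${name}: ${resp}" >&2; return 1; }
  echo "$(date): ${name} ${current} -> ${ip} (proxied: ${proxied})"
}
```

Calling update_record for each name in the post's RECORDS array replaces the loop body of the original script; origin_exposed can be fed the output of dig +short for each proxied name.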
SSL/TLS settings
This is about SSL/TLS encryption settings.
- Full (strict) → When the local server has a certificate issued by a trusted CA
- Full → When using a self-signed certificate or an expired certificate
- Flexible → When you do not have a certificate on the server
- Off → When you want to use your own server’s certificate as is or do not need Cloudflare’s certificate
This time, since a Let’s Encrypt certificate is installed on the server, I selected Full (strict). In some situations Full may be more appropriate, for example if you obtain certificates manually.
This setting changes the certificate information shown in the browser, because Cloudflare terminates TLS in the middle and presents its own certificate. If you do not have a certificate, select Flexible to allow HTTPS connections without providing one on the server.
After changing the setting, check that the local server’s certificate is still being used correctly. You can do this in a browser, but this time I used the openssl command.
$ openssl s_client -connect bokumin.org:443 -servername bokumin.org < /dev/null 2>/dev/null | openssl x509 -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4e:9b:b3:1d:f8:0a:4d:1d:13:96:77:b3:e0:5e:31:ed
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, O=Google Trust Services, CN=WE1
Validity
Not Before: Oct 1 07:25:54 2025 GMT
Not After : Dec 30 08:14:42 2025 GMT
Subject: CN=bokumin.org
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:ad:1b:74:d6:c8:c9:06:46:97:62:8c:11:35:9c:
d3:b8:65:0a:bc:e7:54:c0:8a:3d:77:53:aa:95:1b:
8b:41:f9:92:bd:10:60:8f:d1:01:a9:8b:1a:d5:02:
a0:a7:a2:6f:eb:66:b0:5b:ec:21:0f:bb:46:4a:95:
73:32:b1:38:77
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
BE:01:FE:A5:8C:95:9A:39:11:BB:CE:F6:F2:4B:CE:1B:B9:03:93:FD
X509v3 Authority Key Identifier:
90:77:92:35:67:C4:FF:A8:CC:A9:E6:7B:D9:80:79:7B:CC:93:F9:38
Authority Information Access:
OCSP - URI:http://o.pki.goog/s/we1/Tps
CA Issuers - URI:http://i.pki.goog/we1.crt
X509v3 Subject Alternative Name:
DNS:bokumin.org, DNS:*.bokumin.org
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
X509v3 CRL Distribution Points:
Full Name:
URI:http://c.pki.goog/we1/BH5itOT96Ec.crl
(remainder omitted)
Email settings (sending/receiving)
Email Routing is available for free with Cloudflare.
Reception settings
- Email Routing → Routing rules → Create address
- Set forwarding email address
Gmail sending settings
This is the procedure for sending mail from Gmail using an address on your own domain.
Create an app password
Create an app password at https://myaccount.google.com/apppasswords. Make a note of the app password you create, because it is only displayed once.
Once created, proceed as follows in Gmail.
Settings in Gmail
1. Gmail → Settings → See all settings → Accounts and Import → Add another email address
2. Enter the email address to add (e.g. [email protected])
Set “Treat as an alias” according to your preference
3. Enter the SMTP server information
- Username: Your Gmail address
- Password: The app password you created
- SMTP server: smtp.gmail.com
- Port: 587
You will receive a verification email; click the link in it to complete verification.
Other
Page rule settings
Cloudflare’s page rules allow you to configure different behavior for specific URL patterns.
Configuration examples
- Stronger caching for static files
- URL: *bokumin.org/static/*
- Settings: Cache Level “Cache Everything”, Edge Cache TTL “1 month”
- Disable caching for the admin screen
- URL: *bokumin.org/admin/*
- Settings: Cache Level “Bypass”
- API endpoints
- URL: *bokumin.org/api/*
- Settings: Cache Level “Bypass”, Security Level “High”
With the free plan, you can create up to 3 page rules. I recommend ordering them from highest to lowest priority.
Cache settings
Basic settings
You can set the following items from SSL/TLS → Overview → Cache Settings.
- Cache Level → Standard
- Browser Cache TTL → If you want to stay in sync with .htaccess or similar, it is better to choose “Respect Existing Headers”
- Always Online → If enabled, cached content is served even when the origin server is down
Notes during development
During development, you can temporarily turn off caching for 3 hours by enabling “Development Mode”. This lets you see your changes immediately.
It can be enabled from Cache → Configuration → Development Mode.
Purge cache
When you update content, you can make the new content visible immediately by purging the cache. You can do this from Cache → Configuration → Purge Cache.
The above is a summary of the various settings in Cloudflare. I am very grateful that convenient features such as email forwarding are available for free for just the domain fee.
There are many DNS providers, and each has its own configuration methods and management screens. Since it is not realistic to memorize them all (and I have no intention of doing so), I kept this record on my blog. I hope it is helpful to someone.
End