Cloudflare API

--- name: cloudflare-api description: Use when managing Cloudflare resources via API - DNS records, zones, page rules, security settings, analytics, and Workers. Essential for infrastructure automation and bulk operations. category: infrastructure metadata: author: skynet version: 1.0.0 --- # Cloudflare API ## Authentication Setup ```bash # Set environment variables export CF_API_TOKEN="your_api_token_here" export CF_API_EMAIL="your@email.com" export CF_API_KEY="your_global_api_key" # Legacy method # Test authentication curl -X GET "https://api.cloudflare.com/client/v4/user/tokens/verify" \ -H "Authorization: Bearer $CF_API_TOKEN" \ -H "Content-Type: application/json" ``` ## Zone Management ### List and Find Zones ```bash # List all zones curl -X GET "https://api.cloudflare.com/client/v4/zones" \ -H "Authorization: Bearer $CF_API_TOKEN" \ -H "Content-Type: application/json" # Get specific zone by name curl -X GET "https://api.cloudflare.com/client/v4/zones?name=example.com" \ -H "Authorization: Bearer $CF_API_TOKEN" \ -H "Content-Type: application/json" # Store zone ID for reuse ZONE_ID=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=example.com" \ -H "Authorization: Bearer $CF_API_TOKEN" \ -H "Content-Type: application/json" | jq -r '.result[0].id') ``` ### Zone Settings ```bash # Get SSL settings curl -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/settings/ssl" \ -H "Authorization: Bearer $CF_API_TOKEN" \ -H "Content-Type: application/json" # Enable Always Use HTTPS curl -X PATCH "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/settings/always_use_https" \ -H "Authorization: Bearer $CF_API_TOKEN" \ -H "Content-Type: application/json" \ -d '{"value":"on"}' # Set security level curl -X PATCH "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/settings/security_level" \ -H "Authorization: Bearer $CF_API_TOKEN" \ -H "Content-Type: application/json" \ -d '{"value":"medium"}' ``` ## DNS Record Management ### CRUD Operations ```bash # List DNS records curl -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \ -H "Authorization: Bearer $CF_API_TOKEN" \ -H "Content-Type: application/json" # Create A record curl -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \ -H "Authorization: Bearer $CF_API_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "type": "A", "name": "subdomain", "content": "192.168.1.1", "ttl": 3600, "proxied": true }' # Update DNS record DNS_RECORD_ID="record_id_here" curl -X PATCH "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$DNS_RECORD_ID" \ -H "Authorization: Bearer $CF_API_TOKEN" \ -H "Content-Type: application/json" \ -d '{"content": "192.168.1.2"}' # Delete DNS record curl -X DELETE "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$DNS_RECORD_ID" \ -H "Authorization: Bearer $CF_API_TOKEN" \ -H "Content-Type: application/json" ``` ### Bulk DNS Operations ```bash # Find and update multiple records curl -s -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records?type=A" \ -H "Authorization: Bearer $CF_API_TOKEN" \ -H "Content-Type: application/json" | \ jq -r '.result[] | select(.name | contains("api")) | .id' | \ while read record_id; do curl -X PATCH "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$record_id" \ -H "Authorization: Bearer $CF_API_TOKEN" \ -H "Content-Type: application/json" \ -d '{"proxied": false}' done ``` ## Page Rules and Workers ### Page Rules ```bash # List page rules curl -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/pagerules" \ -H "Authorization: Bearer $CF_API_TOKEN" \ -H "Content-Type: application/json" # Create cache everything rule curl -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/pagerules" \ -H "Authorization: Bearer $CF_API_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "targets": [{"target": "url", "constraint": {"operator": "matches", "value": "*.example.com/api/*"}}], "actions": [{"id": "cache_level", "value": "cache_everything"}], "priority": 1, "status": "active" }' ``` ### Workers ```bash # List Workers scripts curl -X GET "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/workers/scripts" \ -H "Authorization: Bearer $CF_API_TOKEN" \ -H "Content-Type: application/json" # Deploy Worker script curl -X PUT "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/workers/scripts/my-worker" \ -H "Authorization: Bearer $CF_API_TOKEN" \ -H "Content-Type: application/javascript" \ --data-binary "@worker.js" ``` ## Security and Firewall ### Firewall Rules ```bash # List firewall rules curl -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/firewall/rules" \ -H "Authorization: Bearer $CF_API_TOKEN" \ -H "Content-Type: application/json" # Block IP range curl -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/firewall/rules" \ -H "Authorization: Bearer $CF_API_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "filter": {"expression": "ip.src in {192.168.1.0/24}"}, "action": "block", "description": "Block internal network" }' # Rate limiting rule curl -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rate_limits" \ -H "Authorization: Bearer $CF_API_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "threshold": 10, "period": 60, "action": {"mode": "ban", "timeout": 86400}, "match": {"request": {"url": "*.example.com/api/*"}} }' ``` ## Analytics and Monitoring ```bash # Get zone analytics curl -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/analytics/dashboard?since=-1440&until=now" \ -H "Authorization: Bearer $CF_API_TOKEN" \ -H "Content-Type: application/json" # Security events curl -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/security/events" \ -H "Authorization: Bearer $CF_API_TOKEN" \ -H "Content-Type: application/json" # Cache statistics curl -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/analytics/colos" \ -H "Authorization: Bearer $CF_API_TOKEN" \ -H "Content-Type: application/json" ``` ## Decision Tree: DNS Record Management ``` DNS Record Task? ├── Create new record │ ├── A/AAAA → Use type: "A"/"AAAA", set proxied: true/false │ ├── CNAME → Use type: "CNAME", target must be FQDN │ └── MX → Use type: "MX", include priority field ├── Bulk operations │ ├── Many similar records → Use loop with API calls │ └── Import from file → Use Cloudflare CLI or script with JSON ├── Update existing │ ├── Change IP → PATCH with new content │ ├── Toggle proxy → PATCH with proxied: true/false │ └── Change TTL → PATCH with ttl value └── Troubleshoot ├── Record not resolving → Check proxied status and DNS propagation └── API errors → Verify zone ID and record ID exist ``` ## Troubleshooting ### Common Errors and Solutions **Error 10000: "Authentication error"** ```bash # Check token validity curl -X GET "https://api.cloudflare.com/client/v4/user/tokens/verify" \ -H "Authorization: Bearer $CF_API_TOKEN" # If invalid, regenerate token with proper permissions ``` **Error 81044: "DNS record already exists"** ```bash # Find existing record first curl -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records?name=subdomain.example.com" \ -H "Authorization: Bearer $CF_API_TOKEN" # Then update instead of create ``` **Error 1004: "DNS points to prohibited IP"** ```bash # Check if IP is in prohibited range (private IPs when proxied) # Solution: Set proxied to false for private IPs curl -X PATCH "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$DNS_RECORD_ID" \ -H "Authorization: Bearer $CF_API_TOKEN" \ -d '{"proxied": false}' ``` **Rate Limiting (Error 1015)** ```bash # Implement backoff strategy sleep_time=1 for attempt in {1..3}; do response=$(curl -w "%{http_code}" -s -o response.json -X GET "..." \ -H "Authorization: Bearer $CF_API_TOKEN") if [[ $response == "200" ]]; then break elif [[ $response == "429" ]]; then sleep $((sleep_time * 2)) sleep_time=$((sleep_time * 2)) fi done ``` ### Debugging Tips ```bash # Enable verbose curl output curl -v -X GET "https://api.cloudflare.com/client/v4/zones" \ -H "Authorization: Bearer $CF_API_TOKEN" # Parse JSON responses with jq curl -s "..." | jq '.errors[] | {code, message}' # Check API response success curl -s "..." | jq -r '.success' ``` ## Best Practices - Use API tokens instead of Global API Key - Implement proper error handling and retries - Cache zone IDs to reduce API calls - Use pagination for large datasets (`?page=1&per_page=50`) - Monitor rate limits and implement exponential backoff - Always verify changes with GET requests after POST/PATCH operations