Guide Networking

A Cloudflare DDNS script that uses an API Token instead of your Global API Key

I have been using this simple bash script for a while for my DDNS needs. It is simple enough for quick deployment, and gets the job done. That is until Caddy2’s Cloudflare DNS provider moves away from Global API Key to API Token for the API access. This prompted me to rethink the security implications of using that script.

The Global API Key basically allows for *ALL* access to your entire Cloudflare account, which includes making changes to other domains under your account as well as your account settings. And this key is stored as plain-text within the script, to be placed on a server which you don’t have physical access — sounds a lot like the perfect recipe for a security nightmare. An API Token, on the other hand, is created with specific permissions. You can, for instance, create a Token that only has the permission to make changes to a specific domain, without the ability to add or delete anything.


Get Caddy 2.0 now with Cloudflare DNS Provider module for automatic TLS

Caddy 2.0 has finally entered GA since about a day ago, after three Release Candidates which I didn’t use. So now is high time to upgrade all our production servers to the latest and greatest version, because those 1.0.4 installation works really well and life is too boring when everything just works, we need to spice things up a little.

For Debian/Ubuntu distros, Caddy 2 now has an official repository at which you can add to APT sources and then install it via apt install caddy. However, unlike the slick curl method in Caddy 1.x, it is no longer possible to include modules on-the-fly upon installation. If you need the popular Cloudflare DNS TLS Provider module to be included in Caddy 2, the only option at this point is to build it from source.


Allow only Cloudflare CDN servers to your web servers

We love to use Cloudflare CDN because it improves latency and uptime, and the price is just right (free) for the starter pack.

Normally, a web server’s ports 80 and 443 would be opened to the public internet, with access restricted by selected IP ranges by either ASN or country, depending on what the administrator has configured. But if you are using Cloudflare’s CDN service, you can permit TCP 80/443 access only to their servers, and block all other incoming requests. You can then fine-tune access control using Cloudflare’s web application firewall. It would greatly reduce your web server’s attack surface.