Cloudflare
Provides integration with CloudFlare CDN using the CloudFlare API for cache clearing and client IP restoration.
cloudflare
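Overview
The CloudFlare module provides comprehensive integration with the CloudFlare CDN service using the CloudFlare API. It lets a Drupal site communicate with CloudFlare to manage caching and identify clients correctly.
Key features include cache clearing by path (recommended for the Free and Professional tiers), cache clearing by tag (Enterprise tier only), and restoration of the original client IP address, which is masked when CloudFlare acts as a reverse proxy. The module uses a wizard-based configuration approach that makes it easy to set up API credentials and select zones.
The module includes the CloudFlare Purger submodule, which works with Drupal's Purge module to provide automatic cache invalidation through CloudFlare's API. It supports tag-based, URL-based, and full cache purges, and has built-in rate-limit protection and diagnostic checks.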
Features
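- Cache clearing by URL path (Free and Professional tiers)
- Cache clearing by cache tag (Enterprise tier only)
- Automatic restoration of the original client IP address from CloudFlare's CF-Connecting-IP header
- Validation of incoming requests against CloudFlare IP ranges for security
- Support for both API key/email and API token authentication
- Multi-zone support for accounts with multiple CloudFlare zones
- Zone filtering by name for easier selection
- Bypass host setting that suppresses warnings for the authenticated-user domain
- HTTP middleware that handles requests at the earliest possible stage
- Cache tag header generation in a CloudFlare-compatible format using hash-based compression
- Integration with the Drupal Purge module for automatic cache invalidation
- Diagnostic checks for API credentials, rate limits, and the daily tag purge limit
- Cache tag exclude-list that keeps specific tags out of the header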
Use Cases
CDN Cache Management for Content Updates
When editors publish or update content in Drupal, the Purge module automatically queues cache invalidations. The CloudFlare Purger processes these queued items and sends purge requests to CloudFlare's API, ensuring that visitors see fresh content without manual cache clearing.
Restoring Visitor IP Addresses
When CloudFlare proxies requests, the server sees CloudFlare's IP instead of the visitor's actual IP. Enable 'Restore Client Ip Address' to have the module automatically restore the original visitor IP from CloudFlare's CF-Connecting-IP header. This is essential for accurate analytics, access logging, and geographic-based functionality.
Enterprise Cache Tag Purging
For CloudFlare Enterprise customers, enable tag-based cache purging for surgical cache invalidation. When a specific node is updated, only pages containing that node's cache tags are purged, rather than clearing the entire CDN cache. The module automatically hashes cache tags to fit CloudFlare's header size limits.
Multi-Site or Multi-Domain Setup
For CloudFlare accounts with multiple zones, use the zone name filter to limit the displayed zones, then select one or more zones to manage. The module will send purge requests to all selected zones.
Separate Editorial Domain
For Free tier users who cannot use CloudFlare's vary-by-cookie feature, configure a separate editorial domain (e.g., edit.example.com) that bypasses CloudFlare. Set this as the 'Host to Bypass CloudFlare' to suppress warning messages when editors access the site directly.
Tips
- For Free tier CloudFlare accounts, cache tags won't work - use URL-based purging via the purge_queuer_url module instead
- Set page cache max age to a high value (31536000 seconds = 1 year) since CloudFlare handles cache invalidation
- The module caches CloudFlare IP ranges permanently; clear cache if CloudFlare updates their IP ranges
- Use the Purge UI at /admin/config/development/performance/purge to monitor purge status and diagnostic checks
- Cache tags are hashed to 4-character strings to fit CloudFlare's header limits; this may cause occasional over-invalidation due to hash collisions
- For high-traffic events, consider the potential for cache tag hash collisions that could cause unintended page purges
- API Tokens are recommended over API Keys as they can be scoped with specific permissions
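The over-invalidation described in the tips above, as an added example that is not the module's own code. It assumes a truncated hex SHA-256 as a stand-in hash (the page states only the 4-character length), and the tag names, page URLs and function names are constructed for illustration.

```python
import hashlib
import math

HASH_LEN = 4  # hash length stated on the page


def tag_hash(tag):
    # Assumption: truncated hex SHA-256 as a stand-in for the module's hash.
    return hashlib.sha256(tag.encode()).hexdigest()[:HASH_LEN]


def collision_probability(n_tags, space=16 ** HASH_LEN):
    """Birthday-bound estimate that at least two of n_tags share a hash."""
    return 1.0 - math.exp(-n_tags * (n_tags - 1) / (2.0 * space))


def find_collision(tags):
    """Return the first (earlier_tag, later_tag) pair sharing a hash, or None."""
    seen = {}
    for tag in tags:
        h = tag_hash(tag)
        if h in seen:
            return seen[h], tag
        seen[h] = tag
    return None


def pages_purged(pages, changed_tag):
    """URLs the CDN drops when changed_tag is purged by its hash."""
    target = tag_hash(changed_tag)
    return sorted(url for url, tags in pages.items()
                  if target in {tag_hash(t) for t in tags})


def demo():
    # Constructed tags: more than 16**4 of them, so a collision is guaranteed.
    tags = [f"node:{i}" for i in range(1, 70001)]
    a, b = find_collision(tags)
    pages = {"/page-a": [a], "/page-b": [b], "/static": []}
    # Purging only tag `a` also drops /page-b, which never carried that tag.
    return a, b, pages_purged(pages, a)


if __name__ == "__main__":
    print(demo(), round(collision_probability(300), 3))
```

Under the hex-alphabet assumption the estimate crosses 50% at roughly 300 distinct tags, which is why the exclude-list is worth using for tags that change often.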
Technical Details
Admin Pages 3
/admin/config/services/cloudflare
Main configuration page for CloudFlare integration. Uses a two-step wizard approach: first configure API credentials, then select the CloudFlare zone(s).
/admin/config/services/cloudflare/{step}
Second step of the configuration wizard where users select one or more CloudFlare zones from their account.
/admin/config/services/cloudflare/purger
Configure cache tag exclude-list for the CloudFlare Purger.
Permissions 1
Hooks 1
hook_help
Implements hook_help() to provide help text on the module's help page.
Troubleshooting 8
Enable 'Restore Client Ip Address' in the CloudFlare settings. Ensure requests are actually coming through CloudFlare by checking for the CF-Connecting-IP header.
This warning appears when the module expects CloudFlare but requests arrive directly. Either configure a bypass host for editorial domains, or verify your DNS configuration routes traffic through CloudFlare.
This indicates a request has the CF-Connecting-IP header but the connecting IP isn't from CloudFlare. This could be a security issue (spoofed headers) or a legitimate setup like Kubernetes ingress. If legitimate, disable 'Validate remote IP address' (with caution).
Cache tag purging is only available on CloudFlare Enterprise plans. Use URL-based purging for Free and Professional tier accounts.
CloudFlare limits API calls to 1,200 requests per 5 minutes. Reduce purge frequency by batching content updates, using the purge queue processor with appropriate intervals, or excluding high-frequency cache tags from purging.
CloudFlare Enterprise has a limit of 30,000 tag purges per day. Consider using URL-based purging for less critical content, or implementing a cache tag exclude-list for frequently changing but non-critical tags.
This bug was fixed in recent versions. Update to the latest module version to resolve zone pagination issues.
Verify API credentials have permission to access zones. For API Tokens, ensure the token has 'Zone:Read' permission. Try accessing CloudFlare's console to verify zones exist.
Security Notes 5
- API credentials (key/email or token) are stored in Drupal configuration. Ensure configuration exports are properly secured and not committed to public repositories.
- The 'administer cloudflare' permission is marked as restricted due to access to sensitive API credentials.
- When 'Validate remote IP address' is disabled, the module trusts the CF-Connecting-IP header without verifying the request source. This could allow IP spoofing if requests can bypass CloudFlare.
- The module fetches CloudFlare's IP ranges from https://www.cloudflare.com/ips-v4 and ips-v6. Ensure outbound HTTP access is available.
- Consider using CloudFlare API Tokens instead of API Keys for better security through scope limitation.
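
The trust decision behind 'Validate remote IP address', as an added example that is not the module's own code. The function name, status strings and sample requests are hypothetical, and the ranges are constructed documentation prefixes standing in for the lists the module fetches.

```python
import ipaddress

# Constructed documentation ranges standing in for the lists published at
# https://www.cloudflare.com/ips-v4 and ips-v6.
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:cf::/48"),
]


def restore_client_ip(remote_addr, headers, validate_remote_ip=True):
    """Return (client_ip, status) for one request (hypothetical helper).

    remote_addr is the TCP peer address; headers has lower-cased names.
    """
    claimed = headers.get("cf-connecting-ip")
    if claimed is None:
        return remote_addr, "direct"  # request did not come through the CDN
    try:
        claimed_ip = ipaddress.ip_address(claimed.strip())
    except ValueError:
        return remote_addr, "malformed-header"
    if validate_remote_ip:
        peer = ipaddress.ip_address(remote_addr)
        # The header is only believable if the peer itself is a CDN edge.
        if not any(peer in net for net in TRUSTED_PROXY_RANGES):
            return remote_addr, "untrusted-peer"
    return str(claimed_ip), "restored"


def demo():
    """Constructed requests that all carry the same header value."""
    hdr = {"cf-connecting-ip": "203.0.113.50"}
    return [
        restore_client_ip("198.51.100.7", hdr),  # peer inside trusted range
        restore_client_ip("192.0.2.10", hdr),    # peer outside: header ignored
        restore_client_ip("192.0.2.10", hdr, validate_remote_ip=False),
        restore_client_ip("192.0.2.10", {}),
        restore_client_ip("198.51.100.7", {"cf-connecting-ip": "not-an-ip"}),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third request shows the cost of disabling validation: a peer outside the trusted ranges has its header value accepted as the client address, so logs and IP-based access rules record whatever the sender supplied.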