Guides

Cloudflare Migration

Migrate firewall rules from Vercel to Cloudflare with automatic rule translation.

Guide for migrating firewall rules from Vercel Firewall to Cloudflare WAF using Vercel Doorman.

Before You Begin

Complete the Cloudflare Setup guide first
Back up your current Vercel configuration
Review the compatibility matrix below — some features don't translate 1:1

Important: Always test in a staging environment before applying to production.

Compatibility Matrix

Feature	Vercel	Cloudflare	Translation
Path matching	✅	✅	Direct
Method filtering	✅	✅	Direct
IP blocking	✅	✅	Direct (uses Lists API when Account ID provided)
User agent matching	✅	✅	Direct
Header matching	✅	✅	Direct
Geo-blocking	✅	✅	Direct
Rate limiting	✅	✅	Modified (different config format)
Redirects	✅	✅	Direct
Challenge actions	✅ Basic	✅ Advanced	Enhanced (Cloudflare offers more challenge types)
Regex matching	✅	⚠️ Enterprise only	Falls back to contains/starts_with
Environment conditions	✅	❌	Removed (Vercel-specific)
JA3/JA4 fingerprints	✅	❌	Removed (Vercel-specific)

Migration Steps

1. Back Up

bash

vercel-doorman backup
vercel-doorman export --format json --output vercel-backup.json

2. Preview the Migration

bash

vercel-doorman migrate --from vercel --to cloudflare --dry-run

This shows which rules will migrate perfectly, which will be modified, and which can't migrate. No changes are made.

3. Generate the Cloudflare Config

bash

vercel-doorman migrate --from vercel --to cloudflare --output cloudflare.config.json

The generated file includes:

Translated rules with Cloudflare provider settings
Migration metadata (source, date, warnings)
Notes on any rules that were modified

4. Review and Validate

Open cloudflare.config.json and review the translated rules, then:

bash

vercel-doorman validate --config cloudflare.config.json
vercel-doorman status --config cloudflare.config.json

5. Test in Staging

bash

vercel-doorman sync --config cloudflare.config.json --provider cloudflare

Verify in the Cloudflare dashboard under Security → WAF → Custom rules.

6. Deploy to Production

bash

vercel-doorman sync --config cloudflare.config.json --provider cloudflare
vercel-doorman status --config cloudflare.config.json

7. Monitor

Check Security → Events in the Cloudflare dashboard
Watch for false positives in the first few days
Adjust rules based on real traffic patterns

Handling Common Translation Changes

Regex → Simple Matching

Regex patterns are converted to simpler operators on non-Enterprise plans:

json

// Vercel (regex)
{ "type": "path", "op": "re", "value": "\\.(php|asp|jsp)$" }

// Cloudflare (converted to multiple suffix conditions)
[
  { "type": "path", "op": "suf", "value": ".php" },
  { "type": "path", "op": "suf", "value": ".asp" },
  { "type": "path", "op": "suf", "value": ".jsp" }
]

Review these conversions to ensure they still cover your intended traffic patterns.

Environment Conditions Removed

Cloudflare doesn't have an equivalent to Vercel's environment condition. Options:

Use separate config files per environment
Use zone-based separation (different Cloudflare zones for staging vs production)

Rate Limiting Format Differences

Rate limiting translates automatically, but review thresholds — Cloudflare's rate limiting behavior may differ slightly from Vercel's.

Rollback

Restore from Backup

bash

vercel-doorman backup --list
vercel-doorman backup --restore backup-file.json
vercel-doorman sync --provider vercel

Reverse Migration

bash

vercel-doorman migrate --from cloudflare --to vercel --output vercel-restored.config.json
vercel-doorman sync --config vercel-restored.config.json --provider vercel

Note: Cloudflare → Vercel translation has some limitations. Review the output carefully.

Gradual Migration

For large rule sets, consider migrating in phases:

Critical security rules (bot blocking, IP blocking)
Rate limiting rules
Remaining rules
Optimize for Cloudflare-specific features

Post-Migration Checklist

All critical rules active in Cloudflare
IP blocking working correctly
Rate limiting functioning as expected
No false positives in legitimate traffic
Cloudflare Analytics showing expected rule triggers
Team trained on Cloudflare-specific workflows
CI/CD pipelines updated for Cloudflare provider
Backup procedures updated

Cloudflare Setup — Credentials, environment, and initial configuration
Configuration — Configuration file reference
Commands Overview — Full CLI reference

This content is sourced from the GitHub Wiki.

Guides

Cloudflare Migration

Migrate firewall rules from Vercel to Cloudflare with automatic rule translation.

Edit on GitHub

Guide for migrating firewall rules from Vercel Firewall to Cloudflare WAF using Vercel Doorman.

Before You Begin

Complete the Cloudflare Setup guide first
Back up your current Vercel configuration
Review the compatibility matrix below — some features don't translate 1:1

Important: Always test in a staging environment before applying to production.

Compatibility Matrix

Feature	Vercel	Cloudflare	Translation
Path matching	✅	✅	Direct
Method filtering	✅	✅	Direct
IP blocking	✅	✅	Direct (uses Lists API when Account ID provided)
User agent matching	✅	✅	Direct
Header matching	✅	✅	Direct
Geo-blocking	✅	✅	Direct
Rate limiting	✅	✅	Modified (different config format)
Redirects	✅	✅	Direct
Challenge actions	✅ Basic	✅ Advanced	Enhanced (Cloudflare offers more challenge types)
Regex matching	✅	⚠️ Enterprise only	Falls back to contains/starts_with
Environment conditions	✅	❌	Removed (Vercel-specific)
JA3/JA4 fingerprints	✅	❌	Removed (Vercel-specific)

Migration Steps

1. Back Up

bash

vercel-doorman backup
vercel-doorman export --format json --output vercel-backup.json

2. Preview the Migration

bash

vercel-doorman migrate --from vercel --to cloudflare --dry-run

This shows which rules will migrate perfectly, which will be modified, and which can't migrate. No changes are made.

3. Generate the Cloudflare Config

bash

vercel-doorman migrate --from vercel --to cloudflare --output cloudflare.config.json

The generated file includes:

Translated rules with Cloudflare provider settings
Migration metadata (source, date, warnings)
Notes on any rules that were modified

4. Review and Validate

Open cloudflare.config.json and review the translated rules, then:

bash

vercel-doorman validate --config cloudflare.config.json
vercel-doorman status --config cloudflare.config.json

5. Test in Staging

bash

vercel-doorman sync --config cloudflare.config.json --provider cloudflare

Verify in the Cloudflare dashboard under Security → WAF → Custom rules.

6. Deploy to Production

bash

vercel-doorman sync --config cloudflare.config.json --provider cloudflare
vercel-doorman status --config cloudflare.config.json

7. Monitor

Check Security → Events in the Cloudflare dashboard
Watch for false positives in the first few days
Adjust rules based on real traffic patterns

Handling Common Translation Changes

Regex → Simple Matching

Regex patterns are converted to simpler operators on non-Enterprise plans:

json

// Vercel (regex)
{ "type": "path", "op": "re", "value": "\\.(php|asp|jsp)$" }

// Cloudflare (converted to multiple suffix conditions)
[
  { "type": "path", "op": "suf", "value": ".php" },
  { "type": "path", "op": "suf", "value": ".asp" },
  { "type": "path", "op": "suf", "value": ".jsp" }
]

Review these conversions to ensure they still cover your intended traffic patterns.

Environment Conditions Removed

Cloudflare doesn't have an equivalent to Vercel's environment condition. Options:

Use separate config files per environment
Use zone-based separation (different Cloudflare zones for staging vs production)

Rate Limiting Format Differences

Rate limiting translates automatically, but review thresholds — Cloudflare's rate limiting behavior may differ slightly from Vercel's.

Rollback

Restore from Backup

bash

vercel-doorman backup --list
vercel-doorman backup --restore backup-file.json
vercel-doorman sync --provider vercel

Reverse Migration

bash

vercel-doorman migrate --from cloudflare --to vercel --output vercel-restored.config.json
vercel-doorman sync --config vercel-restored.config.json --provider vercel

Note: Cloudflare → Vercel translation has some limitations. Review the output carefully.

Gradual Migration

For large rule sets, consider migrating in phases:

Critical security rules (bot blocking, IP blocking)
Rate limiting rules
Remaining rules
Optimize for Cloudflare-specific features

Post-Migration Checklist

All critical rules active in Cloudflare
IP blocking working correctly
Rate limiting functioning as expected
No false positives in legitimate traffic
Cloudflare Analytics showing expected rule triggers
Team trained on Cloudflare-specific workflows
CI/CD pipelines updated for Cloudflare provider
Backup procedures updated

Cloudflare Setup — Credentials, environment, and initial configuration
Configuration — Configuration file reference
Commands Overview — Full CLI reference

This content is sourced from the GitHub Wiki.

Cloudflare Migration

Before You Begin

Compatibility Matrix

Migration Steps

1. Back Up

2. Preview the Migration

3. Generate the Cloudflare Config

4. Review and Validate

5. Test in Staging

6. Deploy to Production

7. Monitor

Handling Common Translation Changes

Regex → Simple Matching

Environment Conditions Removed

Rate Limiting Format Differences

Rollback

Restore from Backup

Reverse Migration

Gradual Migration

Post-Migration Checklist

Related Pages

Cloudflare Migration

Before You Begin

Compatibility Matrix

Migration Steps

1. Back Up

2. Preview the Migration

3. Generate the Cloudflare Config

4. Review and Validate

5. Test in Staging

6. Deploy to Production

7. Monitor

Handling Common Translation Changes

Regex → Simple Matching

Environment Conditions Removed

Rate Limiting Format Differences

Rollback

Restore from Backup

Reverse Migration

Gradual Migration

Post-Migration Checklist

Related Pages