Guides
Cloudflare Setup
Set up Vercel Doorman with Cloudflare WAF — credentials, configuration, and deployment.
Complete guide for setting up Vercel Doorman with Cloudflare WAF.
Status: Cloudflare support is production-ready with comprehensive error handling, validation, and rule translation.
Prerequisites
- Cloudflare account with at least one domain
- Node.js 18+ installed
- Vercel Doorman installed (
npm install -g vercel-doorman)
Get Your Credentials
API Token
- Go to Cloudflare API Tokens
- Click Create Token → Custom token
- Set these permissions:
| Permission Type | Permission | Access Level |
|---|---|---|
| Zone | Zone Settings | Read |
| Zone | Zone | Read |
| Zone | Firewall Services | Edit |
| Account | Account Rulesets | Edit (optional) |
- Under Zone Resources, select your domain (or "All zones from an account" for multiple domains)
- Optionally set Client IP Filtering and TTL for extra security
- Click Continue to summary → Create Token
- Copy the token immediately — you won't see it again
Zone ID
- Go to Cloudflare Dashboard and select your domain
- On the Overview page, find Zone ID in the right sidebar
- Copy it
Account ID (Optional)
The Account ID enables the Cloudflare Lists API for efficient bulk IP management.
- On any Cloudflare dashboard page, find Account ID in the right sidebar
- Copy it
Without an Account ID, Doorman falls back to individual IP rules instead of Lists.
Configure Environment Variables
bash
export CLOUDFLARE_API_TOKEN="your_api_token_here"
export CLOUDFLARE_ZONE_ID="your_zone_id_here"
export CLOUDFLARE_ACCOUNT_ID="your_account_id_here" # OptionalOr create a .env file in your project root:
bash
CLOUDFLARE_API_TOKEN=your_api_token_here
CLOUDFLARE_ZONE_ID=your_zone_id_here
CLOUDFLARE_ACCOUNT_ID=your_account_id_hereImportant: Add
.envto your.gitignoreto avoid committing secrets.
Initialize Your Project
bash
vercel-doorman init --provider cloudflare --interactiveThis validates your credentials, tests API connectivity, and creates a configuration file.
Or create vercel-firewall.config.json manually:
json
{
"$schema": "https://doorman.griffen.codes/schema.json",
"provider": "cloudflare",
"providers": {
"cloudflare": {
"zoneId": "your_zone_id",
"accountId": "your_account_id"
}
},
"rules": [],
"ips": []
}Add Your First Rules
Add a template or write rules by hand:
bash
# Add bot protection
vercel-doorman template add bad-bots --provider cloudflare
# Add AI bot blocking
vercel-doorman template add ai-bots --provider cloudflare
# Add WordPress protection
vercel-doorman template add wordpress --provider cloudflareDeploy
bash
# Preview what will change
vercel-doorman diff --provider cloudflare
# Deploy rules
vercel-doorman sync --provider cloudflare
# Verify deployment
vercel-doorman status --provider cloudflareDay-to-Day Commands
bash
vercel-doorman status --provider cloudflare # Check sync status and health
vercel-doorman list --provider cloudflare # List deployed rules
vercel-doorman diff --provider cloudflare # Preview pending changes
vercel-doorman sync --provider cloudflare # Deploy changes
vercel-doorman validate # Validate config syntax
vercel-doorman backup # Create a backup
vercel-doorman watch --provider cloudflare # Auto-sync on file changesAdvanced Configuration
Multiple Zones
Create separate config files per zone:
bash
vercel-doorman init --provider cloudflare --config zone1.config.json
vercel-doorman init --provider cloudflare --config zone2.config.jsonAccount-Level Rules
With an Account ID, you can create rules that apply across all zones:
json
{
"providers": {
"cloudflare": {
"accountId": "your_account_id",
"useAccountRules": true
}
}
}Cloudflare Plan Limits
| Plan | Custom Rules |
|---|---|
| Free | 5 |
| Pro | 20 |
| Business | 100 |
| Enterprise | Unlimited |
Troubleshooting
"Invalid API Token"
- Verify the token hasn't expired
- Confirm it has Zone: Firewall Services: Edit permission
- Test manually:
bash
curl -X GET "https://api.cloudflare.com/client/v4/user/tokens/verify" \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
"Zone Not Found"
- Double-check the Zone ID in the Cloudflare dashboard
- Ensure the token has access to that zone
- List accessible zones:
bash
curl -X GET "https://api.cloudflare.com/client/v4/zones" \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" | jq '.result[] | {name, id}'
Rules Not Appearing
- Check Security → WAF → Custom rules in the Cloudflare dashboard
- Run
vercel-doorman sync --provider cloudflare --verbosefor detailed output - Look for translation warnings — complex conditions may have been simplified
Rate Limit Errors (429)
Doorman has built-in retry logic, but if you hit persistent rate limits:
- Avoid running multiple sync operations simultaneously
- Wait 60 seconds and retry
IP Blocking Not Working
- Ensure IPs use CIDR notation (
192.168.1.1/32not192.168.1.1) - Provide an Account ID to enable the more efficient Lists API
- Check rule priority in the Cloudflare dashboard
Security Best Practices
- Never commit API tokens — use environment variables or secret management
- Use minimum permissions — only grant what Doorman needs
- Set token expiration — rotate tokens regularly
- Test in staging first — create rules disabled, enable after testing
- Create backups before major changes
- Monitor Cloudflare Analytics (Security → Events) for rule effectiveness
Related Pages
- Getting Started — General Doorman setup
- Configuration — Configuration file reference
- Cloudflare Migration — Migrating from Vercel to Cloudflare
- Commands Overview — Full CLI reference
This content is sourced from the GitHub Wiki.