Architecture Overview
Before diving into the configuration, it helps to understand how traffic flows through a Cloudflare + Flowtriq deployment and where each product sits in the stack.
The architecture is straightforward. Cloudflare operates as a reverse proxy at the network edge. All DNS records point to Cloudflare's anycast network, which absorbs volumetric L3/L4 attacks and filters L7 HTTP/HTTPS traffic using WAF rules, rate limiting, and bot management. Clean traffic is then forwarded to your origin server over an encrypted tunnel or direct connection.
Flowtriq operates on the origin server itself. The Flowtriq agent monitors all inbound traffic at the network interface level, regardless of whether that traffic came through Cloudflare or arrived through some other path. It detects anomalies, classifies attack vectors, captures PCAP evidence, and sends alerts through your configured channels.
The traffic flow looks like this:
Client Request
|
v
Cloudflare Edge (anycast)
|-- Volumetric L3/L4 absorption
|-- WAF rules, rate limiting, bot detection
|-- SSL/TLS termination
|
v
Origin Server
|-- Flowtriq agent (monitoring all interfaces)
|-- Detects bypassed traffic, direct-to-IP attacks
|-- Classifies attack vectors in <2 seconds
|-- Captures PCAP for forensics
|-- Alerts via Discord, Slack, PagerDuty, etc.
|
v
Application Stack
This layered model means Cloudflare handles mitigation at the edge while Flowtriq handles detection and forensics at the origin. Neither product replaces the other. They monitor different points in the traffic path and provide different types of data.
What Flowtriq Sees That Cloudflare Does Not
Cloudflare is excellent at what it does, but its architecture has an inherent limitation: it only sees traffic that flows through its network. Several categories of attacks bypass Cloudflare entirely and hit your origin server directly.
Direct-to-IP Attacks
If an attacker discovers your origin IP address, they can send traffic directly to it, bypassing Cloudflare entirely. Origin IP discovery is not theoretical. Attackers use historical DNS records, certificate transparency logs, email headers, server error pages, and services like Shodan and Censys to find origin IPs. Once they have the IP, Cloudflare never sees the attack traffic.
Flowtriq detects these attacks because it monitors the network interface on the origin server. Whether traffic arrived through Cloudflare or directly to the IP, Flowtriq sees it, classifies it, and alerts you within seconds.
Non-Proxied Services
Cloudflare's standard reverse proxy only handles HTTP/HTTPS traffic (and Spectrum for enterprise customers). If you run game servers, DNS resolvers, VoIP services, custom UDP protocols, or any non-HTTP service on your origin, that traffic does not flow through Cloudflare. Attacks targeting those services are invisible to Cloudflare's detection.
Flowtriq monitors all protocols on all ports. A UDP flood targeting your game server on port 27015 is detected and classified just as quickly as a SYN flood on port 443.
Traffic That Gets Through
No filter is perfect. Application-layer attacks designed to look like legitimate traffic can sometimes pass through Cloudflare's WAF. Low-and-slow attacks, credential stuffing at rates below rate-limit thresholds, and sophisticated L7 patterns may reach the origin. Flowtriq's per-second PPS and BPS monitoring on the origin gives you visibility into what actually arrives at your server, not just what Cloudflare reports.
Think of Cloudflare as your perimeter fence and Flowtriq as your security cameras inside the building. The fence stops most intruders, but you still need cameras to see anyone who gets through.
Step 1: Install the Flowtriq Agent on Your Origin Server
Start by installing the Flowtriq agent on each origin server behind Cloudflare. The agent runs as a lightweight background service and requires no changes to your application or Cloudflare configuration.
# Install the Flowtriq agent
pip install ftagent --break-system-packages

# Run the setup wizard
sudo ftagent --setup
During installation, you will be prompted for your Flowtriq API key. You can find this in your Flowtriq dashboard under Settings. The installer creates a systemd service that starts automatically on boot.
# Verify the agent is running
sudo systemctl status ftagent

# Check agent logs
sudo journalctl -u ftagent -f
The agent configuration file lives at /etc/ftagent/config.yaml. Here is a typical configuration for an origin server behind Cloudflare:
# /etc/ftagent/config.yaml
api_key: "ft_your_api_key_here"
server: "https://flowtriq.com/api/v1"

# Monitor the primary network interface
interface: "eth0"

# Detection thresholds (customize for your traffic profile)
detection:
  pps_threshold: auto    # Dynamic baseline detection
  bps_threshold: auto
  sensitivity: medium    # low, medium, high
  detection_window: 2s   # 2-second detection window

# PCAP capture on incident
pcap:
  enabled: true
  max_size: 100MB
  capture_duration: 30s

# Tags for this node (useful for multi-server setups)
tags:
  role: "web-origin"
  provider: "cloudflare"
  datacenter: "us-east-1"
The interface setting should point to the network interface that receives inbound traffic. On most servers this is eth0 or ens5. Run ip link show to list your interfaces.
Step 2: Lock Down Your Origin to Cloudflare
Before configuring the integration, make sure your origin server is properly locked down. This reduces (but does not eliminate) the risk of direct-to-IP attacks, and it makes Flowtriq's job clearer: any non-Cloudflare traffic that hits your server is suspicious by definition.
Configure your server firewall to only accept HTTP/HTTPS traffic from Cloudflare's IP ranges:
# Download Cloudflare's current IP ranges
curl -s https://www.cloudflare.com/ips-v4 -o /tmp/cf-ips-v4.txt
curl -s https://www.cloudflare.com/ips-v6 -o /tmp/cf-ips-v6.txt

# Allow Cloudflare IPv4 ranges on ports 80 and 443
while read -r ip; do
  sudo iptables -A INPUT -p tcp -s "$ip" --dport 80 -j ACCEPT
  sudo iptables -A INPUT -p tcp -s "$ip" --dport 443 -j ACCEPT
done < /tmp/cf-ips-v4.txt

# Same for the IPv6 ranges (ip6tables, otherwise the v6 list is never applied)
while read -r ip; do
  sudo ip6tables -A INPUT -p tcp -s "$ip" --dport 80 -j ACCEPT
  sudo ip6tables -A INPUT -p tcp -s "$ip" --dport 443 -j ACCEPT
done < /tmp/cf-ips-v6.txt

# Drop all other HTTP/HTTPS traffic (both address families)
sudo iptables -A INPUT -p tcp --dport 80 -j DROP
sudo iptables -A INPUT -p tcp --dport 443 -j DROP
sudo ip6tables -A INPUT -p tcp --dport 80 -j DROP
sudo ip6tables -A INPUT -p tcp --dport 443 -j DROP
Keep SSH and other management ports accessible from your trusted IPs. The Flowtriq agent communicates outbound to flowtriq.com/api/v1 on port 443, so no inbound firewall rules are needed for it.
Even with firewall rules restricting HTTP to Cloudflare IPs, other protocols and ports remain exposed. A UDP flood on port 53 or a SYN flood on a non-HTTP port will bypass these rules entirely. This is exactly what Flowtriq monitors.
Step 3: Configure the Cloudflare WAF Integration
This is where the integration gets powerful. Flowtriq can automatically create Cloudflare WAF rules when it detects an attack, blocking malicious traffic at Cloudflare's edge before it reaches your origin. This turns Flowtriq's detection capabilities into automated mitigation actions.
To set this up, you need a Cloudflare API token with WAF write permissions. Go to your Cloudflare dashboard, navigate to My Profile, then API Tokens, and create a token with the following permissions:
- Zone - Firewall Services - Edit — allows Flowtriq to create and manage WAF rules
- Zone - Zone - Read — allows Flowtriq to list your zones and find the correct zone ID
In your Flowtriq dashboard, go to Integrations and select Cloudflare. Enter your API token and Zone ID:
# Cloudflare integration settings in Flowtriq dashboard
Cloudflare API Token: cf_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Zone ID: a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
Auto-mitigation: Enabled
Rule action: block      # block, challenge, or managed_challenge
Rule duration: 1h       # auto-expire rules after this period
Min confidence: 0.85    # only create rules for high-confidence detections
With this configured, Flowtriq will automatically call the Cloudflare API to create firewall rules when it detects an attack with sufficient confidence. Here is an example of the API call Flowtriq makes behind the scenes:
# Example: Flowtriq creates a Cloudflare WAF rule via API
# This happens automatically when an attack is detected
curl -X POST \
"https://api.cloudflare.com/client/v4/zones/{zone_id}/firewall/rules" \
-H "Authorization: Bearer {cloudflare_api_token}" \
-H "Content-Type: application/json" \
-d '[{
"filter": {
"expression": "(ip.src in {203.0.113.0/24 198.51.100.0/24})",
"description": "Flowtriq auto-block: UDP flood detected (incident #ft-2026-0312-001)"
},
"action": "block",
"description": "Auto-created by Flowtriq - expires 2026-03-12T14:00:00Z"
}]'
Flowtriq extracts the top source IP ranges from the attack traffic, creates a Cloudflare firewall rule expression that blocks those ranges, and sets an expiration time so the rule automatically cleans up. Every rule includes a reference to the Flowtriq incident ID so you can trace it back to the detection event.
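The rule-building step described above, as an added example that is not Flowtriq's own code: it aggregates a detection's source addresses into /24 ranges, applies the dashboard's confidence threshold and rule duration, and emits the JSON body of the API call shown above. The /24 aggregation, the `top_n`/`min_share` cutoffs and the detection dict layout are my assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
import ipaddress
import json

MIN_CONFIDENCE = 0.85               # mirrors "Min confidence: 0.85" in the dashboard
RULE_DURATION = timedelta(hours=1)  # mirrors "Rule duration: 1h"


def top_source_ranges(src_ips, prefix=24, top_n=10, min_share=0.05):
    """Aggregate attack sources into /prefix networks and keep the heaviest.
    min_share drops ranges contributing less than that fraction of packets so a
    few stragglers (or spoofed decoys) do not end up in the block expression."""
    counts = Counter(
        ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in src_ips
    )
    total = sum(counts.values())
    kept = [(net, n) for net, n in counts.most_common(top_n) if n / total >= min_share]
    return [str(net) for net, _ in kept]


def build_rule(detection, now=None):
    """Return the request body for /zones/{zone_id}/firewall/rules, or None
    when the detection is below the confidence threshold (no rule created)."""
    if detection["confidence"] < MIN_CONFIDENCE:
        return None
    now = now or datetime.now(timezone.utc)
    expires = (now + RULE_DURATION).strftime("%Y-%m-%dT%H:%M:%SZ")
    ranges = top_source_ranges(detection["src_ips"])
    if not ranges:
        return None
    expression = "(ip.src in {" + " ".join(ranges) + "})"
    return [{
        "filter": {
            "expression": expression,
            "description": f"Flowtriq auto-block: {detection['vector']} "
                           f"(incident #{detection['incident_id']})",
        },
        "action": "block",
        "description": f"Auto-created by Flowtriq - expires {expires}",
    }]


# Constructed sample detection (documentation address ranges, not real sources).
SAMPLE_DETECTION = {
    "incident_id": "ft-2026-0312-001",
    "vector": "UDP flood detected",
    "confidence": 0.93,
    "src_ips": [f"203.0.113.{i}" for i in range(1, 61)]
             + [f"198.51.100.{i}" for i in range(1, 41)]
             + ["192.0.2.7"],  # single straggler, below min_share, not blocked
}

if __name__ == "__main__":
    print(json.dumps(build_rule(SAMPLE_DETECTION), indent=2))
```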
Step 4: Configure Alert Routing
With both Cloudflare and Flowtriq running, you want to route alerts to the right teams through the right channels. Flowtriq supports Discord, Slack, PagerDuty, OpsGenie, email, SMS, and custom webhooks.
A recommended alert routing strategy for a Cloudflare + Flowtriq deployment:
- Cloudflare alerts (via Cloudflare Notifications) — route to your infrastructure team's email or Slack channel. These cover edge-level events like large volumetric attacks absorbed by Cloudflare, WAF rule triggers, and origin health check failures.
- Flowtriq alerts — route to your security operations team via PagerDuty or Discord. These cover origin-level events that indicate something reached your server: direct-to-IP attacks, bypassed traffic, non-HTTP protocol attacks, and any anomalous traffic patterns.
- Flowtriq firewall rule alerts — send a notification whenever Flowtriq creates a Cloudflare WAF rule. This keeps your team informed about automated actions so they can review and adjust if needed.
Configure notification channels in your Flowtriq dashboard under Channels:
# Example: Slack webhook for Flowtriq alerts
Channel type: Slack
Webhook URL: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
Alert types: All incidents
Min severity: Medium

# Example: PagerDuty for critical incidents
Channel type: PagerDuty
Integration key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Alert types: Critical incidents only
Min severity: Critical
Step 5: Advanced Configuration
Preserving Real Client IPs
When Cloudflare proxies traffic to your origin, the source IP of every request is a Cloudflare IP, not the real client IP. The actual client IP is passed in the CF-Connecting-IP header. This is important for Flowtriq's analysis.
At the network layer, Flowtriq sees Cloudflare's IPs as the source. This is expected and does not affect detection — a sudden spike in PPS from any source, including Cloudflare IPs, triggers detection. However, for forensic analysis and source attribution, configure your web server to log the real client IP:
# Nginx: restore real client IP from Cloudflare header
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
real_ip_header CF-Connecting-IP;
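Two points from above worked in one added example (my code, not Flowtriq's or Cloudflare's): the Step 2 rule that any non-Cloudflare peer on a proxied port is suspicious by definition, and the trust rule the Nginx block encodes, namely that CF-Connecting-IP is only meaningful when the TCP peer really is a Cloudflare edge. The IPv4 ranges are the ones from the Nginx snippet; the record layout and the `PROXIED_PORTS` set are my assumptions.

```python
import ipaddress

# Cloudflare IPv4 ranges as listed in the Nginx snippet above. In production,
# refresh these from https://www.cloudflare.com/ips-v4 instead of hard-coding.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]
PROXIED_PORTS = {80, 443}  # ports the origin firewall restricts to Cloudflare


def is_cloudflare(ip):
    """True when the address falls inside one of Cloudflare's published ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def real_client_ip(peer_ip, headers):
    """Honour CF-Connecting-IP only when the TCP peer is a Cloudflare edge.
    From any other peer the header is whatever the sender chose to put there,
    so the peer address itself is the only trustworthy source attribution."""
    if is_cloudflare(peer_ip) and "CF-Connecting-IP" in headers:
        return headers["CF-Connecting-IP"]
    return peer_ip


def classify(record):
    """record: {"peer": ip, "port": int, "headers": dict}. Returns
    'cloudflare'    - arrived through the proxy,
    'direct-to-ip'  - a proxied port reached without Cloudflare (lockdown gap),
    'non-proxied'   - a port Cloudflare never fronts (e.g. DNS on 53)."""
    if is_cloudflare(record["peer"]):
        return "cloudflare"
    return "direct-to-ip" if record["port"] in PROXIED_PORTS else "non-proxied"


def lockdown_gaps(records):
    """After the Step 2 iptables rules this list should be empty; anything in
    it means HTTP/HTTPS traffic reached the origin without passing Cloudflare."""
    return [r for r in records if classify(r) == "direct-to-ip"]


# Constructed sample connection records (documentation addresses only).
SAMPLE = [
    {"peer": "172.64.10.5", "port": 443, "headers": {"CF-Connecting-IP": "198.51.100.9"}},
    {"peer": "203.0.113.77", "port": 443, "headers": {"CF-Connecting-IP": "10.0.0.1"}},
    {"peer": "203.0.113.78", "port": 53, "headers": {}},
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(classify(r), "client =", real_client_ip(r["peer"], r["headers"]))
```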
Cloudflare Tunnel (cloudflared) Deployments
If you use Cloudflare Tunnels instead of exposing your origin IP directly, the security model changes. With a Tunnel, your origin has no public IP address for HTTP traffic, which eliminates direct-to-IP attacks on proxied services. However, Flowtriq still provides value in this configuration:
- Monitoring non-HTTP services that are not routed through the Tunnel
- Detecting attacks on the server from within your private network
- Providing PCAP-level visibility into what traffic the Tunnel delivers to your application
- Monitoring for unusual outbound traffic patterns that could indicate compromise
Multi-Server Deployments
If you run multiple origin servers behind Cloudflare (load balanced or active-passive), install the Flowtriq agent on each server. Use tags to organize them in your Flowtriq dashboard:
# Server 1: /etc/ftagent/config.yaml
tags:
  role: "web-origin"
  cluster: "production"
  server: "origin-1"

# Server 2: /etc/ftagent/config.yaml
tags:
  role: "web-origin"
  cluster: "production"
  server: "origin-2"
This gives you per-server visibility across your entire origin fleet. You can see which servers are receiving attack traffic, whether the load balancer is distributing attacks evenly, and whether a specific server is being targeted.
Real-World Use Case: Automated Attack Response
Here is how the full integration works during an actual attack scenario:
- Attack begins — An attacker discovers your origin IP through certificate transparency logs and launches a 50,000 PPS UDP flood directly at your server on port 53, bypassing Cloudflare entirely.
- Flowtriq detects (T+2 seconds) — The Flowtriq agent detects the anomaly within its 2-second detection window. It classifies the attack as a DNS amplification flood with high confidence and begins PCAP capture.
- Alerts fire (T+3 seconds) — Flowtriq sends alerts to your configured channels: a PagerDuty incident for the on-call engineer, a Slack message to the security channel, and a Discord notification.
- Auto-mitigation triggers (T+4 seconds) — Flowtriq's Cloudflare integration analyzes the top source IP ranges from the attack traffic and creates a Cloudflare WAF rule that blocks those ranges at the edge. Even though this attack bypassed Cloudflare, future traffic from these ranges to your proxied services will now be blocked at the edge.
- Engineer responds (T+minutes) — The on-call engineer reviews the incident in the Flowtriq dashboard, examines the PCAP capture to confirm the attack vector, and decides whether to add iptables rules on the origin to block the attack traffic that is not going through Cloudflare.
- Post-incident — The PCAP capture and incident timeline are available for post-mortem analysis, compliance reporting, and communication with your upstream provider if you need them to null-route the attack source.
This entire sequence happens automatically. No manual rule creation, no guessing about attack vectors, no scrambling to figure out what is happening. Flowtriq detects, classifies, alerts, captures evidence, and triggers mitigation.
Integration Checklist
Use this checklist to verify your Cloudflare + Flowtriq integration is complete:
- Flowtriq agent installed on each origin server and reporting to the dashboard
- Origin firewall configured to restrict HTTP/HTTPS to Cloudflare IPs only
- Cloudflare API token created with Firewall Services Edit and Zone Read permissions
- Cloudflare integration configured in Flowtriq dashboard with zone ID and API token
- Auto-mitigation enabled with appropriate confidence threshold and rule duration
- Alert channels configured — at least one real-time channel (Slack, Discord, or PagerDuty)
- PCAP capture enabled for forensic evidence on detection
- Real client IP restoration configured in your web server (Nginx or Apache)
- Test the integration by triggering a test alert in Flowtriq and verifying it flows through to your alert channels
What Each Layer Catches
To summarize the layered defense model, here is what each product catches that the other cannot:
Cloudflare catches (and mitigates):
- Multi-terabit volumetric L3/L4 floods that would overwhelm your origin's bandwidth
- L7 HTTP/HTTPS attacks filtered by WAF rules, rate limiting, and bot detection
- Known malicious bot traffic and automated scanning
- DDoS attacks absorbed silently at the edge without any traffic reaching your origin
Flowtriq catches (and alerts on):
- Direct-to-IP attacks that bypass Cloudflare entirely
- Attacks on non-HTTP services (game servers, DNS, VoIP, custom protocols)
- Traffic anomalies that pass through Cloudflare's filters and reach the origin
- Attacks within private networks or from other servers in your infrastructure
- Sub-threshold attacks that are too small for Cloudflare to flag but large enough to impact your server
Together, they provide:
- Edge-level mitigation capacity (Cloudflare) plus origin-level detection depth (Flowtriq)
- Automated feedback loop: Flowtriq detection triggers Cloudflare WAF rule creation
- Complete forensic trail: Cloudflare logs what it filtered, Flowtriq captures what reached the origin
- Multi-channel real-time alerting for events at both layers
Layered defense is not about redundancy. Each layer sees different traffic at a different point in the path. Cloudflare mitigates what it can see at the edge. Flowtriq detects what reaches the origin. Together, you have visibility across the entire attack surface.
Frequently Asked Questions
Does Flowtriq conflict with Cloudflare in any way?
No. Flowtriq is a passive detection agent that monitors your network interface. It does not modify traffic, inject headers, or interfere with Cloudflare's proxy connection. The only active action it takes is creating Cloudflare WAF rules via the API when auto-mitigation is enabled, and those rules work within Cloudflare's normal rule framework.
Will Flowtriq generate false positives from Cloudflare traffic?
Flowtriq uses dynamic baseline detection, which means it learns your server's normal traffic patterns over time. Legitimate traffic spikes from Cloudflare (a front-page post going viral, for example) are handled by the baseline algorithm. The sensitivity setting lets you tune the detection threshold to match your traffic profile.
How much does this integration cost?
Flowtriq is $9.99 per node per month ($7.99 on annual billing), with a 7-day free trial. There is no additional cost for the Cloudflare integration feature — it is included in the standard plan. Cloudflare's pricing is separate and depends on your Cloudflare plan tier.
Do I need Cloudflare Enterprise for this integration?
No. Flowtriq's Cloudflare integration works with any Cloudflare plan that supports API-managed firewall rules, which includes Free, Pro, Business, and Enterprise plans. The specific WAF features available depend on your Cloudflare plan tier.
Deploy Cloudflare + Flowtriq today
Close the origin visibility gap with per-second detection, automatic Cloudflare WAF rule creation, PCAP forensics, and multi-channel alerting. $9.99/node/month with a 7-day free trial.
Start your free 7-day trial →