Cloudflare Troubleshooting Skill

Description

This skill provides systematic troubleshooting for Cloudflare infrastructure issues. It covers DNS configuration, SSL/TLS modes, caching problems, firewall/WAF rules, Workers debugging, and performance optimization.

Instructions

When the user reports a Cloudflare issue, follow this diagnostic workflow:

Step 1: Identify the Problem Category

Symptom	Likely Category
Site not loading	DNS or SSL/TLS
Mixed content warnings	SSL/TLS mode
Stale content	Caching
Requests blocked	Firewall/WAF
Worker errors	Workers deployment
Slow performance	Caching or optimization
Redirect loops	SSL/TLS or Page Rules

Step 2: DNS Diagnostics

Copy
# Check DNS resolution
dig +short example.com A
dig +short example.com AAAA
dig +short example.com CNAME

# Check nameservers
dig NS example.com

# Verify propagation
dig @1.1.1.1 example.com
dig @8.8.8.8 example.com

# Check if proxied (orange cloud)
curl -sI https://example.com | grep -i 'cf-ray\|server'
# If "server: cloudflare" appears, traffic is proxied

Step 3: SSL/TLS Diagnostics

Copy
# Check certificate
curl -vI https://example.com 2>&1 | grep -A5 'SSL connection\|subject\|expire'

# Check for redirect loops (common with wrong SSL mode)
curl -vL https://example.com 2>&1 | grep '< HTTP\|< location'

# Test origin directly (bypass CF)
curl -vI https://origin-ip --resolve example.com:443:origin-ip 2>&1

Common SSL fixes:

Issue	Current Mode	Fix
Redirect loop	Flexible	Change to Full (Strict)
Mixed content	Flexible	Change to Full (Strict)
Certificate error	Full (Strict)	Install origin certificate
ERR_TOO_MANY_REDIRECTS	Flexible + HTTPS redirect on origin	Remove origin redirect OR use Full

Step 4: Caching Diagnostics

Copy
# Check cache status
curl -sI https://example.com/page | grep -i 'cf-cache-status\|cache-control\|age'

# CF-Cache-Status values:
# HIT    — Served from Cloudflare cache
# MISS   — Fetched from origin, now cached
# BYPASS — Not cached (usually due to cookies/headers)
# DYNAMIC — Not eligible for caching

# Purge cache via API
curl -X POST "https://api.cloudflare.com/client/v4/zones/{zone_id}/purge_cache" \
  -H "Authorization: Bearer {api_token}" \
  -H "Content-Type: application/json" \
  --data '{"purge_everything":true}'

Step 5: Firewall/WAF Diagnostics

Copy
# Check if a request is being blocked
curl -sI https://example.com/api/endpoint \
  -H "User-Agent: TestBot" | grep -i 'cf-ray\|cf-mitigated'

# Check firewall events via API
curl -s "https://api.cloudflare.com/client/v4/zones/{zone_id}/security/events?per_page=10" \
  -H "Authorization: Bearer {api_token}" | jq '.result[].action'

Rules

• Always start with DNS verification — most issues trace back to DNS
• Check CF-Cache-Status header before assuming caching is broken
• Never share API tokens or zone IDs in logs or output
• For SSL issues, always check BOTH the Cloudflare SSL mode AND the origin server certificate
• Document each diagnostic step and finding before proposing a fix
• After applying a fix, verify with the same diagnostic commands
• Allow 5 minutes for DNS changes and 30 seconds for setting changes to propagate
• If using the Cloudflare API, prefer scoped API tokens over global API keys

Examples

User: My site shows ERR_TOO_MANY_REDIRECTS Action: Check SSL mode (likely Flexible with origin HTTPS redirect), recommend Full (Strict) mode

User: My API requests are getting 403 errors Action: Check firewall events, identify blocking rule, create exception for the API path

User: Changes to my site aren't showing up Action: Check CF-Cache-Status headers, verify cache TTL, purge if needed