A secure, production-ready Home Assistant integration for Cloudflare. Monitor zone analytics, manage Zero Trust tunnels, control page rules, secure apps, and modify DNS records directly from Home Assistant.
While generic DNS updates only provide simple IP changes, this integration leverages Cloudflare APIs (REST & GraphQL) to offer deep administrative control. Manage multiple zones, workers, turnstile widgets, access policies, and Zero Trust tunnels in one cohesive dashboard without accessing complex terminals.
- Zone Analytics:
  - Requests: Real-time traffic insights.
  - Bandwidth: Data transfer metrics (in Megabytes).
  - Threats Blocked: See how many malicious requests were prevented.
  - Unique Visitors: Track visitor metrics.
  - Certificate Expiration: Monitor edge certificate expiry dates.
- Zero Trust & Tunnels:
  - Tunnel Status: Monitor status (Connected/Healthy) for Cloudflare Tunnels.
  - Details: Track active connection counts and connector daemon versions.
  - Gateway Policies: Toggle Zero Trust DNS/HTTP policies on or off.
  - Load Balancer Pools: View health diagnostics for origin server distributions.
  - Registrar Domains: Track the expiration date of domains registered via Cloudflare.
- Access Applications, Edge Workers & Pages:
  - Access Apps: Monitor active statuses for protected assets.
  - Workers Deployment: Get uptime diagnostics for deployed Cloudflare Workers.
  - Pages Deployment: Track the live deployment state of Cloudflare Pages.
  - Turnstile Widgets: Monitor mode configurations.
  - Cloudflare Images: Monitor stored vs allowed capacities.
- Configurable Control:
  - Zone Settings: Toggles for Development Mode, Always Use HTTPS, Automatic HTTPS Rewrites, IPv6 Compatibility, Rocket Loader, WebSockets, Brotli, Hotlink Protection, and Early Hints.
  - Security Level: Dropdown options to force immediate strictness (`off`, `essentially_off`, `low`, `medium`, `high`, `under_attack`).
  - Page Rules: Disable or enable individual URL filters.
  - Email Routing: Toggle custom email forwarding rules on or off.
  - WAF Rules: Toggle specific WAF Custom rules to secure origins.
  - Cache Rules: Toggle specific advanced caching behavior rules.
  - Domain Auto-Renew: Toggle domain registration auto-renewals safely.
  - API Quota Monitoring: Tracks remaining API requests and reset time to prevent rate limiting.
  - Security Logs: Tracks external attack properties (`Country`, `IP Address`, `Rule Triggered`).
- Smart Tracking & Logic:
  - Automated DDNS Updates: Automatically detects your router's public IP changes using `Home Assistant` networking infrastructure, seamlessly propagating changes onto mapped Zone A-Records (Configurable via Options Flow).
  - Cache Management: Instantly purge your Cloudflare Zone Cache using custom hardware buttons.
I maintain this integration in my free time alongside my regular job - bug hunting, new features, testing. Test environments cost money, and every donation helps me stay independent and dedicate more time to open-source work.
This project is and will always remain 100% free. There are no "Premium Upgrades" or subscriptions.
Donations are completely voluntary - but the more support I receive, the less I depend on other income sources.
This integration is fully compatible with HACS.
- Open HACS in Home Assistant.
- Click the three dots in the top right corner and select Custom repositories.
- Add `FaserF/ha-cloudflare` with category Integration.
- Search for "Cloudflare Advanced".
- Install and restart Home Assistant.
- Download the latest release from the Releases page.
- Extract the `custom_components/cloudflare_advanced` folder into your Home Assistant's `custom_components` directory.
- Restart Home Assistant.
Adding your Cloudflare account is entirely done via the UI. No YAML configuration is required.
- Navigate to Settings > Devices & Services in Home Assistant.
- Click Add Integration and search for Cloudflare Advanced.
- Choose Authentication:
  - API Token (Recommended): Generate a secure scoped token.
  - Legacy Credentials: E-Mail address + Global API Key.
- Select which active domain zones you wish to initialize.
To use the recommended API Token method, you must generate a token in your Cloudflare account.
You can jump directly to the Cloudflare API Tokens Dashboard or follow these steps manually:
- Log in to the Cloudflare Dashboard.
- In the top right, click on your Profile Icon and select My Profile.
- Go to the API Tokens tab.
- Click Create Token and select Create Custom Token.
For a comprehensive step-by-step tutorial, refer to the official Cloudflare Token Creation Guide.
Ensure your generated API Token follows the Principle of Least Privilege. Grant access solely to the required scopes for your selected domains:
- `Analytics` (Read) - For traffic & security metrics.
- `Zone` (Read) - For zone discovery and metadata.
- `Zone Settings` (Read/Edit) - For performance and network toggles.
- `Page Rules` (Read/Edit) - For URL filter management.
- `DNS` (Read/Edit) - For DDNS updates and record control.
- `Firewall Services` (Read/Edit) - For custom WAF rule toggles.
- `Cache Rules` (Read/Edit) - For advanced Cache rules.
- `Email Routing` (Read/Edit) - For email forwarding rule control.
- `Cache Purge` (Edit) - For manual cache clearing.

- `Cloudflare Zero Trust` (Read/Edit) - For Tunnels and Gateway policies.
- `Workers Scripts` (Read) - For Worker status tracking.
- `Cloudflare Pages` (Read) - For project deployment status.
- `Cloudflare Images` (Read) - For storage capacity monitoring.
- `Load Balancing` (Read) - For health diagnostics of LB pools.
- `Registrar` (Read/Edit) - For domain management and auto-renew toggles.
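
An added example (not part of the integration's code) that applies the least-privilege advice above: it compares what a token was granted with what the features you actually use require, using the scope list from this README. The input dictionaries, the zone names and the reading that `Read` is enough when a feature is only monitored are assumptions of this sketch.

```python
LEVELS = {"Read": 1, "Edit": 2}

# Highest level this README lists for each permission (transcribed from the list above).
README_MAX = {
    "Analytics": "Read", "Zone": "Read", "Zone Settings": "Edit",
    "Page Rules": "Edit", "DNS": "Edit", "Firewall Services": "Edit",
    "Cache Rules": "Edit", "Email Routing": "Edit", "Cache Purge": "Edit",
    "Cloudflare Zero Trust": "Edit", "Workers Scripts": "Read",
    "Cloudflare Pages": "Read", "Cloudflare Images": "Read",
    "Load Balancing": "Read", "Registrar": "Edit",
}


def audit_token(granted, needed, token_zones, selected_zones):
    """Compare a token's grants ({permission: "Read"|"Edit"}) with what the
    enabled features need; return sorted (kind, detail) findings."""
    findings = []
    for perm, level in needed.items():
        if perm not in README_MAX or LEVELS[level] > LEVELS[README_MAX[perm]]:
            raise ValueError(f"README does not list {perm}:{level}")
        if LEVELS.get(granted.get(perm), 0) < LEVELS[level]:
            findings.append(("missing", f"{perm}:{level}"))
    for perm, level in granted.items():
        want = LEVELS.get(needed.get(perm), 0)
        if perm not in README_MAX:
            findings.append(("excess", f"{perm}:{level} is not in the README list"))
        elif want == 0:
            findings.append(("excess", f"{perm}:{level} serves no enabled feature"))
        elif LEVELS[level] > want:
            findings.append(("excess", f"{perm}:{level} granted, {needed[perm]} suffices"))
    for zone in sorted(set(token_zones) - set(selected_zones)):
        findings.append(("excess", f"zone {zone} is not selected in the integration"))
    return sorted(findings)


def demo():
    # Constructed sample: analytics, DDNS and cache purge in use, settings only monitored.
    granted = {"Zone": "Read", "Analytics": "Read", "DNS": "Edit",
               "Zone Settings": "Edit", "Registrar": "Edit", "Billing": "Edit"}
    needed = {"Zone": "Read", "Analytics": "Read", "DNS": "Edit",
              "Zone Settings": "Read", "Cache Purge": "Edit"}
    return audit_token(granted, needed,
                       token_zones=["example.com", "example.org"],
                       selected_zones=["example.com"])


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind:8} {detail}")
```

Each `excess` finding is a grant to remove from the token; each `missing` finding explains an entity that would fail to load or a toggle that would be rejected.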
The integration provides powerful actions for deployment management.
Purges files stored on edge cache layers.
- `zone_id`: (Required) Unique identifier of the domain zone.
- `purge_everything`: (Optional) Clears all cached elements if True (default: `true`).
- `files`: (Optional) Specify exact asset URLs to selectively wipe.
Updates IP targets.
- `zone_id`: (Required) Target Cloudflare Zone.
- `record_id`: (Required) Cloudflare record reference.
- `name`: (Required) Record name string (e.g. `sub.example.com`).
- `type`: (Required) Protocol format (`A`, `CNAME`, `AAAA`).
- `content`: (Required) Upstream destination.
Constructs completely new entries.
- `zone_id`: (Required) Domain reference.
- `name`: (Required) Title endpoint string.
- `type`: (Required) Schema type.
- `content`: (Required) IP binding.
Auto-Disable Dev Mode After Hours
```yaml
alias: "Cloudflare: Time Dev Mode"
trigger:
  - platform: state
    entity_id: switch.example_com_development_mode
    to: "on"
    for:
      hours: 4
action:
  - target:
      entity_id: switch.example_com_development_mode
    action: switch.turn_off
```
Respond to Threat Spikes
```yaml
alias: "Cloudflare: Under Attack State"
trigger:
  - platform: numeric_state
    entity_id: sensor.example_com_threats_blocked
    above: 25
action:
  - target:
      entity_id: select.example_com_security_level
    action: select.select_option
    data:
      option: "under_attack"
```
Push Alerts on VPN Tunnel Failures
```yaml
alias: "Cloudflare: Tunnel Status Notification"
trigger:
  - platform: state
    entity_id: binary_sensor.tunnel_main_gateway
    to: "off"
action:
  - action: notify.notify
    data:
      title: "Tunnel Error"
      message: "Gateway link dropped."
```
Check token permissions. Tokens restricted from accessing general lists fail verification. Verify Zone read privileges.
Specific operations rely upon the Tier setup in Cloudflare profiles. Free profiles lack some complex variables.
Uses:
- `ruff` linting
- `pytest` frameworks
- `mypy` validation
Built from the ground up to provide a complete replacement for basic dynamic IP workflows.
MIT License - see the LICENSE file for details.