TLS version control and configuration for separate DNS records

Hi! I have a problem for which I’m looking for a fix, so I want to ask you whether the TLS version can be controlled and configured not only for the whole domain (site) but for every separate DNS record?
Thanks in advance!

Regards,
Kristian Kiradzhiyski

Hi! I’ve searched for information about whether it’s necessary to buy a plan in order to create a custom TLS config for every separate domain, and I found it’s not needed because it’s possible in every plan (never mind whether it’s free or not), but the pricing for this service is $10/zone/mo. Can you tell us what the meaning of this /zone/mo is? And the next question is: will it be enough to buy only the service and do our TLS configuration for every separate DNS zone we want, or do we need to create an API for it too? Is the API a prerequisite for this configuration? Do we need only the service for this $10, or only the API, or both of them? Our idea is to use logic which can check if a subnet is contained in a list and, if it’s there, to let it access, or if it’s not in the list, to block its access.

I’m wondering if we need the API and if this API can do this check about subnet when someone tries to access?

Thanks in advance!

Regards,
Kristian Kiradzhiyski

Hi @kkiradzhiyski,

That refers to the cost of $10 per DNS zone (domain) per month for the custom TLS configuration service.

The API is not necessary to run the custom TLS configurations. However, if you want to automate the workflow, the API might be useful and a good way of doing it.

The API itself does not accomplish this on its own. You need to use Cloudflare’s firewall rules to control access based on IP addresses or subnets. This can then be configured manually or via the API, depending on your preferences.

Hi! Thank you very much for your reply. I have some other questions. How is it possible to configure TLS 1.0 and 1.1 to be allowed only for specific IPs or for specific subdomains? Can you tell us which of the ways is best practice for this configuration? The task we have to do is to configure TLS 1.0 and 1.1 for determined subdomains and at the same time have all other subdomains work with 1.2 and 1.3. Please send us detailed, step-by-step information if possible. Do we need to buy the Advanced Certificate Manager service as a prerequisite to fulfil the task or not? Thanks in advance!

Regards,
Kristian Kiradzhiyski

You would create a WAF rule that blocks all connections that use TLSv1.0 and 1.1 unless they come from the specified IPs.

1 Like

Hi! Would it be possible to create a WAF rule for all 506 IP addresses, because that’s the number of IPs?

The easiest way would be to create a list for the IP addresses…
https://dash.cloudflare.com/?to=/:account/configurations/lists
(as that’s easier to create and manage)

…then refer to that in the WAF using “IP source address” and either “is in list” or “is not in list” (“is not in list” is often easier to use as it can make exceptions to rules that cover everything else).

2 Likes
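The rule described in the two answers above (“block TLSv1.0/1.1 unless the source IP is in a list”, scoped to the subdomains that still need legacy TLS) can be modelled offline to check the allow-list before it is deployed. The following Python is an added example, not code from the thread or from Cloudflare; the IP list, the hostnames and the connection log lines are constructed sample values, and the field names in the comments are only a sketch of the “IP source address” / “is in list” rule the answer refers to, not the platform’s exact syntax. It goes slightly beyond the thread by also restricting the legacy exception to named subdomains, since that was the original requirement.

```python
import ipaddress

# Constructed sample allow-list: the sources still permitted to negotiate
# TLS 1.0/1.1. The thread mentions 506 entries; these three stand in for them.
# Single addresses and CIDR subnets may be mixed, as in a Cloudflare IP list.
LEGACY_TLS_SOURCES = [
    "203.0.113.17",
    "198.51.100.0/24",
    "2001:db8:1::/48",
]

# Constructed: only these subdomains keep the legacy-TLS exception at all.
LEGACY_TLS_HOSTS = {"legacy.example.com", "old-api.example.com"}

LEGACY_TLS = {"TLSv1.0", "TLSv1.1"}
MODERN_TLS = {"TLSv1.2", "TLSv1.3"}


def build_list(entries):
    """Parse the list once; a bare IP becomes a /32 or /128 network."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_in_list(src_ip, networks):
    """Equivalent of the WAF 'IP source address is in list' check."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in networks)


def decide(src_ip, tls_version, host, networks):
    """Mirror of the rule from the answers:
    block TLSv1.0/1.1 unless (host is a legacy host AND source is in the list).
    Modern TLS is always allowed; anything older or unknown is blocked."""
    if tls_version in MODERN_TLS:
        return "allow"
    if tls_version in LEGACY_TLS:
        if host in LEGACY_TLS_HOSTS and is_in_list(src_ip, networks):
            return "allow"
        return "block"
    return "block"  # e.g. SSLv3 or an unparseable version string


def evaluate_log(lines, networks):
    """Run the decision over constructed 'src= tls= host=' log lines and
    return a list of (src, tls, host, decision) tuples plus a block count."""
    results = []
    blocked = 0
    for line in lines:
        fields = dict(part.split("=", 1) for part in line.split())
        d = decide(fields["src"], fields["tls"], fields["host"], networks)
        blocked += d == "block"
        results.append((fields["src"], fields["tls"], fields["host"], d))
    return results, blocked


# Constructed sample connection records, not real traffic.
SAMPLE_LOG = [
    "src=203.0.113.17 tls=TLSv1.0 host=legacy.example.com",   # listed -> allow
    "src=203.0.113.18 tls=TLSv1.0 host=legacy.example.com",   # not listed -> block
    "src=198.51.100.9 tls=TLSv1.1 host=www.example.com",      # wrong host -> block
    "src=198.51.100.9 tls=TLSv1.3 host=www.example.com",      # modern -> allow
    "src=2001:db8:1::5 tls=TLSv1.1 host=old-api.example.com", # v6 subnet -> allow
    "src=203.0.113.17 tls=SSLv3 host=legacy.example.com",     # too old -> block
]

if __name__ == "__main__":
    nets = build_list(LEGACY_TLS_SOURCES)
    rows, n_blocked = evaluate_log(SAMPLE_LOG, nets)
    for row in rows:
        print("%-16s %-8s %-22s %s" % row)
    print("blocked:", n_blocked)
```

Keeping the list as CIDR entries and testing with `ipaddress` catches typos (an invalid entry raises at `build_list`) before the same entries are pasted into the dashboard list, and the per-host condition shows why a single “is not in list” block rule is simpler to reason about than one rule per subdomain: every other hostname falls through to the block branch by default.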
