Cloudflare sits between your server and the internet. It absorbs DDoS attacks, caches static content, terminates SSL, and accelerates delivery through 330+ data centers worldwide. But managing Cloudflare through its own dashboard while simultaneously managing your server through a different panel means constant context-switching, duplicate effort, and the risk of configuration drift.
Panelica eliminates that problem. Its built-in Cloudflare module connects directly to the Cloudflare API and brings every critical operation — DNS management, firewall rules, cache control, SSL configuration, analytics, and multi-account management — into the same panel where you manage your server.
This guide covers everything: from connecting your first Cloudflare account to managing WAF custom rules across multiple accounts, with real-world scenarios for every feature.
40 API Endpoints
7 Management Tabs
26 Granular Permissions
∞ Multi-Account Support
In This Article
- How the Integration Works — Architecture Overview
- Connecting Your Cloudflare Account (Multi-Account Support)
- Zone Management — Create, Monitor, Delete
- DNS Record Management — Full CRUD with Drift Detection
- Quick Actions — Cache, SSL, Under Attack Mode
- Mail DNS Sync — 6-Record Email Authentication in One Click
- WAF Custom Rules — IP Blocking, Country Filtering, Bot Protection
- Zone Analytics — Traffic, Bandwidth, Threats, Countries
- Page Rules — URL-Based Behavior Configuration
- IP Sync — Keep Cloudflare Pointed at Your Server
- Multi-User Access Control — Who Can Do What
- Real-World Scenarios — From Setup to Crisis Response
- Security Model — How Your API Keys Are Protected
1. How the Integration Works — Architecture Overview
Panelica does not proxy your traffic or sit between Cloudflare and your server. It communicates directly with the Cloudflare API (v4) using your API credentials, executing the same operations you would perform in the Cloudflare dashboard — but from within your server panel.
PANELICA CLOUDFLARE INTEGRATION

Panelica Panel (Browser)
  Cloudflare Module: 7 tabs, zone select, credential selector
        ◄──► HTTPS/WSS, REST API
Panelica Backend (Go binary)
  CF Service (4400 lines)
        ▼ HTTPS, headers X-Auth-Email and X-Auth-Key
Cloudflare API (api.cloudflare.com/client/v4/)
  Zones, DNS, Firewall, Cache, SSL, Analytics

KEY FEATURES:
• AES-256 encrypted API key storage
• 15-minute zone cache with stale fallback
• Concurrent zone enrichment (10 parallel)
• IPv4-only HTTP client (prevents v6 hangs)
• SSRF protection (private IP blocking)
• Full audit logging (request/response)
The backend service is 4,400 lines of Go code with 52 methods covering every Cloudflare operation. A 15-minute in-memory cache reduces API calls, with a stale fallback of up to 1 hour if the Cloudflare API is temporarily unavailable. Zone settings (SSL mode, security level, HTTPS redirect) are fetched concurrently using goroutines with a semaphore of 10 to respect Cloudflare's rate limits.
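The caching and concurrency behaviour described above can be sketched as follows. This is an added example, not Panelica's code: the type and function names are hypothetical, the fetch function stands in for the Cloudflare API call, and the 1-hour limit is assumed to be measured from the last successful fetch.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

const (
	freshFor    = 15 * time.Minute // serve from memory without calling the API
	staleFor    = time.Hour        // assumption: oldest entry usable as fallback
	maxParallel = 10               // concurrent settings lookups
)

// ZoneCache keeps the last successful zone listing for one credential.
type ZoneCache struct {
	mu      sync.Mutex
	zones   []string
	have    bool
	fetched time.Time
	now     func() time.Time         // injectable clock
	fetch   func() ([]string, error) // stands in for the Cloudflare API call
}

// Get returns the zones and whether they came from the stale fallback, so
// callers can mark outdated SSL or security settings instead of trusting them.
func (c *ZoneCache) Get() (zones []string, stale bool, err error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	age := c.now().Sub(c.fetched)
	if c.have && age < freshFor {
		return c.zones, false, nil
	}
	fresh, ferr := c.fetch()
	if ferr == nil {
		c.zones, c.have, c.fetched = fresh, true, c.now()
		return fresh, false, nil
	}
	if c.have && age < staleFor {
		return c.zones, true, nil // API down: degrade, but say so
	}
	return nil, false, fmt.Errorf("zone list unavailable and cache too old: %w", ferr)
}

// EnrichAll calls enrich for every zone with at most maxParallel calls in
// flight, using a buffered channel as the semaphore.
func EnrichAll(zones []string, enrich func(zone string) (string, error)) (map[string]string, error) {
	sem := make(chan struct{}, maxParallel)
	var (
		wg   sync.WaitGroup
		mu   sync.Mutex
		errs []error
	)
	out := make(map[string]string, len(zones))
	for _, z := range zones {
		wg.Add(1)
		sem <- struct{}{} // blocks while 10 calls are already running
		go func(z string) {
			defer wg.Done()
			defer func() { <-sem }()
			v, err := enrich(z)
			mu.Lock()
			defer mu.Unlock()
			if err != nil {
				errs = append(errs, fmt.Errorf("%s: %w", z, err))
				return
			}
			out[z] = v
		}(z)
	}
	wg.Wait()
	return out, errors.Join(errs...)
}

func main() {
	c := &ZoneCache{now: time.Now, fetch: func() ([]string, error) {
		return []string{"example.com"}, nil // constructed sample data
	}}
	zones, stale, err := c.Get()
	fmt.Println(zones, stale, err)
	settings, err := EnrichAll(zones, func(string) (string, error) { return "strict", nil })
	fmt.Println(settings, err)
}
```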
2. Connecting Your Cloudflare Account (Multi-Account Support)
Panelica supports connecting multiple Cloudflare accounts to a single panel installation. This is essential for agencies managing client Cloudflare accounts, hosting companies with separate accounts per division, or administrators with personal and business accounts.
Scenario: Agency with 3 Client Accounts
Situation: A web agency manages servers for three clients. Each client has their own Cloudflare account with their own domains. The agency administrator needs to manage all three from one Panelica panel.
Setup in Panelica:
- Navigate to Domains → Cloudflare → Settings
- Click "Add Credential"
- Enter: Name = "Client A — E-commerce", Email = [email protected], API Key
- Panelica tests the connection automatically (calls the Cloudflare /user endpoint)
- Repeat for "Client B — SaaS" and "Client C — Media"
- Set one as default (used when no credential is explicitly selected)
Result: The Zones tab now shows a credential selector dropdown. The administrator can switch between accounts instantly. All 3 accounts' zones appear in a unified list when "All Accounts" is selected. Each operation (DNS, cache, firewall) is executed against the correct account automatically.
MULTI-ACCOUNT CREDENTIAL MANAGEMENT

Settings Tab → Credentials
| Name | Email | Zones | Default |
| Client A | [email protected] | 12 | ★ |
| Client B | [email protected] | 5 | |
| Client C | [email protected] | 8 | |
| Personal | [email protected] | 3 | |
★ = Default credential
[+ Add Credential] [Edit] [Delete]

Zones Tab → Credential Selector
- All Accounts (28 zones) ← Aggregates all accounts
- Client A (12 zones)
- Client B (5 zones)
- Client C (8 zones)
- Personal (3 zones)

Every operation passes the correct credential_id.
No cross-account leakage. Fail-closed security.
Credential security: API keys are encrypted with AES-256 before storage. They are never exposed in API responses — only a masked version (****a1b2) is shown in the UI. Decryption happens only at the moment of a Cloudflare API call, in server memory, never written to logs.
3. Zone Management — Create, Monitor, Delete
The Zones tab is your command center. It displays all zones across all connected accounts with real-time status information.
| Column | What It Shows | Why It Matters |
| Zone Name | Domain name (e.g., example.com) | Identifies the domain |
| Status | Active / Pending / Paused | Pending = nameservers not yet pointed to Cloudflare |
| Plan | Free / Pro / Business / Enterprise | Determines available features |
| SSL Mode | Off / Flexible / Full / Strict | Fetched concurrently from Cloudflare settings |
| Security Level | Essentially Off / Low / Medium / High / Under Attack | Current challenge mode |
| IP Sync | Green checkmark or red cross | Whether the root A record matches your server IP |
| Panelica Domain | Linked / Unlinked | Whether this zone corresponds to a domain in Panelica |
Creating a New Zone
You can add domains to Cloudflare directly from Panelica without opening the Cloudflare dashboard:
- Click "Add Zone" in the Zones tab
- Select the Cloudflare account (credential) to use
- Enter the domain name
- Select the Cloudflare account (organization) from the dropdown
- Optionally enable Jump Start — Cloudflare will auto-import existing DNS records from your registrar
- Click Create — the zone is created via the Cloudflare API
- Cloudflare returns the nameservers to point your domain to (e.g., ada.ns.cloudflare.com)
Bulk IP Sync
When you migrate servers or change IP addresses, every zone's A record needs updating. Instead of editing 28 zones one by one:
- Select multiple zones using the checkboxes
- Click "Bulk Sync IP"
- Confirm the server IP (auto-detected from Panelica settings)
- Panelica updates the root A record for every selected zone in parallel
4. DNS Record Management — Full CRUD with Drift Detection
The DNS tab provides complete DNS management with support for 8 record types.
SUPPORTED DNS RECORD TYPES
| Type | Meaning | Example |
| A | IPv4 address | 192.168.1.1 |
| AAAA | IPv6 address | 2001:db8::1 |
| CNAME | Canonical name | www → example.com |
| MX | Mail exchanger | mail.example.com (pri: 10) |
| TXT | Text record | v=spf1 ip4:... -all |
| NS | Name server | ns1.example.com |
| SRV | Service locator | _sip._tcp 5060 sip.example.com |
| CAA | Cert authority auth | 0 issue "letsencrypt.org" |

A and CNAME records support the Cloudflare proxy toggle (orange cloud = proxied through Cloudflare CDN).
Scenario: Setting Up a New Website with CDN
Situation: You have created a domain store.example.com in Panelica and want to configure Cloudflare DNS with CDN acceleration.
Steps in Panelica:
- Go to Cloudflare → DNS, select the example.com zone
- Click "Add Record"
- Type: A, Name: store, Content: your server IP
- Toggle Proxied: ON (orange cloud — routes traffic through Cloudflare CDN)
- TTL: Auto (Cloudflare manages TTL for proxied records)
- Click Create
Now add the www redirect:
- Add another record: Type: CNAME, Name: www.store, Content: store.example.com, Proxied: ON
Result: store.example.com now routes through Cloudflare's CDN. Static assets (images, CSS, JS) are cached at 330+ edge locations. DDoS protection is active. The Panelica panel shows both records with the orange cloud icon indicating CDN is enabled.
Drift Detection
When a domain exists in both Panelica and Cloudflare, the DNS tab compares their records. If the Cloudflare A record points to a different IP than your Panelica server, a Drift indicator appears — alerting you that DNS is out of sync.
5. Quick Actions — Cache, SSL, Under Attack Mode
The Quick Actions tab provides one-click access to the most frequently used Cloudflare operations, with real-time status display.
- Purge Cache: Clears all cached content from Cloudflare's 330+ edge servers. Use after deploying new CSS/JS, updating images, or fixing cached errors. Takes effect globally within seconds.
- Development Mode: Temporarily bypasses Cloudflare's cache for 3 hours. Every request hits your origin server. Essential during active development when you need to see changes immediately without purging cache repeatedly. Auto-disables after 3 hours.
- Under Attack Mode: Presents a JavaScript challenge (interstitial page) to every visitor before allowing access. Filters out most automated attacks. Use during active DDoS or brute force attacks. Disable when the attack subsides to restore normal user experience.
- SSL Mode: Controls how Cloudflare handles HTTPS. Off: No encryption. Flexible: Encrypted browser-to-Cloudflare, unencrypted Cloudflare-to-server. Full: Encrypted both ways, self-signed cert OK. Strict: Encrypted both ways, valid certificate required. Always use Full (Strict) for production.
- Always Use HTTPS: Redirects all HTTP requests to HTTPS. Equivalent to adding a 301 redirect rule for every URL on your domain. One toggle instead of modifying server configuration.
Scenario: Your Site Is Under DDoS Attack
Situation: At 2 AM, your monitoring alerts you that store.example.com is receiving 50,000 requests per second. Legitimate users cannot load the page. Your server CPU is at 100%.
Emergency response from Panelica (30 seconds):
- Open Cloudflare → Quick Actions
- Select the affected zone
- Click "Under Attack Mode: ON" — Cloudflare now challenges every visitor
- Attack traffic drops from 50,000 req/s to under 100 — only humans solving the JS challenge get through
- Server CPU drops to normal within seconds
- Open Cloudflare → Firewall tab
- Create a WAF rule: ip.geoip.country in {"RU" "CN" "BR"} → Block (if attack source is identifiable)
- Once attack subsides: disable Under Attack Mode, keep the WAF rule active
Result: Total response time: under 60 seconds. No SSH needed. No Cloudflare dashboard login needed. Everything handled from the same panel where you manage your server. The attack is logged in Panelica's Cloudflare audit log with timestamps and actions taken.
6. Mail DNS Sync — 6-Record Email Authentication in One Click
Email authentication is one of the most complex DNS configurations to get right. Gmail, Outlook, and Yahoo now enforce strict authentication requirements — without proper SPF, DKIM, and DMARC records, your emails land in spam or get rejected entirely.
Panelica's Sync Mail DNS action creates or updates all 6 required records in a single click:
MAIL DNS SYNC — 6 RECORDS IN ONE CLICK

Record 1: MX
- Name: example.com
- Content: mail.example.com
- Priority: 10
- Purpose: Tells senders where to deliver email

Record 2: A (Mail Server)
- Name: mail.example.com
- Content: 203.0.113.50 (your server IP)
- Proxied: OFF (mail MUST NOT go through CDN)
- Purpose: Points mail subdomain to your server

Record 3: TXT (SPF — Root Domain)
- Name: example.com
- Content: v=spf1 ip4:203.0.113.50 -all
- Purpose: Authorizes your IP to send email for domain (-all = hard fail, Gmail 2025+ requirement)

Record 4: TXT (SPF — Mail Subdomain)
- Name: mail.example.com
- Content: v=spf1 ip4:203.0.113.50 -all
- Purpose: SPF for HELO/EHLO identity (fixes vacation email SPF failures)

Record 5: TXT (DKIM)
- Name: default._domainkey.example.com
- Content: v=DKIM1; h=sha256; k=rsa; p=MIIBIjAN...
- Purpose: Cryptographic signature proving email came from your server (2048-bit RSA key)

Record 6: TXT (DMARC)
- Name: _dmarc.example.com
- Content: v=DMARC1; p=quarantine; rua=mailto:postmaster@example.com; ruf=mailto:[email protected]; fo=1
- Purpose: Instructs receivers to quarantine emails that fail SPF/DKIM alignment. Reports sent to admin.

Status per record: CREATED | UPDATED | UNCHANGED | ERROR
DKIM key: Auto-generated if not exists (2048-bit RSA)
OpenDKIM: Config auto-updated (KeyTable, SigningTable)
Gmail 2025+ compliance: This configuration meets Google's Bulk Sender Requirements — SPF with hard fail (-all), aligned DKIM, DMARC with p=quarantine, and TLS. Your emails will land in inbox, not spam.
Scenario: Setting Up Email for a New Domain
Situation: You have set up email accounts for example.com using Panelica's email module (Postfix + Dovecot). Now you need the DNS records in Cloudflare so emails actually work.
Steps:
- Go to Cloudflare → Quick Actions
- Select the example.com zone
- Click "Sync Mail DNS"
- Panelica auto-detects your server IP and generates all 6 records
- If no DKIM key exists, Panelica generates a 2048-bit RSA key pair and updates OpenDKIM configuration
- Each record is created or updated (idempotent — safe to run multiple times)
- Status report shows: MX (created), A (created), SPF (created), Mail SPF (created), DKIM (created), DMARC (created)
Result: Complete email authentication in one click. Send a test email to Gmail — it will pass SPF, DKIM, and DMARC checks. No manual DNS editing. No copy-pasting DKIM keys. No forgetting the mail subdomain SPF record that causes autoresponder failures.
7. WAF Custom Rules — IP Blocking, Country Filtering, Bot Protection
The Firewall tab manages Cloudflare's Web Application Firewall using the modern Rulesets API. You create rules with Wireshark-style expressions that execute at Cloudflare's edge — before traffic even reaches your server.
| Action | What Happens | When to Use |
| Block | Request rejected with 403 | Known attackers, banned countries |
| Challenge | CAPTCHA presented to visitor | Suspicious but not confirmed malicious |
| JS Challenge | JavaScript verification (no CAPTCHA) | Automated bot filtering |
| Managed Challenge | Cloudflare decides (JS or CAPTCHA) | Best for most scenarios |
| Allow | Bypass all other rules | Whitelist trusted IPs/services |
| Log | Record but allow through | Monitoring before enforcement |
Expression Examples
WAF EXPRESSION EXAMPLES

Block a single IP:
  ip.src == 203.0.113.50

Block an IP range:
  ip.src in {203.0.113.0/24}

Block countries:
  ip.geoip.country in {"CN" "RU" "KP"}

Block bots by user-agent:
  http.user_agent contains "SemrushBot" or
  http.user_agent contains "AhrefsBot"

Protect admin area:
  http.request.uri.path contains "/wp-admin" and
  not ip.src in {203.0.113.0/24}

Block requests without referrer to API:
  http.request.uri.path starts_with "/api/" and
  not any(http.request.headers["referer"][*] contains "example.com")

Rate limit login page (challenge):
  http.request.uri.path == "/wp-login.php" and
  http.request.method == "POST"

Allow known good bots:
  cf.client.bot and ip.src in {66.249.64.0/19}
  (Googlebot IP range — allow)
Scenario: Blocking a Brute Force Attack on WordPress
Situation: Your WordPress site at blog.example.com is receiving 5,000 POST requests per minute to /wp-login.php from IPs across multiple countries. fail2ban is banning IPs locally, but they rotate faster than bans take effect. Your server is struggling under the load.
Steps in Panelica:
- Go to Cloudflare → Firewall
- Select the zone
- Click "Add Rule"
- Description: "Block wp-login brute force"
- Expression: http.request.uri.path == "/wp-login.php" and http.request.method == "POST"
- Action: Managed Challenge
- Enabled: ON
- Click Create
Result: Every POST to wp-login.php now requires passing Cloudflare's challenge — humans pass automatically, bots fail. The 5,000 req/min drops to near zero. Your server load returns to normal instantly. The rule executes at Cloudflare's edge, so attack traffic never reaches your server at all. Your fail2ban can handle the trickle that gets through.
8. Zone Analytics — Traffic, Bandwidth, Threats, Countries
The Analytics tab pulls data from Cloudflare's GraphQL API to provide traffic intelligence for any time range: last 24 hours, 7 days, or 30 days.
Traffic Metrics
Total requests, cached requests (with cache hit ratio percentage), page views, unique visitors — all charted over time as area charts.
Security Metrics
Threats blocked over time as a bar chart. See when attacks peak and how Cloudflare mitigates them before they reach your server.
Geographic Intelligence
Top countries by request count in a table. Identifies your traffic sources — and potential attack origins.
All analytics use Cloudflare's GraphQL API (not the deprecated REST analytics). For 24-hour views, data is aggregated hourly (httpRequests1hGroups). For 7-day and 30-day views, daily aggregation is used (httpRequests1dGroups) to stay within Cloudflare's query limits.
Scenario: Investigating a Traffic Spike
Situation: Your monitoring shows a sudden 10x increase in bandwidth for example.com over the weekend. You did not deploy anything new.
Investigation from Panelica:
- Go to Cloudflare → Analytics
- Select the zone, choose "Last 7 Days"
- The bandwidth chart shows a spike starting Saturday at 14:00
- Check the HTTP Status Distribution donut chart — 92% are 200 OK (legitimate content)
- Check Top Countries table — 78% of traffic from Brazil (you have no Brazilian customers)
- Check Threats Blocked — 0 (Cloudflare did not flag it as malicious)
- Diagnosis: Likely a hotlinked image or viral social media share from Brazil
Action: Go to Firewall tab and create a WAF rule: ip.geoip.country == "BR" and http.request.uri.path contains "/wp-content/uploads/" → Block. Or use a Page Rule to enable Hotlink Protection. Bandwidth returns to normal within minutes.
9. Page Rules — URL-Based Behavior Configuration
The Page Rules tab manages Cloudflare's URL-based behavior rules. Page Rules allow you to set different caching, SSL, and redirection behaviors for specific URL patterns.
Deprecation notice: Cloudflare is migrating Page Rules to newer products (Redirect Rules, Cache Rules, Configuration Rules). Panelica displays a warning banner. Existing rules continue to work, but creating new rules may be restricted on some Cloudflare plans. Consider using WAF custom rules for new configurations.
Common Page Rule configurations:
| URL Pattern | Action | Purpose |
| *example.com/wp-admin/* | Cache Level: Bypass | Never cache WordPress admin pages |
| *example.com/*.jpg | Cache Level: Cache Everything, Edge TTL: 1 month | Aggressively cache images at the edge |
| http://*example.com/* | Always Use HTTPS | Force HTTPS for all pages |
| *old-domain.com/* | Forwarding URL: 301 → https://new-domain.com/$1 | Domain migration redirect |
| *example.com/api/* | SSL: Full (Strict), Security Level: High | Extra security for API endpoints |
10. IP Sync — Keep Cloudflare Pointed at Your Server
When you change servers, change IP addresses, or set up a new domain, the root A record in Cloudflare needs to point to your Panelica server's IP. The IP Sync feature automates this.
IP SYNC FLOW

Step 1: Panelica reads primary_ip from panelica.conf (e.g., 203.0.113.50)

Step 2: Fetches root A record from Cloudflare
  GET /zones/{id}/dns_records?type=A&name={zone}

Step 3: Compares
  Cloudflare A record: 198.51.100.10 (old server)
  Panelica server IP: 203.0.113.50 (current)
  Result: DRIFT DETECTED

Step 4: On "Sync IP" click → Updates A record
  PUT /zones/{id}/dns_records/{record_id}
  content: 203.0.113.50, proxied: true

Step 5: SSRF Protection
  Validates IP is NOT in private/reserved ranges:
  ✗ 10.0.0.0/8
  ✗ 172.16.0.0/12
  ✗ 192.168.0.0/16
  ✗ 127.0.0.0/8
  ✗ 169.254.0.0/16
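The compare-and-validate steps of this flow, as an added example that is not Panelica's code. The function and type names are hypothetical, and the extra reserved ranges beyond the five listed in Step 5 are an assumption about what a fail-closed check should also refuse.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Ranges refused in addition to what the netip helpers cover (assumption;
// the page lists only RFC 1918, loopback and link-local). Documentation
// ranges are not refused here so the page's sample addresses still work.
var extraReserved = []netip.Prefix{
	netip.MustParsePrefix("0.0.0.0/8"),     // "this network"
	netip.MustParsePrefix("100.64.0.0/10"), // carrier-grade NAT
	netip.MustParsePrefix("192.0.0.0/24"),  // IETF protocol assignments
	netip.MustParsePrefix("198.18.0.0/15"), // benchmarking
	netip.MustParsePrefix("240.0.0.0/4"),   // reserved and broadcast
}

// ValidatePublicIPv4 parses s and refuses anything that must never be
// published in a public A record.
func ValidatePublicIPv4(s string) (netip.Addr, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return netip.Addr{}, fmt.Errorf("not an IP address: %w", err)
	}
	addr = addr.Unmap() // treat ::ffff:a.b.c.d as the IPv4 address it wraps
	if !addr.Is4() {
		return netip.Addr{}, errors.New("A records need an IPv4 address")
	}
	if addr.IsPrivate() || addr.IsLoopback() || addr.IsLinkLocalUnicast() ||
		addr.IsMulticast() || addr.IsUnspecified() {
		return netip.Addr{}, fmt.Errorf("%s is private or reserved", addr)
	}
	for _, p := range extraReserved {
		if p.Contains(addr) {
			return netip.Addr{}, fmt.Errorf("%s is in reserved range %s", addr, p)
		}
	}
	return addr, nil
}

// ARecord is the subset of a DNS record needed for the comparison.
type ARecord struct {
	Name    string
	Content string
}

type SyncAction string

const (
	ActionNone   SyncAction = "none"   // root A record already matches
	ActionUpdate SyncAction = "update" // drift: root A record points elsewhere
	ActionCreate SyncAction = "create" // zone has no root A record
)

// PlanSync validates the server IP first (fail closed), then compares parsed
// addresses rather than strings to decide what the sync must do.
func PlanSync(zone, serverIP string, records []ARecord) (SyncAction, error) {
	want, err := ValidatePublicIPv4(serverIP)
	if err != nil {
		return "", fmt.Errorf("refusing to sync %s: %w", zone, err)
	}
	found := false
	for _, r := range records {
		if r.Name != zone {
			continue
		}
		found = true
		if have, err := netip.ParseAddr(r.Content); err == nil && have.Unmap() == want {
			return ActionNone, nil
		}
	}
	if found {
		return ActionUpdate, nil
	}
	return ActionCreate, nil
}

func main() {
	// Constructed records using the page's sample addresses.
	records := []ARecord{{Name: "example.com", Content: "198.51.100.10"}}
	fmt.Println(PlanSync("example.com", "203.0.113.50", records))
	fmt.Println(PlanSync("example.com", "192.168.1.10", records))
}
```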
11. Multi-User Access Control — Who Can Do What
Panelica's RBAC system applies to Cloudflare operations with 26 granular permissions across 4 roles:
CLOUDFLARE PERMISSION MATRIX
| Permission | ROOT | ADMIN | RESELLER | USER |
| View zones | ✓ | ✓ | ✓ | ✓ |
| Create/delete zones | ✓ | ✓ | ✗ | ✗ |
| View DNS records | ✓ | ✓ | ✓ | ✓ |
| Create/edit/delete DNS | ✓ | ✓ | ✓ | ✓ |
| Purge cache | ✓ | ✓ | ✓ | ✓ |
| Development mode | ✓ | ✓ | ✓ | ✓ |
| Under Attack mode | ✓ | ✓ | ✓ | ✓ |
| Change SSL mode | ✓ | ✓ | ✓ | ✓ |
| HTTPS redirect | ✓ | ✓ | ✓ | ✓ |
| IP sync / Mail DNS sync | ✓ | ✓ | ✓ | ✓ |
| View firewall rules | ✓ | ✓ | ✓ | ✓ |
| Create/edit/delete firewall | ✓ | ✓ | ✗ | ✗ |
| View page rules | ✓ | ✓ | ✓ | ✓ |
| Create/edit/delete pages | ✓ | ✓ | ✗ | ✗ |
| View analytics | ✓ | ✓ | ✓ | ✓ |
| Connect/disconnect accounts | ✓ | ✓ | ✓ | ✓ |
| Change settings | ✓ | ✓ | ✓ | ✓ |

VISIBILITY RULES:
- ROOT → Sees ALL zones across ALL users
- ADMIN → Sees own zones + zones of users they created
- RESELLER → Sees own zones + zones of their users
- USER → Sees only their own zones
Multi-tenant security: A RESELLER user can manage Cloudflare for their own clients but cannot see or modify zones belonging to other resellers' clients. The RBAC filtering happens at the backend service level — the frontend never receives data it should not display.
12. Real-World Scenarios — From Setup to Crisis Response
Scenario A: Complete New Client Onboarding
Situation: A new client signs up. They have a domain registered at their registrar, no Cloudflare account yet, and want a fully secured website with email.
Complete workflow in Panelica:
- Cloudflare → Settings: Connect the client's Cloudflare account (or add as a new credential)
- Cloudflare → Zones: Create zone for clientdomain.com with Jump Start enabled
- Note the nameservers returned by Cloudflare → update at registrar
- Cloudflare → DNS: Verify A record points to Panelica server (or use IP Sync)
- Cloudflare → Quick Actions: Set SSL Mode to Full (Strict), enable HTTPS Redirect
- Cloudflare → Quick Actions: Click "Sync Mail DNS" — all 6 email authentication records created
- Cloudflare → Firewall: Create rule to challenge wp-login.php POST requests
- Cloudflare → Analytics: Verify traffic is flowing through Cloudflare
Total time: 5 minutes. Total context switches to Cloudflare dashboard: 0.
Scenario B: Server Migration (Changing IP Address)
Situation: You are migrating from an old server (198.51.100.10) to a new server (203.0.113.50). You have 15 domains on Cloudflare that need their A records updated.
Steps:
- Cloudflare → Zones: All 15 zones show IP Drift — they still point to the old IP
- Select all 15 zones using checkboxes
- Click "Bulk Sync IP"
- Confirm the new server IP (auto-detected: 203.0.113.50)
- Panelica updates all 15 A records in parallel
- All zones show Synced
15 DNS updates in 10 seconds. On the Cloudflare dashboard, this would be 15 separate zone edits.
Scenario C: Investigating Email Delivery Problems
Situation: Emails from [email protected] are landing in Gmail recipients' spam folders. The client reports that some emails are rejected entirely.
Diagnosis and fix:
- Cloudflare → DNS: Select the zone, inspect existing records
- Find: SPF record exists but uses ~all (softfail) instead of -all (hardfail)
- Find: No DKIM record exists
- Find: No DMARC record exists
- Cloudflare → Quick Actions: Click "Sync Mail DNS"
- Panelica creates the missing DKIM and DMARC records, updates the SPF record to -all, adds the mail subdomain SPF record
- Status: SPF (updated), DKIM (created), DMARC (created), Mail SPF (created)
- Wait 15 minutes for DNS propagation
- Send test email — passes SPF, DKIM, and DMARC alignment
One-click fix for a complex 6-record email authentication problem.
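The six-record layout from the Mail DNS Sync section and the diagnosis in Scenario C can be reproduced as an idempotent plan. This is an added example, not Panelica's code: all names are hypothetical, the DKIM key is a constructed placeholder, and the DMARC value sets only rua because the ruf address is obscured on the page.

```go
package main

import (
	"fmt"
	"strings"
)

// Record is a simplified DNS record as a zone listing would return it.
type Record struct {
	Type, Name, Content string
	Priority            int
	Proxied             bool
}

// Want pairs an expected record with its report label. Tag is the TXT
// version prefix that tells SPF, DKIM and DMARC apart from other TXT data.
type Want struct {
	Label, Tag string
	Rec        Record
}

// Result is one line of the status report.
type Result struct{ Label, Status, Reason string }

// DesiredMailRecords builds the six records for a zone and server IP.
func DesiredMailRecords(zone, ip, dkimPub string) []Want {
	mail := "mail." + zone
	spf := "v=spf1 ip4:" + ip + " -all"
	txt := func(name, content string) Record {
		return Record{Type: "TXT", Name: name, Content: content}
	}
	return []Want{
		{"MX", "", Record{Type: "MX", Name: zone, Content: mail, Priority: 10}},
		{"A", "", Record{Type: "A", Name: mail, Content: ip}}, // Proxied stays false
		{"SPF", "v=spf1", txt(zone, spf)},
		{"Mail SPF", "v=spf1", txt(mail, spf)},
		{"DKIM", "v=DKIM1", txt("default._domainkey."+zone,
			"v=DKIM1; h=sha256; k=rsa; p="+dkimPub)},
		{"DMARC", "v=DMARC1", txt("_dmarc."+zone,
			"v=DMARC1; p=quarantine; rua=mailto:postmaster@"+zone+"; fo=1")},
	}
}

// reason explains why an existing record has to be rewritten.
func reason(have Record, tag string) string {
	switch {
	case tag == "v=spf1" && !strings.HasSuffix(strings.TrimSpace(have.Content), " -all"):
		return "SPF does not end in -all (softfail or neutral)"
	case have.Type == "A" && have.Proxied:
		return "mail host is proxied; SMTP cannot pass through the CDN"
	default:
		return "content differs from expected value"
	}
}

// PlanMailSync compares existing records with the desired set. Running it
// again after the plan is applied yields "unchanged" for every record.
func PlanMailSync(existing []Record, wants []Want) []Result {
	results := make([]Result, 0, len(wants))
	for _, w := range wants {
		r := Result{Label: w.Label, Status: "created"}
		for _, e := range existing {
			if e.Type != w.Rec.Type || !strings.EqualFold(e.Name, w.Rec.Name) ||
				!strings.HasPrefix(e.Content, w.Tag) {
				continue // different record, or unrelated TXT data at the same name
			}
			if e == w.Rec {
				r.Status = "unchanged"
			} else {
				r.Status, r.Reason = "updated", reason(e, w.Tag)
			}
			break
		}
		results = append(results, r)
	}
	return results
}

func main() {
	// Constructed zone contents matching Scenario C: softfail SPF, no DKIM or DMARC.
	existing := []Record{
		{Type: "MX", Name: "example.com", Content: "mail.example.com", Priority: 10},
		{Type: "A", Name: "mail.example.com", Content: "203.0.113.50"},
		{Type: "TXT", Name: "example.com", Content: "v=spf1 ip4:203.0.113.50 ~all"},
	}
	wants := DesiredMailRecords("example.com", "203.0.113.50", "CONSTRUCTED_PLACEHOLDER_KEY")
	for _, r := range PlanMailSync(existing, wants) {
		fmt.Printf("%-8s %-9s %s\n", r.Label, r.Status, r.Reason)
	}
}
```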
Scenario D: Multi-Account Management for a Hosting Company
Situation: A hosting company manages 3 Cloudflare accounts (Free, Pro, and Business tier) with a total of 50 zones. They need a unified view and the ability to perform bulk operations across accounts.
Setup:
- Connect all 3 Cloudflare accounts as separate credentials in Panelica
- Name them: "Free Tier Clients", "Pro Tier Clients", "Business Tier Clients"
- Set "Pro Tier Clients" as default
- In the Zones tab, select "All Accounts" — see all 50 zones in one unified list
- Filter by account using the credential dropdown when needed
- Each zone operation automatically uses the correct credential
Result: One panel, three accounts, fifty zones. Switch between accounts with a dropdown. No separate logins. No browser tabs. The credential selector follows you across all 7 tabs — DNS, Firewall, Analytics, Quick Actions all respect the selected account.
13. Security Model — How Your API Keys Are Protected
Cloudflare API keys provide full access to your account. Protecting them is critical.
API KEY SECURITY MODEL

STORAGE
- API keys encrypted with AES-256 before database write
- Encryption key derived from panelica.conf master key
- Masked display in UI: ****a1b2 (last 4 chars only)
- Never exposed in API responses or logs

ACCESS CONTROL
- Each credential bound to user_id (ownership)
- Fail-closed credential passing: every operation requires explicit credential_id. No implicit "use whatever" — must specify which account
- RBAC: Users can only access their own credentials
- Exception: ROOT can access other ROOT credentials (needed for OpsAI cross-server operations)

TRANSPORT
- All Cloudflare API calls over HTTPS (TLS 1.2+)
- API key decrypted in memory only at call time
- IPv4-only HTTP client (prevents IPv6 DNS leaks)
- SSRF protection: Private/reserved IPs rejected

AUDIT
- Every API call logged to cloudflare_logs table
- Request payload, response, duration, status recorded
- Credential ID tracked per operation
- Logs viewable in Quick Actions → Activity Log

VALIDATION
- Credentials tested on save (GET /user)
- is_valid flag updated on each test
- last_validated_at timestamp recorded
- validation_error stored for debugging
Best practice: Use Cloudflare API Tokens (scoped) instead of Global API Keys when possible. A scoped token can be limited to specific zones and permissions — if compromised, the blast radius is smaller. Panelica supports both authentication methods.
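One way to implement the storage rules above, as an added example that is not Panelica's code. The page says only "AES-256"; the GCM mode, the binding of each ciphertext to its credential ID, and all function names are assumptions, and the 32-byte key is taken as given because the page does not describe how it is derived from the master key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM builds an AES-256-GCM AEAD and refuses keys of any other length.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealAPIKey encrypts apiKey for storage. The credential ID is passed as
// additional authenticated data, so a ciphertext copied onto another
// credential's row fails to decrypt instead of leaking across accounts.
func SealAPIKey(key []byte, credentialID, apiKey string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Stored layout: nonce || ciphertext || tag.
	return gcm.Seal(nonce, nonce, []byte(apiKey), []byte(credentialID)), nil
}

// OpenAPIKey decrypts a stored blob at call time. Any mismatch in key,
// credential ID or ciphertext bytes returns an error (fail closed).
func OpenAPIKey(key []byte, credentialID string, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(credentialID))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, wrong credential, or tampered data")
	}
	return string(pt), nil
}

// MaskAPIKey returns the only form that may reach the UI or an API
// response: four asterisks and the last four characters. Short values are
// fully masked so the mask never reveals most of a secret.
func MaskAPIKey(apiKey string) string {
	if len(apiKey) < 8 {
		return "****"
	}
	return "****" + apiKey[len(apiKey)-4:]
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real key is never all zeros
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	secret := "constructed-sample-key-a1b2" // constructed, not a real API key
	blob, err := SealAPIKey(key, "cred-7", secret)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored bytes:", len(blob), "shown in UI:", MaskAPIKey(secret))
	_, err = OpenAPIKey(key, "cred-8", blob)
	fmt.Println("open with another credential ID:", err)
}
```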
The Complete Feature Map
PANELICA CLOUDFLARE MODULE — COMPLETE MAP

- ZONES: List, Create, Delete, IP sync, Bulk sync, Multi account
- DNS: A, AAAA, CNAME, MX, TXT, NS, SRV, CAA
- FIREWALL (WAF): Block, Allow, JS Chal., Managed Chal., Log, Skip
- PAGE RULES: URL pattern, Cache level, SSL, Forward, HTTPS, Status
- QUICK ACTIONS: Purge cache, Dev mode, Under Attack, SSL mode, HTTPS, IP sync, Mail DNS
- ANALYTICS: Traffic, Bandwidth, Threats, Status codes, Country, 24h/7d/30d
- SETTINGS: Multi account creds, Default proxy, Default TTL, Audit logs

40 API Endpoints | 26 Permissions | 7 Tabs | AES-256 Keys
Manage Cloudflare Without Leaving Your Panel
DNS, firewall, cache, SSL, analytics, email authentication — everything in one place. Connect multiple accounts. Control everything from where you already manage your server.
Panelica Cloudflare Integration — because switching between dashboards should not be part of your workflow.