Cloudflare Gateway Pi-hole Scripts (CGPS)
Cloudflare Gateway allows you to create custom rules to filter HTTP, DNS, and network traffic based on your firewall policies. This is a collection of scripts that can be used to get a similar experience as if you were using Pi-hole, but with Cloudflare Gateway - so no servers to maintain or need to buy a Raspberry Pi!
About the individual scripts
cf_list_delete.js- Deletes all lists created by CGPS from Cloudflare Gateway. This is useful for subsequent runs.
cf_list_create.js- Takes an input.csv file containing domains and creates lists in Cloudflare Gateway
cf_gateway_rule_create.js- Creates a Cloudflare Gateway rule to block all traffic if it matches the lists created by CGPS.
cf_gateway_rule_delete.js- Deletes the Cloudflare Gateway rule created by CGPS. Useful for subsequent runs.
- Support for basic hosts files
- Full support for domain lists
- Automatically cleans up filter lists: removes duplicates, invalid domains, comments and more
- Works fully unattended
- Whitelist support, allowing you to prevent false positives and breakage by forcing trusted domains to always be unblocked.
- Optional health check: Sends a ping request ensuring continuous monitoring and alerting for the workflow execution.
- Node.js installed on your machine
- Cloudflare Zero Trust account - the Free plan is enough. Use the Cloudflare documentation for details.
- Cloudflare email, API key (NOT the API token), and account ID
- A file containing the domains you want to block - max 300,000 domains for the free plan - in the working directory named
input.csv. Mullvad provides awesome DNS blocklists that work well with this project. A bash script that downloads recommended blocklists,
get_recommended_filters.sh, is included.
- Optional: You can whitelist domains by putting them in a file
whitelist.csv. You can also use the
get_recomended_whitelist.shBash script to get the recommended whitelists.
- Clone this repository.
npm installto install dependencies.
.envand fill in the values.
- If this is a subsequent run, execute
node cf_list_delete.js(in order) to delete old data.
- If you're on Linux and haven't downloaded any filters yourself, use the
get_recommended_filters.shscript to download recommended filter lists (about 250 000 domains).
node cf_list_create.jsto create the lists in Cloudflare Gateway. This will take a while.
node cf_gateway_rule_create.jsto create the firewall rule in Cloudflare Gateway.
Running in GitHub Actions
These scripts can be run using GitHub Actions so your filters will be automatically updated and pushed to Cloudflare Gateway. This is useful if you are using a frequently updated malware blocklist.
Please note that the GitHub Action downloads the recommended blocklists and whitelist by default. You can change this behavior by editing the file.
- Create a new empty, private repository. Forking or public repositories are discouraged, but supported - although the script never leaks your API keys and GitHub Actions secrets are automatically redacted from the logs, it's better to be safe than sorry.
- Create the following GitHub Actions secrets in your repository settings:
CLOUDFLARE_API_KEY: Your Cloudflare API key
CLOUDFLARE_ACCOUNT_ID: Your Cloudflare account ID
CLOUDFLARE_ACCOUNT_EMAIL: Your Cloudflare account email
CLOUDFLARE_LIST_ITEM_LIMIT: The maximum number of blocked domains allowed for your Cloudflare Zero Trust plan. Use 300000 for the free plan or if you're unsure.
PING_URL: /Optional/ The HTTP(S) URL to ping (using curl) after the GitHub Action has successfully updated your filters. Useful for monitoring.
- Create a new file in the repository named
.github/workflows/main.ymlwith the contents of
auto_update_github_action.ymlfound in this repository. The default settings will update your filters every week at 3 AM UTC. You can change this by editing the
- Enable GitHub Actions in your repository settings.
DNS setup for Cloudflare Gateway
- Go to your Cloudflare Zero Trust dashboard, and navigate to Gateway -> DNS Locations.
- Click on the default location or create one if it doesn't exist.
- Configure your router or device based on the provided DNS addresses.
Alternatively, you can install the Cloudflare WARP client and log in to Zero Trust. This method proxies your traffic over Cloudflare servers, meaning it works similarly to a commercial VPN.
Pi-hole or Adguard Home?
- Complex setup to get it working outside your home
- Requires a Raspberry Pi
- DNS filtering is disabled after 300,000 queries per month on the free plan
- Requires a valid credit card
- Limit of 300k domains on the free plan
a hosts file?
- Potential performance issues, especially on Windows
- No filter updates
- Doesn't work for your mobile device
- No statistics on how many domains you've blocked
MIT License. See
LICENSE for more information.
If you would like to donate to support this project, you can do so via Liberapay - click the Sponsor button or see my GitHub profile for the link.