Hey all!
I have a bunch of services running on my home server and was looking to expose some of them publicly via Cloudflare tunnel. This is done and working great using the origin server certificate and strict TLS.
Up until now, I’ve been using self-signed certs internally but now I don’t want to deal with the “proceed anyway” crap on browsers. I have Traefik set up to get certs from Cloudflare using DNS challenge and that seems to be working.
So, now my problem is: how do I switch between these certificates for the same URL when I’m internal vs public? I’d rather keep that traffic local if I’m at home, which is also working, I just can’t figure out how to get Traefik to use the appropriate certificate depending on if the request is coming from my LAN or Cloudflare.
Any suggestions? Is there a better way to accomplish what I want to do?
EDIT: Looks like I’m just going full Cloudflare on this one, thanks for your help everyone!
Why would you need to continue using the self-signed certificates for the Cloudflare connection? Just use the valid certificate for all connections.
I’m not using self-signed anymore, I’m getting them from Cloudflare via DNS challenge
There’s two ways around the symptoms you’re trying to treat:
- Don’t bother with internal vs external. Always route through external which gets encrypted by the origin cert to CloudFlare and then CloudFlare to your browser. This is simplest in that you don’t need to manage two sets of DNS records and you don’t end up with different certificates for the same domain (in the odd event where you end up needing to do something like certificate pinning). Or;
- Just add the origin cert to your systems’ trust store. You know the certificate, it will encrypt the traffic anyway, also you’re accessing the service via intranet so there’s really no attack vector here.
Probably worth calling out that although 1 feels like there’s more hops (and there absolutely are), with any decent internet, you’re probably not going to feel it. This is because the edge server is probably situated very close to your ISP (that’s how they make sure everything responds quickly) so your over all round trip should only be affected by a negligible amount of time that you most likely won’t notice.
Barring any Traefik tricks that allows me to accomplish what I’m after, I was thinking of going with your “third” option of just letting it use Cloudflare for everything but, I had to check with the experts first before just doing it.
I have some apps that complain or, in one case, flat out doesn’t work if the cert is invalid. I’ve been working around it (sort of) but it would be nice to have it set up “correctly” for once. If routing all traffic through Cloudflare is the answer, so be it ¯_(ツ)_/¯
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters CA (SSL) Certificate Authority CF CloudFlare DNS Domain Name Service/System IP Internet Protocol SSL Secure Sockets Layer, for transparent encryption
4 acronyms in this thread; the most compressed thread commented on today has 5 acronyms.
[Thread #743 for this sub, first seen 10th May 2024, 01:55] [FAQ] [Full list] [Contact] [Source code]