this post was submitted on 17 Sep 2024

28 points (100.0% liked)

Selfhosted

39250 readers

313 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz

I cannot seem to figure out how to get caddy automatic HTTPS to work behind cloud flair proxy. (lemmy.world)

submitted 1 day ago* (last edited 1 day ago) by douglasg14b@lemmy.world to c/selfhosted@lemmy.world

10 comments fedilink hide all child comments

Hopefully you all can help!

I've been to hundreds of threads over the last few days trying to puzzle this out, with no luck.

The problem:

Caddy v2 with acme HTTP-1 ACME challenge (Changed from TLS-ALPN challenge)
Cloudflair DNS with proxy ON
All cloudflair https is off
This is a .co domain

Any attempt to get certificates fails with an invalid challenge response. If I try and navigate (or curl) to the challenge directly I always get SSL validation errors as if all the requests are trying to upgrade to HTTPS.

I'm kind of at my wit's end here and am running out of things to try.

If I turn Cloud flare proxy off and go back to TLS-ALPN challenge, everything works as expected. However I do not wish to expose myself directly and want to use the proxy.

What should I be doing?

top 10 comments

sorted by: hot top controversial new old

[–] chiisana@lemmy.chiisana.net 7 points 1 day ago

It is easier to think of the SSL termination in legs.

Client to Cloudflare; if you’re behind orange cloud, you get this for free, don’t turn orange cloud off unless you want to have direct exposure.
Cloudflare to your sever; use their origin cert, this is easiest and secure. You can even get one made specific so your subdomains, or wildcard of your subdomain. Unless you have specific compliance needs, you shouldn’t need to turn this off, and you don’t need to roll your own cert.
Your reverse proxy to your apps; honestly, it’s already on your machine, you can do self signed cert if it really bothers you, but at the end of the day, probably not worth the hassle.

If, however, you want to directly expose your service without orange cloud (running a game server on the same subdomain for example), then you’d disable the orange cloud and do Let’s Encrypt or deploy your own certificate on your reverse proxy.

[–] just_another_person@lemmy.world 7 points 1 day ago* (last edited 1 day ago)

Having an HTTPS enabled server behind a proxy means the server is connecting with the proxy endpoint. That's not how HTTPS works. If you want HTTPS enabled for a server BEHIND a proxy, you would do it at the original hand off (forward proxy), in this case meaning the Cloudflare proxy that clients connect to.

You're seeing the errors because the proxy backend is being told to speak HTTPS with Caddy, and it doesn't work like that.

[–] Cyberkillen@infosec.pub 4 points 1 day ago

I would have a look at your encryption mode on cloudflare, it could be set so that its trying to force https.

https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/

[–] SidewaysHighways@lemmy.world 1 points 1 day ago

Caddy has been kicking my ass also!

[–] Max_P@lemmy.max-p.me 5 points 1 day ago

If you're behind Cloudflare, don't. Just get an origin certificate from CF, it's a cert that CF trust between itself and your server. By using Cloudflare you're making Cloudflare responsible for your cert.

[–] Decronym@lemmy.decronym.xyz 1 points 1 day ago* (last edited 39 minutes ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters	More Letters
CF	CloudFlare
DNS	Domain Name Service/System
HTTP	Hypertext Transfer Protocol, the Web
HTTPS	HTTP over SSL
IP	Internet Protocol
SSL	Secure Sockets Layer, for transparent encryption

[Thread #977 for this sub, first seen 18th Sep 2024, 03:15] [FAQ] [Full list] [Contact] [Source code]

[–] Cyberflunk@lemmy.world 1 points 1 day ago (1 children)

In this episode of "Doing everything the hardest way possible."

Cloudflare has SSL, y u need mo?

[–] Akinzekeel@lemmy.world 1 points 1 day ago (2 children)

Can’t speak for OP but I was also attempting this and couldn’t get it working. My use case is that CF tunnels make multiple of my self hosted services available on the Internet via HTTPS and without directly exposing my home IP.

It does however mean that even when I use a service on my home network, everything is being proxied through CF which makes things much slower than they need to be 90% of the time. So my idea is to use caddy in parallel to CF and have a local DNS server point to my homelab, thereby circumventing the proxy whenever I’m on my home network.

But like I said I could not get this working just yet.

[–] mik@sh.itjust.works 1 points 40 minutes ago

I run the setup you're aiming for, and as the other guy said, DNS challenge is the way to go. That's what I do, and it works beautifully. It even works with Caddy auto-https, you just need to build Caddy with the cloudflare-dns plugin.

[–] Cyberflunk@lemmy.world 2 points 1 day ago

You'll need to disable proxy, run certbot, then re enable proxy.

LE won't sign a site already cf encrypted, or behind cf (even with cf SSL disabled.)

You could try a DNS challenge or other method.

https://letsencrypt.org/docs/challenge-types/