Score:0

Cloudflare Tunnel without having to also use noTLSVerify?


I’ve got a simple domain set up on an Ubuntu server running Apache (it literally just displays a static HTML file); I set it up with LetsEncrypt and it was working without issue. I wanted a bit more security, so I decided to use Cloudflare.

I set up the DNS through Cloudflare and it was working flawlessly once I set up SSL to use the Cloudflare certs (so it would stop the ‘too many redirects’ error). This too worked really well.

Then I read that I could use Tunnels (and then not have to use port forwarding - better security for my home network) so I set up a Cloudflare Tunnel (following this tutorial: https://www.youtube.com/watch?v=hrwoKO7LMzk)

I can make it work if I set this in my config.yml file:

originRequest:
  noTLSVerify: true

I would like to make it work without having to include that snippet - as I would like it to be secure traffic between CF and my Apache server.

My config file is very simple:

tunnel: <id>
credentials-file: /route/to/<id>.json

ingress:
  - hostname: mydomain.com
    service: https://localhost:443

  - service: http_status:404

The error I see in the cloudflared service is this:

Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: certificate is valid for *.mydomain.com, mydomain.com, not localhost"

What is the best way to avoid using the noTLSVerify in my config but still getting the tunnel to work?

My Apache VirtualHost looks like this:

<VirtualHost *:443>
        ServerAdmin [email protected]
        ServerName mydomain.com
        ServerAlias www.mydomain.com
        DocumentRoot /var/www/html/mydomain/public_html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        Include /etc/letsencrypt/options-ssl-apache.conf
        # Old certs from LE
        #SSLCertificateFile /etc/letsencrypt/live/mydomain.com-0001/chain.pem
        #SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com-0001/private_key.pem
        SSLCertificateFile /root/.cloudflared/cf_pem.pem
        SSLCertificateKeyFile /root/.cloudflared/cf_key.key
</VirtualHost>

Any help would be greatly appreciated.

If there is no harm/danger/security risks involved with setting noTLSVerify to true, then I will use it, but otherwise I would prefer not to - just can’t figure out how not to!

Score:0
nik

It's complaining that the LetsEncrypt certificate you have on your machine is for *.mydomain.com, but the cloudflared daemon is trying to use it to verify the origin at localhost. The easiest thing to do here is to add an originRequest section into your ingress rule.

e.g.

ingress:
  - hostname: mydomain.com
    service: https://localhost:443
    originRequest:
      originServerName: mydomain.com

This will tell cloudflared's TLS verification algorithm to accept certificates for that domain even though it's connecting to a different one.

https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/local/local-management/ingress/#origin-configuration
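For reference, here is the complete config.yml the answer implies, as an added example rather than the asker's or answerer's own file. It keeps the question's placeholders (the tunnel ID, the /route/to/<id>.json credentials path and mydomain.com) and shows the insecure setting from the question commented out next to the verified alternative. The caPool line is a hypothetical path; per the cloudflared ingress documentation linked above it is only needed when the origin certificate is not signed by Cloudflare.

```yaml
# Added example, not from the original question or answer.
# Placeholders (<id>, /route/to/<id>.json, mydomain.com) are the question's own.
tunnel: <id>
credentials-file: /route/to/<id>.json

ingress:
  - hostname: mydomain.com
    service: https://localhost:443
    originRequest:
      # cloudflared still connects to localhost:443, but checks the presented
      # certificate against this name, which the cert's SAN list does contain.
      # Verification stays on: a swapped or impersonated origin is rejected.
      originServerName: mydomain.com

      # Only if the origin certificate is NOT signed by Cloudflare (e.g. a
      # private CA): point cloudflared at that CA bundle. Hypothetical path.
      # caPool: /etc/ssl/certs/origin-ca.pem

      # The setting from the question. Do not use it: it disables certificate
      # verification entirely, so anything answering on localhost:443 (or a
      # host you later point the service at) is accepted without checks.
      # noTLSVerify: true

  # Catch-all rule; cloudflared requires the last ingress entry to have no hostname.
  - service: http_status:404
```

After editing, `cloudflared tunnel ingress validate` checks the file's syntax and rule order, and `cloudflared tunnel ingress rule https://mydomain.com` prints which rule a request would match. To confirm what the origin actually presents, run `openssl s_client -connect localhost:443 -servername mydomain.com </dev/null | openssl x509 -noout -subject -ext subjectAltName` and check that mydomain.com appears in the SAN list; if it does not, originServerName will not help and the certificate on the Apache side is the thing to fix.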
