Is it possible to limit the IP addresses which can access the Cloudron instance login page?
-
@will Can you give your source for the information that Cloudflare does not see inside the encryption session? I am a bit skeptical. The TLS tunnel goes to them, not to your own server. The whole point of their service is for them to handle the session so they can do some smart caching. The only more or less similar thing I know of is their Keyless SSL technology ( https://support.cloudflare.com/hc/en-us/articles/360022014111 ) which allows them to still terminate the encrypted session while not having the keys.
@mehdi Yeah I think I'm mistaken on that.
We are implementing an enterprise TLS Break & Inspect (man-in-the-middling everyone's TLS) and it requires the endpoint to have the certificate of the Proxy accepted on box.
Basically, if Cloudflare was breaking and inspecting TLS sessions in order to cache, you'd need their TLS cert on your server.

Normal TLS
[You] ------- TLS Tunnel ------- [Destination Server]

Break & Inspect TLS
[You] ------ TLS Tunnel to Cloudflare (TLS Session 1) ------ [Cloudflare Proxy] ----- TLS Tunnel to Destination (TLS Session 2) --------- [Destination Server]

So instead of the destination's certificate, you'd be seeing Cloudflare's cert. I'll look into it more, I don't want to give bad advice.
-
@will When you enable Cloudflare proxying, you do see their cert (or the cert you have provided them with).
It's basically a break-and-inspect that they do. Except their root certificate is already trusted by most machines by default ^^