Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


    Cloudron Forum

    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular

    Solved Connection error with Cloudflare proxying

    Support
    cloudflare
    3
    13
    941
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G
      guyds @girish last edited by girish

      @girish thanks, that's very clear!

      In the meantime I experimented a bit with putting my Cloudron on a subdomain and I noticed strange behaviour where the Cloudron dashboard was not accessible anymore. It showed a red bar at the top saying is was reloading or restarting or something similar.

      I'm using Cloudflare and noticed the my subdomain was proxied so I turned off the proxying in Cloudflare and then the Cloudron dashboard was accessible again.

      The SSL setting was set to Full (strict), so that should be ok I guess?

      I seem to remember now that the free version of Cloudflare, which I'm currently using, has some limitations regarding the proxying of wildcard subdomains.
      If that's the case, then the only option is to assign different domains for each Cloudron.

      girish 1 Reply Last reply Reply Quote 0
      • girish
        girish Staff @guyds last edited by

        @guyds That could just be a temporary cloudflare proxying/caching issue. Usually turning the proxying on/off in Cloudflare fixes it.

        For the Full (strict) to work, the domain in Cloudron should use one of the automated DNS providers. Does it? Because otherwise, it will have to get certs from Let's Encrypt via HTTP, which won't work when proxying via Cloudflare. You can also check if there are any errors in the browser console. IIRC, there is something like Rocket Loader or something in Cloudflare which has to be disabled. When enabled, Cloudflare injects some javascript which won't load in Cloudron dashboard because of CSP.

        G 1 Reply Last reply Reply Quote 0
        • G
          guyds @girish last edited by guyds

          @girish said in Single domain, multiple cloudrons?:

          @guyds That could just be a temporary cloudflare proxying/caching issue. Usually turning the proxying on/off in Cloudflare fixes it.

          I tried that, but unfortunately that didn't work.

          For the Full (strict) to work, the domain in Cloudron should use one of the automated DNS providers. Does it?
          Because otherwise, it will have to get certs from Let's Encrypt via HTTP, which won't work when proxying via Cloudflare.

          It's using the Cloudflare DNS provider, so that should be ok I guess?

          You can also check if there are any errors in the browser console. IIRC, there is something like Rocket Loader or something in Cloudflare which has to be disabled. When enabled, Cloudflare injects some javascript which won't load in Cloudron dashboard because of CSP.

          Rocket Loader is not enabled and I completely purged the Cloudflare cache, but still it doesn't work when I turn on the CF proxy when using a subdomain for the Cloudron.

          After hitting shift-refresh in the browser (Firefox), I get the following error:

          cloudron_error_when_cf-proxy_enabled_with_subdomain.png

          Edit: to be clear, when I use the main domain everything works fine with the proxy enabled

          girish 1 Reply Last reply Reply Quote 0
          • girish
            girish Staff @guyds last edited by

            @guyds If you have CF proxying enabled, then you will always see some Cloudflare UI. Something like below.

            5901341a-ba39-4848-a6fa-d81b8a935904-image.png

            In your case, the Secure Connection Failed, I think means something related to browser/HSTS or something. Can you try in another device/browser or clear the browser cache? In Firefox, it's a bit tricky to clear HSTS. Usually, what I do is open my "History" and then right click on the site and there is a "Forget about this site" option.

            G 1 Reply Last reply Reply Quote 1
            • G
              guyds @girish last edited by

              @girish You're right, it seems to be related to Firefox.
              I tried on 4 different pc's, both regular and private mode, and always that same error. So it has nothing to do with caching but with Firefox in general 🤔
              When I use chrome or another chrome based browser it works fine.

              girish 1 Reply Last reply Reply Quote 0
              • girish
                girish Staff @guyds last edited by

                @guyds oh maybe https://appuals.com/how-to-fix-ssl_error_no_cypher_overlap/

                G 1 Reply Last reply Reply Quote 0
                • G
                  guyds @girish last edited by

                  @girish thanks for that link.
                  However, in the meantime I'm experiencing the same issue with the chrome based browsers.

                  So to summarize:
                  When I use a regular domain there are no issues.
                  When I switch to a subdomain, the Cloudron isn't accessible anymore on Firefox, but on chrome based browsers it works.
                  After 10 or 15 mins however, I'm getting a similar error on the Chrome based browsers.
                  When I turn of the CF proxy for the subdomain, it also works fine in any browser.

                  So there definitely seems to be an issue with proxying a sub-sub-domain (my.sub.domain.tld) through CF.

                  girish 1 Reply Last reply Reply Quote 0
                  • girish
                    girish Staff @guyds last edited by

                    @guyds You can check curl https://my.sub.domain.tld with CF proxying turned on. If that doesn't work (gives some TLS/TLS warnings), you can simply open a ticket with Cloudflare.

                    G 1 Reply Last reply Reply Quote 0
                    • G
                      guyds @girish last edited by

                      @girish That doesn't work either:

                      curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
                      

                      So I'll open a ticket with CF.

                      Thanks for following up on this issue!

                      1 Reply Last reply Reply Quote 0
                      • G
                        guyds last edited by

                        Ok, so I was correct when I said I seemed to remember there are some limitations with CF proxy and subdomains in the free plan.
                        When trying to open a ticket with CF regarding this issue I was pointed to the following link on their community:
                        https://community.cloudflare.com/t/subdomain-too-deep/81872

                        The certificates available with the free account (universal certificates) cover only one level of subdomains so my.domain.tld is covered, but my.sub.domain.tld isn't.

                        girish 1 Reply Last reply Reply Quote 3
                        • girish
                          girish Staff @guyds last edited by

                          @guyds Ah, good to know. Did not know this limitation!

                          humptydumpty 1 Reply Last reply Reply Quote 0
                          • humptydumpty
                            humptydumpty @girish last edited by

                            @girish I just ran into this issue and I'm glad I found this thread. Can you please add the limitation as a note to the docs. TIA! https://docs.cloudron.io/domains/#cloudflare-dns

                            girish 1 Reply Last reply Reply Quote 1
                            • girish
                              girish Staff @humptydumpty last edited by

                              @humptydumpty done

                              1 Reply Last reply Reply Quote 1
                              • First post
                                Last post
                              Powered by NodeBB