Cloudron Forum

Connection error with Cloudflare proxying

girish wrote:

> @guyds said in Single domain, multiple cloudrons?:
> I suppose each Cloudron needs a unique domain name because of the DNS records that are being created when installing a Cloudron: DKIM, SPF, DMARC?

Yes, and also because we need a unique location to access the dashboard.

> what if the domain that's being used for a Cloudron already has e-mail related DNS records, for example when it's already configured for use with G Suite or Office 365? Will Cloudron modify those records, override them or just ignore them?

If you have an existing DMARC, it doesn't touch it. Otherwise, it will put the default strict DMARC policy. DKIM uses a unique selector domain, so it won't affect other DKIM entries. The SPF is modified with "a: my.<domain.com" into the existing SPF.

guyds wrote (#1):

@girish thanks, that's very clear!

In the meantime I experimented a bit with putting my Cloudron on a subdomain and I noticed strange behaviour where the Cloudron dashboard was not accessible anymore. It showed a red bar at the top saying it was reloading or restarting or something similar.

I'm using Cloudflare and noticed that my subdomain was proxied, so I turned off the proxying in Cloudflare and then the Cloudron dashboard was accessible again.

The SSL setting was set to Full (strict), so that should be ok I guess?

I seem to remember now that the free version of Cloudflare, which I'm currently using, has some limitations regarding the proxying of wildcard subdomains.
If that's the case, then the only option is to assign different domains for each Cloudron.

girish (Staff) wrote (#2):

@guyds That could just be a temporary Cloudflare proxying/caching issue. Usually turning the proxying on/off in Cloudflare fixes it.

For the Full (strict) to work, the domain in Cloudron should use one of the automated DNS providers. Does it? Because otherwise, it will have to get certs from Let's Encrypt via HTTP, which won't work when proxying via Cloudflare. You can also check if there are any errors in the browser console. IIRC, there is something like Rocket Loader or something in Cloudflare which has to be disabled. When enabled, Cloudflare injects some JavaScript which won't load in Cloudron dashboard because of CSP.

guyds wrote (#3):

> @girish said in Single domain, multiple cloudrons?:
> @guyds That could just be a temporary Cloudflare proxying/caching issue. Usually turning the proxying on/off in Cloudflare fixes it.

I tried that, but unfortunately that didn't work.

> For the Full (strict) to work, the domain in Cloudron should use one of the automated DNS providers. Does it?
> Because otherwise, it will have to get certs from Let's Encrypt via HTTP, which won't work when proxying via Cloudflare.

It's using the Cloudflare DNS provider, so that should be ok I guess?

> You can also check if there are any errors in the browser console. IIRC, there is something like Rocket Loader or something in Cloudflare which has to be disabled. When enabled, Cloudflare injects some JavaScript which won't load in Cloudron dashboard because of CSP.

Rocket Loader is not enabled and I completely purged the Cloudflare cache, but still it doesn't work when I turn on the CF proxy when using a subdomain for the Cloudron.

After hitting shift-refresh in the browser (Firefox), I get the following error:

[image: cloudron_error_when_cf-proxy_enabled_with_subdomain.png]

Edit: to be clear, when I use the main domain everything works fine with the proxy enabled

girish (Staff) wrote (#4):

@guyds If you have CF proxying enabled, then you will always see some Cloudflare UI. Something like below.

[image: 5901341a-ba39-4848-a6fa-d81b8a935904-image.png]

In your case, the Secure Connection Failed, I think means something related to browser/HSTS or something. Can you try in another device/browser or clear the browser cache? In Firefox, it's a bit tricky to clear HSTS. Usually, what I do is open my "History" and then right click on the site and there is a "Forget about this site" option.

guyds wrote (#5):

@girish You're right, it seems to be related to Firefox.
I tried on 4 different PCs, both regular and private mode, and always that same error. So it has nothing to do with caching but with Firefox in general 🤔
When I use Chrome or another Chrome-based browser it works fine.

girish (Staff) wrote (#6):

@guyds oh maybe https://appuals.com/how-to-fix-ssl_error_no_cypher_overlap/

guyds wrote (#7):

@girish thanks for that link.
However, in the meantime I'm experiencing the same issue with the Chrome-based browsers.

So to summarize:
When I use a regular domain there are no issues.
When I switch to a subdomain, the Cloudron isn't accessible anymore on Firefox, but on Chrome-based browsers it works.
After 10 or 15 mins however, I'm getting a similar error on the Chrome-based browsers.
When I turn off the CF proxy for the subdomain, it also works fine in any browser.

So there definitely seems to be an issue with proxying a sub-sub-domain (my.sub.domain.tld) through CF.

girish (Staff) wrote (#8):

@guyds You can check curl https://my.sub.domain.tld with CF proxying turned on. If that doesn't work (gives some TLS/TLS warnings), you can simply open a ticket with Cloudflare.

guyds wrote (#9):

@girish That doesn't work either:

    curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

So I'll open a ticket with CF.

Thanks for following up on this issue!
guyds wrote (#10):

Ok, so I was correct when I said I seemed to remember there are some limitations with CF proxy and subdomains in the free plan.
When trying to open a ticket with CF regarding this issue I was pointed to the following link on their community:
https://community.cloudflare.com/t/subdomain-too-deep/81872

The certificates available with the free account (universal certificates) cover only one level of subdomains so my.domain.tld is covered, but my.sub.domain.tld isn't.
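
The coverage rule described in the post above, as an added example that is not part of the original thread and is not Cloudron or Cloudflare code: a wildcard entry in a certificate stands for exactly one DNS label, so a certificate for domain.tld and *.domain.tld cannot match my.sub.domain.tld. The SAN list is constructed to model the universal certificate the post describes, and all function names are hypothetical.

```python
# Added example: which hostnames a certificate's SAN entries cover.
# A "*" in the left-most position matches exactly one DNS label.
# The SAN list is constructed for illustration, not read from a live certificate.

def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def san_covers(san, hostname):
    """Return True if a single SAN entry covers the hostname."""
    pattern, host = _labels(san), _labels(hostname)
    if len(pattern) != len(host):
        # "*" never spans several labels, so the depth must be identical.
        return False
    if pattern[0] == "*":
        return pattern[1:] == host[1:]
    return pattern == host

def covering_san(sans, hostname):
    """Return the first SAN entry that covers the hostname, or None."""
    for san in sans:
        if san_covers(san, hostname):
            return san
    return None

def wildcard_needed(hostname):
    """Return the wildcard SAN that would cover the hostname."""
    return ".".join(["*"] + _labels(hostname)[1:])

# Constructed SAN list: the apex plus one wildcard level.
UNIVERSAL_SANS = ["domain.tld", "*.domain.tld"]

def report(hostnames, sans=UNIVERSAL_SANS):
    """Map each hostname to the SAN covering it, or to what is missing."""
    rows = {}
    for host in hostnames:
        san = covering_san(sans, host)
        rows[host] = san or "NOT covered, needs " + wildcard_needed(host)
    return rows

if __name__ == "__main__":
    hosts = ["domain.tld", "my.domain.tld", "my.sub.domain.tld"]
    for host, result in report(hosts).items():
        print(f"{host:20} {result}")
```

When the proxy's certificate has no entry covering the requested name, the client sees a TLS failure like the curl handshake error earlier in the thread, while the same name works with proxying off because the origin serves its own certificate.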

girish (Staff) wrote (#11):

@guyds Ah, good to know. Did not know this limitation!

humptydumpty wrote (#12):

@girish I just ran into this issue and I'm glad I found this thread. Can you please add the limitation as a note to the docs. TIA! https://docs.cloudron.io/domains/#cloudflare-dns

girish (Staff) wrote (#13):

@humptydumpty done