<![CDATA[Issues when using Cloudflare Proxy service for Cloudron]]>Recently I started using Cloudflare WAF service to protect my Cloudron instance. I had to proxy requests through Cloudflare for the WAF to work. After enabling Cloudflare proxy, I faced a few problems. I would like to share my setup as well as list out the problems.

My Setup

Cloudflare supports different options for SSL termination, among which Full Mode and Full (Strict) Modes are the two options. Since the origin server (Cloudron) forces all connections to be HTTPS, I used the Full(strict) mode. Also, Cloudflare does not support proxying *.mydomain.org, but only individual subdomains like app1.mydomain.org, app2.mydomain.org.

Cloudflare Dashboard

3c091e2e-c93e-4eb0-b894-1b66d57c74d7-image.png

Cloudflare automatically provisions Edge Certificates for mydomain.org and *.domain.org and then does SSL termination on their end. The origin server (Cloudron) must also have a valid certificate or Cloudflare Origin CA Certificates.

Cloudron Domain Settings

I tested with both DNS Providers here - Cloudflare as well as Wildcard, with same results.

b5e52543-2e92-4498-9e78-f120d95c560a-image.png

Many things are working as expected, but I noticed a few things got broken.

While installing new apps

80f2f3fe-2857-4f30-ab36-bde06fb0c0ca-image.png

  1. When I am using the Wildcard DNS provider or Cloudron, the app installs successfully but I see a certificate error when I open the newly installed app. That's because newapp.mydomain.org is only resolving because of the wildcard *.mydomain.org entry, and it points directly to my Cloudron without proxying through Cloudflare. Since my Cloudflare is using Custom Certificates from Cloudflare Origin CA, web browsers don't trust it. I have to manually go to Cloudflare dashboard and add a new A-Record in proxy mode. Then the certificate errors resolve.

  2. Even if I'm using Cloudflare DNS Provider using API Token, Cloudron adds an A-Record but the certificate error still shows up because the A-Record is still in DNS-Only mode. If Cloudron gave an option to set the A-Record in Proxy Mode while installing the app, I didn't have to go to Cloudflare and change the record from DNS Only mode to Proxied Mode and wait for DNS to propagate.

Some Apps Report Wrong IP of Visitors (Cloudflare IPs)

When a website is proxied through Cloudflare, the visitors connect to the Cloudflare servers, and one of the Cloudflare IPs connects to the origin (Cloudron) server. Cloudron does forward the X-Forwarded-For header to the apps, which works in most of the cases, but in this case X-Forwarded-For contains the Cloudflare server's IP instead of the real visitor's IP! That's a bummer. See this online post on Cloudflare IPs where it discusses the ideas to detect the visitor's real IP address. If Cloudron could check for CF-Connecting-IP header and pass that value as X-Forwarded-For, that would solve this issue entirely. Cloudflare publishes the list of IPs it uses to fetch origin content. The ipv4 addresses are here and ipv4 addresses are here.

That's all for now. I'll add more when I face other issues.

]]>https://forum.cloudron.io/topic/6374/issues-when-using-cloudflare-proxy-service-for-cloudronRSS for NodeFri, 13 Mar 2026 02:14:18 GMTMon, 24 Jan 2022 14:54:46 GMT60<![CDATA[Reply to Issues when using Cloudflare Proxy service for Cloudron on Wed, 15 May 2024 20:34:43 GMT]]>@girish Nice, thank you. Have just added them manually.

Be double-nice if they were added automatically when Cloudflare is first used as a DNS Proxy, but I guess I understand that's both an additional feature to maintain, and maybe debatable if everyone would want it happening silently.

]]>https://forum.cloudron.io/post/88541https://forum.cloudron.io/post/88541Wed, 15 May 2024 20:34:43 GMT<![CDATA[Reply to Issues when using Cloudflare Proxy service for Cloudron on Mon, 13 May 2024 11:17:43 GMT]]>@marcusquinn yes, see https://docs.cloudron.io/networking/#trusted-ips

]]>https://forum.cloudron.io/post/88377https://forum.cloudron.io/post/88377Mon, 13 May 2024 11:17:43 GMT<![CDATA[Reply to Issues when using Cloudflare Proxy service for Cloudron on Mon, 13 May 2024 00:16:06 GMT]]>@nj said in Issues when using Cloudflare Proxy service for Cloudron:

Some Apps Report Wrong IP of Visitors (Cloudflare IPs)
When a website is proxied through Cloudflare, the visitors connect to the Cloudflare servers, and one of the Cloudflare IPs connects to the origin (Cloudron) server. Cloudron does forward the X-Forwarded-For header to the apps, which works in most of the cases, but in this case X-Forwarded-For contains the Cloudflare server's IP instead of the real visitor's IP! That's a bummer. See this online post on Cloudflare IPs where it discusses the ideas to detect the visitor's real IP address. If Cloudron could check for CF-Connecting-IP header and pass that value as X-Forwarded-For, that would solve this issue entirely. Cloudflare publishes the list of IPs it uses to fetch origin content. The ipv4 addresses are here and ipv4 addresses are here.

@nj @girish Did the IP forwarding suggestion here ever get implemented?

]]>https://forum.cloudron.io/post/88346https://forum.cloudron.io/post/88346Mon, 13 May 2024 00:16:06 GMT<![CDATA[Reply to Issues when using Cloudflare Proxy service for Cloudron on Sun, 30 Oct 2022 21:44:25 GMT]]>@ajtatum yeah as @benborges said, there's no way to proxy MX via Cloudflare afaik.

]]>https://forum.cloudron.io/post/55134https://forum.cloudron.io/post/55134Sun, 30 Oct 2022 21:44:25 GMT<![CDATA[Reply to Issues when using Cloudflare Proxy service for Cloudron on Sun, 30 Oct 2022 18:12:04 GMT]]>@ajtatum correct, but that's not a cloudron limit, that's how cloudflare & DNS work
the MX can never be proxied hence, somewhat nullifying the whole idea ??

in my usecase, the only solution I have found is for anyone that attempt to resolve my IP directly is sent to my.cloudron.domain (hence cloudflare proxied) but there is nothing you can do for the MX.

]]>https://forum.cloudron.io/post/55123https://forum.cloudron.io/post/55123Sun, 30 Oct 2022 18:12:04 GMT<![CDATA[Reply to Issues when using Cloudflare Proxy service for Cloudron on Sat, 29 Oct 2022 16:44:38 GMT]]>@girish Sorry to revive an old topic and if there's a newer one I apologize, but I was just curious about this as I would prefer to have some sites protected by Cloudflare. I realize for certain subdomains, such as for SMTP server, that can't be proxied. But I think that's the only exception unless you're utilizing Cloudron as an LDAP source then you'd also leave "my.cloudroninstance.com" un-proxied (which isn't ideal as it leaves it vulnerable).

To give you some context, I'm asking because I have dedicated IP addresses and also use Tailscale. So, in Cloudflare I have a list of my dedicated IPs and Tailscale addresses and for some services I setup a WAF rule that simply blocks anyone from even attempting to access the site based on their IP address.

]]>https://forum.cloudron.io/post/55092https://forum.cloudron.io/post/55092Sat, 29 Oct 2022 16:44:38 GMT<![CDATA[Reply to Issues when using Cloudflare Proxy service for Cloudron on Mon, 24 Jan 2022 18:08:34 GMT]]>@nj said in Issues when using Cloudflare Proxy service for Cloudron:

Even if I'm using Cloudflare DNS Provider using API Token, Cloudron adds an A-Record but the certificate error still shows up because the A-Record is still in DNS-Only mode. If Cloudron gave an option to set the A-Record in Proxy Mode while installing the app, I didn't have to go to Cloudflare and change the record from DNS Only mode to Proxied Mode and wait for DNS to propagate.

This is the best way to do it.

  • Add the domain in Cloudron with Cloudflare DNS provider
  • Cloudron will always add the A record in DNS Mode.
  • Go to Cloudflare, and turn on proxying.
  • For future DNS changes to this domain, Cloudron has code to "persist" the proxying flag. Just noting this down, since we have code explicitly for this use case.

I agree having a checkbox or something at app install time to enable proxying would be nice.

]]>https://forum.cloudron.io/post/42331https://forum.cloudron.io/post/42331Mon, 24 Jan 2022 18:08:34 GMT