Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum

Apps | Demo | Docs | Install
  1. Cloudron Forum
  2. Feature Requests
  3. Issues when using Cloudflare Proxy service for Cloudron

Issues when using Cloudflare Proxy service for Cloudron

Scheduled Pinned Locked Moved Solved Feature Requests
cloudflare
8 Posts 5 Posters 1.9k Views 4 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • njN Offline
    njN Offline
    nj
    wrote on last edited by girish
    #1

    Recently I started using Cloudflare WAF service to protect my Cloudron instance. I had to proxy requests through Cloudflare for the WAF to work. After enabling Cloudflare proxy, I faced a few problems. I would like to share my setup as well as list out the problems.

    My Setup

    Cloudflare supports different options for SSL termination, among which Full Mode and Full (Strict) Modes are the two options. Since the origin server (Cloudron) forces all connections to be HTTPS, I used the Full(strict) mode. Also, Cloudflare does not support proxying *.mydomain.org, but only individual subdomains like app1.mydomain.org, app2.mydomain.org.

    Cloudflare Dashboard

    3c091e2e-c93e-4eb0-b894-1b66d57c74d7-image.png

    Cloudflare automatically provisions Edge Certificates for mydomain.org and *.domain.org and then does SSL termination on their end. The origin server (Cloudron) must also have a valid certificate or Cloudflare Origin CA Certificates.

    Cloudron Domain Settings

    I tested with both DNS Providers here - Cloudflare as well as Wildcard, with same results.

    b5e52543-2e92-4498-9e78-f120d95c560a-image.png

    Many things are working as expected, but I noticed a few things got broken.

    While installing new apps

    80f2f3fe-2857-4f30-ab36-bde06fb0c0ca-image.png

    1. When I am using the Wildcard DNS provider or Cloudron, the app installs successfully but I see a certificate error when I open the newly installed app. That's because newapp.mydomain.org is only resolving because of the wildcard *.mydomain.org entry, and it points directly to my Cloudron without proxying through Cloudflare. Since my Cloudflare is using Custom Certificates from Cloudflare Origin CA, web browsers don't trust it. I have to manually go to Cloudflare dashboard and add a new A-Record in proxy mode. Then the certificate errors resolve.

    2. Even if I'm using Cloudflare DNS Provider using API Token, Cloudron adds an A-Record but the certificate error still shows up because the A-Record is still in DNS-Only mode. If Cloudron gave an option to set the A-Record in Proxy Mode while installing the app, I didn't have to go to Cloudflare and change the record from DNS Only mode to Proxied Mode and wait for DNS to propagate.

    Some Apps Report Wrong IP of Visitors (Cloudflare IPs)

    When a website is proxied through Cloudflare, the visitors connect to the Cloudflare servers, and one of the Cloudflare IPs connects to the origin (Cloudron) server. Cloudron does forward the X-Forwarded-For header to the apps, which works in most of the cases, but in this case X-Forwarded-For contains the Cloudflare server's IP instead of the real visitor's IP! That's a bummer. See this online post on Cloudflare IPs where it discusses the ideas to detect the visitor's real IP address. If Cloudron could check for CF-Connecting-IP header and pass that value as X-Forwarded-For, that would solve this issue entirely. Cloudflare publishes the list of IPs it uses to fetch origin content. The ipv4 addresses are here and ipv4 addresses are here.


    That's all for now. I'll add more when I face other issues.

    Founder / Coder • My Apps

    girishG marcusquinnM 2 Replies Last reply
    0
    • njN nj

      Recently I started using Cloudflare WAF service to protect my Cloudron instance. I had to proxy requests through Cloudflare for the WAF to work. After enabling Cloudflare proxy, I faced a few problems. I would like to share my setup as well as list out the problems.

      My Setup

      Cloudflare supports different options for SSL termination, among which Full Mode and Full (Strict) Modes are the two options. Since the origin server (Cloudron) forces all connections to be HTTPS, I used the Full(strict) mode. Also, Cloudflare does not support proxying *.mydomain.org, but only individual subdomains like app1.mydomain.org, app2.mydomain.org.

      Cloudflare Dashboard

      3c091e2e-c93e-4eb0-b894-1b66d57c74d7-image.png

      Cloudflare automatically provisions Edge Certificates for mydomain.org and *.domain.org and then does SSL termination on their end. The origin server (Cloudron) must also have a valid certificate or Cloudflare Origin CA Certificates.

      Cloudron Domain Settings

      I tested with both DNS Providers here - Cloudflare as well as Wildcard, with same results.

      b5e52543-2e92-4498-9e78-f120d95c560a-image.png

      Many things are working as expected, but I noticed a few things got broken.

      While installing new apps

      80f2f3fe-2857-4f30-ab36-bde06fb0c0ca-image.png

      1. When I am using the Wildcard DNS provider or Cloudron, the app installs successfully but I see a certificate error when I open the newly installed app. That's because newapp.mydomain.org is only resolving because of the wildcard *.mydomain.org entry, and it points directly to my Cloudron without proxying through Cloudflare. Since my Cloudflare is using Custom Certificates from Cloudflare Origin CA, web browsers don't trust it. I have to manually go to Cloudflare dashboard and add a new A-Record in proxy mode. Then the certificate errors resolve.

      2. Even if I'm using Cloudflare DNS Provider using API Token, Cloudron adds an A-Record but the certificate error still shows up because the A-Record is still in DNS-Only mode. If Cloudron gave an option to set the A-Record in Proxy Mode while installing the app, I didn't have to go to Cloudflare and change the record from DNS Only mode to Proxied Mode and wait for DNS to propagate.

      Some Apps Report Wrong IP of Visitors (Cloudflare IPs)

      When a website is proxied through Cloudflare, the visitors connect to the Cloudflare servers, and one of the Cloudflare IPs connects to the origin (Cloudron) server. Cloudron does forward the X-Forwarded-For header to the apps, which works in most of the cases, but in this case X-Forwarded-For contains the Cloudflare server's IP instead of the real visitor's IP! That's a bummer. See this online post on Cloudflare IPs where it discusses the ideas to detect the visitor's real IP address. If Cloudron could check for CF-Connecting-IP header and pass that value as X-Forwarded-For, that would solve this issue entirely. Cloudflare publishes the list of IPs it uses to fetch origin content. The ipv4 addresses are here and ipv4 addresses are here.


      That's all for now. I'll add more when I face other issues.

      girishG Offline
      girishG Offline
      girish
      Staff
      wrote on last edited by
      #2

      @nj said in Issues when using Cloudflare Proxy service for Cloudron:

      Even if I'm using Cloudflare DNS Provider using API Token, Cloudron adds an A-Record but the certificate error still shows up because the A-Record is still in DNS-Only mode. If Cloudron gave an option to set the A-Record in Proxy Mode while installing the app, I didn't have to go to Cloudflare and change the record from DNS Only mode to Proxied Mode and wait for DNS to propagate.

      This is the best way to do it.

      • Add the domain in Cloudron with Cloudflare DNS provider
      • Cloudron will always add the A record in DNS Mode.
      • Go to Cloudflare, and turn on proxying.
      • For future DNS changes to this domain, Cloudron has code to "persist" the proxying flag. Just noting this down, since we have code explicitly for this use case.

      I agree having a checkbox or something at app install time to enable proxying would be nice.

      ajtatumA 1 Reply Last reply
      1
      • girishG girish

        @nj said in Issues when using Cloudflare Proxy service for Cloudron:

        Even if I'm using Cloudflare DNS Provider using API Token, Cloudron adds an A-Record but the certificate error still shows up because the A-Record is still in DNS-Only mode. If Cloudron gave an option to set the A-Record in Proxy Mode while installing the app, I didn't have to go to Cloudflare and change the record from DNS Only mode to Proxied Mode and wait for DNS to propagate.

        This is the best way to do it.

        • Add the domain in Cloudron with Cloudflare DNS provider
        • Cloudron will always add the A record in DNS Mode.
        • Go to Cloudflare, and turn on proxying.
        • For future DNS changes to this domain, Cloudron has code to "persist" the proxying flag. Just noting this down, since we have code explicitly for this use case.

        I agree having a checkbox or something at app install time to enable proxying would be nice.

        ajtatumA Offline
        ajtatumA Offline
        ajtatum
        wrote on last edited by
        #3

        @girish Sorry to revive an old topic and if there's a newer one I apologize, but I was just curious about this as I would prefer to have some sites protected by Cloudflare. I realize for certain subdomains, such as for SMTP server, that can't be proxied. But I think that's the only exception unless you're utilizing Cloudron as an LDAP source then you'd also leave "my.cloudroninstance.com" un-proxied (which isn't ideal as it leaves it vulnerable).

        To give you some context, I'm asking because I have dedicated IP addresses and also use Tailscale. So, in Cloudflare I have a list of my dedicated IPs and Tailscale addresses and for some services I setup a WAF rule that simply blocks anyone from even attempting to access the site based on their IP address.

        benborgesB girishG 2 Replies Last reply
        0
        • ajtatumA ajtatum

          @girish Sorry to revive an old topic and if there's a newer one I apologize, but I was just curious about this as I would prefer to have some sites protected by Cloudflare. I realize for certain subdomains, such as for SMTP server, that can't be proxied. But I think that's the only exception unless you're utilizing Cloudron as an LDAP source then you'd also leave "my.cloudroninstance.com" un-proxied (which isn't ideal as it leaves it vulnerable).

          To give you some context, I'm asking because I have dedicated IP addresses and also use Tailscale. So, in Cloudflare I have a list of my dedicated IPs and Tailscale addresses and for some services I setup a WAF rule that simply blocks anyone from even attempting to access the site based on their IP address.

          benborgesB Offline
          benborgesB Offline
          benborges
          wrote on last edited by
          #4

          @ajtatum correct, but that's not a cloudron limit, that's how cloudflare & DNS work
          the MX can never be proxied hence, somewhat nullifying the whole idea ??

          in my usecase, the only solution I have found is for anyone that attempt to resolve my IP directly is sent to my.cloudron.domain (hence cloudflare proxied) but there is nothing you can do for the MX.

          BenB

          1 Reply Last reply
          1
          • ajtatumA ajtatum

            @girish Sorry to revive an old topic and if there's a newer one I apologize, but I was just curious about this as I would prefer to have some sites protected by Cloudflare. I realize for certain subdomains, such as for SMTP server, that can't be proxied. But I think that's the only exception unless you're utilizing Cloudron as an LDAP source then you'd also leave "my.cloudroninstance.com" un-proxied (which isn't ideal as it leaves it vulnerable).

            To give you some context, I'm asking because I have dedicated IP addresses and also use Tailscale. So, in Cloudflare I have a list of my dedicated IPs and Tailscale addresses and for some services I setup a WAF rule that simply blocks anyone from even attempting to access the site based on their IP address.

            girishG Offline
            girishG Offline
            girish
            Staff
            wrote on last edited by
            #5

            @ajtatum yeah as @benborges said, there's no way to proxy MX via Cloudflare afaik.

            1 Reply Last reply
            0
            • nebulonN nebulon marked this topic as a question on
            • nebulonN nebulon has marked this topic as solved on
            • njN nj

              Recently I started using Cloudflare WAF service to protect my Cloudron instance. I had to proxy requests through Cloudflare for the WAF to work. After enabling Cloudflare proxy, I faced a few problems. I would like to share my setup as well as list out the problems.

              My Setup

              Cloudflare supports different options for SSL termination, among which Full Mode and Full (Strict) Modes are the two options. Since the origin server (Cloudron) forces all connections to be HTTPS, I used the Full(strict) mode. Also, Cloudflare does not support proxying *.mydomain.org, but only individual subdomains like app1.mydomain.org, app2.mydomain.org.

              Cloudflare Dashboard

              3c091e2e-c93e-4eb0-b894-1b66d57c74d7-image.png

              Cloudflare automatically provisions Edge Certificates for mydomain.org and *.domain.org and then does SSL termination on their end. The origin server (Cloudron) must also have a valid certificate or Cloudflare Origin CA Certificates.

              Cloudron Domain Settings

              I tested with both DNS Providers here - Cloudflare as well as Wildcard, with same results.

              b5e52543-2e92-4498-9e78-f120d95c560a-image.png

              Many things are working as expected, but I noticed a few things got broken.

              While installing new apps

              80f2f3fe-2857-4f30-ab36-bde06fb0c0ca-image.png

              1. When I am using the Wildcard DNS provider or Cloudron, the app installs successfully but I see a certificate error when I open the newly installed app. That's because newapp.mydomain.org is only resolving because of the wildcard *.mydomain.org entry, and it points directly to my Cloudron without proxying through Cloudflare. Since my Cloudflare is using Custom Certificates from Cloudflare Origin CA, web browsers don't trust it. I have to manually go to Cloudflare dashboard and add a new A-Record in proxy mode. Then the certificate errors resolve.

              2. Even if I'm using Cloudflare DNS Provider using API Token, Cloudron adds an A-Record but the certificate error still shows up because the A-Record is still in DNS-Only mode. If Cloudron gave an option to set the A-Record in Proxy Mode while installing the app, I didn't have to go to Cloudflare and change the record from DNS Only mode to Proxied Mode and wait for DNS to propagate.

              Some Apps Report Wrong IP of Visitors (Cloudflare IPs)

              When a website is proxied through Cloudflare, the visitors connect to the Cloudflare servers, and one of the Cloudflare IPs connects to the origin (Cloudron) server. Cloudron does forward the X-Forwarded-For header to the apps, which works in most of the cases, but in this case X-Forwarded-For contains the Cloudflare server's IP instead of the real visitor's IP! That's a bummer. See this online post on Cloudflare IPs where it discusses the ideas to detect the visitor's real IP address. If Cloudron could check for CF-Connecting-IP header and pass that value as X-Forwarded-For, that would solve this issue entirely. Cloudflare publishes the list of IPs it uses to fetch origin content. The ipv4 addresses are here and ipv4 addresses are here.


              That's all for now. I'll add more when I face other issues.

              marcusquinnM Offline
              marcusquinnM Offline
              marcusquinn
              wrote on last edited by
              #6

              @nj said in Issues when using Cloudflare Proxy service for Cloudron:

              Some Apps Report Wrong IP of Visitors (Cloudflare IPs)
              When a website is proxied through Cloudflare, the visitors connect to the Cloudflare servers, and one of the Cloudflare IPs connects to the origin (Cloudron) server. Cloudron does forward the X-Forwarded-For header to the apps, which works in most of the cases, but in this case X-Forwarded-For contains the Cloudflare server's IP instead of the real visitor's IP! That's a bummer. See this online post on Cloudflare IPs where it discusses the ideas to detect the visitor's real IP address. If Cloudron could check for CF-Connecting-IP header and pass that value as X-Forwarded-For, that would solve this issue entirely. Cloudflare publishes the list of IPs it uses to fetch origin content. The ipv4 addresses are here and ipv4 addresses are here.

              @nj @girish Did the IP forwarding suggestion here ever get implemented?

              Web Design https://www.evergreen.je
              Development https://brandlight.org
              Life https://marcusquinn.com

              1 Reply Last reply
              0
              • girishG Offline
                girishG Offline
                girish
                Staff
                wrote on last edited by
                #7

                @marcusquinn yes, see https://docs.cloudron.io/networking/#trusted-ips

                marcusquinnM 1 Reply Last reply
                1
                • girishG girish

                  @marcusquinn yes, see https://docs.cloudron.io/networking/#trusted-ips

                  marcusquinnM Offline
                  marcusquinnM Offline
                  marcusquinn
                  wrote on last edited by
                  #8

                  @girish Nice, thank you. Have just added them manually.

                  Be double-nice if they were added automatically when Cloudflare is first used as a DNS Proxy, but I guess I understand that's both an additional feature to maintain, and maybe debatable if everyone would want it happening silently.

                  Web Design https://www.evergreen.je
                  Development https://brandlight.org
                  Life https://marcusquinn.com

                  1 Reply Last reply
                  0
                  Reply
                  • Reply as topic
                  Log in to reply
                  • Oldest to Newest
                  • Newest to Oldest
                  • Most Votes


                  • Login

                  • Don't have an account? Register

                  • Login or register to search.
                  • First post
                    Last post
                  0
                  • Categories
                  • Recent
                  • Tags
                  • Popular
                  • Bookmarks
                  • Search