Cloudflare Setup Questions

colonelpanic

I have a handful of questions regarding the best practices when using Cloudflare. Thanks in advance to anyone that can assist in clarifying these.

First question, the Cloudron Docs for Cloudflare mention that proxying must be disabled for the my subdomain. I changed the Mail Server Location when setting up email to email.domain.tld. Can someone confirm that I can setup proxying for my.domain.tld and just not turn it on for email.domain.tld?

Since email.domain.tld cannot be proxied, what would be the downside of using a domain that doesn't have any websites on it? I'm hosting a handful of web services on domain.tld, but I have another domain that isn't being used for anything at this time. Is it worth making the changes? Thoughts?

Current Email setup on Cloudron:

---

---

---

Second question. Are the settings in the screenshots below the recommended settings if I'm using Cloudflare as the DNS provider.

I assume that renewing the Let's Encrypt certificate would not be an issue with the proxy turned on because Cloudron is using a DNS challenge instead of HTTP challenge. Is that a true statement?

What would be the benefit of creating a Wildcard Origin Cert on Cloudflare and uploading it instead of using Let's Encrypt? I don't do this with the services I host on my homelab because I don't want to have to go through Cloudflare to access those services—I want to keep them entirely internal. However, I'm using Cloudron on a VPS and don't see that being an issue. If someone else has considered this, what did you decide on and why?

Cloudron settings for a domain:

Cloudflare settings for a DNS:

Cloudflare settings for SSL/TLS Overview:

Cloudflare settings for SSL/TLS Edge Certificates:

I assume HSTS might be recommended and I've considered enabling it, but I want to make sure I've got the HTTPS nailed down first.

Again, thanks in advance to anyone that has an input or thoughts!

girish

@colonelpanic said in Cloudflare Setup Questions:

First question, the Cloudron Docs for Cloudflare mention that proxying must be disabled for the my subdomain. I changed the Mail Server Location when setting up email to email.domain.tld. Can someone confirm that I can setup proxying for my.domain.tld and just not turn it on for email.domain.tld?

Yes, correct. You can turn on proxying for my.domain.tld after changing the mail server location. One thing is that Cloudflare proxying provides two benefits - caching and security benefits like hiding the IP. If you use email on the same server, the latter benefit is not achievable. Because one can always find your IP using host -t MX domain.tld and then host -t A email.domain.tld .

Since email.domain.tld cannot be proxied, what would be the downside of using a domain that doesn't have any websites on it?

Hmm, only thing I can think of is that some domain names appear to have some TLDs appear to have "bad" reputation inherently. For example, domains like tk are so abused that you cannot even automated using cloudflare. I don't have any hard information on this, maybe look up the TLD in some spam look up sites for reputation.

girish

@colonelpanic said in Cloudflare Setup Questions:

I assume that renewing the Let's Encrypt certificate would not be an issue with the proxy turned on because Cloudron is using a DNS challenge instead of HTTP challenge. Is that a true statement?

Yes. Proxying can be left turned on, Cloudron will manage to get certs via DNS challenge.

What would be the benefit of creating a Wildcard Origin Cert on Cloudflare and uploading it instead of using Let's Encrypt?

AFAIK, there is no benefit. I think the wildcard origin cert is intended for cases where one cannot get a valid cert via DNS or HTTP automation (like some intranets that block outbound access).