Cloudron Forum

Cloudflare Setup Questions

Category: Support
Tags: cloudflare, domains
3 Posts 2 Posters 991 Views
colonelpanic
wrote on last edited by girish
#1

      I have a handful of questions regarding the best practices when using Cloudflare. Thanks in advance to anyone that can assist in clarifying these.

First question: the Cloudron Docs for Cloudflare mention that proxying must be disabled for the "my" subdomain. I changed the Mail Server Location when setting up email to email.domain.tld. Can someone confirm that I can set up proxying for my.domain.tld and just not turn it on for email.domain.tld?

      Since email.domain.tld cannot be proxied, what would be the downside of using a domain that doesn't have any websites on it? I'm hosting a handful of web services on domain.tld, but I have another domain that isn't being used for anything at this time. Is it worth making the changes? Thoughts?

Current Email setup on Cloudron:
[screenshot: CleanShot 2022-02-09 at 09.56.59@2x.png]

Second question: are the settings in the screenshots below the recommended settings if I'm using Cloudflare as the DNS provider?

      I assume that renewing the Let's Encrypt certificate would not be an issue with the proxy turned on because Cloudron is using a DNS challenge instead of HTTP challenge. Is that a true statement?

      What would be the benefit of creating a Wildcard Origin Cert on Cloudflare and uploading it instead of using Let's Encrypt? I don't do this with the services I host on my homelab because I don't want to have to go through Cloudflare to access those services—I want to keep them entirely internal. However, I'm using Cloudron on a VPS and don't see that being an issue. If someone else has considered this, what did you decide on and why?

Cloudron settings for a domain:
[screenshot: CleanShot 2022-02-09 at 09.59.17@2x.png]

Cloudflare settings for DNS:
[screenshot: CleanShot 2022-02-09 at 10.04.33@2x.png]

Cloudflare settings for SSL/TLS Overview:
[screenshot: CleanShot 2022-02-09 at 10.07.12@2x.png]

Cloudflare settings for SSL/TLS Edge Certificates:
[screenshot: CleanShot 2022-02-09 at 10.10.24@2x_1.png]

      I assume HSTS might be recommended and I've considered enabling it, but I want to make sure I've got the HTTPS nailed down first.

[screenshot: CleanShot 2022-02-09 at 10.10.24@2x_2.png]

Again, thanks in advance to anyone that has any input or thoughts!

girish (Staff)
wrote on last edited by
#2
        @colonelpanic said in Cloudflare Setup Questions:

First question: the Cloudron Docs for Cloudflare mention that proxying must be disabled for the "my" subdomain. I changed the Mail Server Location when setting up email to email.domain.tld. Can someone confirm that I can set up proxying for my.domain.tld and just not turn it on for email.domain.tld?

Yes, correct. You can turn on proxying for my.domain.tld after changing the mail server location. One thing to note is that Cloudflare proxying provides two benefits: caching, and security benefits like hiding the IP. If you use email on the same server, the latter benefit is not achievable, because one can always find your IP using "host -t MX domain.tld" and then "host -t A email.domain.tld".

        Since email.domain.tld cannot be proxied, what would be the downside of using a domain that doesn't have any websites on it?

Hmm, the only thing I can think of is that some TLDs appear to have a "bad" reputation inherently. For example, domains like .tk are so abused that you cannot even automate them using Cloudflare. I don't have any hard information on this; maybe look up the TLD in some spam lookup sites for reputation.

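The two points in this reply can be checked against a zone before switching proxying on: the MX target must stay unproxied, and an unproxied A record that shares an IP with a proxied one gives the origin away. The following is an added example, not code from Cloudron or Cloudflare; the zone records, the 203.0.113.10 and 198.51.100.20 addresses and the record layout are constructed, and it generalises the MX-then-A lookup in the reply to every unproxied A record in the zone.

```python
# Added example: lint a Cloudflare-style zone for two mail-related pitfalls.
# All zone data below is constructed sample data, not a real export.
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str             # fully qualified host name
    rtype: str            # "A" or "MX"
    content: str          # IPv4 address for A, target host name for MX
    proxied: bool = False  # Cloudflare "orange cloud" on this record


# Constructed zone modelled on the setup asked about: web hosts proxied,
# mail moved to email.domain.tld, everything on one VPS (203.0.113.10).
ZONE = [
    Record("domain.tld", "A", "203.0.113.10", proxied=True),
    Record("my.domain.tld", "A", "203.0.113.10", proxied=True),
    Record("email.domain.tld", "A", "203.0.113.10", proxied=False),
    Record("domain.tld", "MX", "email.domain.tld"),
]

# Same zone with mail on its own IP: the origin behind the proxied hosts stays hidden.
SPLIT_ZONE = [r for r in ZONE if r.name != "email.domain.tld"] + [
    Record("email.domain.tld", "A", "198.51.100.20"),
]


def a_records(zone: list, host: str) -> list:
    return [r for r in zone if r.rtype == "A" and r.name == host]


def lint_zone(zone: list, apex: str) -> list:
    """Return (issue, host) pairs; an empty list means neither pitfall is present.

    proxied-mx-target: the MX target is behind the HTTP proxy, so SMTP cannot reach it.
    origin-exposed:    an unproxied A record publishes an IP that proxied records are
                       meant to hide (the MX -> A lookup chain described in the reply).
    """
    findings = []
    hidden_origins = {r.content for r in zone if r.rtype == "A" and r.proxied}
    for mx in (r for r in zone if r.rtype == "MX" and r.name == apex):
        if any(a.proxied for a in a_records(zone, mx.content)):
            findings.append(("proxied-mx-target", mx.content))
    for r in zone:
        if r.rtype == "A" and not r.proxied and r.content in hidden_origins:
            findings.append(("origin-exposed", r.name))
    return findings


if __name__ == "__main__":
    for label, zone in (("single VPS", ZONE), ("split mail IP", SPLIT_ZONE)):
        print(label, lint_zone(zone, "domain.tld") or "clean")
```

The first zone reports email.domain.tld as exposing the shared origin; the second, with mail on a separate address, comes back clean.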
girish (Staff)
wrote on last edited by
#3
          @colonelpanic said in Cloudflare Setup Questions:

          I assume that renewing the Let's Encrypt certificate would not be an issue with the proxy turned on because Cloudron is using a DNS challenge instead of HTTP challenge. Is that a true statement?

Yes. Proxying can be left turned on; Cloudron will manage to get certs via the DNS challenge.

          What would be the benefit of creating a Wildcard Origin Cert on Cloudflare and uploading it instead of using Let's Encrypt?

          AFAIK, there is no benefit. I think the wildcard origin cert is intended for cases where one cannot get a valid cert via DNS or HTTP automation (like some intranets that block outbound access).
