I have a handful of questions regarding the best practices when using Cloudflare. Thanks in advance to anyone that can assist in clarifying these.
First question: the Cloudron Docs for Cloudflare mention that proxying must be disabled for the my subdomain. I changed the Mail Server Location when setting up email to email.domain.tld. Can someone confirm that I can set up proxying for my.domain.tld and just not turn it on for email.domain.tld?
Since email.domain.tld cannot be proxied, what would be the downside of using a domain that doesn't have any websites on it? I'm hosting a handful of web services on domain.tld, but I have another domain that isn't being used for anything at this time. Is it worth making the changes? Thoughts?
Current Email setup on Cloudron:
Second question: are the settings in the screenshots below the recommended settings if I'm using Cloudflare as the DNS provider?
I assume that renewing the Let's Encrypt certificate would not be an issue with the proxy turned on because Cloudron is using a DNS challenge instead of HTTP challenge. Is that a true statement?
What would be the benefit of creating a Wildcard Origin Cert on Cloudflare and uploading it instead of using Let's Encrypt? I don't do this with the services I host on my homelab because I don't want to have to go through Cloudflare to access those services—I want to keep them entirely internal. However, I'm using Cloudron on a VPS and don't see that being an issue. If someone else has considered this, what did you decide on and why?
Cloudron settings for a domain:
Cloudflare settings for a DNS:
Cloudflare settings for SSL/TLS Overview:
Cloudflare settings for SSL/TLS Edge Certificates:
I assume HSTS might be recommended and I've considered enabling it, but I want to make sure I've got the HTTPS nailed down first.
Again, thanks in advance to anyone that has an input or thoughts!
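As an added example (not part of the original post, and not Cloudron's or Cloudflare's code), the following check classifies each hostname from the post as proxied or DNS-only by comparing its resolved A records against Cloudflare's published IPv4 ranges, and flags the mail host if it is proxied, since SMTP and IMAP do not pass through the Cloudflare HTTP proxy. The resolver answers are constructed sample data and the range list is a short snapshot of https://www.cloudflare.com/ips-v4, which should be refreshed before use.

```python
import ipaddress

# Snapshot of some of Cloudflare's published IPv4 proxy ranges
# (https://www.cloudflare.com/ips-v4). Refresh from that URL before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "104.16.0.0/13", "104.24.0.0/14", "108.162.192.0/18",
    "141.101.64.0/18", "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20",
    "188.114.96.0/20", "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
)]

def is_cloudflare_ip(addr, ranges=CLOUDFLARE_V4):
    """True if the address falls inside one of the Cloudflare proxy ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ranges)

def classify(addresses, ranges=CLOUDFLARE_V4):
    """Return 'proxied', 'dns-only' or 'mixed' for a host's resolved A records."""
    flags = {is_cloudflare_ip(a, ranges) for a in addresses}
    if flags == {True}:
        return "proxied"
    if flags == {False}:
        return "dns-only"
    return "mixed"

def audit(records, mail_host):
    """records maps hostname -> list of A-record addresses as a resolver returned them.
    Returns findings; an empty list means the layout matches the Cloudron guidance
    (mail host DNS-only, web hosts may be proxied)."""
    findings = []
    for host, addrs in records.items():
        state = classify(addrs)
        if host == mail_host and state != "dns-only":
            findings.append(f"{host}: mail host is {state}; SMTP/IMAP do not traverse "
                            f"the Cloudflare HTTP proxy, set this record to DNS only")
        elif state == "mixed":
            findings.append(f"{host}: mixed answers (some proxied, some origin), "
                            f"check for a stale record")
    return findings

# Constructed sample answers, not real resolver output (203.0.113.0/24 is a documentation range).
SAMPLE = {
    "my.domain.tld": ["104.16.123.45", "104.16.123.46"],   # proxied, as intended
    "email.domain.tld": ["104.16.123.45"],                 # misconfigured: proxied mail host
    "app.domain.tld": ["203.0.113.10"],                    # DNS only, pointing at the origin
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, "email.domain.tld"):
        print(finding)
```

Replace SAMPLE with the A records a resolver returns for your own hostnames; a Let's Encrypt DNS-01 renewal is unaffected by the proxied state either way, because it only needs the _acme-challenge TXT record.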