308 for newly bought domain

Hey, I just bought a domain on Cloudflare: https://citeasy.app. However, I can't seem to access it. I have set up my Traefik like I used to do it with Google Domains. I'll post screens of my Cloudflare config below.
12 Replies
Xiaojiba
XiaojibaOP15mo ago
My docker-compose traefik config :
labels:
- traefik.enable=true
- traefik.docker.network=gateway

# HTTPS management
- traefik.http.routers.citeasy.entryPoints=secure
- traefik.http.routers.citeasy.rule=Host(`citeasy.app`)
- traefik.http.routers.citeasy.tls=true
- traefik.http.routers.citeasy.tls.certresolver=letsencrypt
This app exposes port 3000, but it's not the real issue => I can't even access my real server
Chaika
Chaika15mo ago
This is usually caused by your SSL/TLS Mode being “Flexible” when it should be “Full (Strict)”. You can find this setting in the Cloudflare dashboard, within your website, under SSL/TLS → Overview, or via this magic link: https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls. Set it to “Full (Strict)”, and then see.
Xiaojiba
XiaojibaOP15mo ago
I've just configured it to be Full, retrying. Thanks. It's working! Thanks brooooo @chaika.me. Now that it's working, could you please tell me what it changes? Basically it uses my certificate instead of a Cloudflare one?
Chaika
Chaika15mo ago
With Proxy enabled, CF will always use its certificate. It's impossible for CF to do what it needs to do (caching, etc) while using your certificate/maintaining encryption. "Flexible" is just the insecure default it picks if the domain is added without any web server or info to go off. Cloudflare sends HTTP requests to your origin, which responds with an HTTPS redirect, which it proxies back, infinitely until your browser gives up. Switching it to Full (Strict) makes Cloudflare send HTTPS requests to your origin (if the visitor is over https), which your origin correctly responds to. https://developers.cloudflare.com/ssl/troubleshooting/too-many-redirects/
Xiaojiba
XiaojibaOP15mo ago
Alright, so Full is better for security, right? Thanks a lot for the explanation!
Chaika
Chaika15mo ago
Full (Strict) is best yea, it's same security as the browser would normally have for certificates basically
Xiaojiba
XiaojibaOP15mo ago
Big thaaank
Hello, I’m Allie!
Can't CF use your Certificate?
Chaika
Chaika15mo ago
If you have biz or ent and uploaded it to CF sure, but I would argue at that point it becomes "its certificate" and not your origin's. It's not possible for CF to serve the origin's cert without you uploading it, because it needs to decrypt the request/be able to create its own responses without involving the origin.
Hello, I’m Allie!
Isn't that what Keyless SSL is?
Keyless SSL · Cloudflare SSL/TLS docs
Keyless SSL allows security-conscious clients to upload their own custom certificates and benefit from Cloudflare, but without exposing their TLS …
Hello, I’m Allie!
Cloudflare uses your certs without having the keys?
Chaika
Chaika15mo ago
That's very enterprise, you still need to upload your cert, and that also still involves your origin, well, a "key server" running on your own infrastructure. Certainly not as simple as just switching between modes.
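The redirect loop explained earlier in the thread (Flexible sends plain HTTP to an origin that redirects to HTTPS), as an added example that is not part of the original thread and is not Cloudflare or Traefik code. It is an offline model: `origin`, `edge`, `browse` and the mode strings are hypothetical names, and the origin is assumed to answer plain HTTP with a 308 to HTTPS.

```python
from urllib.parse import urlsplit

MAX_HOPS = 20  # assumed browser redirect limit, for illustration


def origin(scheme, host, path):
    """Constructed origin: 308-redirects plain HTTP to HTTPS, serves HTTPS."""
    if scheme == "http":
        return 308, f"https://{host}{path}"
    return 200, None


def edge(mode, visitor_url):
    """Hypothetical proxy: choose the scheme used towards the origin."""
    u = urlsplit(visitor_url)
    # "flexible": always plain HTTP to the origin, even for HTTPS visitors.
    # "full" / "full_strict": same scheme as the visitor (strict additionally
    # validates the origin certificate, which this model does not cover).
    to_origin = "http" if mode == "flexible" else u.scheme
    # The origin's response is proxied back to the visitor unchanged.
    return origin(to_origin, u.hostname, u.path or "/")


def browse(mode, url):
    """Follow redirects like a browser; return (outcome, list of hops)."""
    hops, visited = [], set()
    for _ in range(MAX_HOPS):
        status, location = edge(mode, url)
        hops.append((url, status))
        if status == 200:
            return "ok", hops
        visited.add(url)
        if location in visited:
            return "redirect_loop", hops  # sent back to a URL already tried
        url = location
    return "too_many_redirects", hops


if __name__ == "__main__":
    for mode in ("flexible", "full_strict"):
        for start in ("http://citeasy.app/", "https://citeasy.app/"):
            outcome, hops = browse(mode, start)
            print(f"{mode:12} {start:22} -> {outcome} {hops}")
```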