TLS Error Cloudflared -> Traefik -> Service on Kubernetes
TLDR: Are there any security concerns with just using "invalid" TLS certs internally to a cluster? Is there any way to tell the tunnel to check whether the TLS cert matches the external hostname of a service rather than the internal one?
I have a k8s cluster with no load balancer. I intend to use a cloudflare tunnel to expose traefik to the internet.
I plan to use traefik to reverse proxy the services to expose.
I have a wildcard tls cert for the external hostnames of the services.
If I disable TLS verification everything works perfectly.
When I try to enable TLS verification it fails because the certificate Traefik is serving does not match the internal hostname. It matches the external hostname.
IDK how I managed to mark the picture as a spoiler, but it is just a capture of the config for the cloudflared tunnel ingress.
OFC I find the answer after looking for 3 hours, giving up, and asking.
originServerName
https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/origin-configuration/#originservername
Origin configuration | Cloudflare Zero Trust docs
Origin configuration parameters determine how cloudflared proxies traffic to your origin server. You can configure these settings in the dashboard for remotely-managed tunnels, or add them to your configuration file for locally-managed tunnels.
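For anyone landing here later, here is an added example of what that setting looks like in a locally-managed cloudflared config file; it is not the original poster's config. The hostnames, the Traefik service name and the namespace are made up. The first rule shows the "it works if I disable verification" setup, which is the weak one: with `noTLSVerify: true` cloudflared accepts any certificate, so anything able to sit between cloudflared and Traefik inside the cluster (a compromised pod, a rogue Service pointing at the same ClusterIP) can impersonate the origin. The second rule is the fix from the answer above: cloudflared still connects to the internal Service DNS name, but `originServerName` tells it which name to expect in the certificate (and to present as SNI, so Traefik selects the matching wildcard cert instead of its default one), so full verification can stay on.

```yaml
# cloudflared config.yml (locally-managed tunnel) -- added example, hostnames and
# service names are assumptions, not from the original thread.
tunnel: example-tunnel
credentials-file: /etc/cloudflared/example-tunnel.json

ingress:
  # WEAK: verification disabled. Works, but cloudflared will trust any cert,
  # including one from a MITM inside the cluster.
  - hostname: app1.example.com
    service: https://traefik.traefik.svc.cluster.local:443
    originRequest:
      noTLSVerify: true

  # CORRECTED: keep verification on and tell cloudflared which name the
  # origin cert is expected to carry. Traefik serves the *.example.com
  # wildcard, so the external hostname matches and the handshake succeeds.
  - hostname: app2.example.com
    service: https://traefik.traefik.svc.cluster.local:443
    originRequest:
      originServerName: app2.example.com
      # Only needed if the wildcard was issued by a private CA rather than a
      # public one; path is an assumption.
      # caPool: /etc/cloudflared/internal-ca.pem

  # Required catch-all rule.
  - service: http_status:404
```

One ingress rule per external hostname is the simplest way to get the right `originServerName` for each one, since the value is per rule. If the wildcard is from a public CA nothing else is needed; if it was issued by an internal CA, add that CA to `caPool` rather than falling back to `noTLSVerify`. The same two options exist as "TLS Verification" and "Origin Server Name" in the dashboard for remotely-managed tunnels.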