TLS Error Cloudflared -> Traefik -> Service on Kubernetes

TL;DR: Are there any security concerns with just using "invalid" TLS certs internally in a cluster? Is there any way to tell the tunnel to check whether the TLS cert matches the external hostname of a service, not the internal one?

I have a k8s cluster with no load balancer. I intend to use a Cloudflare tunnel to expose Traefik to the internet. I plan to use Traefik to reverse proxy the services I want to expose. I have a wildcard TLS cert for the external hostnames of the services. If I disable TLS verification, everything works perfectly. When I try to enable TLS verification it fails, because the certificate Traefik is serving does not match the internal hostname; it matches the external hostname.
2024-08-17T11:41:53Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: failed to verify certificate: x509: certificate is valid for foo.example.com, not traefik.traefik" connIndex=3 dest=https://foo.example.com event=0 ip=<Redacted> type=http
2 Replies
drangon (OP), 5mo ago
IDK how I managed to mark the picture as a spoiler, but it is just a capture of the config for the cloudflared tunnel ingress.
drangon (OP), 5mo ago
OFC I find the answer after looking for 3 hours, giving up, and asking: originServerName. https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/origin-configuration/#originservername
Cloudflare Docs: Origin configuration | Cloudflare Zero Trust docs
Origin configuration parameters determine how cloudflared proxies traffic to your origin server. You can configure these settings in the dashboard for remotely-managed tunnels, or add them to your configuration file for locally-managed tunnels.
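To make the mechanism behind that answer concrete, here is an added example (not code from the thread or from cloudflared) that repeats the certificate check a Go TLS client such as cloudflared performs on the origin, with the three originRequest knobs from the linked docs modelled as a small struct. By default the name checked is the host part of the service URL (here `traefik.traefik`, the in-cluster Service name), so a cert issued for the external name fails exactly as in the log above. Setting `originServerName` changes the name that is sent as SNI and required in the cert's SANs; `caPool` supplies the private root that signs the internal cert; `noTLSVerify` skips the check altogether, which also removes the guarantee that cloudflared is talking to Traefik and not to something else that answers on that Service address. The certificate is a self-signed wildcard for `*.example.com` constructed inline for the example, so the mismatch message reads `*.example.com` where the log shows `foo.example.com`; `OriginRequest`, `verifyOrigin` and `newTestCert` are names of this example, not cloudflared's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// OriginRequest holds the three cloudflared originRequest settings that decide
// how the origin certificate is checked. The field names follow the cloudflared
// docs; the struct is this example's own, not cloudflared's code.
type OriginRequest struct {
	NoTLSVerify      bool           // noTLSVerify: skip certificate checks entirely
	CAPool           *x509.CertPool // caPool: roots to trust (nil = system roots only)
	OriginServerName string         // originServerName: name sent as SNI and required in the cert's SANs
}

// verifyOrigin repeats the check Go's TLS client (cloudflared is written in Go)
// performs on the origin's leaf certificate: chain to a trusted root and match
// the expected DNS name. Without originServerName that name is the host taken
// from the service URL, e.g. traefik.traefik, so an externally named cert fails.
func verifyOrigin(leaf *x509.Certificate, serviceHost string, req OriginRequest) error {
	if req.NoTLSVerify {
		return nil // anything goes: whatever answers on the Service address is accepted
	}
	name := serviceHost
	if req.OriginServerName != "" {
		name = req.OriginServerName
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   name,
		Roots:     req.CAPool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// newTestCert builds a self-signed server certificate with the given SANs,
// standing in for the wildcard cert Traefik serves. It is constructed for the
// example; the returned pool contains the cert itself as the trusted root,
// playing the role of the private CA you would hand to caPool.
func newTestCert(dnsNames ...string) (*x509.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: dnsNames[0]},
		DNSNames:              dnsNames,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return leaf, pool, nil
}

func main() {
	leaf, pool, err := newTestCert("*.example.com")
	if err != nil {
		panic(err)
	}
	const serviceHost = "traefik.traefik" // host part of "service: https://traefik.traefik"
	scenarios := []struct {
		label string
		req   OriginRequest
	}{
		{"default: verify against service host", OriginRequest{CAPool: pool}},
		{"originServerName + caPool", OriginRequest{CAPool: pool, OriginServerName: "foo.example.com"}},
		{"originServerName, no caPool", OriginRequest{OriginServerName: "foo.example.com"}},
		{"noTLSVerify", OriginRequest{NoTLSVerify: true}},
	}
	for _, s := range scenarios {
		if err := verifyOrigin(leaf, serviceHost, s.req); err != nil {
			fmt.Printf("%-40s FAIL: %v\n", s.label, err)
		} else {
			fmt.Printf("%-40s ok\n", s.label)
		}
	}
}
```

The first scenario reproduces the thread's error (`x509: certificate is valid for *.example.com, not traefik.traefik`); the second is the fix the OP found, and it only works together with a trusted root, which is why the third scenario still fails. In a locally-managed tunnel config these settings sit under the ingress rule as `originRequest.originServerName`, `originRequest.caPool` (path to the CA PEM) and `originRequest.noTLSVerify`.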