Traefik conditional certificate for same URL

shiftymccool@programming.dev to Selfhosted@lemmy.world – 20 points –

Hey all!

I have a bunch of services running on my home server and was looking to expose some of them publicly via Cloudflare tunnel. This is done and working great using the origin server certificate and strict TLS.

Up until now, I've been using self-signed certs internally but now I don't want to deal with the "proceed anyway" crap on browsers. I have Traefik set up to get certs from Cloudflare using DNS challenge and that seems to be working.

So, now my problem is: how do I switch between these certificates for the same URL when I'm internal vs public? I'd rather keep that traffic local if I'm at home, which is also working, I just can't figure out how to get Traefik to use the appropriate certificate depending on if the request is coming from my LAN or Cloudflare.

Any suggestions? Is there a better way to accomplish what I want to do?

EDIT: Looks like I'm just going full Cloudflare on this one, thanks for your help everyone!

17

You are viewing a single comment

I somewhat wonder if CloudFlare is issuing two different certs. An "internal" cert your servers use to serve to CloudFlare, which uses a private CA only valid for CloudFlare's internal services. CloudFlare's tunnel service validates against that internal CA, and then serves traffic using an actual public CA signed cert to public internet traffic.

Honestly though, I kinda think you should just go with serving everything entirely externally. Either you trust CloudFlare's tunnels, or you don't. If you don't trust CloudFlare to protect your services, you shouldn't be using it at all.

That's what I'm settling on. However, it's not just about trust, some of the services I'm exposing deal with moving files and I'm mostly interested in higher speeds associated with local transfers as well as not using up my internet data cap.

Here's a drawing of what I think might be happening to your private traffic: traffic diagram

One major benefit to this approach is CloudFlare does not need to revoke an entire public certificate authority (CA) if a singular private tunnel's Certificate Authority is compromised.