Cloudflare proxies with Traefik?

I currently have traefik setup to let me connect to my local services on my network and use DNS rewrites to access everything.

For example, if I go to ha.local.mydomain.com, I have a DNS rewrite that grabs that and sends it to my traefik container which then sends the request to the appropriate IP address for my home assistant VM.

All that works fine, or at least it was. Today I decided to switch on Cloudflare’s proxy option instead of forwarding requests straight to my IP address. And I got that working too by creating an SSL origin key/private key combination.

I added it into my Home Assistant’s configuration like so:

http:
  ssl_certificate: /ssl/origin.pem
  ssl_key: /ssl/cfprivkey.pem
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.14.0/23
    - 173.245.48.0/20
    - 103.21.244.0/22
    - 103.22.200.0/22
    - 103.31.4.0/22
    - 141.101.64.0/18
    - 108.162.192.0/18
    - 190.93.240.0/20
    - 188.114.96.0/20
    - 197.234.240.0/22
    - 198.41.128.0/17
    - 162.158.0.0/15
    - 104.16.0.0/13
    - 104.24.0.0/14
    - 172.64.0.0/13
    - 131.0.72.0/22

And I can access it remotely with no issue, but I can no longer access it through traefik. I get a bad gateway response. And to access it locally I have to use https://myip:8123 which works, but I get a certificate error.

What do I need to do to be able to use traefik for my local network and cloudflare for my remote access? I mean traefik is already configured to get SSL certs from cloudflare, do I need to add in my origin and private key in traefik’s config someplace?

You get a certificate error obviously because the certificate does not match the IP, it’ll only match the FQDN/domain it was issued for.

Why do you have whole networks as trusted proxies instead of just Traefik and Cloudflare’s IP?

HA is now encrypting the connection to both Cloudflare and Traefik. Since you can access it remotely, Cloudflare has no problem with it, but apparently Traefik does, thus the Bad Gateway error.

Did you configure Traefik to initiate an HTTPS connection to the upstream gateway (HA)? Is HA’s certificate trusted by Traefik? If issued by Cloudflare it most likely is, but just in case.

Yes, traefik uses HTTPS to communicate with HA. It is also configured to generate certs for each of my endpoints under my local.domainname.com domain.

And this is where I’m sure my error lies, but I don’t know the resolution. Traefik is creating a cert to provide a secure connection, but obviously that’s different than the origin cert I’ve created on Cloudflare’s side.

I’m trying to figure out how to get the two sides to play nicely. I’m thinking it has something to do with configuring traefik as my endpoint with the Cloudflare origin cert rather than HA directly :thinking:

Everything except the first one is Cloudflare’s IPs. The first one is my network, which I’ve set broadly while I’m troubleshooting issues before tightening things up.
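The question above about whole networks as trusted proxies, and this answer about the broad LAN range, both come down to how X-Forwarded-For is resolved: any host inside a trusted range can send a request straight to port 8123 with a forged header, and the application will believe it. The script below is an added example (not from the thread, and not Home Assistant's own implementation) of a simplified trusted-proxy resolver run against constructed requests, comparing the poster's broad list with one that trusts only Cloudflare plus a single Traefik address. The Traefik address 192.168.14.10, the LAN client addresses and the public addresses are assumed values.

```python
"""Simplified X-Forwarded-For resolution against a trusted_proxies list.

This is illustrative code, not Home Assistant's actual algorithm: it shows
why trusting a whole LAN range lets any host on that range spoof its
client address, while trusting only the reverse proxy does not.
"""
import ipaddress

# The Cloudflare IPv4 ranges from the poster's configuration.
CLOUDFLARE_RANGES = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
LAN_RANGE = "192.168.14.0/23"      # the poster's broad LAN entry
TRAEFIK_IP = "192.168.14.10"       # assumed address of the Traefik container

BROAD_TRUST = CLOUDFLARE_RANGES + [LAN_RANGE]
NARROW_TRUST = CLOUDFLARE_RANGES + [TRAEFIK_IP + "/32"]


def build_trusted(cidrs):
    """Parse CIDR strings once into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_trusted(addr, trusted):
    """True if addr falls inside any trusted network (IPv4/IPv6 mismatches are False)."""
    return any(addr in net for net in trusted)


def client_ip(remote_addr, x_forwarded_for, trusted_cidrs):
    """Return the client address the application should act on.

    The header is only honoured when the TCP peer itself is a trusted proxy.
    Hops are walked right to left; the first address not belonging to a
    trusted proxy is the client. If every hop is trusted, the leftmost one
    is used. Unparseable hops cause the header to be ignored entirely.
    """
    trusted = build_trusted(trusted_cidrs)
    peer = ipaddress.ip_address(remote_addr)
    if not is_trusted(peer, trusted):
        return str(peer)                      # direct client, header is untrusted
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    if not hops:
        return str(peer)
    try:
        parsed = [ipaddress.ip_address(h) for h in hops]
    except ValueError:
        return str(peer)                      # garbage header: fall back to the peer
    for addr in reversed(parsed):
        if not is_trusted(addr, trusted):
            return str(addr)
    return str(parsed[0])


def demo():
    """Constructed requests: (TCP peer, X-Forwarded-For header) -> resolved client."""
    cases = {
        # Legitimate: Cloudflare edge forwarding a remote visitor.
        "via_cloudflare": ("172.64.1.2", "203.0.113.5"),
        # Legitimate: Traefik forwarding a LAN browser.
        "via_traefik": (TRAEFIK_IP, "192.168.14.50"),
        # A LAN host talking to port 8123 directly with a forged header.
        "lan_spoof": ("192.168.15.77", "10.0.0.1"),
        # An untrusted public peer: the header must be ignored.
        "public_direct": ("203.0.113.9", "1.2.3.4"),
    }
    return {
        name: {
            "broad": client_ip(peer, xff, BROAD_TRUST),
            "narrow": client_ip(peer, xff, NARROW_TRUST),
        }
        for name, (peer, xff) in cases.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} broad={result['broad']:16s} narrow={result['narrow']}")
```

With the broad list, the forged request from 192.168.15.77 is attributed to 10.0.0.1; with only the Traefik address trusted, it is attributed to the LAN host that actually sent it, while both the Cloudflare and Traefik paths resolve to the real client either way. The same narrowing applies to the Traefik side: Cloudflare's ranges only need to be trusted by whatever terminates the Cloudflare connection.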

How are you arranging to send the traffic to Traefik when inside your LAN? Split DNS?

You could set Traefik to debug log requests and see what it complains about.