this post was submitted on 02 Feb 2025
21 points (92.0% liked)

Selfhosted

41674 readers
640 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
21
Nextcloud behind Cloudflare zero trust (feddit.nl)
submitted 2 days ago by cctl01@feddit.nl to c/selfhosted@lemmy.world
17 comments fedilink hide all child comments
 

For some time, I've hidden my nextclould behind CF zero trust. When refreshing certificates via letsencrypt I would manually disable the tunnel, refresh and re-enable the tunnel. Now that letsencrypt will no longer notify me via email I need a more robust (read automated) way of refreshing certs. Do I have any options other than disabling zero trust? (the advantage would be I no longer need vpn to have the mobile app working).

top 17 comments
sorted by: hot top controversial new old
[–] chiisana@lemmy.chiisana.net 2 points 23 hours ago (1 children)

If you can serve content locally without tunnel (ie no CGNAT or port block by ISP), you can configure your server to respond only to cloudflare IP range and your intranet IP range; slap on the Cloudflare origin cert for your domain, and trust it for local traffic; enable orange cloud; and tada. Access from anywhere without VPN; externally encrypted between user <> cloudflare and cloudflare <> your service; internally encrypted between user <> service; and only internally, or someone via cloudflare can access it. You can still put the zero trust SSO on your subdomain so Cloudflare authenticates all users before proxying the actual request.

[–] cctl01@feddit.nl 1 points 10 hours ago* (last edited 10 hours ago)

This worked great. For those looking to apply the same solution. And running Nextcloud in snap. You need a cert.pem, key.pem and chain.pem file. The latter can be found here: https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/#cloudflare-origin-ca-root-certificate The cert and key can be generated from your Cloudflare Dashboard under Domains > SSL/TLS > Edge Certificate.

Place all three files in /var/snap/nextcloud/12345/certs/live/ where 12345 can vary for you.

Finally sudo nextcloud.enable-https custom cert.pem key.pem chain.pem Profit!

[–] hendrik@palaver.p3x.de 11 points 2 days ago* (last edited 2 days ago) (2 children)

Maybe you can use letsencrypt's DNS-01 challenge. That works without an HTTP connection. But ultimately, I don't think you need a certificate on the server, doesn't Cloudflare tunnel the traffic (unencrypted) and terminate the HTTPS on their side?

[–] KairuByte@lemmy.dbzer0.com 2 points 1 day ago

It can be unencrypted, but isn’t a requirement.

[–] cctl01@feddit.nl 1 points 2 days ago

Thanks for the reply, among all answers I chose this. Just because it works for me.

[–] Moonrise2473@feddit.it 5 points 2 days ago* (last edited 2 days ago) (1 children)

Behind a cloudflare tunnel you can use a self signed or expired certificate, just check the "no TLS verify" checkbox

Edit: or use DNS based verification, nginx proxy manager can do it automatically using cloudflare api when behind cloudflare tunnels

[–] cctl01@feddit.nl 1 points 2 days ago (1 children)

Thanks for the reply, among all answers I chose this. Just because it works for me.

[–] SaltySalamander@fedia.io 3 points 2 days ago (2 children)

Are you a bot?

[–] cctl01@feddit.nl 1 points 1 day ago

Would a bot tell you? 🧐

[–] curbstickle@lemmy.dbzer0.com 1 points 2 days ago* (last edited 2 days ago) (1 children)

No posts/c9mments in like a year and a half, then this... I'd guess yes.

[–] cctl01@feddit.nl 2 points 1 day ago (1 children)

3 people independently advice dns challenge. They all deserve the same appreciation don't they?

[–] curbstickle@lemmy.dbzer0.com 1 points 1 day ago (1 children)

I don't think a copy/paste answer comes across as appreciation, no.

It comes across weird, especially on a low activity account, and seems like a bot response that got stuck.

[–] dreadbeef@lemmy.dbzer0.com 1 points 1 day ago (1 children)

I'm just a passive observer and it's fine. You can assume it's a bot but that's not on them. They seem legitimate and my assumption is maybe English isn't their first language.

[–] curbstickle@lemmy.dbzer0.com 1 points 1 day ago

With the other comments since, yeah not a bot. Early on with the long gap, then a post and the same commen t being the only comment - yeah that looks like a bot.

Its not an indictment of them, just observation.

[–] MangoPenguin@lemmy.blahaj.zone 3 points 2 days ago (1 children)

DNS-01 challenge with letsencrypt. Or use cloudflare tunnel and don't use https internally.

[–] cctl01@feddit.nl 1 points 2 days ago

Thanks for the reply, among all answers I chose this. Just because it works for me.

[–] Shimitar@downonthestreet.eu 1 points 2 days ago

Setup a cron that does it once per day, when you don't need it, like certbot does. Easy.