Argo tunnel & SSL

Hello, I have a newbie question about tunnels and SSL.

By default when creating a tunnel with my linux server, all communications are encrypted by SSL provided by Cloudflare? Or I need to also issue a certificate on the server?

This question comes to my head because I’m using Cloudflare on some web servers and the option for SSL is on FULL (strict) encryption, meaning that the communication between the client and Cloudflare and server is always under SSL. But for tunnels?

Thank you.

When using tunnels, Cloudflare handles all the encryption from the user to the tunnel connector. You can use SSL on your origin server, but personally I don’t.

Hey! it will do any difference if I use SSL on my origin server?

Maybe if the tunnel communicates directly from inside the origin server we don’t need SSL on the origin server… Does this makes sense?

Thank you.

It actually isn’t, respectively only under a non-validated connection, which renders SSL pointless. You need to be on Full Strict.

@Cyb3r-Jak3’s response is absolutely spot on, given you are connecting locally. Should you connect somewhere else on HTTP, then you’d still have a security issue.

1 Like

I have edited my first post as I was mistaken, the connection was on Full (strict) not only on Full.
So now, on Full (strict) the connection between the client, Cloudflare and the server is always under SSL?

And to fully understand the tunnel and SSL Cloudflare uses, if my server is at my office and has ports blocked by firewall and is only accessible by the tunnel, the information exchanged is always under Cloudflare SSL encryption and no need to issue a SSL cert locally on the server?

Or the SSL that Cloudflare uses is between the tunnel connector and client but need a SSL for the tunnel connector and my server?

Thanks.

First one

Cloudflare handles the encryption from the user all the way to the connector (running cloudflared). There is no real reason to have SSL between the connector and the origin server.

2 Likes

@sandro @Cyb3r-Jak3 thank you very much to confirm this.

One last question, I’m routing to an internal app inside my machine with the tunnel and is on http://localhost:80. So accessing with https://domain.com is handled by Cloudflare’s SSL. The problem is that I can also access using http. How can I limit/redirect access only using https from outside?

I want the connection to my machine only by https.

There is the Always use HTTPS option here you can enable, which will redirect any HTTP requests to HTTPS.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.