Can I avoid using Cloudflare provided certs when using Tunnel and Public Hostnames?

I am trying to use Cloudflare zero-trust tunnels to proxy my home server. I have Nextcloud and a few personal websites behind an Nginx Proxy Manager instance, all running in Docker containers. Yesterday, I added the cloudflared Docker into my Docker Network and got the tunnel working, along with subdomains for all of the different services.

However, I noticed that all the subdomains I configured in Public Hostnames are using Cloudflare certs instead of my Let’s Encrypt certs that Nginx Proxy Manager generates. Doesn’t this mean that Cloudflare can decrypt the content? How can this be considered zero-trust?

My question is how do I effectively make this passthrough? I don’t want Cloudflare to decrypt and reencrypt along the way. Is there a way to do this?

Yes, that is what it means. Most of Cloudflare’s products depend on knowing the content.
Caching for example would be very useless otherwise.


Use the WARP client and tunnels to perform network routing. Then use unproxied records pointing to the private network IPs of the origins.


Do I have to use the WARP client instead of cloudflared? I like cloudflared because I can run it inside a Docker and there’s an official image. Does such a thing exist for WARP?

End user uses WARP, cloudflared is still used for access to the origin.

Thanks for the info, I misunderstood what WARP was. Okay so to recap, each end user installs WARP on their machine, which allows them to access the origin with private IPs we configure in the tunnel. The end user machine knows what these private IPs are via non-proxied DNS records. Gotcha.
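
As an added example (not part of any post in this thread), the Python sketch below classifies the IPv4 address a hostname's A record points to into the three cases the thread discusses: proxied through Cloudflare's edge, unproxied to a private address reached over WARP, or unproxied to a public address. The hostnames and addresses are constructed, and the Cloudflare list is a snapshot of the ranges published at https://www.cloudflare.com/ips-v4 that may have changed since.

```python
import ipaddress

# Assumption: snapshot of Cloudflare's published IPv4 edge ranges; refresh before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# RFC 1918 ranges, listed explicitly: ipaddress.is_private also matches
# documentation and other special-purpose ranges, which would hide a leak.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

MEANING = {
    "proxied": "Cloudflare edge answers and presents its own certificate; origin IP hidden",
    "private": "unproxied record to a private IP; only clients routed via WARP reach the origin",
    "exposed": "unproxied record to a public IP; origin certificate is served but the IP is in DNS",
}


def classify(address: str) -> str:
    """Return 'proxied', 'private' or 'exposed' for one IPv4 address."""
    ip = ipaddress.IPv4Address(address)  # raises ValueError on IPv6 or junk
    if any(ip in net for net in CLOUDFLARE_V4):
        return "proxied"
    if any(ip in net for net in RFC1918):
        return "private"
    return "exposed"


def audit(records: dict) -> dict:
    """Map each hostname to the classification of its A record."""
    return {host: classify(addr) for host, addr in records.items()}


# Constructed sample data, standing in for the output of a DNS lookup.
SAMPLE_RECORDS = {
    "www.example.com": "104.18.12.34",       # resolves into a Cloudflare range
    "nextcloud.example.com": "10.0.0.12",    # unproxied, private origin address
    "blog.example.com": "203.0.113.7",       # unproxied, public (documentation) address
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_RECORDS).items():
        print(f"{host:24} {status:8} {MEANING[status]}")
```
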

Unfortunately, I can’t expect every user on my Nextcloud to install WARP. Is there really no other way to passthrough the connection? I don’t need caching or any of the other features, I just want to be able to hide my home IP.

Cloudflare Spectrum, but it doesn’t use tunnels on the backend… It’s also billed very differently from normal plans / traffic.


Darn. I was afraid of that. Well, thanks for the support and info @cscharff and @Laudian! I am brand new to Cloudflare and this really helped clarify a lot of things for me.
