Our developers need to have end-to-end TLS for testing purposes on their workstations, for advanced authentication needs.
What steps have you taken to resolve the issue?
We configured a set of tunnels in TCP mode targeting our frontend.
Our frontend is in charge of terminating the TLS communication because of the advanced authentication needs we have (we use mTLS, Kerberos with KKDCP, etc.).
So far it seems that cloudflared always adds its own certificate in front of the frontend and never lets the communication be raw TCP on port 443.
Is there a way with Cloudflare tunnels to let our developers have their own certificates when testing locally?
So what we tried to do as a standardized setup for our developers here is a managed tunnel, each of them having their own set of services with a standard name pattern such as:
.example.com
mtls..example.com
kkdcp..example.com
etc.
All of those hostnames in the managed tunnels target tcp://host.docker.internal:4080, with the idea that our locally run frontend will handle each FQDN as we currently do for our production clusters.
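A quick check for the behaviour described above, added here as an example (it is not code from the thread or from cloudflared): it connects to a public hostname, reads the leaf certificate actually presented to the client, and reports whether the issuer is the CA the developer expects (the origin's own) or something else, meaning the TLS session is terminated before it reaches the origin. The sample certificate dicts and the CA names in them are constructed.

```python
"""Report whether the certificate seen on a public hostname was issued by the
origin's own CA or by some intermediary that terminates TLS in front of it."""
import socket
import ssl

# Constructed samples shaped like ssl.SSLSocket.getpeercert() output:
# subject/issuer are tuples of RDNs, each RDN a tuple of (attribute, value).
SAMPLE_EDGE_CERT = {
    "subject": ((("commonName", "dev.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Edge CA"),),
               (("commonName", "Example Edge CA 1"),)),
    "subjectAltName": (("DNS", "dev.example.com"),),
}
SAMPLE_ORIGIN_CERT = {
    "subject": ((("commonName", "dev.example.com"),),),
    "issuer": ((("organizationName", "Example Dev Team"),),
               (("commonName", "Dev Internal CA"),)),
    "subjectAltName": (("DNS", "dev.example.com"),),
}


def rdn_value(name, attribute):
    """Return one attribute (e.g. commonName) from a nested RDN tuple, or None."""
    for rdn in name:
        for key, value in rdn:
            if key == attribute:
                return value
    return None


def classify(cert, expected_issuer_cn):
    """'origin' when the leaf was signed by the CA the developer expects,
    'intermediary' when something in the path presented its own certificate."""
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName")
    return "origin" if issuer_cn == expected_issuer_cn else "intermediary"


def fetch_cert(hostname, port=443, cafile=None, timeout=5.0):
    """Complete a TLS handshake as a normal client and return the peer cert.
    Pass cafile for an origin signed by a private CA, otherwise verification
    fails and no certificate dict is returned."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys  # usage: script.py <hostname> <expected issuer CN> [cafile]
    cert = fetch_cert(sys.argv[1], cafile=sys.argv[3] if len(sys.argv) > 3 else None)
    print(sys.argv[1], classify(cert, sys.argv[2]),
          "issuer:", rdn_value(cert["issuer"], "commonName"))
```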
The HTTP Policy you refer to here is turned off completely; I have a message on the configuration panel saying: "Your policies are inactive. To start enforcing them, turn on the Proxy and TLS decryption under Settings / Network."
I understand the question you're asking; I'm trying to understand the context for the use case and how it's being implemented / tested, because it's not clear what you actually want / need to achieve.
In the end state, when your product is beyond testing… is it going to be accessible to the general internet? If so, do you intend to utilize any Cloudflare related functionality for the application?
There are plenty of ways for your dev to get a Let’s Encrypt cert for a hostname. Have them use DNS-01 and take that aspect of this whole process out of the equation.
Is this a new product? If so, why is it being developed with mTLS? What problem is it trying to solve by using it?
Sorry I keep seeking clarification and I think you believe either I am trying to be difficult or that I understand things that seem clear to you, but are not clear to me.
Right now it appears to me that you have a public hostname being proxied by Cloudflare and routing traffic through a tunnel to the origin. Proxied records on Cloudflare use Cloudflare to act as a MiTM for TLS. The exception to that would be Cloudflare Spectrum, which is available on an Enterprise plan. Cloudflare has mTLS options for but they don't work like the dev is probably expecting… so again, trying to understand more about the context.
Why is a tunnel involved? Can’t you simply set the record to DNS only and allow traffic through your firewall? Or allow the developer to simply test on the local network directly to the server? Test devices and developer workstation? Is the webserver running on the developer’s workstation? Are the devices like IoT devices connecting to an app?
Again I apologize, but it’s unclear what problem is being solved for here and context matters.
That's the thing I want to disable: TLS proxying without MITM behavior, allowing end-to-end TLS communication.
Because testing with a client over a cellular network, for example, requires an FQDN reachable over the Internet.
We are a fully remote company; we cannot ask all our developers to have a complex local network setup with split-DNS capabilities.
Managed endpoints of all kinds connecting to a management server and an authentication server.
Previously we were doing it with ngrok; maybe the solution is to stay on ngrok. I wanted to move to Cloudflare as the management console gives me more centralization capabilities…