I use an Nginx Reverse Proxy Docker container with a setting to point to another container at 172.17.0.3:8080.
It works fine locally.
Cloudflare is set up as usual to point to the IP, not enforcing SSL (just for tests); 80 and 443 are open and I can reach the machine using the subdomain.
But when reaching the subdomain, I get an unusual error:
Your connection is not private
...
NET::ERR_CERT_AUTHORITY_INVALID
Subject: CloudFlare Origin Certificate
Issuer: CloudFlare, Inc.
Expires on: Apr 13, 2035
Current date: Jul 21, 2020
PEM encoded chain:
-----BEGIN CERTIFICATE-----
MI..
It sees the certificate but claims it’s invalid.
I agree the cert is not on the final server but on the reverse proxy server, but that's the goal of it, right?
And frankly, I don't know how to add a cert to a Tomcat server in a container.
Any idea?
Thank you @sandro
Weird, I tried both without and with the Cloudflare DNS proxy.
You're right, now I get a 502 Bad Gateway. The valid certificate is not mine but the Cloudflare DNS service one (valid until October 2020).
Sorry, domain is private for now. We’re a non-profit org with limited security skills (mine).
Yeah, I can reach the IP with HTTP for testing purposes.
But once I switch to HTTPS, I get ERR_HTTP2_PROTOCOL_ERROR.
And the certificate is the nginx localhost one, because I didn't add a route for the IP (I can't, since it wants a (sub)domain).
We are now mixing a lot of things here. If the domain is proxied you should not get the error you mentioned.
The protocol error is a completely different issue and, if I remember correctly, there were issues when you send invalid HTTP headers, which then break HTTP/2. I would suggest you use the search here as there were several threads about that.
Let’s drop the IP test. It’s not relevant.
All my previous deployments using Cloudflare and SSL on containers went fine when I added the cert to the final server/container.
Now, there are 2 changes from the previous working setups:
Our IPv4 address is "almost static": it was a long one a few weeks ago (4*3, 12 digits) but now we have a small one (5 digits). Maybe not related.
The Nginx reverse proxy is added in the loop.
I use Nginx Proxy Manager because the UI is nice for adding and changing routes. But maybe it's not working well.
If you know another solution for reverse proxy with a full UI to add routes, please let me know.
What I would suggest at this point is you pause Cloudflare, install a Let's Encrypt certificate instead of an Origin certificate (otherwise you will always have the warning), and first get the site to work properly on HTTPS without the proxies. Only once that is working should you unpause Cloudflare.
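To make the suggestion above concrete, here is an added example of a plain Nginx server block that terminates TLS at the reverse proxy and forwards to the Tomcat container; it is not from this thread and not Nginx Proxy Manager's generated config. The upstream address 172.17.0.3:8080 comes from the thread; the hostname sub.example.org and the Let's Encrypt paths under /etc/letsencrypt/live/ are assumptions (they are certbot's default layout) and should be replaced with your own.

```nginx
# Added example: TLS terminates at the reverse proxy; the Tomcat container
# (172.17.0.3:8080, from the thread) only ever sees plain HTTP, so no
# certificate needs to be installed inside it.
# Assumed: a Let's Encrypt certificate for sub.example.org obtained with
# certbot, stored at the default /etc/letsencrypt/live/ paths.

server {
    listen 80;
    server_name sub.example.org;
    # Redirect plain HTTP to HTTPS exactly once, here at the proxy.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name sub.example.org;

    # Publicly trusted chain (Let's Encrypt). A Cloudflare Origin certificate
    # in this spot is trusted only by Cloudflare's edge, not by browsers, which
    # is why the browser reports NET::ERR_CERT_AUTHORITY_INVALID when it talks
    # to the origin directly (Cloudflare paused or DNS-only).
    ssl_certificate     /etc/letsencrypt/live/sub.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sub.example.org/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://172.17.0.3:8080;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Tell the application the client already used HTTPS so it does not
        # issue its own https:// redirect; a second redirect is how loops start.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With Cloudflare paused, you can confirm which certificate the origin actually presents with `openssl s_client -connect <origin-ip>:443 -servername sub.example.org` and look at the Issuer line: it should name Let's Encrypt, not "CloudFlare, Inc.", before you unpause the proxy.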
Side note: While you were writing, I switched off and on some SSL settings in cloudflare:
Automatic HTTPS Rewrites
TLS 1.3
Opportunistic Encryption
Always Use HTTPS
Now it's back to the previous settings, but the error is now: ERR_TOO_MANY_REDIRECTS
And I also tested disabling the proxy host, and HTTPS worked directly, throwing the Nginx server HTTP version ("Congratulations, …").
Maybe I'm wrong, but it looks like 2 different problems (Cloudflare settings, maybe cache involved, and Nginx) are mixing things up.
At this point these settings do not matter anymore as you are not going via Cloudflare. Maybe you still have the old IP address and need to wait for DNS propagation.
A Nginx Proxy Manager issue I think.
I can reach the server using my domain name on HTTP with a specific port.
Do you know a “visual alternative” to Nginx Proxy Manager? A container of a kind of “webmin” for routing and taking care of SSL?