Load Balanced Domain works and doesn't work

Hi All,

We just now this very second finished configuring our second bare metal machine and setting up the awesomeness which is Cloudflare Load Balancing.

Problem: www resolves fine and load balancing does work when Proxying is disabled. When we go to enable proxying, www reports a Cipher mismatch in our certificate.

We tried disabling SSL altogether, waited an hour to ensure TTL was met, but www never resolved. As soon as Proxying was re-disabled, www started resolving again.

Our individual hosts are running NodeJS backends reverse proxied through Nginx, with our wildcard certificate on each www host, then CF load balanced by region.

Are we in need of some configuration in Nginx to handle Cloudflare’s proxying?

The Unfufadoo Team

1 Like

Hi there,

If I understand correctly the LB pool is reporting as unhealthy because of a TLS mismatch?

My suspicion is that you need to configure your host header in your Load balancer monitor settings for your site - like this:

If this does not work for you, I would encourage you to contact Cloudflare support - so we can take a look at your configuration.

4 Likes

Hi Damian,

Sorry for the long delay. I am looking into this now. I will reply if that is the fix.

Jeff

Damian,

I set up a monitor for each of our nodes in the load balancer. Made sure the request header Host was set for each node. Waited for a Healthy status and then re-enabled proxying. Immediately we start seeing this error:

This site can’t provide a secure connection

www.unfufadoo.net uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH

We are using our own wildcard certificate which works fine when we are not proxying.

Any ideas?

Jeff

When you proxy through Cloudflare, we act as the termination point for SSL traffic - so we present a certificate at our edge. We call these ‘Edge Certificates’. If there is no certificate at our edge, you would see this error.

You need to ensure you have Universal SSL enabled on Cloudflare and that the certificate is present under the SSL/TLS > Edge Certificates section of our dashboard.

If you want to see your own wildcard certificate when proxying through Cloudflare, you need to be on our Business plan and upload that certificate to our edge - https://support.cloudflare.com/hc/en-us/articles/200170466-Managing-Custom-SSL-certificates

Ok so the solution is to use Cloudflare’s certificate or pay $200 a month just so we can use our own certificate that we paid for already? No thanks we will just use the free tier and load balance that way. Our wildcard certificate was expensive so we intend on using it.

You can still use it to encrypt the connection between Cloudflare and your origin server (using full strict SSL) - but it will not be the certificate that is presented to the client browser.

Unfortunately the solution if you do want to see that certificate is to disable our proxy or upload it to our edge on the Business plan. Our Load balancing does still work when you are not proxying through us and does not need to be orange-clouded - so that is good news.
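A way to check which certificate a client is actually shown for `www`, with proxying on or off. This is an added example, not part of any post in this thread and not Cloudflare tooling. Recognising "your own" certificate by its issuer organization is an assumption, and the sample certificate and the issuer name "Example Paid CA" are constructed.

```python
import socket
import ssl

# Constructed sample in the shape ssl.getpeercert() returns; issuer name is made up.
SAMPLE_WILDCARD = {
    "issuer": ((("organizationName", "Example Paid CA"),),),
    "subjectAltName": (("DNS", "*.unfufadoo.net"), ("DNS", "unfufadoo.net")),
}

def san_covers(hostname, cert):
    """True if a DNS name in the certificate covers hostname (exact or one-label wildcard)."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        name = value.lower()
        if kind != "DNS":
            continue
        if name == host:
            return True
        # "*.example.net" covers "www.example.net" but not "a.www.example.net".
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def issuer_org(cert):
    """Issuer organizationName from a getpeercert() dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def describe(hostname, cert, own_issuer_org):
    """Say which certificate a client is shown for hostname."""
    if cert is None:
        return "tls-failed"
    if not san_covers(hostname, cert):
        return "name-not-covered"
    return "own-certificate" if issuer_org(cert) == own_issuer_org else "other-certificate"

def fetch_cert(hostname, port=443, timeout=5):
    """Handshake with SNI and validation; return the peer certificate dict, None on TLS failure."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return tls.getpeercert()
    except ssl.SSLError:
        return None
```

Against a live host, `describe(name, fetch_cert(name), "<your CA's organization>")` returns `tls-failed` when the handshake or certificate validation fails, `other-certificate` when a valid certificate from another issuer is served (as with an edge certificate), and `own-certificate` when the origin's certificate reaches the client directly.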
