Our domain is resolved by Active Directory for internal clients and by Cloudflare for external clients. If I use Origin Certificates, do I need to add the Cloudflare CA as a trusted root to my internal clients?
Nobody has replied, so I’ll say Yes. I know that works in a standalone situation, so if AD lets you do that internally for your org, that should take care of it.
If your AD DNS is resolving to the Cloudflare IP, then no. If it's not… why do you trust your users? I don't trust my users… but yes, adding the Origin CA certificate chain would allow them to connect without a certificate error if they are using the origin IP… but users…
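The check behind that answer, as an added example (not code from the thread): classify what the internal resolver hands back for each hostname, so you know whether internal clients are landing on a Cloudflare edge (where the Origin CA certificate is never presented to them) or on the origin IP directly (where it is, and would need the Origin CA root installed). The two edge prefixes are a constructed subset of the published list at https://www.cloudflare.com/ips-v4 and ips-v6, the origin address and the resolver answers are constructed sample data, and the function names are my own.

```python
"""Audit what an internal resolver returns for hostnames that are proxied by Cloudflare.

Added example, not from the original thread. Replace INTERNAL_ANSWERS with the
output of `dig +short <name> @<AD DNS server>` to check a real zone, and load
the full edge list from https://www.cloudflare.com/ips-v4 and ips-v6.
"""
import ipaddress

# Constructed subset of Cloudflare's published edge ranges (assumption: in
# practice, fetch the live list instead of hard-coding it).
CLOUDFLARE_EDGE = [
    ipaddress.ip_network(n)
    for n in ("104.16.0.0/13", "172.64.0.0/13", "2606:4700::/32")
]

# Constructed: the address Cloudflare connects to (the "origin IP").
ORIGIN_ADDRESSES = {"203.0.113.10"}

# Constructed: what the AD DNS server currently answers for each name.
INTERNAL_ANSWERS = {
    "www.example.com": ["203.0.113.10"],            # A record pointing at the origin
    "api.example.com": ["104.18.2.3", "104.18.3.3"],  # CNAME to *.cdn.cloudflare.net
}


def classify(address, edge_ranges=CLOUDFLARE_EDGE, origin=ORIGIN_ADDRESSES):
    """Label one resolved address as a Cloudflare edge, the origin itself, or unknown."""
    ip = ipaddress.ip_address(address)
    # ipaddress returns False for a v4 address tested against a v6 network, and vice versa,
    # so mixed-family ranges are safe here.
    if any(ip in net for net in edge_ranges):
        return "cloudflare-edge"
    if address in origin:
        return "origin-direct"
    return "unknown"


def audit(hostname, answers, edge_ranges=CLOUDFLARE_EDGE, origin=ORIGIN_ADDRESSES):
    """Return (verdict, {address: label}) for one hostname's internal answers.

    "proxied": every answer is an edge address, so clients see Cloudflare's edge
    certificate and the Origin CA root is irrelevant to them.
    "bypasses-cloudflare": at least one answer is the origin IP, so clients will
    be shown the Origin CA-issued certificate and need that root to trust it.
    """
    kinds = {a: classify(a, edge_ranges, origin) for a in answers}
    if kinds and all(k == "cloudflare-edge" for k in kinds.values()):
        verdict = "proxied"
    elif any(k == "origin-direct" for k in kinds.values()):
        verdict = "bypasses-cloudflare"
    else:
        verdict = "unknown"
    return verdict, kinds


if __name__ == "__main__":
    for name, answers in INTERNAL_ANSWERS.items():
        verdict, kinds = audit(name, answers)
        print(f"{name}: {verdict}")
        for addr, label in kinds.items():
            print(f"  {addr:<20} {label}")
```

A "bypasses-cloudflare" verdict is the case the reply above describes: either install the Origin CA root on those clients or, better, change the internal record so it resolves to the edge.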
I would ideally force my internal users to go through Cloudflare, but I’d have to put in A records to point to the Cloudflare IP address. Is that guaranteed to be static?
I think that’s the solution I should pursue. Is there any situation where .cdn.cloudflare.net will not work as a CNAME?
If the ‘target’ record (record less the cname) doesn’t exist it will fail. Otherwise… it should work. Are there /any/ edge cases? Yes. But they are rare (can’t have a TXT record for a CNAME record, for example).
DNS is always full of corner cases, but I have multiple customers using this strategy in prod reliably.
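Both edge cases named above are mechanical enough to check before the records go into the internal zone. As an added example (not from the thread), this validates a constructed set of AD DNS records: it flags any owner name that has a CNAME alongside other records (the TXT-on-a-CNAME case; RFC 1034 section 3.6.2 says a CNAME owner may hold no other data, which also rules out a CNAME at the zone apex because the apex always owns SOA and NS), and it flags any `<host>.cdn.cloudflare.net` target whose base host is not actually a proxied record on the Cloudflare side. The record set, the proxied-name list and the function names are my own assumptions.

```python
"""Pre-flight checks for internal-zone CNAMEs that point at *.cdn.cloudflare.net.

Added example, not from the original thread. Records are (owner, type, rdata)
tuples as you would export them from the AD DNS zone; PROXIED_IN_CLOUDFLARE is
the set of hostnames that exist as proxied records in the Cloudflare zone.
Both are constructed sample data.
"""
from collections import defaultdict

CDN_SUFFIX = ".cdn.cloudflare.net"

# Constructed internal zone for example.com ("@" is the apex).
SAMPLE_ZONE = [
    ("@", "SOA", "dc1.corp.example.com. hostmaster.example.com. 1 3600 600 86400 300"),
    ("@", "NS", "dc1.corp.example.com."),
    ("@", "MX", "10 mail.example.com."),
    ("@", "TXT", "v=spf1 mx -all"),
    ("@", "CNAME", "example.com.cdn.cloudflare.net."),      # apex CNAME: conflicts with SOA/NS/MX/TXT
    ("www", "CNAME", "www.example.com.cdn.cloudflare.net."),
    ("api", "CNAME", "api.example.com.cdn.cloudflare.net."),
    ("api", "TXT", "verification=abc123"),                  # TXT next to a CNAME: conflict
    ("legacy", "CNAME", "legacy.example.com.cdn.cloudflare.net."),  # target not proxied in Cloudflare
    ("mail", "A", "203.0.113.25"),
]

# Constructed: names that exist as proxied records in the Cloudflare zone.
PROXIED_IN_CLOUDFLARE = {"example.com", "www.example.com", "api.example.com"}


def _norm(name):
    return name.rstrip(".").lower()


def find_cname_conflicts(records):
    """Return [(owner, problem)] for owners that hold a CNAME plus anything else."""
    by_owner = defaultdict(list)
    for owner, rtype, rdata in records:
        by_owner[_norm(owner)].append((rtype.upper(), rdata))
    problems = []
    for owner, rrs in by_owner.items():
        types = [t for t, _ in rrs]
        if "CNAME" not in types:
            continue
        others = sorted({t for t in types if t != "CNAME"})
        if others:
            problems.append((owner, "CNAME coexists with " + ", ".join(others)))
        if types.count("CNAME") > 1:
            problems.append((owner, "multiple CNAME records"))
    return problems


def find_missing_cdn_targets(records, proxied=PROXIED_IN_CLOUDFLARE, suffix=CDN_SUFFIX):
    """Return [(owner, base_host)] for CNAMEs whose target's base host is not proxied.

    The base host is the target with the cdn suffix removed, i.e. the record the
    thread calls "record less the cname"; if it does not exist on the Cloudflare
    side the CNAME will not resolve.
    """
    missing = []
    for owner, rtype, rdata in records:
        target = _norm(rdata)
        if rtype.upper() != "CNAME" or not target.endswith(suffix):
            continue
        base = target[: -len(suffix)]
        if base not in proxied:
            missing.append((_norm(owner), base))
    return missing


if __name__ == "__main__":
    for owner, problem in find_cname_conflicts(SAMPLE_ZONE):
        print(f"CONFLICT  {owner}: {problem}")
    for owner, base in find_missing_cdn_targets(SAMPLE_ZONE):
        print(f"NO TARGET {owner}: {base} is not a proxied record in Cloudflare")
```

The apex is the one to watch in an AD zone: the domain name itself always carries SOA and NS (and usually MX and TXT), so it has to stay an A record; only hostnames underneath it can be CNAMEs to the cdn target.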
Awesome. I can’t imagine I’d ever point to anything other than an A or CNAME record. I’m assuming LB records are whatever I entered for targets (A or CNAME).
Yes… DNS traversal delegates to Cloudflare, which ultimately resolves based on your DNS setting.