Some guidance on migrating all webserver + ssl to internal network

Hi,
Before I start, I would like to mention that I’m pretty old school in terms of the web, pretty much HTML in vim, and still rolling with my IPsec VPN - so if my assumptions are stupid / wrong, please correct me and don’t be afraid to use a substantial mallet while doing that. Having that out of the way:

I would like to move my website that has SSL from an external server into a local-network VM. My understanding is that Cloudflare will cache stuff, and since the webpage will be very static - that should not pose much of a problem.

My edge router is pfsense based.

From what I’ve gathered so far, the best way for me would be to spin up a reverse proxy, to be able to point to my website and possibly a few other services, while automagically throwing SSL on top of all of those outside requests, while still being able to use good old plaintext internally. For that I assume that pfSense HAProxy would be the best, as pfSense could also control the certificates, but here my dilemma starts. AFAIK, Cloudflare provides certificates - but here in the documentation and howtos there is a term “origin certificate” that, if I read correctly, is only intended for encryption router ↔ Cloudflare. I assume that if I were to open a free account with Cloudflare, then all requests pointing at my local services would be going through Cloudflare - using their own certs, while Cloudflare would then forward requests (if not cached) to my router using the “origin certificate” … right ?

Additionally, I use Google for corporate email, but I can just leave a DNS (MX) record in Cloudflare for Google mail servers, and all should be OK … but some of my internal services DO generate emails that so far have worked pretty much flawlessly with Google DNS servers and have been popping up in my mailboxes without problems (like backup failure, upgrade failures etc) - I know that I might be paranoid, but I don’t want to put myself in a situation without a solution.

Now going back to the internal services, I was intending to fire up a personal file hosting service, since sometimes for work purposes I need to share some binaries, and as much as using Google Drive does work, I wanted to give people the ability to load files as well (like a 64GB SD card image, so I can test what colleagues cooked on their own), and some of my customers have strong opinions about using gdrive. The reason I ask is that in the free plan I’ve seen that they have a post limit of 100MB … so I’m not sure how that would translate to this specific situation.

Welcome to the Cloudflare Community. :logodrop:

Much of what you are working out how to orchestrate on the LAN side will be off-topic for the Cloudflare Community, but for the Cloudflare parts, you should be able to get plenty of assistance here.

As a die-hard member of team Encrypt All The Things, I discourage the use of HTTP even internally. It just doesn’t make sense anymore when you can use DNS-01 challenges with the Let’s Encrypt CA and Cloudflare DNS to get publicly trusted certificates automatically.

I don’t see any reason that you would need to change anything with your Google Workspace email.

Make sure your application supports chunked uploads and you shouldn’t be impacted by that.

You have a lot going on in this post, so if I didn’t answer something you were hoping to get to, it probably wasn’t intentional.
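
To illustrate what the DNS-01 challenge mentioned above actually involves, here is an added example (not code from the original post, nor from any ACME client or from Cloudflare): the client derives the TXT value from the challenge token and its account key thumbprint per RFC 8555, publishes it at _acme-challenge.<name>, and the CA checks public DNS for it. The account key, the token and the record-payload field names are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    # ACME uses base64url without padding (RFC 8555 section 8.1)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: SHA-256 over only the required members, lexicographically
    # ordered, serialised with no whitespace. Extra members must not count.
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    # token "." thumbprint: binds the challenge to one ACME account key
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    # What gets published: base64url(SHA-256(keyAuthorization))
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode()).digest()
    return b64url(digest)

def challenge_record_name(identifier: str) -> str:
    # A wildcard "*.example.com" is validated at _acme-challenge.example.com,
    # which is why DNS-01 is the only challenge type that can issue wildcards.
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{host}"

def txt_record_payload(identifier: str, token: str, account_jwk: dict) -> dict:
    # Hypothetical shape of the record a DNS-API client would create; the field
    # names are an assumption here, not taken from Cloudflare's documentation.
    return {"type": "TXT", "name": challenge_record_name(identifier),
            "content": dns01_txt_value(token, account_jwk), "ttl": 120}

def ca_accepts(observed_txt: list, token: str, account_jwk: dict) -> bool:
    # The CA side: query the TXT record from public DNS and accept if any
    # returned string equals the expected digest (constant-time compare).
    expected = dns01_txt_value(token, account_jwk)
    return any(hmac.compare_digest(v, expected) for v in observed_txt)

# Constructed sample input: a made-up account key and challenge token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
SAMPLE_TOKEN = "constructed-token-evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ"

if __name__ == "__main__":
    print(txt_record_payload("*.example.com", SAMPLE_TOKEN, SAMPLE_JWK))
```

A real client would create this record through its DNS provider's API, poll until the TXT value is visible on public resolvers, and only then tell the CA to validate; the validation itself only reads DNS, so the origin never has to expose port 80 or 443.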

@epic.network thanks for your reply:
yeah, the LAN part - I do understand that that part will lie solely on me :wink: The nature of the beast :slight_smile:

The “let’s encrypt my shoe laces” does seem like a good solution, until you lose internet connection and you can’t get to the vital services. Granted, you can use a local cert and that’s beyond the scope of this discussion, but I do understand and partially agree with your argument.

Thanks for the G Workspace heads-up.

Chunked upload - I’ll have to look into this, so thanks for the pointer !

PS. don’t worry, it’s like dating - it’s not a problem when someone answers some of your questions, it’s a problem “when nobody calls” ;D So again, thanks for the answers !

Let’s Encrypt certificates have a 90 day lifespan, so unless you lose internet access for three months or more at a time, you will be fine. The pfSense ACME app works with Cloudflare DNS. :sunglasses: