SSL for tunnel to WordPress running on Synology NAS Docker

Is an Origin Server SSL cert (from the regular Dashboard) necessary for a Cloudflare Tunnel?

I have a local HTTP WordPress website running on a NAS and the tunnel running on the same system. I have the Cloudflare SSL mode set to Flexible. Do I still need to install an origin server certificate to set it to Full (Strict)? The SSL/TLS Recommender is suggesting to switch it, but I don’t know if there’s much of a payback to try to install an origin server cert inside a container, or if it’s even necessary at all with a tunnel since the tunnel has its own.

The NAS just has self-signed certificates but AFAIK there is no certificate for Docker container services - at least not until their next OS and Docker app comes out.

SSL seems to work with the site. I get a GTS CA verification and no warnings on sites like SSL Checker. This seems to be the Cloudflare certificate working. I have HTTPS Rewrite and HTTP to HTTPS forwarding on in Cloudflare.

Brief rundown:

I have a WordPress site up and running on a Synology NAS with Docker (the older Docker app, not the beta 7.2 Container Manager thing).

  • 3 containers: wordpress:latest, mariadb:latest, and cloudflared
  • I’m using mapped folders in place of Docker volumes because it’s a NAS and easier to do maintenance on text files.
  • All connected to the default bridge network.
  • Linked the wordpress container to mariadb, and cloudflared to wordpress. Without these, the default bridge doesn’t seem to make the connection between them (maybe something to do with name resolution of the container names).
  • I used environment variables in the Docker app for the database setup in both mariadb and wordpress.
  • I just modified the cloudflared execution command to include the tunnel setup.
  • Domain is set up in Cloudflare DNS. Configured the site using the domain in place of the local IP so the WordPress settings show the https domain properly, so permalinks should be configured from the get-go. I had tried a few unsuccessful tests to get it set up originally, but I discovered a problem with local DNS resolution on my PC that was causing all the headaches. tl;dr: a reboot fixed it after scratching my head for hours trying to clear caches everywhere.

I have the wordpress container port forwarded in Docker to a local port, but I’ll probably remove that since it doesn’t need to be there. I just added it at the start in case I had issues.

I DO NOT have ports forwarded to WAN…because I don’t want to! I want to try to keep all the containers isolated from the LAN, but also not expose the LAN (including services) to the Internet by punching holes open in the firewall, hence the reason to use Cloudflare Tunnels. I don’t have a reason to access my NAS remotely, and even if I did, I would rather use a tunnel in place of exposing ports to WAN. Why even give someone a chance to scan for security exploits?
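For readers who want to reproduce the three-container layout described in the post above, here is the same setup expressed as a docker-compose file. This is an added example, not the poster's configuration (they used the Synology Docker GUI); the host paths under /volume1/docker, the passwords and the tunnel token are placeholders. It uses a user-defined bridge network instead of the deprecated container links, because Docker's default bridge does not resolve container names while a user-defined bridge does, which is the name-resolution problem the post ran into.

```yaml
# Added example (not the poster's own configuration): WordPress + MariaDB + cloudflared
# on a private Docker network, with nothing published to the LAN or WAN.
# Assumptions: host folders under /volume1/docker/... and all <...> values are placeholders.
services:
  mariadb:
    image: mariadb:latest
    restart: unless-stopped
    environment:
      MARIADB_ROOT_PASSWORD: "<root-password>"
      MARIADB_DATABASE: wordpress
      MARIADB_USER: wordpress
      MARIADB_PASSWORD: "<db-password>"
    volumes:
      - /volume1/docker/wordpress/db:/var/lib/mysql   # mapped folder instead of a named volume
    networks: [wp_internal]

  wordpress:
    image: wordpress:latest
    restart: unless-stopped
    depends_on: [mariadb]
    environment:
      WORDPRESS_DB_HOST: mariadb:3306               # resolved by name on the user-defined network
      WORDPRESS_DB_NAME: wordpress
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: "<db-password>"
      # The container only speaks HTTP; Cloudflare terminates TLS and sends
      # X-Forwarded-Proto, so tell WordPress the request was HTTPS to avoid redirect loops.
      WORDPRESS_CONFIG_EXTRA: |
        if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
          $_SERVER['HTTPS'] = 'on';
        }
    volumes:
      - /volume1/docker/wordpress/html:/var/www/html
    networks: [wp_internal]
    # Deliberately no "ports:" entry: only cloudflared can reach this container.

  cloudflared:
    image: cloudflare/cloudflared:latest
    restart: unless-stopped
    # Remotely managed tunnel: the public hostname -> http://wordpress:80 mapping
    # lives in the Zero Trust dashboard, so only the token is needed here.
    command: tunnel --no-autoupdate run --token <tunnel-token>
    depends_on: [wordpress]
    networks: [wp_internal]

networks:
  wp_internal:
    driver: bridge
```

With this layout the only inbound path to WordPress is the outbound connection cloudflared holds to Cloudflare's edge, so no firewall port is opened and the containers are not reachable from the rest of the LAN either.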

You don’t need an SSL certificate on the origin of a tunnel to enable Strict SSL. The cloudflared tunnel handles the SSL between Cloudflare and itself.

I kinda thought maybe, but I wasn’t sure where the Cloudflare connection ends in a setup like that, i.e. if the cloudflared container certificate applies to the wordpress container since they have separate hostnames and container IPs. When I initially had the DNS caching issues, I thought it might’ve been an issue with WordPress’s domain handling, so obviously I tried switching the protocol from HTTP to HTTPS and back again which didn’t solve it…frustrating.

Anyway it works now. I’ll set it to Strict. Thanks for the tip.

I wish Cloudflare would make this clear in the documentation. There seems to be a disconnect between the main services and Tunnel options that overlap them. Just a mention to say “hey you don’t need an origin certificate on your server because our tunnel complies with TLS certification in a browser”, and I would’ve been able to figure out the problem a lot sooner.

Just as an additional comment.

You don’t necessarily need to have a certificate if the Tunnel instance runs on the same machine as the origin server. Should you route that to another machine, or especially across networks, then you should definitely still employ a certificate.
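To make the distinction in the reply above concrete, here is an added example (not from the thread) of a locally managed cloudflared config.yml with both origin cases side by side: a same-host origin reached over plain HTTP, and a remote origin reached over HTTPS with certificate verification kept on. The tunnel ID, hostnames, IP address and CA file path are placeholders. For a token-based (dashboard-managed) tunnel like the one in this thread, the same settings are the Public Hostname "Service" field and the TLS options (Origin Server Name, No TLS Verify) under the hostname's additional application settings.

```yaml
# Added example (not the poster's or Cloudflare's config): locally managed tunnel
# ingress rules. <tunnel-id>, hostnames, IP and file paths are placeholders.
tunnel: <tunnel-id>
credentials-file: /etc/cloudflared/<tunnel-id>.json

ingress:
  # Case 1: origin runs on the same host / Docker network as cloudflared.
  # Plain HTTP is acceptable: this hop never leaves the machine, and cloudflared
  # itself holds the TLS session to Cloudflare's edge, so "Full (Strict)" still works.
  - hostname: www.example.com
    service: http://wordpress:80

  # Case 2: origin is on another machine or another network.
  # Traffic crosses a wire here, so use HTTPS to the origin and VERIFY its certificate.
  - hostname: intranet.example.com
    service: https://10.0.5.20:443
    originRequest:
      originServerName: intranet.example.com   # name cloudflared expects on the origin cert (SNI)
      caPool: /etc/cloudflared/origin-ca.pem     # CA that signed the origin cert (e.g. a private CA)
      noTLSVerify: false                         # the weak setting is `true`: it silently accepts any cert

  # Catch-all rule; cloudflared refuses to start without one.
  - service: http_status:404
```

The one setting to watch is noTLSVerify: turning it on makes a remote-origin deployment work with a self-signed certificate, but it also removes the only check that the tunnel is talking to the intended machine, which is exactly the guarantee "Full (Strict)" is supposed to give end to end.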

Yeah, I wasn’t sure, considering I’m using a bridge network in Docker, but the origin “server” running WordPress is a separate container from the cloudflared instance. Maybe the container link option solved that.
