Is an Origin Server SSL cert (from the regular Dashboard) necessary for a Cloudflare Tunnel?
I have a local HTTP WordPress website running on a NAS and the tunnel running on the same system. I have the Cloudflare SSL mode set to Flexible. Do I still need to install an origin server certificate to set it to Full (Strict)? The SSL/TLS Recommender is suggesting to switch it, but I don’t know if there’s much of a payback to try to install an origin server cert inside a container, or if it’s even necessary at all with a tunnel since the tunnel has its own.
The NAS just has self-signed certificates but AFAIK there is no certificate for Docker container services - at least not until their next OS and Docker app comes out.
SSL seems to work with the site. I get a GTS CA verification and no warnings on sites like SSL Checker. This seems to be the Cloudflare certificate working. I have HTTPS Rewrite and HTTP to HTTPS forwarding on in Cloudflare.
Brief rundown:
I have a WordPress site up and running on a Synology NAS with Docker (the older Docker app, not the beta 7.2 Container Manager thing).
- 3 containers: wordpress:latest, mariadb:latest, and cloudflared
- I’m using mapped folders in place of Docker volumes because it’s a NAS and easier to do maintenance on text files.
- All connected to the default bridge network.
- Linked the wordpress container to mariadb, and cloudflared to wordpress. Without these, the default bridge doesn’t seem to make the connection between them (maybe something to do with name resolution of the container names).
- I used environment variables in the Docker app for the database setup in both mariadb and wordpress.
- I just modified the cloudflared execution command to include the tunnel setup.
- Domain is set up in Cloudflare DNS. Configured the site using the domain in place of the local IP so the WordPress settings show the https domain properly, so permalinks should be configured from the get-go. I had tried a few unsuccessful tests to get it set up originally, but I discovered a problem with local DNS resolution on my PC that was causing all the headaches. tl;dr: a reboot fixed it after scratching my head for hours trying to clear caches everywhere.
I have the wordpress container port forwarded in Docker to a local port, but I’ll probably remove that since it doesn’t need to be there. I just added it at the start in case I had issues.
I DO NOT have ports forwarded to WAN…because I don’t want to! I want to try to keep all the containers isolated from the LAN, but also not expose the LAN (including services) to the Internet by punching holes open in the firewall, hence the reason to use Cloudflare Tunnels. I don’t have a reason to access my NAS remotely, and even if I did, I would rather use a tunnel in place of exposing ports to WAN. Why even give someone a chance to scan for security exploits?
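As an added example that is not part of the original post, here is a docker-compose equivalent of the three-container layout described above (wordpress, mariadb, cloudflared, mapped folders instead of volumes, nothing published to the LAN or WAN). It uses two user-defined networks instead of the default bridge and container links: on a user-defined network Docker resolves container names via its embedded DNS, which is what the `--link` workaround was papering over, and splitting "frontend" from "backend" means the tunnel container can reach WordPress but never the database. The host paths, network names, the `${DB_PASSWORD}` and `${TUNNEL_TOKEN}` variables (read from a `.env` file next to the compose file), and the tunnel's public-hostname service URL are my assumptions, not anything from the post.

```yaml
# Added example, not from the original post. Assumed values are marked.
services:
  mariadb:
    image: mariadb:latest
    restart: unless-stopped
    environment:
      MARIADB_DATABASE: wordpress
      MARIADB_USER: wordpress
      MARIADB_PASSWORD: ${DB_PASSWORD}          # assumed: set in .env, never committed
      MARIADB_RANDOM_ROOT_PASSWORD: "1"         # root password generated once, printed to the log
    volumes:
      - /volume1/docker/wordpress/db:/var/lib/mysql   # assumed NAS path (mapped folder)
    networks:
      - backend                                 # DB is reachable only from wordpress

  wordpress:
    image: wordpress:latest
    restart: unless-stopped
    depends_on:
      - mariadb
    environment:
      WORDPRESS_DB_HOST: mariadb                # resolved by Docker's embedded DNS on the user-defined network
      WORDPRESS_DB_NAME: wordpress
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: ${DB_PASSWORD}
    volumes:
      - /volume1/docker/wordpress/html:/var/www/html   # assumed NAS path (mapped folder)
    networks:
      - backend
      - frontend
    # Deliberately no "ports:" section: port 80 stays inside the Docker network,
    # so nothing is exposed on the NAS, the LAN or the WAN.

  cloudflared:
    image: cloudflare/cloudflared:latest
    restart: unless-stopped
    depends_on:
      - wordpress
    # Remotely managed tunnel: the token comes from the Zero Trust dashboard.
    # The public hostname for the site is configured there with the service
    # URL http://wordpress:80 (assumed), i.e. the container name on "frontend".
    command: tunnel --no-autoupdate run --token ${TUNNEL_TOKEN}
    networks:
      - frontend                                # can reach wordpress, cannot reach mariadb

networks:
  frontend:
  backend:
    internal: true                              # no default route: mariadb has no Internet access at all
```

With this layout the only plain-HTTP hop is cloudflared to wordpress, and it never leaves the Docker bridge on the NAS; cloudflared itself makes an outbound TLS connection to Cloudflare's edge, so there are still no inbound firewall rules. The `links:` the post mentions become unnecessary because name resolution is provided by the user-defined networks, and `internal: true` on the backend network is what stops the database container from ever talking to anything but WordPress.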