Recommendations for Caddy and Cloudflare proxy

1. Output of caddy version:

v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=

2. How I run Caddy:

a. System environment:

Ubuntu 22.04 on OCI (Oracle Cloud) VM, systemd:

Linux ejectum-server 5.15.0-1025-oracle #31-Ubuntu SMP Fri Nov 25 17:03:15 UTC 2022 aarch64 aarch64 aarch64 GNU/Linux

b. Command:

Caddy runs through systemd; I may do a "sudo systemctl reload caddy" between edits, but that's pretty much it.

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

# The Caddyfile is an easy way to configure your Caddy web server.
#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
#
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace ":80" below with your
# domain name.

## 1. Serve ejectum.net
ejectum.net {
	# Set this path to your site's directory.
	root * /var/www/ejectum.net/static-site/v1

	# Obtain the certificate via the Cloudflare DNS challenge and require the Cloudflare origin-pull client certificate
	tls {
		dns cloudflare --Blah--Blah-Blah--
		resolvers 1.1.1.1
		client_auth {
			mode require_and_verify
			trusted_ca_cert_file /var/lib/caddy/.local/share/caddy/certificates/authenticated_origin_pull_ca.pem
		}
	}

	# Enable the static file server.
	file_server

	log {
		level DEBUG
		output file /var/log/caddy/ejectum.net-static.log {
			roll_size 100MiB
			roll_keep 5
			roll_keep_for 720h
		}
	}
}

3. The problem I’m having:

Caddy noob here, I’m just an artist trying to set up a website, please be patient :slight_smile:

I would like to hear your thoughts on using Caddy to serve a simple static site and at the same time use Cloudflare’s proxy. Ideally, I would like to use the Caddy-generated/managed Let's Encrypt certificates (in case I move away from Cloudflare at some point).

I’ve been following the info attached on the link below.

  • Caddy is using my Cloudflare API key just fine, generates a certificate, and when I bypass the Cloudflare proxy I get a straight “A” score in SSL tests. All fine and dandy here :slight_smile:

  • If I enable Cloudflare’s proxy and Cloudflare’s SSL/TLS encryption mode is Full, I get a B score in SSL tests.

  • If I enable Cloudflare’s proxy and Cloudflare’s SSL/TLS encryption mode is Strict, nothing works :sob:.

This will be just a personal website, nothing critical. I would like to hear your thoughts on what’s the best way to go about this.

4. Error messages and/or full log output:


5. What I already tried:

I have tried switching through all of the available Cloudflare SSL settings: Full, Full (strict)

6. Links to relevant resources:

Certs are kinda irrelevant unless you are using something that would delegate responsibility. For example, you are a bank and want to certify you are that bank, and if something fails you can claim insurance on the cert and the cert authority; thus Cloudflare giving you a cert is nothing but a marketing gimmick when you can use self-issued certs through certbot, ZeroSSL etc.

As for why it isn’t working, or why it gives you lower scores, without knowing the domain I can only assume it is because the cert uses outdated protocols like TLS 1.1 or SSL 1, 2 and even 3, while Caddy exclusively uses TLS 1.3 and 1.2.

Overall, I would recommend just sticking with Caddy automatic HTTPS. It’s really not worth the hassle, especially if it is not your field.

Thanks for sharing your thoughts viro :slight_smile:

I thought that the domain I’m talking about is visible in the Caddyfile (ejectum.net). I’m actually asking what kind of settings you experienced users go for when you decide to have Caddy manage your certificates and use Cloudflare’s proxy at the same time.

Hey! I’m an experienced Caddy + Cloudflare user! I just set mine to Full (Strict) and full send it. Technically you don’t need to do anything else at all (emphasis mine):

When you set your encryption mode to Full, Cloudflare allows HTTPS connections between your visitor and Cloudflare and makes connections to the origin using the scheme requested by the visitor. If your visitor uses http, then Cloudflare connects to the origin using plaintext HTTP and vice versa.
—https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full/

When you set your encryption mode to Full (strict), Cloudflare does everything in Full mode but also enforces more stringent requirements for origin certificates.
—https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full-strict/

This means that Caddy, behind a Full (Strict) Cloudflare configuration, can solve HTTP-01 challenges. The courteous thing to do would be to disable TLS-ALPN challenges in order to reduce unnecessary challenge requests (since Caddy will try it and inevitably fail). But that is again not strictly necessary because Caddy will try HTTP-01 after failing TLS-ALPN, so it’ll Just Work™. All HTTP-01 challenges come in over plain HTTP, so Cloudflare will pass them through no issue per above. Once it’s got a valid certificate, it’ll serve the site, and because the cert is valid, when Cloudflare does strict HTTPS validation, all should be A-OK.

All that means, however…

This is a problem. Especially if you’ve gone above and beyond to do DNS validation behind Cloudflare and believe you’ve got valid certificates. This should Just Work™.

I’d suggest adding the debug global option to your Caddyfile, running it, making a request to your website, and then pasting the log output from that transaction here so maybe we can figure out why Cloudflare isn’t seeing a valid certificate from Caddy.

I’m also curious about this discrepancy. Any chance we could get links to the individual SSL Labs tests you’ve referenced here?


Thanks @Whitestrake :blush:

Remove this from your config, it’s not useful to override the defaults, with the defaults. If a TLS version 1.4 was created, this would prevent Caddy from just using it by default because your config would prevent it. It’s best to let Caddy use defaults when possible, so we can upgrade your security with smart defaults, as necessary.

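Putting the two pieces of advice above together, here is an added example Caddyfile (not the poster's config and not taken from the Caddy docs) for a static site that sits behind Cloudflare's proxy in Full (strict) mode while Caddy manages the Let's Encrypt certificate: the debug global option Whitestrake asked for, the TLS-ALPN challenge disabled as he suggested, and no protocols override, as francislavoie recommends. The domain example.com, the path /var/www/example.com, the address admin@example.com and the environment variable CLOUDFLARE_API_TOKEN are placeholders; the client_auth block from the original config is left out, as the poster did in the follow-up.

```caddyfile
{
	# Global options. 'debug' is what Whitestrake asked for: Caddy then logs
	# its certificate-management steps and TLS handshakes, so a failing
	# Cloudflare origin check can be traced in the log.
	debug
	# Placeholder contact address for the ACME account (assumption).
	email admin@example.com
}

# Placeholder domain; the real site block in this thread is ejectum.net.
example.com {
	root * /var/www/example.com
	file_server

	tls {
		issuer acme {
			# DNS-01 through the caddy-dns/cloudflare module, as the original
			# config does. The API token is read from the service environment
			# (CLOUDFLARE_API_TOKEN is an assumed variable name) instead of
			# being written into the Caddyfile.
			dns cloudflare {env.CLOUDFLARE_API_TOKEN}
			# Public resolver for the DNS-01 propagation check, as in the
			# original config.
			resolvers 1.1.1.1
			# Whitestrake's point: TLS-ALPN cannot complete through the proxy
			# because Cloudflare terminates TLS, so skip it instead of letting
			# it fail first. HTTP-01 stays enabled; in Full and Full (strict)
			# mode Cloudflare forwards plain-HTTP requests to the origin.
			disable_tlsalpn_challenge
		}
		# No 'protocols' line: per the advice above, the TLS version range
		# stays at Caddy's defaults (currently TLS 1.2 and 1.3).
	}

	log {
		output file /var/log/caddy/example.com.log {
			roll_size 100MiB
			roll_keep 5
			roll_keep_for 720h
		}
	}
}
```

The token has to reach the caddy service's environment, for instance through an EnvironmentFile= line in a systemd drop-in for the unit shown in the first post; after that, the same `sudo systemctl reload caddy` from the post picks up the file.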

Thanks to both of you for the suggestions :slight_smile:

I have a feeling that my Cloudflare settings are wrong. I have disabled all caching from Cloudflare ()

francis, I've updated my Caddyfile (removed the protocols section and disabled the client_auth thingy)

Whitestrake, from what I can understand, right now my static site is being served straight off my server with the certificates that Caddy generated. Could you please take a look and see if there’s anything terribly wrong with it?

If the Caddy-generated certificate looks ok, should I go for SSL Full or SSL Full (strict)?

cloudflare paused

Here are the SSL Test results

I tried to attach a log here but it exceeds the maximum size for a post

Had a quick look! All functional, all checks out as I’d expect it to for a standalone Caddy server without Cloudflare in front.

Strict.

HTTPS achieves two related but distinct things:

  1. Encrypts your communication to prevent it from being read in transit
  2. Ensures that the server the client is connecting to is who it says it is

When Cloudflare is not using strict cert verification (i.e. Full non-Strict), the benefits of #2 are thrown out the window (for the Cloudflare<->Origin communications, which is half of the path from the client to your server through the internet). When you have a valid certificate, Full (Strict) should Just Work™.


Many thanks Whitestrake :grin:

Looks like I had messed up some of the SSL settings buried among one million places inside Cloudflare. All done :slight_smile: