Description
I saw the Caddyfile provided in the pull requests, and as I had already set up Caddy to try to get Nextcloud working, I thought I'd just use it for OpenCloud.
The problem is I changed ISP and now have DS-Lite, hence no IPv4. I tried and failed to get Caddy with Cloudflared working with Nextcloud and was open to trying OpenCloud due to a more streamlined feature-set and faster operation. So far I'm impressed and happy with it. It is indeed faster and providing all I need for family use and the development team is very responsive.
Just to expand on my setup, I want to use OpenCloud from my LAN, and from my mobile phone or workplace when not at home. I could potentially open up a port but this only works with IPv6 due to DS-Lite and iPhone in particular did not seem to like a domain without an IPv4 record. So I went down the Cloudflared path as I already have Cloudflare for DNS.
It looks like this:
- Internal:
  - client requests opencloud.domain.com --> PiHole responds with Caddy address --> Caddy looks up opencloud.local and PiHole responds with OpenCloud address. This is true for OpenCloud, Collabora and Wopiserver.
- External:
  - client requests opencloud.domain.com --> Cloudflare tunnel looks for opencloud.domain.local --> PiHole responds with Caddy address --> Caddy looks up opencloud.local and PiHole responds with OpenCloud address.
I've now configured Caddy to use the Cloudflare module and it is working; originally it was not, because I'd blocked alternative DNS providers at the router and forgotten about it. I also had to switch from the Fritz Box router to the PiHole for DHCP, because the Fritz Box does not allow defining a local domain and every local DNS query would end up with fritz.box appended.
With those details resolved I still have a problem: the certificate changes depending on whether I access externally or internally.
I was under the impression that the Cloudflare Caddy module would allow it to acquire the certificate from Cloudflare but this appears to not be the case.
So I think I have two options:
- Don't use Caddy. I think Cloudflare should be sufficient, and then delete the local DNS records. Presumably, because Cloudflare is a reverse proxy, I do not modify my .env file and continue to use the reverse proxy version, otherwise Traefik would introduce the same certificate issues, right? Then set "Insecure=true". I quickly tested this and cannot get it to work. I get 401 errors.
- Configure Cloudflare to use the Origin certificate - seems doable but rather complicated: https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/
- Configure Caddy to use the Cloudflare certificate - may be the easiest. - https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/ ... OK, I just tried this step and I also get 401 errors.
If you can provide some clues as to how I can access the server using Cloudflare Tunnel without requiring two different certificates, many thanks.
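For reference, an added example Caddyfile (not the issue author's or the project's own configuration) showing the two certificate options named in the post side by side: the caddy-dns/cloudflare module, which only uses the Cloudflare API to answer the ACME DNS-01 challenge and still yields a public CA certificate, and a Cloudflare Origin CA certificate, which only Cloudflare's edge trusts. Hostnames, upstream ports and file paths are placeholders; on the tunnel path a browser always sees Cloudflare's edge certificate, so the internal and external certificates differing is expected with this topology.

```caddyfile
# Added example; adjust hostnames, upstreams and paths to your LAN.
{
	email admin@domain.com  # placeholder ACME contact address
}

# Option A: public certificate via ACME DNS-01 through the Cloudflare
# DNS module. CF_API_TOKEN needs Zone:DNS:Edit on the zone. Caddy does
# not obtain a certificate *from* Cloudflare here, it only proves
# control of the DNS zone to the public CA.
(acme_dns) {
	tls {
		dns cloudflare {env.CF_API_TOKEN}
	}
}

# Option B: Cloudflare Origin CA certificate. Trusted by Cloudflare's
# edge (the tunnel path) but not by browsers on the LAN, so LAN clients
# would see a warning if this snippet is used on a directly reached host.
(origin_ca) {
	tls /etc/caddy/origin.pem /etc/caddy/origin.key
}

# Pick one snippet per site block. Upstream addresses are placeholders
# resolved by the local DNS (PiHole) as described in the post.
opencloud.domain.com {
	import acme_dns
	reverse_proxy opencloud.local:9200
}

collabora.domain.com {
	import acme_dns
	reverse_proxy collabora.local:9980
}

wopiserver.domain.com {
	import acme_dns
	reverse_proxy wopiserver.local:9300
}
```

Keep the tunnel's origin service pointed at Caddy over HTTPS with the hostname matching the site block, otherwise Caddy serves no matching certificate and the tunnel fails the TLS handshake.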