You are not logged in.
Hello
We have a mORMot service running on our customers various servers publishing/collecting some company-specific data, and it works great!
However it's http and not so secure, and installing/updating certificates on all these workstations/servers demands a little too much work to achieve.
Only for testing, I have now signed up for a Cloudflare account and added a domain.
I then created Type A DNS subdomain-records for all the customer servers, made them proxied and pointed them to our customers servers fixed IP:s. customer1.myservice.com
Always use HTTPS is set to True.
My SSL/TLS encryption mode is at this point set to Flexible, and the communication for now to the origin servers is plain http.
This way I get an unique web-address for every customer, (so far they have accessed the webpage directly by the IP adress) the servers ip:s are "hided" from end users, and they have a https connection.
So far it looks good, but the traffic from cloudflare to the origin servers is still http and not secured.
So now for my questions:
1. Is Cloudflare a good solution for this?
2. Is there any way to restrict the incoming traffic to the origin servers to accept only cloudflare traffic. Cloudflares ip scopes can change and they do not recommend to limit incoming traffic to these, .htaccess is the recommended way to restrict traffic... what is the mormot/windows way?
3. There is a thing called "Authenticated origin pulls" in cloudflare, or should I use the "cloudflare workers" feature?
4. Is there any guide on how to install the cloudflare certificate on the windows/mormot server. (I have managed to create/install a self signed certificate, but not succeded to install the free Cloudflare TLS certificate )
5. What are your experiences of Cloudflare? Is there anyone using it in front of mormot?
Best regards Kim Granlund
Last edited by Kixemi (2021-07-13 14:09:01)
Offline
What I would do is to add a Linux/BSD nginx reverse proxy with Let's Encrypt certificates in front of the mORMot server - especially if the mORMot server is on Windows.
The mORmot server could have a sub-domain name like srv1.mydomain.net with HTTPS traffic between CloudFlare and itself.
And I will keep this "srv1.mydomain.net" name private.
Then the main mydomain.net TLS would be handled at Cloudflare level.
Only the main public URI would be redirected from mydomain.net to srv1.mydomain.net.
Some "hidden" URI may be available for internal use (audit, monitoring, support, administration) directly to srv1.mydomain.net.
And I would tune Cloudflare so that any static content would be cached by CF.
Offline