Trellis + Bedrock behind CloudFlare

Ivan_Svaljek · September 18, 2016, 9:39am

I have a Trellis + Bedrock setup behind CloudFlare. The CloudFlare SSL is setup as Full SSL so it requires SSL on the host. For the host SSL I’m using LetsEncrypt that comes bundled with Trellis.
I know LetsEncrypt requires a periodic refresh of something (certificate I guess) so I’m not sure what will happen with this action when CloudFlare is active and handles the DNS.

The other question is that I can’t seem to turn off the Lets Encrypt by provisioning the server with
ssl:
enabled: false
I tried provisioning with tag --wordpress and --letsencrypt but redirect to https still occured for files wordpress and not.

benword · September 18, 2016, 3:46pm

I believe that even behind CloudFlare that the Let’s Encrypt renewal should still work as expected (I hope)…

Have not yet tried this before but it might be a Trellis bug

fullyint · September 18, 2016, 4:01pm

I’m not familiar with integrating CloudFlare SSL with Trellis LE, but you’ll find some searchable discussion, e.g., this.

Regarding “I can’t seem to turn off the Lets Encrypt,” maybe this will help:

Failure to establish connection when provisioning via ansible-playbook server.yml

Note that if you end up choosing to set ssl enabled: false … your browser’s exposure to the letsencrypt setup for that domain will likely have an associated HSTS header for the domain. If you return to http [vs https] … you’ll need to clear the HSTS header using something like this.

The HSTS header instructs your browser to remember to automatically load your site as https only for some period of time. If your site moves back to http only, the browser obediently won’t load that http version till the original HSTS header has expired, or till it is cleared manually. This is designed to prevent man-in-the-middle attacks that could try to “downgrade” a user’s connection from https to http.

In other words, Trellis and your server will obey your command to turn off LE SSL, but you need to give your personal browser the message too. A different browser that never visited the site will not have the HSTS header set and will not have the issue.

RiFi2k · September 29, 2016, 2:20am

Just saw this, just want to throw this out there in case anyone else uses Cloudflare and Trellis.

So I found it’s way easier and less error prone to use Cloudflare Origin Certs instead of LetsEncrypt. For one you can set the Origin certs to be good for up to 15 years and they support wildcards as well. So for staging I normally just use one domain with a bunch of subdomains for all the sites and I only need one wildcard Origin Cert from Cloudflare. example1.domain.com - example2.domain.com, etc.

So for example, you turn Cloudflare crypto to Full (Strict), then generate yourself an Origin cert and configure Trellis with the manual SSL setting and include your files from Cloudflare.

Now for bonus points you can automate the whole thing using the Cloudflare CLI for linux.

Also to fix the syslog warnings about ssl-stapling you can bundle

Then going further you can easily set up Authenticated Origin Pulls in Cloudflare and Nginx

darjanpanic · September 29, 2016, 11:44am

@RiFi2k Could you use this setup for subdomain Multisite Network with domain mapping also to get the https?

RiFi2k · October 5, 2016, 11:52pm

@darjanpanic For sure they issue all their certificates by default to work for all first level wildcard subdomains.

So for example the main certificate is issued for:
example.com
*.example.com
Then the origin certs are issued the exact same way, so you would for sure only need the single origin cert for all your subdomains.

The issue lies in configuring the DNS with Cloudflare for each new subdomain on-demand.

Now if you were not allowing others to provision sites on your network and you did it all manually you could just hop over to Cloudflare and make a new DNS A record (Cloudflare’s DNS changes are activated instantly- https://blog.cloudflare.com/never-deal-with-dns-propagation-again/ ) then as soon as you click the Orange cloud next to the record that site will already be fully configured with an SSL certificate (the origin certs are just extra security and allowing you to not have to rewrite URLS with a plugin or whatever).

But if you were crafty you could use the links I put in my above post and use their CLI or API to automatically create the DNS records as the new sites are provisioned in the multisite, then you would be the man, and people would probably want to kiss you if you integrated it with the Domain Mapping Plugin.

RiFi2k · October 5, 2016, 11:51pm

As an added bonus if anyone wants to use Cloudflare with Trellis for their SSL certificates I’ll include a link to a gist I just threw up with my modified version of the nginx.conf file from Trellis.

This version will restore the correct IP address for use in NGINX and also I modified the logging part so if you look at your access logs they will have the correct IP address in them instead of just showing Cloudflare’s IP address (Cloudflare proxies all your traffic so their IP is what ends up showing up without doing this, but they are nice enough to send the real IP along as well you just need to capture it).

My edits are line 38 - 66 and also 86 - 89 if your curious.

Cloudflare Restore Real IP NGINX Config - https://gist.github.com/RiFi2k/1ec986966bffc9117a23cf865f01aeee

TangRufus · September 16, 2017, 2:08pm

Now you can use create Cloudflare Origin CA certificates in Trellis just like letsencrypt.

I am curious about why you need that “Cloudflare Restore Real IP NGINX Config”. My servers seems getting read IPs without patching anything.

jeffbyrnes · December 18, 2020, 2:27am

Thanks for mentioning this, I replaced LetsEncrypt with trellis-cloudflare-origin-ca and it works like a charm!