bunkerity / bunkerweb

🛡️ Open-source and next-generation Web Application Firewall (WAF)
https://www.bunkerweb.io
GNU Affero General Public License v3.0

Automated Let's Encrypt with CloudFlare #99

Closed ptr1337 closed 3 years ago

ptr1337 commented 3 years ago

Hey,

Since you're already using CertBot, there should be an easy way to implement that into your project, since many guys are probably using Cloudflare as an extra security layer for not leaking the IP or anything else.

ENV=APITOKEN (NOT GLOBAL KEY PLS) :D and that should be mostly all.

I'll take a look later if I find an easy implementation.

Regards.
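
The token-versus-global-key point raised in the request above, as an added example that is not part of the thread or the project's code: a small audit of a certbot-dns-cloudflare credentials file. The key names are the plugin's own; the function names, file contents and placeholder secrets are constructed for illustration.

```python
import os
import stat
import tempfile

# Key names read by the certbot-dns-cloudflare plugin from its credentials file.
TOKEN_KEY = "dns_cloudflare_api_token"  # scoped API token
GLOBAL_KEYS = ("dns_cloudflare_email", "dns_cloudflare_api_key")  # global key pair

def parse_credentials(text):
    """Parse 'key = value' lines, ignoring blank lines and # comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip()] = value.strip()
    return entries

def audit_credentials(path):
    """Return a list of findings for a Cloudflare credentials file (empty = ok)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} exposes the secret to group/other; use 0600")
    with open(path, encoding="utf-8") as fh:
        entries = parse_credentials(fh.read())
    for key in GLOBAL_KEYS:
        if key in entries:
            findings.append(f"{key} is set: global key in use, switch to a scoped token")
    if not entries.get(TOKEN_KEY):
        findings.append(f"{TOKEN_KEY} is missing or empty")
    return findings

def write_sample(text, mode):
    """Write a constructed sample file with the given mode and return its path."""
    fd, path = tempfile.mkstemp(suffix=".ini")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path

# Constructed samples; the secret values are placeholders, not real credentials.
WEAK = "dns_cloudflare_email = admin@example.com\ndns_cloudflare_api_key = PLACEHOLDER_GLOBAL_KEY\n"
GOOD = "# scoped token only\ndns_cloudflare_api_token = PLACEHOLDER_SCOPED_TOKEN\n"
if __name__ == "__main__":
    for label, text, mode in (("weak", WEAK, 0o644), ("good", GOOD, 0o600)):
        path = write_sample(text, mode)
        print(label, audit_credentials(path) or "ok")
        os.remove(path)
```
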

fl0ppy-d1sk commented 3 years ago

Hi @ptr1337,

What about using certbot/certbot-cloudflare? You have an example here with the "classical" DNS challenge. I will try to make one with certbot/certbot-cloudflare when I have time.

ptr1337 commented 3 years ago

I switched now to your proxy, but I'm not getting the real IP?

Tried with Proxy Header, WhitelistIP and so on, but I don't get it.

fl0ppy-d1sk commented 3 years ago

Hello @ptr1337,

Can you share more information please? What you are trying to achieve, your architecture (e.g. behind a reverse proxy? as a reverse proxy? both?), your environment variables, logs, things you tried, commands, compose, ... There is an issue template for bugs, maybe you should open a new one?

fl0ppy-d1sk commented 3 years ago

From what I understand, you are trying to use bunkerized-nginx behind CloudFlare and get the real IP of the clients? If that's the case, you should have a look at:

ptr1337 commented 3 years ago

My bad... I used the wrong configuration options.

I'll take a look later, but that should work!

fl0ppy-d1sk commented 3 years ago

Hey @ptr1337,

Here is a gift for you: certbot-cloudflare example. Feel free to test it and report any bug.

fl0ppy-d1sk commented 3 years ago

@ptr1337: one gift is not enough, here is another one.

ptr1337 commented 3 years ago

Hey @fl0ppy-d1sk,

I have been reading the dev branch for a long time and am considering using it with the webui. Is it possible to use the webui + Cloudflare certificates? And how about multiple websites?

Regards and thanks for your great work!

fl0ppy-d1sk commented 3 years ago

Hello @ptr1337,

I won't recommend using the dev branch, everything is moving from day to day, it's far from stable. But maybe you can stick to a specific commit which is working for you or wait until the next release :).

It should work with Cloudflare and multiple websites but you'll need to "mix" both configurations (e.g. certbot-cloudflare and web-ui). The web UI is just a web service after all and you can use bunkerized-nginx as a reverse proxy in front of it.

ptr1337 commented 3 years ago

Alright.

I'm waiting for the stable release from the dev branch, and then I'm gonna test it. Thank you!

Then I think my final switch is coming!