How to Proxy Subdomain Traffic Through Cloudflare
Summary
This article is a guide to using Cloudflare as a reverse proxy for the subdomains of *.davelevine.io.
What is a Reverse Proxy
Cloudflare defines a reverse proxy as the following:
A reverse proxy is a server that sits in front of one or more web servers, intercepting requests from clients. This is different from a forward proxy, where the proxy sits in front of the clients. With a reverse proxy, when clients send requests to the origin server of a website, those requests are intercepted at the network edge by the reverse proxy server. The reverse proxy server will then send requests to and receive responses from the origin server.
Advantages
When implemented correctly, using Cloudflare as a reverse proxy brings the following benefits:
- Increased security
- A website or service never has to reveal its origin server's IP address, which makes it harder for an attacker to target the origin directly. This only holds if every DNS record that points at the origin is proxied (an unproxied record for the same address, such as a DDNS wildcard or a host served directly with Let's Encrypt, gives the address away) and if the origin's firewall accepts HTTP(S) only from Cloudflare's published IP ranges; otherwise an attacker who learns the address can bypass Cloudflare entirely.
- Reliability
- In practice this means load balancing across several origins. That is outside the scope of this article; Cloudflare's overview of load balancing and reliability (linked under References) covers it.
- Increased performance
- Caching at the reverse proxy can improve performance: a response is stored temporarily at the edge, and repeat requests for the same resource are answered from the cache instead of travelling to the origin. Note that Cloudflare only caches static file types by default; HTML and authenticated responses, such as the admin interfaces listed below, are passed through to the origin unless a page rule changes that.
- SSL/TLS encryption
- Terminating SSL/TLS at the reverse proxy can free up resources on the origin server, because encrypting and decrypting traffic costs CPU. With Cloudflare as the reverse proxy, the client-facing TLS handshake happens on Cloudflare's network rather than on the network the origin sits on. The offload is only partial, though: in the Full and Full (strict) modes, the origin still terminates TLS for the Cloudflare-to-origin leg. Only Flexible mode removes TLS from the origin altogether, and it does so by sending traffic between Cloudflare and the origin in plaintext, which is not appropriate for the admin interfaces in this setup.
How Does a Reverse Proxy Work?
The diagram (not reproduced here) shows all requests from a user's device (D) passing through Cloudflare (E) and on to their intended destination (F). Cloudflare (E) is responsible for forwarding the request through the reverse proxy to the origin server and returning the response.
Implementing for *.davelevine.io
Using the above example, the flow of traffic will go as follows:
User Device ---> Internet ---> Cloudflare ---> Origin Server
My domain, davelevine.io, currently has no web server sitting at the root of the domain, but has a number of active subdomains. Most of these subdomains are mapped to services running inside my network, while others are mapped to external services. A list of the aforementioned subdomains is as follows:
| Service | Subdomain | Cloudflare Proxy? | SSL |
|---|---|---|---|
| Bookstack | bookstack.davelevine.io | Yes | Cloudflare |
| Confluence | confluence.davelevine.io | No | Let's Encrypt |
| Diskstation | diskstation.davelevine.io | No | Let's Encrypt |
| Glances | glances.davelevine.io | Yes | Cloudflare |
| Heimdall | heimdall.davelevine.io | Yes | Cloudflare |
| Knowledge | knowledge.davelevine.io | Yes | Cloudflare |
| Nagios XI | nagiosxi.davelevine.io | Yes | Cloudflare |
| Netdata | xendata.davelevine.io | Yes | Cloudflare |
| Ombi | request.davelevine.io | Yes | Cloudflare |
| pfSense | pfsense.davelevine.io | Yes | Cloudflare |
| Plex | xen-plex.davelevine.io | Yes | Cloudflare |
| Portainer | portainer.davelevine.io | Yes | Cloudflare |
| Status | status.davelevine.io | Yes | Cloudflare |
| Tautulli | tautulli.davelevine.io | Yes | Cloudflare |
| Unifi | unifi.davelevine.io | No | Let's Encrypt |
All addresses except for Knowledge and Status are mapped through Squid Reverse Proxy on pfSense.
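The security benefit claimed under Advantages depends on the origin address staying out of public DNS. The table shows a mix of proxied and unproxied hosts, and the DDNS wildcard record discussed below points at the same public address, so it is worth checking the zone rather than assuming. The following is an added example, not part of the original article: it audits a dashboard export of the zone for proxied records whose origin address is also published by an unproxied record, and checks a public-resolver view for hosts that should resolve to Cloudflare's edge but do not. The Cloudflare IPv4 ranges are a snapshot of the list published at https://www.cloudflare.com/ips-v4, the record data is constructed, and 203.0.113.10 is a documentation-range stand-in for the home network's address.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 edge ranges (assumption: taken from
# https://www.cloudflare.com/ips-v4; re-fetch that list before relying on it).
CLOUDFLARE_IPV4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_edge(ip: str) -> bool:
    """True if the address lies inside one of Cloudflare's edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)


def audit_zone(records):
    """Dashboard view of the zone: each record is {'name', 'content', 'proxied'}.

    Returns (proxied_name, origin_ip, [unproxied names carrying the same ip]) for
    every proxied record whose origin address is also published by an unproxied
    record, i.e. hosts whose 'hidden' origin is readable from public DNS anyway.
    """
    exposed = {}
    for r in records:
        if not r["proxied"]:
            exposed.setdefault(r["content"], []).append(r["name"])
    findings = []
    for r in records:
        if r["proxied"] and r["content"] in exposed:
            findings.append((r["name"], r["content"], sorted(exposed[r["content"]])))
    return findings


def check_public_view(resolved, expect_proxied):
    """resolved: {hostname: ip} as answered by a public resolver.

    Returns hostnames that should be proxied but resolve outside Cloudflare's
    edge, e.g. a record whose orange-cloud toggle was left grey.
    """
    return sorted(h for h in expect_proxied
                  if h in resolved and not is_cloudflare_edge(resolved[h]))


# Constructed sample data modelled on the table above. 203.0.113.10 stands in
# for the DDNS/wildcard address of the home network (documentation range, not real).
ORIGIN = "203.0.113.10"
DASHBOARD = [
    {"name": "*", "content": ORIGIN, "proxied": False},              # DDNS wildcard (assumed unproxied)
    {"name": "xen-plex", "content": ORIGIN, "proxied": True},
    {"name": "portainer", "content": ORIGIN, "proxied": True},
    {"name": "confluence", "content": ORIGIN, "proxied": False},     # Let's Encrypt, not proxied
    {"name": "status", "content": "203.0.113.99", "proxied": True},  # external service, other address
]
PUBLIC_VIEW = {
    "xen-plex.davelevine.io": "104.16.1.2",     # Cloudflare edge, as expected
    "portainer.davelevine.io": "172.64.5.6",    # Cloudflare edge, as expected
    "confluence.davelevine.io": ORIGIN,         # unproxied by design
    "glances.davelevine.io": ORIGIN,            # constructed: proxy toggle accidentally off
}
SHOULD_BE_PROXIED = {"xen-plex.davelevine.io", "portainer.davelevine.io", "glances.davelevine.io"}

if __name__ == "__main__":
    for name, ip, leakers in audit_zone(DASHBOARD):
        print(f"{name}: origin {ip} is exposed by unproxied record(s) {', '.join(leakers)}")
    for host in check_public_view(PUBLIC_VIEW, SHOULD_BE_PROXIED):
        print(f"{host}: resolves outside Cloudflare, proxy is off")
```

With the sample data, xen-plex and portainer are reported as exposed through the wildcard and confluence records, and glances is reported as resolving straight to the origin. Fixing the first finding means moving the unproxied hosts behind Cloudflare or onto a different address; either way the origin firewall should also be restricted to the same Cloudflare ranges, because a leaked address stays leaked in DNS history.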
pfSense
- Open Services --> Squid Reverse Proxy, ensure that the HTTPS Reverse Proxy is configured as follows:
- Open Web Servers and set the entry as follows:
- Open Mappings and set the entry as follows:
- Navigate back to General and click on Refresh CRL. This will update any settings that were changed for the reverse proxy configuration.
Cloudflare
Once the web server has been mapped on pfSense, the DNS record can be added or updated from within Cloudflare.
- Open the Cloudflare Dashboard and navigate to the DNS Management for davelevine.io.
- Although outside the scope of this article, DDNS is already configured on pfSense, so the wildcard DNS record is assumed to hold the current public IP address. Note that address; it is the value used for any A records added here.
- Select Add Record and add the following:
| Type | Name | IPv4 Address | TTL | Proxy Status |
|---|---|---|---|---|
| A | xen-plex | ::Current IP for wildcard DNS:: | Auto | Proxied |
- Save the changes and check whether https://xen-plex.davelevine.io is now reachable. If not, one of two things is usually holding it up:
- Log back into pfSense and click on Refresh CRL again.
- Purge cache on Cloudflare
For reverse proxying Xen-Plex specifically, NGINX will also need to be configured on the Xen-Plex web server (the plex-nginx-reverseproxy configuration under References is the starting point). This will be covered in another article and linked once available.
SSL/TLS Configuration
For hostnames proxied through Cloudflare, Cloudflare issues and renews an edge certificate (Universal SSL) automatically, so the client-facing HTTPS side needs no action. That certificate covers only the connection between the browser and Cloudflare; the connection between Cloudflare and the origin is governed by the SSL/TLS encryption mode.
To set the mode, open the Cloudflare Dashboard and navigate to SSL/TLS. The exact configuration depends on the web server, but for this article it is taken to be Full (strict), as the screenshot (not reproduced here) and the origin certificate steps below assume.
With Full (strict), Cloudflare validates the origin's certificate on every connection. If no valid certificate (a publicly trusted one or a Cloudflare Origin CA certificate) is installed on the origin, the connection fails with Cloudflare error 526 (Invalid SSL certificate); it does not fall back to HTTP. If an origin certificate cannot be installed on a particular origin, navigate to Page Rules and add a rule for that hostname that sets SSL to the mode it requires. The usual case for this is a custom status page hosted by Uptime Robot (see the Uptime Robot article under References).
An origin certificate will need to be created in the Cloudflare dashboard (SSL/TLS, Origin Server) and installed on pfSense; in this setup it is added in the Squid Reverse Proxy settings as the Intermediate CA Certificate, as seen in the first screenshot in the pfSense section. Keep the private key on pfSense only. A Cloudflare Origin CA certificate is trusted by Cloudflare's edge and not by browsers, so it is of no use for a hostname that is not proxied.
To confirm the certificate is in place and valid, navigate to https://xen-plex.davelevine.io and click the lock icon next to https in the address bar. The menu shows Certificate (Valid), and clicking it displays the certificate details (screenshot not reproduced here). Note that the certificate the browser shows is Cloudflare's edge certificate, not the origin certificate installed on pfSense, so it proves the browser-to-Cloudflare leg only. The Cloudflare-to-origin leg is proven by the page loading at all under Full (strict): an invalid or missing origin certificate would produce a 526 error page instead.
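The dashboard steps in the Cloudflare and SSL/TLS Configuration sections (add a proxied A record, set the encryption mode, purge the cache) are easy to script once more than one subdomain needs them, and a script makes the placeholder-IP mistake impossible. The following is an added example, not the article's own code: it builds the same three operations as Cloudflare v4 API calls using only the standard library. The token, zone id and origin address are constructed placeholders; a real run needs the zone id from the dashboard overview and an API token scoped to this zone only (DNS edit, zone settings edit and cache purge), never the Global API Key. The per-hostname Page Rule for an Uptime Robot status page is left to the dashboard.

```python
import ipaddress
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def build_a_record(name, ip, proxied=True, ttl=1):
    """Request body for POST /zones/{zone_id}/dns_records.

    ttl=1 is Cloudflare's value for 'Auto' and is required for proxied records.
    Validating the address rejects a placeholder such as '::Current IP::' left in
    by mistake instead of creating a broken record.
    """
    ipaddress.ip_address(ip)  # raises ValueError on anything that is not an IP address
    return {"type": "A", "name": name, "content": ip, "ttl": ttl, "proxied": proxied}


def cf_request(token, method, path, body=None, dry_run=True):
    """Send one call to the Cloudflare v4 API with a scoped bearer token.

    In dry_run mode the call is returned as a dict instead of being sent, so the
    sequence can be reviewed (and tested) offline before touching the zone.
    """
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        API + path, data=data, method=method,
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"},
    )
    if dry_run:
        return {"method": method, "url": req.full_url, "body": body}
    with urllib.request.urlopen(req, timeout=15) as resp:
        result = json.load(resp)
    if not result.get("success"):
        raise RuntimeError(f"Cloudflare API error on {method} {path}: {result.get('errors')}")
    return result["result"]


def proxy_subdomain(token, zone_id, name, origin_ip, ssl_mode="strict", dry_run=True):
    """The article's dashboard steps as API calls: add a proxied A record, set the
    zone's SSL/TLS mode ('strict' is Full (strict)), then purge the cache."""
    record = build_a_record(name, origin_ip)
    return [
        cf_request(token, "POST", f"/zones/{zone_id}/dns_records", record, dry_run),
        cf_request(token, "PATCH", f"/zones/{zone_id}/settings/ssl", {"value": ssl_mode}, dry_run),
        cf_request(token, "POST", f"/zones/{zone_id}/purge_cache", {"purge_everything": True}, dry_run),
    ]


if __name__ == "__main__":
    # Constructed placeholders: replace with a real zone id, a scoped token and
    # the current DDNS address, then pass dry_run=False to apply.
    for call in proxy_subdomain("example-token", "0123456789abcdef", "xen-plex", "203.0.113.10"):
        print(call["method"], call["url"], json.dumps(call["body"]))
```

Run it once with dry_run=True and read the three calls back; the SSL mode call applies to the whole zone, so it is deliberately not repeated per subdomain in a loop, and the cache purge goes last so that a stale 526 or redirect is not served after the record change.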
References
- https://www.cloudflare.com/learning/cdn/cdn-load-balance-reliability/
- https://blog.uptimerobot.com/configuring-cloudflare-for-status-pages-with-custom-domains/
- https://support.cloudflare.com/hc/en-us/articles/360019093151-Managing-DNS-records-in-Cloudflare
- https://github.com/toomuchio/plex-nginx-reverseproxy/blob/master/nginx.conf