this post was submitted on 02 Feb 2025
22 points (89.3% liked)

Selfhosted

60093 readers
564 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam.

  3. Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.

  4. Don't duplicate the full text of your blog or git here. Just post the link for folks to click.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require your active participation in selfhosting or related communities, or the post will be removed. No more than 10% of your posts or comments may be self-promotional, or your post will be removed. F/LOSS Exception: If your post is about a project that is completely open source & can be self-hosted in full without payment, and your account is at least 30 days old, your post is exempt from this rule as long as you continue to engage in comments.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
ayyy@sh.itjust.works
curbstickle@anarchist.nexus
curbstickle_lw@lemmy.world
22
Nextcloud behind Cloudflare zero trust (feddit.nl)
submitted 1 year ago by cctl01@feddit.nl to c/selfhosted@lemmy.world
17 comments fedilink hide all child comments
 

For some time, I've hidden my nextclould behind CF zero trust. When refreshing certificates via letsencrypt I would manually disable the tunnel, refresh and re-enable the tunnel. Now that letsencrypt will no longer notify me via email I need a more robust (read automated) way of refreshing certs. Do I have any options other than disabling zero trust? (the advantage would be I no longer need vpn to have the mobile app working).

you are viewing a single comment's thread
view the rest of the comments
[โ€“] chiisana@lemmy.chiisana.net 2 points 1 year ago (1 children)

If you can serve content locally without tunnel (ie no CGNAT or port block by ISP), you can configure your server to respond only to cloudflare IP range and your intranet IP range; slap on the Cloudflare origin cert for your domain, and trust it for local traffic; enable orange cloud; and tada. Access from anywhere without VPN; externally encrypted between user <> cloudflare and cloudflare <> your service; internally encrypted between user <> service; and only internally, or someone via cloudflare can access it. You can still put the zero trust SSO on your subdomain so Cloudflare authenticates all users before proxying the actual request.

[โ€“] cctl01@feddit.nl 2 points 1 year ago* (last edited 1 year ago)

This worked great. For those looking to apply the same solution. And running Nextcloud in snap. You need a cert.pem, key.pem and chain.pem file. The latter can be found here: https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/#cloudflare-origin-ca-root-certificate The cert and key can be generated from your Cloudflare Dashboard under Domains > SSL/TLS > Edge Certificate.

Place all three files in /var/snap/nextcloud/12345/certs/live/ where 12345 can vary for you.

Finally sudo nextcloud.enable-https custom cert.pem key.pem chain.pem Profit!