Comment by ThunderSizzle
8 hours ago
I think partially not having to worry about certs is a nice reason to hide behind the proxy. Also, to help hide your IP address, I guess.
Of course, on the other hand, I know that relying on Cloudflare's certs is basically inviting a MITM attack.
> I think partially not having to worry about certs is a nice reason to hide behind the proxy.
Use Caddy. I never worry about certs.
Interesting. I've done a lot of manual work to set up a whole nginx layer to properly route stuff through one domain to various self-hosted services, with way too many hard lessons when I started this journey (from trying to do manual setup without docker, to moving onto repeatable setups via docker, etc.).
The setup appears very simple in Caddy - amazingly simple, honestly. I'm going to give it a good try.
Or certbot-plugin-nginx if you prefer a bit less magic.
Don't you need a cert anyway to secure the connection from Cloudflare to your server?
Cloudflare explicitly supports customers placing insecure HTTP-only sites behind Cloudflare HTTPS.
It's one of the more controversial parts of the business; it makes the fact that the traffic is unencrypted on public networks invisible to the end user.
You could use a self-signed cert, since Cloudflare doesn't care about that.