Force All Web Server Traffic Through CloudFlare

I would like to restrict all web traffic 80 and 443 through Cloudflare

I am able to do this by only allowing traffic outbound to their Proxy Blocks listed here:

With this in mind:
I need a way to push LetsEncrypt to validate certificates through Cloudflare OR to allow LetsEncrypt through my Firewall rules.

I have seen previous posts in which you stated you don’t want to provide a public list of IP blocks that LetsEncrypt will utilize. But I believe that we should at least be able to get LetsEncrypt to work through an allowed method at least to provide additional layers of security.

Thanks!

Joshua

ACME HTTP-01 validation works by making requests to your website. If you want a certificate for www.example.com, Let’s Encrypt’s validation servers make requests to http://www.example.com/.well-known/acme-challenge/something.

It’s fine if http://www.example.com/ is using Cloudflare, as long as the requests succeed.

TLS-ALPN-01 validation won’t work through Cloudflare’s web proxy.

DNS-01 validation uses DNS queries. It doesn’t make HTTP requests at all.

In other words, Cloudflare should not pose any obstacles, unless you’re using TLS-ALPN-01 validation, or set it to block everything.

If there are configuration issues, they can be fixed.


For proxied (sub)domains, you can also use Cloudflare’s Origin CA instead of Let’s Encrypt.
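To make the reply concrete, here is an added example (not from any post in this thread) that models the firewall described in the question, one that only admits ports 80 and 443 from Cloudflare's proxy ranges, and walks each ACME validation method through it. The CIDR blocks and addresses are constructed placeholders, not Cloudflare's real published list.

```python
import ipaddress

# Constructed placeholder ranges standing in for Cloudflare's published proxy
# blocks (the real lists live at https://www.cloudflare.com/ips-v4 and /ips-v6).
CLOUDFLARE_PROXY_BLOCKS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:cf::/48"),
]
# Constructed address of the Cloudflare edge that proxies a request to the origin.
CONSTRUCTED_EDGE_IP = "198.51.100.10"
WEB_PORTS = {80, 443}


def origin_accepts(src_ip: str, dst_port: int) -> bool:
    """Model of the origin firewall: web ports only, and only from proxy ranges."""
    if dst_port not in WEB_PORTS:
        return False  # nothing else is exposed on the origin
    addr = ipaddress.ip_address(src_ip)
    return any(addr in block for block in CLOUDFLARE_PROXY_BLOCKS)


def validation_reaches_origin(method: str, proxied: bool, validator_ip: str) -> bool:
    """Does an ACME validation of this kind get through the firewall above?

    method        one of "http-01", "tls-alpn-01", "dns-01"
    proxied       True when the hostname is orange-clouded (Cloudflare in front)
    validator_ip  source address of a direct Let's Encrypt request (constructed)
    """
    if method == "dns-01":
        return True  # answered from the DNS zone; no HTTP request to the origin at all
    if method == "http-01":
        # Proxied: the .well-known/acme-challenge request arrives from a Cloudflare
        # edge address, which the allowlist admits. Unproxied: it arrives straight
        # from Let's Encrypt and the allowlist drops it.
        src = CONSTRUCTED_EDGE_IP if proxied else validator_ip
        return origin_accepts(src, 80)
    if method == "tls-alpn-01":
        # The proxy terminates TLS itself, so the ALPN challenge never reaches the
        # origin; unproxied, the direct connection is subject to the allowlist.
        return False if proxied else origin_accepts(validator_ip, 443)
    raise ValueError(f"unknown validation method: {method}")
```

Run with a proxied hostname and HTTP-01 succeeds while a direct (unproxied) HTTP-01 is dropped, which is exactly why the allowlist needs no Let's Encrypt IP ranges.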


you’d better use a Cloudflare origin certificate to talk to Cloudflare.

clients won’t see your Let’s Encrypt cert unless you are using at least the Business plan from them.

