I'm all but a security expert, so maybe I'm just wrong. But thinking about it I would think that enabling traefik's serversTransports.insecureSkipVerify is in most situations a much safer option than going down from Full (strict) to Full SSL/TLS Encryption in the Cloudflare settings.
As far as I understand it these settings do pretty much the same. They disable verification of the Certificates of the proxied service behind them.
The difference is that the communication between Traefik and the thing it proxies to is usually at the most in a local network (and often may actually be just on the localhost), while the communication between Traefik and Cloudflare is through the Internet.
And if one follows your example here https://www.smarthomebeginner.com/traefik-2-docker-tutorial/#Why_did_I_include_NextCloud_as_an_Example then one has to reduce security in one of the two things, because otherwise either Traefik or Cloudflare will reject self-signed certificates.
The best thing would be IMAO if one could, on either of these, disable verification for just one specific i.e. subdomain, but both are apparently only global (not sure why?).
On second thoughts, I'm not sure how much attack surface our setup with our one WAN IP is opening. Maybe it's safe after all? I guess spoofing the dynamic DNS shortly after a change is not easy, which is the only thing I can actually think of. But still it's probably not impossible either. Anyways I think this still would be an interesting discussion so I'll issue this anyways.
Also I just thought of a way to disable verification for one specific subdomain. With PageRules. Unfortunately we Free Cloudflare Account peasants are limited to only 3 of these.
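An added example, not part of the original issue or of the tutorial it links to: from Traefik v2.4 onward, the dynamic (file provider) configuration accepts named serversTransports that can be attached to a single service, so backend verification can be relaxed for one backend, or kept on by trusting that backend's self-signed certificate explicitly. The transport and service names, certificate path and backend addresses below are assumptions chosen for illustration.

```yaml
# Dynamic configuration (file provider), Traefik v2.4 or later.
# All names, paths and addresses are placeholders, not values from the tutorial.
http:
  serversTransports:
    # Option A: skip backend certificate verification, but only for
    # services that reference this transport by name.
    nextcloud-skipverify:
      insecureSkipVerify: true

    # Option B: keep verification on and trust the backend's
    # self-signed certificate as a root for this transport only.
    nextcloud-pinned:
      serverName: nextcloud.example.internal   # must match a SAN in the backend certificate
      rootCAs:
        - /etc/traefik/certs/nextcloud-selfsigned.pem

  services:
    nextcloud:
      loadBalancer:
        serversTransport: nextcloud-pinned     # or nextcloud-skipverify
        servers:
          - url: "https://nextcloud:443"

    # No serversTransport set: this service uses the default transport,
    # which still verifies the backend certificate.
    other-app:
      loadBalancer:
        servers:
          - url: "https://other-app.example.internal:8443"
```

With the Docker provider, a container's service can point at a transport defined in the file provider through the label `traefik.http.services.nextcloud.loadbalancer.serverstransport=nextcloud-pinned@file`. With either option the global `serversTransports.insecureSkipVerify` and Cloudflare's Full (strict) mode can both stay at their stricter settings.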