I'm trying to make sure I understand how Appwrite works with SSL, specifically with Cloudflare. I understand that Appwrite uses LetsEncrypt to generate the SSL certificates in the cert worker using the webroot method. So instead of using DNS ("when I visit the url it resolves to the IP of the origin") it demonstrates to letsencrypt that it has control of the origin by hosting a file at a specified location.
There are recommendations on this discord server to set Cloudflare to Full and Flexible, however I'm not sure if both are correct and if both are correct why so.
I believe that Full can work for your primary domain (which are the environment variables _APP_DOMAIN and _APP_DOMAIN_TARGET) and Flexible can cause issues if you've set Appwrite's env var _APP_OPTIONS_FORCE_HTTPS to enabled, because Cloudflare will expect HTTP (port 80) but Appwrite changes it to HTTPS (port 443)... and it cycles like that forever until you get the too many redirects error.
So can Appwrite work with Cloudflare with Full SSL, _APP_OPTIONS_FORCE_HTTPS enabled, with all the generation of certificates working correctly?
I believe Appwrite actually needs Cloudflare to be set to Flexible, though I'm still figuring out why.
Looking at their docs, Full (not strict) might work. I would think Flexible doesn't work because the communication between Cloudflare and Appwrite must be HTTPS.
As in Appwrite requires HTTPS (only because _APP_OPTIONS_FORCE_HTTPS is enabled)?
I think the way Cloudflare Full SSL works (not strict) is it expects the origin server to have some sort of SSL setup, but Cloudflare doesn't manage it at all.
If that is correct, then it makes sense to me how it works.
When you set your encryption mode to Full, Cloudflare allows HTTPS connections between your visitor and Cloudflare and makes connections to the origin using the scheme requested by the visitor. If your visitor uses http, then Cloudflare connects to the origin using plaintext HTTP and vice versa.
Ya, I've been reading those docs. If you have both Cloudflare's Always Use HTTPS and Appwrite's _APP_OPTIONS_FORCE_HTTPS enabled, my hypothesis is that both connections are secure and always have to be secure. And Appwrite will automatically renew the SSL for the Cloudflare to Appwrite connection. Cloudflare will automatically renew the client to Cloudflare SSL.
Appwrite would have a self signed certificate because the acme challenge wouldn't pass
Port 80 http traffic is required for the acme challenge
That's what I was thinking is wrong with my hypothesis. I'm trying to understand a way around this so Cloudflare to Appwrite is secure.
Reading from https://appwrite.io/docs/certificates
Currently, Appwrite is using the ACME HTTP challenge to issue a TLS certificate. This forces us to generate certificates for port 443 when the challenge itself is performed on port 80. At this point, other ports will not work. To overcome this limit, you can set Appwrite on a separate sub-domain or use your own certificate or proxy server in front of Appwrite.
What have you set it to now, and what's wrong?
Well, currently I've got it at Full, but I think it was changed in the past 90 days, which means it could easily be working because port 80 (HTTP) was open in the past and Appwrite was able to be issued a certificate.
If that's accurate, then within the next 90 days Appwrite's certificate will expire and it won't be renewed.
Maybe you can create a new domain now to test
Do you know why pointing a different subdomain to Appwrite that is not the subdomain in _APP_DOMAIN works without adding a "custom domain" to Appwrite?
Or is it that just the console works if you do that? I was expecting only the _APP_DOMAIN and _APP_DOMAIN_TARGET to work without adding them to custom domains.
What do you mean by "work"? Do you have Cloudflare enabled? Does your browser say your domain has a valid certificate?
Web browser says it has a valid certificate when visiting the console via the new subdomain that is not _APP_DOMAIN and is not in custom domains.
Login seems to work well too in native app. Returns session object and no logs printing out. Might need to login via web app to see for sure if it is using local storage.
Do you have Cloudflare proxy enabled?
yes
So I think Cloudflare is serving you that certificate. That's why it's valid.