
Cloudflare SSL

  • Self Hosted
Tanner Meade
11 Aug, 2023, 02:46

I'm trying to make sure I understand how Appwrite works with SSL, specifically with Cloudflare. I understand that Appwrite uses Let's Encrypt to generate the SSL certificates in the cert worker using the webroot method. So instead of using DNS ("when I visit the URL it resolves to the IP of the origin"), it demonstrates to Let's Encrypt that it has control of the origin by hosting a file at a specified location.

There are recommendations on this Discord server to set Cloudflare to both Full and Flexible; however, I'm not sure if both are correct and, if both are correct, why so.

I believe that Full can work for your primary domain (which is set by the environment variables _APP_DOMAIN and _APP_DOMAIN_TARGET), and Flexible can cause issues if you've set Appwrite's env var _APP_OPTIONS_FORCE_HTTPS to enabled, because Cloudflare will expect HTTP (port 80) but Appwrite changes it to HTTPS (port 443)... and it cycles like that forever until you get the "too many redirects" error.

So can Appwrite work with Cloudflare with Full SSL, _APP_OPTIONS_FORCE_HTTPS enabled, with all the generation of certificates working correctly?

TL;DR
The user is discussing SSL configuration with Cloudflare and Appwrite, exploring the different Cloudflare encryption modes and trying to determine the correct setup. One possible configuration mentioned is to set Cloudflare to Full SSL and enable the `_APP_OPTIONS_FORCE_HTTPS` option in Appwrite. The user is still seeking clarification on whether both Full and Flexible SSL configurations are correct and why. No definitive solution is provided in the thread.
Tanner Meade
11 Aug, 2023, 03:08

I believe Appwrite actually needs Cloudflare to be set to Flexible, though I'm still figuring out why.

Drake
11 Aug, 2023, 04:36

Looking at their docs, full (not strict) might work. I would think flexible doesn't work because the communication between cloudflare and Appwrite must be https

Tanner Meade
11 Aug, 2023, 04:38

As in Appwrite requires https (only because _APP_OPTIONS_FORCE_HTTPS is enabled)?

Tanner Meade
11 Aug, 2023, 04:40

I think the way Cloudflare Full SSL works (not strict) is it expects the origin server to have some sort of SSL setup, but Cloudflare doesn't manage it at all.

Tanner Meade
11 Aug, 2023, 04:40

If that is correct, then it makes sense to me how it works.

Drake
11 Aug, 2023, 04:41

When you set your encryption mode to Full, Cloudflare allows HTTPS connections between your visitor and Cloudflare and makes connections to the origin using the scheme requested by the visitor. If your visitor uses http, then Cloudflare connects to the origin using plaintext HTTP and vice versa.

Tanner Meade
11 Aug, 2023, 04:44

Ya, I've been reading those docs. If you have both Cloudflare's Always Use HTTPS and Appwrite's _APP_OPTIONS_FORCE_HTTPS enabled, my hypothesis is that both connections are secure and always have to be secure. And Appwrite will automatically renew the SSL for the Cloudflare-to-Appwrite connection. Cloudflare will automatically renew the client-to-Cloudflare SSL.

Drake
11 Aug, 2023, 04:45

Appwrite would have a self-signed certificate because the ACME challenge wouldn't pass.

Drake
11 Aug, 2023, 04:45

Port 80 HTTP traffic is required for the ACME challenge.

Tanner Meade
11 Aug, 2023, 04:46

That's what I was thinking is wrong with my hypothesis. I'm trying to understand a way around this so Cloudflare to Appwrite is secure.

Tanner Meade
11 Aug, 2023, 04:47

Reading from https://appwrite.io/docs/certificates

Currently, Appwrite is using the ACME HTTP challenge to issue a TLS certificate. This forces us to generate certificates for port 443 when the challenge itself is performed on port 80. At this point, other ports will not work. To overcome this limit, you can set Appwrite on a separate sub-domain or use your own certificate or proxy server in front of Appwrite.

Drake
11 Aug, 2023, 04:48

What have you set it to now, and what's wrong?

Tanner Meade
11 Aug, 2023, 04:49

Well, currently I've got it at Full, but I think it was changed in the past 90 days, which means it could easily be working because port 80 (HTTP) was open in the past and Appwrite was able to be issued a certificate.

Tanner Meade
11 Aug, 2023, 04:51

If that's accurate, then within the next 90 days Appwrite's certificate will expire and it won't be renewed.

Drake
11 Aug, 2023, 04:58

Maybe you can create a new domain now to test

Tanner Meade
11 Aug, 2023, 05:03

Do you know why pointing a different subdomain to Appwrite that is not the subdomain in _APP_DOMAIN works without adding a "custom domain" to Appwrite?

Tanner Meade
11 Aug, 2023, 05:05

Or is it that just the console works if you do that? I was expecting only the _APP_DOMAIN and _APP_DOMAIN_TARGET to work without adding them to custom domains.

Drake
11 Aug, 2023, 05:08

What do you mean by "work"? Do you have cloudflare enabled? Does your browser say your domain has a valid certificate?

Tanner Meade
11 Aug, 2023, 05:14

Web browser says it has a valid certificate when visiting the console via new subdomain that is not _APP_DOMAIN and is not in custom domains.

Tanner Meade
11 Aug, 2023, 05:15

Login seems to work well too in native app. Returns session object and no logs printing out. Might need to login via web app to see for sure if it is using local storage.

Drake
11 Aug, 2023, 05:16

Do you have cloudflare proxy enabled?

Tanner Meade
11 Aug, 2023, 05:16

yes

Drake
11 Aug, 2023, 05:17

So I think Cloudflare is serving you that certificate. That's why it's valid.
