Merge pull request #50 from birdyboy18/main

Updated Cloudflare tunnels docs to include how you can allow setting https in the UI
🏔️ Peak
2024-10-30 13:23:17 +01:00
committed by GitHub


@@ -136,6 +136,68 @@ For this you need to set `SSL/TLS` to `Full` in the `SSL/TLS` menu on Cloudflare
If you would like to add a new resource, you only need to do point 6 and 7.
</Aside>
### Full HTTPS/TLS Setup (Traefik/Coolify Proxy)
<Aside type="note">
Before proceeding with the below make sure you have your Cloudflare tunnel
and domain setup to be working with http and the https redirect as explained
above. The next steps make modifications so that you can set https in
Coolify and it works as you would expect.
</Aside>
<Aside type="caution">
If you are also using a subdomain that points to your Coolify instance that is on the same tunnel you want to configure, make sure you're still able to access your UI through the server IP (`server.ip:PORT` - i.e `192.168.x.x:8000`) before doing these changes.
The default is port `8000`. If you changed or disabled that port make sure you can access it via the set port, or that port is open again on the server.
Once you've done the below steps, it won't work for a bit until you set the Coolify instance domain to also be `https://` in the Coolify UI (`Settings -> Instance's Domain`).
</Aside>
The above setup with the redirect from `http -> https` in Cloudflare gets you most the of the way by using their tunnels.
However you'll likely find yourself having some issues with some services where the domain name is configured as an environment variable as a http url in a service and then fails because the urls mismatch due to the automatic redirect.
This becomes particularly important with some services when you first try to set them up and configure them.
Authentication services such as [Logto](/docs/services/logto) are affected where the JWT token issuer is different from the callback url, this makes initial setup of the service impossible, unless a alternative URL is provided to the compose somehow.
The best way to be able to solve this would be to be able to set `https://` on the domains for your services, or within your [wildcard domain](/docs/knowledge-base/server/introduction#wildcard-domain) to always be https in Coolify.
If you've tried this, you may have run into the issue where you get caught in a redirect loop.
To set up Coolify wildcard domains so that you can set `https://` in the url for services etc. Then you'll need to do and configure the following things:
<Steps>
1. Create a new origin certificate in Cloudflare for the domain you want to set it up for (`*.yourdomain.com`, `yourdomain.com`).
2. Add it to the origin server and configure the Traefik proxy to use the newly created certificate (see [custom-ssl-certs](/docs/knowledge-base/traefik/custom-ssl-certs) on how to get them on your server). You can add this configuration through the UI if you like. We called it `cert.yaml`.
```yaml
tls:
certificates:
- certFile: /traefik/certs/yourdomain.com.cert
keyFile: /traefik/certs/yourdomain.com.key
```
3. Set SSL/TLS encryption mode to full (strict) in Cloudflare.
4. Configure the tunnel to use `https` and then in the tunnel `Additional application settings -> TLS` set the Origin Server Name to be the root domain you want it to be (i.e - `yourdomain.com`)
<Aside type="tip">
You need to set the dropdown to be `https` before the TLS option appears
in the "Additional application settings" area
</Aside>
5. Set "Always Use HTTPS" in Cloudflare (`managing your domain -> SSL/TLS -> Edge Certificates`).
6. Set a `https` domain name on any service in Coolify as a subdomain of the domain name we just setup - i.e `https://myproject.yourdomain.com`.
</Steps>
If configured correctly all of your traffic to any of the subdomains will now work on `https` as the FQDN in the UI and when visiting in a browser.
## Post Setup
After everything is setup, you can fully disable direct access to your server by disabling all the ports (except `SSH (port:22 by default)`) on your firewall.
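Review bot: The "Post Setup" paragraph tells readers to close every inbound port except SSH, but the caution block at the top of this section relies on reaching the UI over `server.ip:PORT` (port `8000`) as the fallback while the instance domain is switched to `https://`; the paragraph should say to keep that fallback reachable until the `https://` instance domain is confirmed working through the tunnel, and note that once the ports are closed the only way back in is SSH. Two smaller points in the same hunk: in step 2 the `cert.yaml` snippet points Traefik at a private key at `/traefik/certs/yourdomain.com.key`, so it is worth a line on keeping that file readable only by the Traefik process (the step says how to get the files onto the server but not how to protect them); and step 4 sets the Origin Server Name under `Additional application settings -> TLS` but does not say whether the tunnel's TLS verification of the origin is left enabled, which is the point of pairing `Full (strict)` in step 3 with the origin certificate from step 1, so readers can tell whether they have end-to-end verification or only encryption.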