@ikkeT@mementomori.social
@watchfulcitizen@goingdark.social whoa, you have taken extra steps to document it. I'll take a look. In the meantime I found out last night I can set a domain name matching the original cert in tunnel settings, which removes the problem. Then I learned tunneld is actually MITM. I wasted time setting up Let's Encrypt certs with cert-manager on my apache pod, as Cloudflare does re-encrypt the traffic in the middle. I don't know if this can be avoided.
@watchfulcitizen@goingdark.social
@ikkeT@mementomori.social Yeah I've gone way overboard with my #homelab lol. My own #instance runs there too, tuned for ~1000 users but it's just me + 5 others.
Strict mode in #Cloudflare just means they'll validate the cert from my end when connecting origin > edge, so the second TLS leg is trusted/encrypted. But with Tunnel, the first leg still terminates at Cloudflare. Both hops are encrypted, but Cloudflare's in the middle by design. Only #DNS only or Spectrum gives true end-to-end.