SSL Cloudflare Can someone explain how to toggle CF off with Auth. Org. Pulls enabled?

Hi there all!

As I'm relatively new to CMM I'm struggling to understand a few mechanisms in regards to CMM vs Cloudflare as proxy.

Hope some kind experienced CMM techie(s) maybe able to help out a bit and explain a few things or point me elsewhere for answers. Probably, on a deeper level I'm trying to wrap my head around a few server management fundamentals as well so please bear over with me.

My questions probably relates to lack of understanding of how a bidirectional SSL setup works between a CMM server using Cloudflare as proxy. Still I hope to be pointed towards a best practice in regards to how to toggle Cloudflare protection on/off for a domain when the CF proxy setup has been secured activating CF Authentication Origin Pulls.

Point of it all is to be able to test CMM server's performance independently of the CDN - which seems to be a hassle as I earlier today struggled with a bunch of 400 errors trying to 'rollback' the CF pulls.

FYI the setup used looks like this:

• Running latest version of CMM beta branch (123.09beta01)
• Installed WP + SSL cert for my domain using CMM / acmetool via option 22. The chosen option for SSL is option for.
• Setup Cloudflare as proxy running a SSL cert (set to Full mode) and enabled "Authenticated Origin Pulls" via CF as well cf. the safety recommendations in regards to avoiding IP leaks put forward @eva2000 in the start guide.
• Whitelisted Cloudflare IPs on the server following the CMM guide (dont have link to post at hand).

The CF pulls setup worked fine out of the box after setting it all up. No errors whatsoever.

I soon realised that the "Authenticate Origin Pulls" setup was less ideal for my needs as I'm sort of used to toggle the Cloudflare cloud icon in the DNS settings to bypass the proxy in order to test the site / server's performance directly.

However, doing so with AOP active triggers a Nginx 400 error "400 Bad Request - No required SSL certificate was sent" (which I kind of get in hindsight as I reckon the CF origin pulls acts like a sort of two way encryption handshake so guess deactivating breaks the chain?!?)

Anyway, as I still need to test site/server's performance both with / without CF I figured the way forward would be to be simply reversing the steps in the AOP setup as it's a pretty simple process.

So, at CMM I re- commented/inactivated the two CF lines in the SSL cert config file + in CF I toggled the Authentication Origin Pulls feature inactive for the domain in question.

However, this only resulted in the same "400 Bad Request - No required SSL certificate was sent" - whether due to an update delay is the reason I have no clue.

I did try restarting Nginx + other server services and ultimately tried rebooting the server to no effect in regards to 400 errors.

In the end I had zero clue as to how to resolv - so left it with AOP reinstated as active and the site N/A and left it there for 8 hours or so.

Heading back to check the certificate resolves correctly again with AOP active. But as such my basic issue remain unresolved - what is the recommended approach?

Specifically:

• When AOP has been activated for a domain how can I toggle CF off for the domain momentarily in order to test the CMM server without bottlenecking the process in 400 certificate unresolved error issues?
• If it's insufficient to reverse the AOP setup process like I tried - what else is required by default to reverse? The 400 error issue never actually resolved once I tried to deactivate but this may be due to my lack of patience as I only waited an hour or so for new setting to resolve (?)
• If the issue is my lack of patience what is in your experience the expected timeframe before the reverted setting catches on in order without errors?
• ...or should I go about it in a completely different way??

As you can tell I'm sort of shooting in the dark - any help to ease my understanding would be very much appreciated

Thanks!!

 

@JJC84 - thanks for helping out - appreciate it!

Possible I missed something. It was these CMM instructions I followed. Don't think I skipped any steps and all the stuff did work out of the box.

Don't know if you're thinking of the official CF auth key? That was installed on the server for the handshake during the process as I'm on 123.09beta01. Got no errors activating the 2 x CF lines in the SSL conf file seems to suggest that the bidirectional thing was going well...

In the guide linked to above there's this fair warning from Eva2000:

Guess I either missed the implication or just thought it wouldn't be an issue to revert settings for a while in order to test the CMM server ex the proxy in front.

Heading to bed now as it's getting late in my end. Please do let me know if you dig up anything relevant

 

Just to be as specific and to the point bout the current setup involved:

• On the Cloudflare side there's an active SSL certificate set to status of "Full"
• On the CMM server side theres a full and active LetsEncrypt cert (cf. using sub- option 4 in SSL part of the CMM installer).
• Things do "work" in terms of the actual setup with Origin Pulls to CF - it just how to bypass them without getting looped in 4000 errors that's unclear to me (?)

I do not recall generating a SSL certificate at CF as such (is that's not a default thing at CF - my brain's farted out as its too late here). Anyway, if I remember correctly I simply adjusted the status of default SSL cert from "Flexible" to "Full" at the CF end (to get compliance).

So... yeah... guess I'm on the lookout for the best possible practice in regards to switching CF on/off in spite of this AOP 'safety first' setting being active... or at least a best practice and/or insight of the most efficient / less involved way to toggle CF on/off with the AOP part active in order to do some direct testing.

Im way out of my confort zone here. So just trying to be as explicit as possible in order for you to catch my drift... anyway... looking forward for any advice

 

Yup - that I did do cf. my link in last post. Just missed your reply while posting myself. Just trying to make it all more clear where I'm at as the point is not how to get it working rather how to bypass the setup on occation... if that makes sense?

 

Thanks! Awesome of you offering help out like that. Will tuck in now but tried to line my objective up in a nutshell @ post#5 - please do let me know if any ideas or experiences in regards to that goal...

Cheers and thanks again!

 

I know the Swedish chef routine as well - sort of my specialty. Not sure this is pure failure though as things do match up to work. Let me just address your qs before exiting though:

I can sure toggle to grey clouds to disable CF proxy - but the result of doing so would be the mentioned 400 error when browsing the domain. Anyway, my understanding is that was what Eva2000 meant bout the heads up I cited in the grey box in Post #3 above (right?!)

My bad if that was not clear. Should prob have mentioned that in specific terms. Having trouble remembering things like specific file names and dirs as of yet tbh.

Anyway - yes, CMM actually does the lifting in regards to most of this. I have just checked once again at CMM serverside to make sure and it's all there and setup right thanks to latest branch. Eg. I just had to uncomment those 2 lines manually that's all. They were already imported and the cloudflare crt was imported as well dueing the setup context following the link above (or maybe a sublink from that guide - it's sort of a blur). All confirmed - the setup does work.

Anyway, so just to be clear cf. post #5. Issue is not as such that I can't get the certs working per se. The setup in itself seems to be all good and correct. Issue at hand is how to best circumvent said 400 errors - or to put it more straight - how to efficiently bypassing the CF proxy even with this added security measure activated (if possible) in order to test the CMIN server directly?

Evidently the cloud toggle thing won't work in this case.

Do think this sums the matter / questions on my part up the best I'm able... maybe we need point this @eva2000 for a bit of expert insight.

Phew think my brain just pooped... just felt I owed some specific answers to questions as you vert kindly invested you time trying to help me

 

Aaah, okay... makes sense guys!

As I tried the solution of uncommenting the 2 lines in the nginx vhost the resulting 400 errors that seemed persistant threw me off. I do believe I toggled the CF proxy off for the domain as well - so makes sense not to do so next time.

Will proceed testing without toggling the CF proxy off. At least now I have a sense of direction and can proceed with confidence.

Thanks a lot @eva2000 and @JJC84 for helping me getting to the bottom of this and sharing your insight