Ssl on homelab https://homelab.nbkelley.com/tags/ssl/ Recent content in Ssl on homelab Hugo en Fri, 01 May 2026 00:00:00 +0000 Hinterflix Help Site - Cloudflare Deployment https://homelab.nbkelley.com/docs/services/hinterflix-help-site/ Fri, 01 May 2026 00:00:00 +0000 https://homelab.nbkelley.com/docs/services/hinterflix-help-site/ <h1 id="hinterflix-help-site---cloudflare-deployment">Hinterflix Help Site - Cloudflare Deployment<a class="anchor" href="#hinterflix-help-site---cloudflare-deployment">#</a></h1> <h2 id="what-was-established">What Was Established<a class="anchor" href="#what-was-established">#</a></h2> <p>The Hinterflix help site (<code>help.hinterflix.com</code>) is deployed as a static Hugo site on Cloudflare Workers. The domain is managed within the same Cloudflare account.</p> <h2 id="key-decisions">Key Decisions<a class="anchor" href="#key-decisions">#</a></h2> <ul> <li><strong>Hosting</strong>: Cloudflare Workers Pages (static hosting).</li> <li><strong>Domain</strong>: <code>help.hinterflix.com</code> (root subdomain of <code>hinterflix.com</code>).</li> <li><strong>DNS</strong>: CNAME record pointing to the Cloudflare Workers subdomain (<code>*.workers.dev</code>). Proxy status set to <strong>Proxied</strong> (orange cloud).</li> <li><strong>SSL/TLS</strong>: Automatically provisioned by Cloudflare. &ldquo;Always Use HTTPS&rdquo; enabled in SSL/TLS settings.</li> </ul> <h2 id="configuration-steps">Configuration Steps<a class="anchor" href="#configuration-steps">#</a></h2> <ol> <li> <p><strong>Cloudflare DNS Setup</strong>:</p> Cloudflare Integration: SSL & DNS https://homelab.nbkelley.com/docs/security/cloudflare_integration/ Tue, 25 Mar 2025 00:00:00 +0000 https://homelab.nbkelley.com/docs/security/cloudflare_integration/ <h1 id="cloudflare-integration-ssl--dns">Cloudflare Integration: SSL &amp; DNS<a class="anchor" href="#cloudflare-integration-ssl--dns">#</a></h1> <h2 id="what-was-established">What Was Established<a class="anchor" href="#what-was-established">#</a></h2> <p>Methodology for securing OPNsense and Proxmox web interfaces using Cloudflare&rsquo;s Origin CA certificates and protecting the WAN via Cloudflare-specific firewall rules.</p> <h2 id="key-decisions">Key Decisions<a class="anchor" href="#key-decisions">#</a></h2> <ul> <li><strong>SSL Mode</strong>: Cloudflare SSL/TLS setting must be set to <strong>Full (Strict)</strong>.</li> <li><strong>Security Pattern</strong>: Use <strong>Cloudflare IP Aliases</strong> on OPNsense to restrict WAN HTTPS (Port 443) access exclusively to Cloudflare&rsquo;s IP ranges.</li> <li><strong>DNS Strategy</strong>: Use A records with <strong>Proxy (Orange Cloud)</strong> enabled for web services to leverage DDoS protection.</li> </ul> <h2 id="current-configuration">Current Configuration<a class="anchor" href="#current-configuration">#</a></h2> <h3 id="cloudflare-origin-ssl-opnsense">Cloudflare Origin SSL (OPNsense)<a class="anchor" href="#cloudflare-origin-ssl-opnsense">#</a></h3> <ol> <li><strong>Generate Cert</strong>: In Cloudflare, go to <code>SSL/TLS → Origin Server</code> and create a certificate for the domain.</li> <li><strong>Import to OPNsense</strong>: <ul> <li><code>System → Trust → Certificates</code> → <strong>Import existing Certificate</strong>.</li> <li>Paste PEM (Cert) and Private Key.</li> </ul> </li> <li><strong>Assign to WebUI</strong>: <ul> <li><code>System → Settings → Administration</code> → Set <strong>SSL Certificate</strong> to the imported Cloudflare cert.</li> <li>Restart WebGUI: <code>configctl webgui restart</code>.</li> </ul> </li> </ol> <h3 id="wan-hardening-opnsense">WAN Hardening (OPNsense)<a class="anchor" href="#wan-hardening-opnsense">#</a></h3> <ol> <li><strong>Create Alias</strong>: <code>Firewall → Aliases</code> → <strong>URL Table Alias</strong>. <ul> <li>Name: <code>Cloudflare_IPs</code>.</li> <li>URL: <code>https://www.cloudflare.com/ips-v4</code>.</li> </ul> </li> <li><strong>Firewall Rule</strong>: <code>Firewall → Rules → WAN</code>. <ul> <li><strong>Action</strong>: <code>Pass</code>.</li> <li><strong>Source</strong>: <code>Cloudflare_IPs</code>.</li> <li><strong>Destination Port</strong>: <code>443</code>.</li> </ul> </li> <li><strong>Block Rule</strong>: Add a block rule for port 443 from all other sources at the bottom of the WAN list.</li> </ol> <h2 id="historical-notes">Historical Notes<a class="anchor" href="#historical-notes">#</a></h2> <p>Note: If the browser shows &ldquo;Not Secure&rdquo; after import, ensure the <strong>Cloudflare Origin CA Root Certificate</strong> is also imported into OPNsense <code>System → Trust → Authorities</code>.</p>