Traefik, cloudflare proxy and splitdns - how to use different certificates on entrypoints?

Hi everyone, I need help configuring certificates in Traefik based on whether traffic is coming from the internet or my local network. I'm using split DNS and want to have different entry points use different certificates and authentication methods.

So far, I've been using Let’s Encrypt, and everything worked fine, but now I want to hide my server’s identity from the internet using Cloudflare Proxy and Origin Certificates. Here’s my current config:

```yaml
entryPoints:
  web:
    asDefault: true
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    asDefault: true
    address: ":443"
    http:
      tls:
        certResolver: le
        domains:
          - main: "example.org"
            sans:
              - "*.example.org"
    http3: {}

  public:
    address: ":8443"
    http:
      tls: {}
      middlewares:
        - "xxx@file"
        - "xxx@file"
```

What I Want to Achieve:

  • web and websecure should work as they currently do, handling internal traffic using Let’s Encrypt certificates.
  • public should use Cloudflare Origin Certificates to hide the server's identity for traffic coming from the internet, routed via Cloudflare.

The Problem:

When I try to use Cloudflare certificates for public, I’m facing a couple of issues depending on configuration:

  1. websecure also starts using Cloudflare certificates, which blocks access from my local network, where I want to keep using Let’s Encrypt.
  2. Attempting to use certificateStore doesn’t fix the issue because Traefik seems to ignore this configuration with dynamic certificates (as per documentation).

I want Traefik to differentiate certificates based on where the traffic is coming from (split DNS):

  • Internet traffic through Cloudflare should use the Cloudflare Origin Certificate on public.
  • Internal traffic should continue using Let’s Encrypt on websecure.

The Question:

How can I configure Traefik to properly handle certificates based on entry points and traffic sources (split DNS)? How do I get Cloudflare Origin Certificates to work only on the public entry point without affecting the rest of the traffic?

Thanks in advance for the help!

You can only assign one certResolver per entrypoint directly, meaning per port. But you can also assign a certResolver to a router.

You can try to have no certResolver on the entrypoint and use different routers for external and internal, maybe using rule=Host() && ClientIP(), with dedicated certResolvers.

Thank you for the answer. Isn't the certResolver configuration option directly related to the ACME protocol? Cloudflare provides certificates as .pem and .key.

I was trying to set certificates "just like that", but as I mentioned, Traefik chose those certs in internal communication instead of the ACME-provided ones, which led me to SSL errors. I must provide these certificates just to the public entrypoint...

```yaml
# dynamic configuration (file provider)
tls:
  certificates:
    - certFile: /etc/traefik/cloudflare.pem
      keyFile: /etc/traefik/cloudflare.key
```

You can declare loaded TLS certs as default, then they will be used for any site, no custom Traefik cert will be used (doc).

Hey, thanks again! :blush:

I think my situation is still a bit different from what was suggested. My routers don’t use the default configuration—they have specific hosts defined for both entrypoints.

For context, I have service.mydomain.com:

  • Public DNS resolves it to 1.2.3.4
  • At home, it resolves to 2.3.4.5

It’s the same service, exposed via two different entrypoints. Each entrypoint listens on a different network interface and applies different middlewares.

What I need:

  • For Entrypoint1 (home), I want to use ACME certificates from Let’s Encrypt, trusted by my local devices.
  • For Entrypoint2 (public), I want to use a Cloudflare Origin certificate, which is only trusted by Cloudflare and ideally by Traefik itself, but not by my devices.

The challenge is serving different certificates (ACME vs. Cloudflare Origin) for the same router/service, depending on which entrypoint is used. Right now, both entrypoints are linked to the same domain, and if I set both ACME and Cloudflare certificates in the default certificate store, Traefik serves the wrong certificate (Cloudflare’s) even when I’m accessing the service from home.

How can I configure Traefik to serve the correct certificate (ACME or Cloudflare) based on the entrypoint?

I imagine it can work like this, but I don't understand how to configure it in Traefik. Putting certificates under public.http.tls.certificates is not valid Traefik configuration.

```yaml
  websecure:
    asDefault: true
    address: ":443"
    http:
      tls:
        certResolver: le
        domains:
          - main: "example.org"
            sans:
              - "*.example.org"
    http3: {}

  public:
    address: ":8443"
    http:
      tls:
        certificates:
          - certFile: /etc/traefik/cloudflare.pem
            keyFile: /etc/traefik/cloudflare.key
```

Thanks in advance for your help!

Why do you want two TLS certs? Why use different ports?

You could use a single entrypoint. service.mydomain.com resolves externally to 1.2.3.4, it resolves internally to 2.3.4.5.

If you want different middlewares, you can use two routers, one with ClientIP() to identify internal clients.

It's the simplest way to apply different middlewares on different entrypoints. I don't need any kind of auth internally, but externally I want to make sure everything is behind auth. It doesn't seem to be an edge case but a practical use case. It's way easier than defining another 30 routers just to add middleware.

Externally I'm forwarding 443->8443 and I want to make sure that the Cloudflare proxy will hide my identity and actual IP address. mTLS is an additional layer of security, so no one can access my exposed resources using the IP address. Sure, the firewall will apply as well.

So, basically, Traefik isn't able to handle different sets of certificates for different entrypoints? That's what I supposed when reading in the docs "any other certificate store than default will be ignored".

There is only one certificate store. But you should be able to assign a different certResolver to each entrypoint.

Also mTLS should be possible (doc).
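Putting the replies' suggestions together (routers for the same host split by ClientIP(), a certResolver only on the internal router, and auth middleware plus mTLS only on the public router), here is an added dynamic-configuration example for the file provider; it is not from this thread or from the Traefik project. It assumes the `le` resolver from the original static config exists, and the router/service name `app`, the `auth@file` middleware, the `192.168.0.0/16` range, the backend URL and the Origin Pull CA path are placeholders.

```yaml
# Traefik dynamic configuration (file provider); added example, names are placeholders.
http:
  routers:
    # Internal clients: same hostname, matched by source address, ACME (Let's Encrypt) cert.
    app-internal:
      entryPoints: ["websecure"]
      rule: "Host(`service.mydomain.com`) && ClientIP(`192.168.0.0/16`)"   # placeholder range
      service: app
      tls:
        certResolver: le
    # Internet clients arriving through Cloudflare on the forwarded port: auth + mTLS.
    app-public:
      entryPoints: ["public"]
      rule: "Host(`service.mydomain.com`)"
      service: app
      middlewares: ["auth@file"]   # placeholder middleware name
      tls:
        options: cloudflare-mtls@file
  services:
    app:
      loadBalancer:
        servers:
          - url: "http://app:8080"   # placeholder backend

tls:
  # Cloudflare Origin certificate from the thread; it goes into the single default store.
  certificates:
    - certFile: /etc/traefik/cloudflare.pem
      keyFile: /etc/traefik/cloudflare.key
  options:
    cloudflare-mtls:
      minVersion: VersionTLS12
      clientAuth:
        # placeholder path: the CA that signs Cloudflare's client certs (Origin Pull),
        # so direct connections to the IP without a valid client cert are rejected.
        caFiles:
          - /etc/traefik/cloudflare-origin-pull-ca.pem
        clientAuthType: RequireAndVerifyClientCert
```

As the last reply notes, there is still only one certificate store, so the Cloudflare certificate under tls.certificates is matched by SNI on every entrypoint and this config only separates routing, middlewares and client authentication. Which certificate a given port actually presents can be checked with `openssl s_client -connect <host>:<port> -servername service.mydomain.com`.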