Traefik with Cloudflare Tunnel Certificates?

Hello, I have some big picture questions that could hopefully help me understand what my issue is. I have a homelab setup using Cloudflare tunnel. I use Cloudflare for my domain name, TLS/SSL certificate, and all of the security that comes with it. I’m not too smart to trust myself to do this.

From my understanding by watching a lot of videos and reading blogs, the certificate authentication and security happens between the user (Joe Smith sitting at the library) and Cloudflare. When Joe types “nginx.mydomain.com”, this gets proxied to Cloudflare (I do have the orange cloud enabled), and then Cloudflare sends the request down to my network/Traefik.

My confusion lies in the certificate stuff between Cloudflare and my network. Do I need to tell Traefik about the TLS certificate that Cloudflare is using? I’ve seen many videos that explain how to generate a Zone→DNS→Edit API token from Cloudflare and then add it to the environment variable CF_DNS_API_TOKEN. Is it a good idea to tell Traefik about the TLS certificate? Whenever I try to do this I get this error message “Firefox has detected that the server is redirecting the request for this address in a way that will never complete.”

I’ve also read some blogs saying that Traefik shouldn’t be doing the TLS or HTTPS redirection; all of that is taken care of by Cloudflare. But then I’ve also seen plenty of videos where people are adding the labels “traefik.http.routers.websecure.tls.domains[0].main=mydomain.com” and “traefik.http.routers.websecure.tls.domains[0].sans=*.mydomain.com” to the docker-compose file.

So how exactly does this work? When using Cloudflare tunnel what is the best practice? If I don’t do any of the TLS, redirection, or certificate stuff in Traefik, I am able to access my website from the outside, but is this good?

Cloudflare tunnel establishes an encrypted connection from client to Cloudflare. Cloudflare proxies incoming requests to the configured IP on the host, keeping the Host header. This can be http, as it is already encrypted by the tunnel.

If you want super duper extra security, you can also encrypt local traffic on your host, by using a TLS cert with Traefik. You can use a self-signed cert (needs additional cfd command to trust any), a dedicated Cloudflare origin cert or a LetsEncrypt cert.

So it doesn’t make any sense to use the same certificate Cloudflare is using on my local host? I am using the basic/free TLS certificate that Cloudflare provides to my domain and subdomain (wildcard cert?). This certificate should stay between the client and Cloudflare?

Let’s say I do get an additional certificate from LetsEncrypt, is this what I need to tell Traefik to use? And all of this gets me is a local, self-signed, certificate on my local network. Seems like a good idea, but unnecessary? Does the cloudflared tunnel need to be aware of this certificate?

For TLS to work, the client needs to trust the source.

Options:

  1. Use a signed public TLS cert on host, like LetsEncrypt
  2. Use a provider cert for this use case, I think it's called CF origin cert
  3. Use a custom created TLS cert and import it to be trusted
  4. Tell client to not validate trustchain (cloudflared --no-tls-verify, post)

I would assume you can tell cloudflared to connect to localhost 127.0.0.1, so I would think local encryption is not necessary. Unless you have highly confidential data and distrust your IT admin.

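As an added illustration of options 2 and 4 from the reply above (not configuration from this thread or from Traefik/Cloudflare documentation), here is a cloudflared `config.yml` ingress that shows the weak setting (skip chain validation) beside the hardened one (Traefik serves a Cloudflare origin cert that cloudflared verifies), followed by the Traefik file-provider fragment that loads that cert. The tunnel id, hostnames and file paths are placeholders you would replace.

```yaml
# --- /etc/cloudflared/config.yml (added example; ids, hostnames and paths are placeholders) ---
tunnel: <TUNNEL_ID>
credentials-file: /etc/cloudflared/<TUNNEL_ID>.json

ingress:
  # Option 4 from the reply: TLS to Traefik, but cloudflared does NOT validate the
  # chain. Traffic on the host is encrypted, yet the origin is not authenticated,
  # so anything answering on traefik:443 with any certificate is accepted.
  - hostname: weak.mydomain.com
    service: https://traefik:443
    originRequest:
      noTLSVerify: true

  # Option 2 from the reply: Traefik presents a Cloudflare origin certificate and
  # cloudflared checks it against the Origin CA root plus the expected hostname.
  # Pointing the ingress at port 443 also means Traefik's HTTP->HTTPS redirect on
  # the :80 entrypoint is never hit by tunnel traffic, which avoids the redirect loop
  # the original post describes.
  - hostname: nginx.mydomain.com
    service: https://traefik:443
    originRequest:
      noTLSVerify: false
      originServerName: nginx.mydomain.com          # name cloudflared expects in the cert (SNI)
      caPool: /etc/cloudflared/cloudflare-origin-ca.pem  # Cloudflare Origin CA root, downloaded separately
      httpHostHeader: nginx.mydomain.com            # Host header Traefik routes on

  # catch-all required as the last ingress rule
  - service: http_status:404

# --- /etc/traefik/dynamic.yml (Traefik file provider, loaded via providers.file in the static config) ---
tls:
  certificates:
    - certFile: /certs/origin.pem   # Cloudflare origin cert issued for *.mydomain.com
      keyFile: /certs/origin.key    # keep this file readable only by the Traefik process
  options:
    default:
      minVersion: VersionTLS12
```

With the second ingress rule, a mismatch between the cert Traefik serves and `originServerName`, or a cert not chaining to the file in `caPool`, makes cloudflared refuse the origin connection rather than silently fall back to unverified TLS.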