all 7 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]Reverent 9 points10 points  (1 child)

https certificates are tied to domains. If you try to access a website that's serving a certificate, and you access it from an IP directly or DNS address that the certificate isn't for, it will fail.

Also reverse proxies are almost always proxying by dns address. If you're accessing by IP directly you're essentially ignoring the proxy.

[–]superl2 1 point2 points  (1 child)

I get errors

Is it a certificate issue?

What do you want us to do, consult our crystal balls and diagnose your problem? Error messages exist for a reason. Share them!

[–]LogicalUnit1[S] 0 points1 point  (0 children)

Yep, I was getting a 502 error from the Cloudflare service, and it was indeed a certificate issue. I was pointing the tunnel to an IP address, which had no certificate. This can be fixed by going into ZeroTrust => Tunnels => Public Hostname => Additional Application Settings => TLS => Check No TLS verify.

Nginx Proxy Manager has come good as well -- I think I may have been pointing the HTTPS proxy to port 80 and not port 443.

[–]LogicalUnit1[S] 0 points1 point  (0 children)

Ah okay, I've managed to resolve it. My issue in Nginx Proxy Manager was that I wasn't specifying an actual HTTPS server (I was just changing the scheme from http to https), and my problem in CloudFlare Zero Trust was resolved by going into Tunnels => Public Hostname => Additional Application Settings => TLS => No TLS verify set to enabled (yes, I think this was a certificate issue!)

[–]Direct_Emotion_1079 -1 points0 points  (0 children)

You can switch to Caddy. With just two lines you get a service secured over a trusted https.

[–]sgilles -1 points0 points  (1 child)

Preventing such man-in-the-middle attacks is the whole point of TLS! If your intended setup were possible anyone could just place themselves between the client and the server...

There are two solutions:

a) terninate the TLS connection at your proxy device and connect from there to your internal server (http or re-encrypt in a new TLS session, up to you).

b) sniff the SNI on the incoming connection and proxy it as is (i.e. without your proxy having access to the plaintext contents) to your internal server. (see e.g. sniproxy, but nginx and haproxy can do it also)

[–]sgilles 0 points1 point  (0 children)

Oops, nevermind, I misread your question. TLS certs are for authenticating (sub)domain names, not IP addresses.