Hi guys, would be happy to receive some input on my current problem. I spun up my own Lemmy instance yesterday using the ansible playbook on a newly set up VPS with its own IPv4. Since I also had an unused domain, I chose to use it exclusively for Lemmy. I therefore set the domain in the hosts file to exactly that one. I created the following DNS entries in Cloudflare for it:

  • An A record with name www pointing towards the IP
  • A CNAME pointing the domain without subdomain towards the www.subdomain.de thing

Both without activating their proxies. As soon as I’m activating their proxies my instance becomes unreachable, and if I’m calling www.my-domain.de I’m seeing an Nginx error page. Is there a smart way anyone of you knows how I could set up my DNS records in a way that I’m able to use Cloudflare proxies to kinda encapsulate my VPS a bit more?

EDIT: I got it solved. First off, I was most probably an idiot when setting the SSL settings. It could be possible that I changed them for the wrong domain. So in the end I did two things. First off, I changed the CNAME thing into another A record pointing directly towards the server IP. I suspect this was not the root cause, because after changing the DNS settings I discovered that again the SSL settings were set to Flexible. This is basically a setting where Cloudflare assumes you are somehow unable to get your own SSL certificate on your server and therefore only the traffic between the user’s browser and them is encrypted, but the traffic towards your server is not. That was most probably the main reason, since this should cause an infinite forwarding of Cloudflare trying http but my server redirecting them to https (for more info see here). I set it to Full (strict), meaning now all the traffic is encrypted using my certificate.

After both changes it works now, and when pinging the URL some random Cloudflare IP shows up and “my” IP is hidden.

Old DNS settings: [image]

New DNS settings: [image]

EDIT 1: Changed the title from xyz (SOLVED) to [SOLVED] xyz
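As an added illustration (not part of the original post), here is a small Python model of why the Flexible setting described above loops while Full (strict) does not: the edge fetches the origin over plain HTTP, the origin answers with a 301 to https://, the browser follows it back to the edge, and the cycle repeats. The `Origin` class, the `edge_request` behaviour and the hop limit are simplifying assumptions, not Cloudflare’s actual implementation.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Origin:
    """Constructed origin: nginx-style HTTP->HTTPS redirect, serving a certificate.
    cert_valid=True stands for a CA-issued cert (e.g. from certbot), False for self-signed."""
    host: str
    cert_valid: bool

    def handle(self, scheme: str) -> Tuple[int, Optional[str]]:
        if scheme == "http":
            # Plain HTTP is redirected to HTTPS, as the playbook's nginx config does.
            return 301, f"https://{self.host}/"
        return 200, None

def edge_request(mode: str, origin: Origin) -> Tuple[int, Optional[str]]:
    """Assumed edge behaviour per SSL mode (simplified model, not Cloudflare's code)."""
    if mode == "Flexible":
        # Edge terminates TLS from the browser but talks HTTP to the origin.
        return origin.handle("http")
    if mode == "Full":
        # Edge talks HTTPS to the origin and accepts any certificate.
        return origin.handle("https")
    if mode == "Full (strict)":
        # Edge talks HTTPS and requires a certificate it can validate.
        if not origin.cert_valid:
            return 526, None  # Cloudflare's "invalid SSL certificate" status
        return origin.handle("https")
    raise ValueError(f"unknown SSL mode: {mode}")

def browser_visit(mode: str, origin: Origin, max_hops: int = 10) -> str:
    """Follow redirects like a browser would; returns 'ok', 'loop' or 'error <status>'."""
    for _ in range(max_hops):
        status, location = edge_request(mode, origin)
        if status == 200:
            return "ok"
        if status == 301 and location and location.startswith("https://"):
            # The browser follows to https://host/, which is served by the edge again.
            continue
        return f"error {status}"
    return "loop"  # too many redirects: the endless 301s seen in the browser

if __name__ == "__main__":
    origin = Origin("www.my-domain.de", cert_valid=True)  # constructed sample host
    for mode in ("Flexible", "Full", "Full (strict)"):
        print(f"{mode:14s} -> {browser_visit(mode, origin)}")
```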

  • tjr@innernet.link · 2 years ago

    Would need more details such as error logs from the server and what you mean by “proxies”, are you referring to Cloudflare’s caching proxy? Also, it is against RFC to CNAME an APEX domain, I am not sure of your exact details but by the way you are explaining things, it seems that you may have done this.

    • ture@rational-racoon.de (OP) · 2 years ago

      I got it solved, I’ll write a better summary in an edit for the post above.

      Regarding your question, **Error logs:** There was no error msg in the backend logs on the (got it solved before digging more into the nginx, front end or whatever logs). Imho the request anyway never reached the server so there should have been no msg. But since I’m earning my money as a dev and not as a (dev)ops, and just operate such things on a hobby basis, I’m not 100% sure. Also the browser just showed lots of status 301 and using ping I just got timeouts.

      **What do I mean by proxies?** Yeah, I mean these Cloudflare caching and whatsoever magic proxy thing that also hides your IP and exposes some Cloudflare IP instead. Makes it e.g. impossible to just do smth like ssh root@your.domain.

      **CNAME:** Yes, it’s against RFC to CNAME an APEX domain, you kinda can do this in Cloudflare’s UI but it’s not actually doing it under the hood. It uses CNAME flattening, which causes Cloudflare to directly return the IP you’re pointing to.

      For the final solution see above, will post an edit in a few minutes.

    • ture@rational-racoon.de (OP) · 2 years ago

      I’ll look into it as soon as I’m back at my computer. The playbook contains certbot and requests its own SSL certificate, and I also use certbot and Cloudflare for my homeserver, so I should be able to easily compare settings there. Haven’t thought of it maybe being an SSL issue since the usual “your page is unsafe” and so on things didn’t pop up.

      • ture@rational-racoon.de (OP) · (edited) · 2 years ago

        Tried turning SSL on/off; always the same result.

        EDIT: See the edit in the post; most probably it actually helped.

    • ture@rational-racoon.de (OP) · 2 years ago

      Your instance seems to be running on a subdomain. So it seems that this is not just something specific to running an instance without using a subdomain.