cloudflare

command
v0.4.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 17, 2026 License: MIT Imports: 1 Imported by: 0

Documentation

Overview

Example: a statute deployment fronted by Cloudflare with origin AutoTLS.

Cloudflare terminates TLS at its edge and re-encrypts to the origin. This origin runs autocert with the HTTP-01 challenge (TLS-ALPN-01 cannot work behind Cloudflare because the proxy strips custom ALPN). The BehindCloudflare() option does two things:

  • Drops "acme-tls/1" from the listener's ALPN advertisement so autocert does not choose TLS-ALPN-01 and quietly fail.
  • Marks requests on this listener as trusted-proxy so CF-Connecting-IP and True-Client-IP become the authoritative client IP for rate limiting, access logs, and IP-hash load balancing.

Cloudflare-side prerequisites:

  • SSL/TLS mode: Full (Strict).
  • "Always Use HTTPS" disabled (or bypassed) for the path /.well-known/acme-challenge/* so HTTP-01 reaches the origin on :80.
  • WAF rule that does not block requests to the same path.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL