Documentation
¶
Overview ¶
Example: a statute deployment fronted by Cloudflare with origin AutoTLS.
Cloudflare terminates TLS at its edge and re-encrypts to the origin. This origin runs autocert with the HTTP-01 challenge (TLS-ALPN-01 cannot work behind Cloudflare because the proxy strips custom ALPN). The BehindCloudflare() option does two things:
- Drops "acme-tls/1" from the listener's ALPN advertisement so autocert does not choose TLS-ALPN-01 and quietly fail.
- Marks requests on this listener as trusted-proxy so CF-Connecting-IP and True-Client-IP become the authoritative client IP for rate limiting, access logs, and IP-hash load balancing.
Cloudflare-side prerequisites:
- SSL/TLS mode: Full (Strict).
- "Always Use HTTPS" disabled (or bypassed) for the path /.well-known/acme-challenge/* so HTTP-01 reaches the origin on :80.
- WAF rule that does not block requests to the same path.
Click to show internal directories.
Click to hide internal directories.