Just serve the CloudFlare certs. If the URL is the same, it won't matter. Doesn't matter if you're talking to a local private address like 192.166.1.100 or a public IP. If you're accessing it via a DNS name, that is what is validated, not the underlying IP.
PS. If you tried this and are having issues. We need more details about how things are set up, and how you are accessing them.
I somewhat wonder if CloudFlare is issuing two different certs. An "internal" cert your servers use to serve to CloudFlare, which uses a private CA only valid for CloudFlare's internal services. CloudFlare's tunnel service validates against that internal CA, and then serves traffic using an actual public CA signed cert to public internet traffic.
Honestly though, I kinda think you should just go with serving everything entirely externally. Either you trust CloudFlare's tunnels, or you don't. If you don't trust CloudFlare to protect your services, you shouldn't be using it at all.
Here's a drawing of what I think might be happening to your private traffic: traffic diagram
One major benefit to this approach is CloudFlare does not need to revoke an entire public certificate authority (CA) if a singular private tunnel's Certificate Authority is compromised.
[Thread, post or comment was deleted by the moderator]
I think I misunderstood what exactly you wanted. I don't think you're getting remote GPU passthrough to virtual machines over ROCE without an absolute fuckton of custom work. The only people who can probably do this are Google or Microsoft. And they probably just use proprietary Nvidia implementations.
I am several months into the self-hosting journey and I feel I have outgrown my Pi 4 B 8GB. I'm only running around 3 dozen containerized services and it seems to struggle to keep up. But I'm not sure of the best bang for my buck. I'd like good, long-term performance, but I don't really have a grand lying around for a Lenovo...
You are not being overly cautious. You should absolutely practice isolation. The LastPass hack happened because one of their engineers had a vulnerable Plex server hosted from his work machine. Honestly, next iteration of my home network is going to probably have 4 segments. Home/Users, IOT, Lab, and Work.
In the LastPass case, I believe it was a native Plex install with a remote code execution vulnerability. But still, even in a Linux container environment, I would not trust them for security isolation. Ultimately, they all share the same kernel. One misconfiguration on the container or an errant privilege escalation exploit and you’re in.
I’ve been trying to figure this out off and on for months without any luck. This is my first homelab setup in a while. I have Proxmox running a few VMs, one is Truenas with some drives in direct passthrough. I also have a Proxmox container running Docker which is running a few things, Traefik being one of them....
I have a feeling routing SMB traffic through Traefik is going to be a performance and latency nightmare. Is your TrueNAS VM’s network interface bridged to your home network? If so, use a static IP and just have clients connect directly. If not, your best bet is likely iptables NAT to forward a port from your Proxmox servers IP to the TrueNAS VM.
Annoying yes, but I’d argue that’s likely the simplest and most performant approach. At best (IPTables NAT), you’d be adding in an extra network hop to your SMB connections which would effect latency, and SMB is fairly latency sensitive especially for small files. And at worst (Traefik), you’d adding in a user-space layer 7 application that needs to forward every bit of traffic going over your SMB connection.
Traefik conditional certificate for same URL
Hey all!...
[Thread, post or comment was deleted by the moderator]
Wisest Upgrade from Raspberry Pi ( artemis.camp )
I am several months into the self-hosting journey and I feel I have outgrown my Pi 4 B 8GB. I'm only running around 3 dozen containerized services and it seems to struggle to keep up. But I'm not sure of the best bang for my buck. I'd like good, long-term performance, but I don't really have a grand lying around for a Lenovo...
Security of Ubuntu Server with Work Data and Jellyfin/*Arr/Torrent Dockers
Hi everyone....
Traefik setup for Truenas smb?
I’ve been trying to figure this out off and on for months without any luck. This is my first homelab setup in a while. I have Proxmox running a few VMs, one is Truenas with some drives in direct passthrough. I also have a Proxmox container running Docker which is running a few things, Traefik being one of them....