That's odd. I'm seeing a continual MISS (not DYNAMIC) which shouldn't be happening, really, since I'

That's odd. I'm seeing a continual MISS (not DYNAMIC) which shouldn't be happening, really, since I'm hitting the same colo. One sec.

IIsaac McFadyen That's odd. I'm seeing a continual MISS (not DYNAMIC) which shouldn't be happeni...

Isaac McFadyenOP•8/29/23, 2:07 AM

Solved in DMs - the file was too large to cache on your plan.

ZZnuff With any of CF's products (except maybe a worker?) there is no way to rewrite a ...

Isaac McFadyenOP•8/29/23, 2:08 AM

You could with a Worker yes, but keep in mind POST and GET are different for a reason. GET can have bodies but isn't supposed to and some reverse proxies will strip it if they see it. GET can also be cached and POST shouldn't be (which matters for things like form submissions).

Isaac McFadyenOP•8/29/23, 2:09 AM

But if you understand the risks then yeah, a Worker could do it.

Daniel Sincere•8/29/23, 3:26 AM

if I create a Cloudflare tunnel using Terraform, how do I get an origin cert that I can upload to a Kubernetes cluster? When using

cloudflared

cloudflared

on the command line, the

create

create

command creates the .pem.pem

Daniel Sincere•8/29/23, 3:51 AM

Would be nice to have a 100% terraform solution. For now, I'm using cloudflared logincloudflared login to create a cert.

DDaniel Sincere if I create a Cloudflare tunnel using Terraform, how do I get an origin cert tha...

Kasumi•8/29/23, 4:17 AM

Just Google it or create a origin certificate in the SSL tab

Kasumi•8/29/23, 8:15 AM

How can I fix this. And yes it uses the CF origin certificate

TTraffy I want to verify that all non-cache traffic coming to my origin is via cloudflar...

Hello, I’m Allie!•8/29/23, 8:50 AM

Enable Access in Bypass, then Verify the JWT

Validate JWTs · Cloudflare Zero Trust docs

When Cloudflare sends a request to your origin, the request will include an application token as a Cf-Access-Jwt-Assertion request header and as a …

Hello, I’m Allie!•8/29/23, 8:51 AM

If you use CF Tunnels, it can do so for you automatically

TTraffy If I block external port 80 and install CF tunnel and connect it with internal p...

Hello, I’m Allie!•8/29/23, 10:02 AM

Yes, and yes. Note too that depending on how complex your nginxnginx config is, Tunnel might be able to replace it entirely.

TTraffy My nginx is super simple ``` server { listen 80; server_name domain.xyz www....

Hello, I’m Allie!•8/29/23, 10:14 AM

Would the backend accept only the

X-Forwarded-For

X-Forwarded-For

Hello, I’m Allie!•8/29/23, 10:14 AM

Looks like Tunnel doesn't add X-Real-IPX-Real-IP.

TTraffy Here's my updated config: ``` location / { proxy_pass http://localhost:3000...

Hello, I’m Allie!•8/29/23, 10:22 AM

Should work fine then. You should just be able to use a single Tunnel, without nginxnginx

TTraffy Awesome. So should I just add my backend in

Hello, I’m Allie!•8/29/23, 10:29 AM

Yes, then add the JWT to the Tunnel for it to be verified.

TTraffy One more thing. Lets say my origin server is in Germany then by using tunnel wil...

Hello, I’m Allie!•8/29/23, 10:36 AM

The Tunnel itself would connect to datacenters in and around Germany. From there, data could be routed from an Indian datacenter to the ones in Germany.

Kasumi•8/29/23, 12:29 PM

Ig caching just needs some time.

Kasumi•8/29/23, 12:38 PM

But I like this peak lol

Ppiper would be great if someone has a workaround or if they make it possible! i can th...

Kasumi•8/29/23, 12:40 PM

The most things you can route yourself together with nginx or HAProxy

Kasumi•8/29/23, 12:41 PM

You have a very high internal start port that nothing uses and every sub page or so that needs another port is getting its own port and via nginx everything is routed together to 443. (Thats how we do it)

Kasumi•8/29/23, 12:43 PM

hm then there are 2 or 3 other ports you can use for https and a few more for http

Kasumi•8/29/23, 12:43 PM

Kasumi•8/29/23, 12:50 PM

These are all Headers that CF uses

HTTP request headers · Cloudflare Fundamentals docs

Cloudflare passes all HTTP request headers to your origin web server and adds additional headers as specified below.

Kasumi•8/29/23, 12:50 PM

What does Other mean?

TTraffy Is there any header in CF cache html response by which I can know from which dat...

Chaika•8/29/23, 1:05 PM

By default, cache is per colo (cloudflare datacenter), and you could look at the end cf-ray header to see which one you are hitting. Some are multi-colo PoPs though with their own cache (i.e "ORD" is made up of several DCs with their own cache)

want to know if cache page server from nearest data center to website visitor or not.

It's the one they connect to yea

TTraffy In page rules and cache rules I have set cache TTL to 4 days but in response hea...

Chaika•8/29/23, 1:12 PM

You're talking about cache-control? I don't see it in that output there, but yea you can override Browser TTL as well as Edge Cache TTL if you want them to be the same/some other value. You don't need to use both Page Rules and Cache Rules though, I would just use Cache Rules

Ppiper i have an api that serves images on port 8443 that i recently changed today beca...

Chaika•8/29/23, 1:19 PM

hmm I see what you mean, that's really weird. If you origin rule rewrite to one of the network ports marked cache disabled, still no cache.
However, it looks like if you override to any other port (I tested with 8444), cache does work fine with origin rules. Probably some weird quirk

would be great if someone has a workaround or if they make it possible! i can think of many reasons it would be a huge benefit such as less scanners to deal with, no privileged port issues, no proxy setups + more flexibility is always helpful for dx :PrayToTheLordAmen:

If your setup is right it shouldn't really matter for security, only Allowlist Cloudflare (https://github.com/Paul-Reed/cloudflare-ufw), verify host header is right (if you're using something like nginx with server_name, it's doing this), and if you're really paranoid set up Auth. Origin Pulls. Cloudflare Tunnels are a great choice as well to just have a lot of the security done for you, and allow you to run mutiple services without something like nginx (even though nginx is really lite, I run it in front of all my web services even if there not sharing with anything)

TTraffy So I have disabled page rules and used only cache rules. After clearing cache st...

Chaika•8/29/23, 1:23 PM

Under Edge TTL is Browser TTL, which is the time you see in Cache-Control and what you want to change

Chaika•8/29/23, 1:23 PM

Edge TTL isn't being ignored, it's just Cloudflare's time for caching it internally

Chaika•8/29/23, 1:25 PM

There's no requirement for them to be the same, you could do 1 hour Browser Cache TTL and days long Edge TTL if you wanted so you could purge CF cache and browsers get the more updated asset faster, without your origin getting extra uncached hits

That's odd. I'm seeing a continual MISS (not DYNAMIC) which shouldn't be happening, really, since I'

Similar Threads