Moving to Cloudflare proxy
-
So I'm looking for a sanity check here.
Current setup
(External access)
CF DNS points Webmail.domain.com to my IP, which forwards via the firewall to an HAProxy, which then forwards to Exchange.
(Internal access)
Local DNS points directly to Exchange.
Exchange and HAProxy have the same GoDaddy cert on them, expiring soon. This cert handles both TLS for webmail traffic and for SMTP traffic.
Proposed new solution
Remove HAProxy
Change the firewall to direct traffic directly to Exchange, but only allow traffic from CloudFlare (not entirely sure how to get the IPs for this lockdown)
Change CF DNS to allow CF to Proxy
Install CF Origin cert on Exchange (this is good for Webmail traffic, but not for SMTP traffic - unless CF is proxying SMTP as well?)
Use NSLOOKUP to find CF assigned IP Proxy for webmail.domain.com
Change local DNS to point webmail to previously found IP
So the question is - Can I use the CF Origin cert for SMTP traffic? And if not - how do I solve this? Install LE and use that? Then the question is, how do I assign each cert to the correct function in Exchange?
Edit - nope, CF doesn't proxy SMTP - (from their page)
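An added example, not from the original poster, of the firewall lockdown in the plan above: it checks a source address against Cloudflare's published edge ranges and flags connections to the proxied HTTPS port that did not arrive through Cloudflare. The CIDR list and log lines are constructed stand-ins; the real ranges come from the two Cloudflare URLs named in the docstring.

```python
"""Lock the Exchange publishing rule down to Cloudflare's edge and spot bypasses.

Cloudflare publishes its edge CIDRs at https://www.cloudflare.com/ips-v4 and
https://www.cloudflare.com/ips-v6, one network per line. The text below is a
CONSTRUCTED stand-in using documentation ranges so this runs offline; feed the
real lists in and refresh them on a schedule, since the ranges change."""
from ipaddress import ip_address, ip_network

SAMPLE_CF_LIST = """\
198.51.100.0/24
203.0.113.0/24
2001:db8:cf::/48
"""

# Constructed firewall log lines: "<timestamp> <action> <src> -> <dst>:<port>".
SAMPLE_LOG = """\
2024-01-01T10:00:00Z ALLOW 203.0.113.7 -> 192.0.2.10:443
2024-01-01T10:00:05Z ALLOW 198.51.100.200 -> 192.0.2.10:443
2024-01-01T10:00:09Z ALLOW 192.0.2.77 -> 192.0.2.10:443
2024-01-01T10:00:12Z ALLOW 192.0.2.78 -> 192.0.2.10:25
"""


def parse_ranges(text):
    """Turn the published list into network objects, skipping blank lines."""
    return [ip_network(line.strip()) for line in text.splitlines() if line.strip()]


def is_cloudflare(src, ranges):
    """True if the source address falls inside any published edge range."""
    addr = ip_address(src)
    return any(addr in net for net in ranges)


def direct_to_origin(log_text, ranges, proxied_port=443):
    """Return sources that reached the proxied port without coming via Cloudflare.

    Anything listed either predates the firewall change or bypassed the proxy
    (and with it Cloudflare's filtering), so it should be empty once the rule
    is in place. Port 25 is ignored: CF does not proxy SMTP, so MX traffic
    legitimately arrives from arbitrary senders."""
    hits = []
    for line in log_text.splitlines():
        _ts, _action, src, _arrow, dst = line.split()
        _host, port = dst.rsplit(":", 1)
        if int(port) == proxied_port and not is_cloudflare(src, ranges):
            hits.append(src)
    return hits


if __name__ == "__main__":
    ranges = parse_ranges(SAMPLE_CF_LIST)
    print("direct hits on 443:", direct_to_origin(SAMPLE_LOG, ranges))  # ['192.0.2.77']
```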
-
@Dashrender said in Moving to Cloudflare proxy:
Change the firewall to direct traffic directly to Exchange, but only allow traffic from CloudFlare (not entirely sure how to get the IPs for this lockdown)
-
@scottalanmiller said in Moving to Cloudflare proxy:
@Dashrender said in Moving to Cloudflare proxy:
Change the firewall to direct traffic directly to Exchange, but only allow traffic from CloudFlare (not entirely sure how to get the IPs for this lockdown)
Awesome - thanks.
-
@Dashrender said in Moving to Cloudflare proxy:
Use NSLOOKUP to find CF assigned IP Proxy for webmail.domain.com
Change local DNS to point webmail to previously found IP
Ideally you don't want a local override, but to use a DNS entry that is external only. Off the top of my head, what if you gave a public hostname to the service, and an internal CNAME to point to that so that internal users do the same thing, but they are really hitting CF's round robin service just the same?
-
@scottalanmiller said in Moving to Cloudflare proxy:
@Dashrender said in Moving to Cloudflare proxy:
Use NSLOOKUP to find CF assigned IP Proxy for webmail.domain.com
Change local DNS to point webmail to previously found IP
Ideally you don't want a local override, but to use a DNS entry that is external only. Off the top of my head, what if you gave a public hostname to the service, and an internal CNAME to point to that so that internal users do the same thing, but they are really hitting CF's round robin service just the same?
I don't follow.
I want users to use webmail.domain.com no matter where they are located. Please use that as a starting point and be specific on your thoughts.
Thanks -
But that still doesn't solve the SMTP issue - which if can't be solved, kills this whole discussion.
-
@Dashrender said in Moving to Cloudflare proxy:
@scottalanmiller said in Moving to Cloudflare proxy:
@Dashrender said in Moving to Cloudflare proxy:
Use NSLOOKUP to find CF assigned IP Proxy for webmail.domain.com
Change local DNS to point webmail to previously found IP
Ideally you don't want a local override, but to use a DNS entry that is external only. Off the top of my head, what if you gave a public hostname to the service, and an internal CNAME to point to that so that internal users do the same thing, but they are really hitting CF's round robin service just the same?
I don't follow.
I want users to use webmail.domain.com no matter where they are located. Please use that as a starting point and be specific on your thoughts.
Thanks
I believe this is where he was going.
Set up webmail.domain.com on CF as you have.
Set up wtf.domain.com on CF as a CNAME pointing to webmail.domain.com
Set up a webmail.domain.com on your local DNS pointing to wtf.domain.com
But the problem is that as long as you use domain.com you need to point the internal DNS to a Cloudflare IP because of the entire split-dns disaster.
So I would also like @scottalanmiller to clarify.
-
@Dashrender said in Moving to Cloudflare proxy:
But that still doesn't solve the SMTP issue - which if can't be solved, kills this whole discussion.
One thing at a time. Conflating issues is a horribly common scenario from you.
While this is needed to get the entire package, don't short circuit the process.
-
@JaredBusch said in Moving to Cloudflare proxy:
@Dashrender said in Moving to Cloudflare proxy:
But that still doesn't solve the SMTP issue - which if can't be solved, kills this whole discussion.
One thing at a time. Conflating issues is a horribly common scenario from you.
While this is needed to get the entire package, don't short circuit the process.
Fine - new post coming.
-
@scottalanmiller still waiting on you to clarify what you meant.
-
@JaredBusch said in Moving to Cloudflare proxy:
@Dashrender said in Moving to Cloudflare proxy:
@scottalanmiller said in Moving to Cloudflare proxy:
@Dashrender said in Moving to Cloudflare proxy:
Use NSLOOKUP to find CF assigned IP Proxy for webmail.domain.com
Change local DNS to point webmail to previously found IP
Ideally you don't want a local override, but to use a DNS entry that is external only. Off the top of my head, what if you gave a public hostname to the service, and an internal CNAME to point to that so that internal users do the same thing, but they are really hitting CF's round robin service just the same?
I don't follow.
I want users to use webmail.domain.com no matter where they are located. Please use that as a starting point and be specific on your thoughts.
Thanks
I believe this is where he was going.
Set up webmail.domain.com on CF as you have.
Set up wtf.domain.com on CF as a CNAME pointing to webmail.domain.com
Set up a webmail.domain.com on your local DNS pointing to wtf.domain.com
But the problem is that as long as you use domain.com you need to point the internal DNS to a Cloudflare IP because of the entire split-dns disaster.
So I would also like @scottalanmiller to clarify.
Like that, but more like...
webmail.domain.com on CF A Record
webmail.wtfdomain.com on LAN DNS CNAME pointing to webmail.domain.com
webmail.wtfdomain.com on Public DNS CNAME pointing to webmail.domain.com
-
@scottalanmiller said in Moving to Cloudflare proxy:
@JaredBusch said in Moving to Cloudflare proxy:
@Dashrender said in Moving to Cloudflare proxy:
@scottalanmiller said in Moving to Cloudflare proxy:
@Dashrender said in Moving to Cloudflare proxy:
Use NSLOOKUP to find CF assigned IP Proxy for webmail.domain.com
Change local DNS to point webmail to previously found IP
Ideally you don't want a local override, but to use a DNS entry that is external only. Off the top of my head, what if you gave a public hostname to the service, and an internal CNAME to point to that so that internal users do the same thing, but they are really hitting CF's round robin service just the same?
I don't follow.
I want users to use webmail.domain.com no matter where they are located. Please use that as a starting point and be specific on your thoughts.
Thanks
I believe this is where he was going.
Set up webmail.domain.com on CF as you have.
Set up wtf.domain.com on CF as a CNAME pointing to webmail.domain.com
Set up a webmail.domain.com on your local DNS pointing to wtf.domain.com
But the problem is that as long as you use domain.com you need to point the internal DNS to a Cloudflare IP because of the entire split-dns disaster.
So I would also like @scottalanmiller to clarify.
Like that, but more like...
webmail.domain.com on CF A Record
webmail.wtfdomain.com on LAN DNS CNAME pointing to webmail.domain.com
webmail.wtfdomain.com on Public DNS CNAME pointing to webmail.domain.com
Ok, a second domain. That I expect to work like this.
-
Seriously you want me to buy another domain to fix this?
I'm frazzled this morning - so I might be missing something.
-
@Dashrender said in Moving to Cloudflare proxy:
Seriously you want me to buy another domain to fix this?
I'm frazzled this morning - so I might be missing something.
I would just use an A record on your local DNS pointing to WTF ever Cloudflare resolves your FQDN to.
But paying more attention to what @scottalanmiller said, he has that backwards on the second domain.
CF: A Record: webmail.domain.com pointing to your public IP, orange cloud on.
CF: CNAME: webmail.wtfdomain.com pointing to webmail.domain.com
Local DNS: CNAME: webmail.domain.com pointing to webmail.wtfdomain.com
-
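As an added example (not from any poster in the thread), a toy Python resolver that models the three records just listed under two assumptions: the LAN DNS server is authoritative for domain.com, and it forwards every other name to a public recursive resolver that follows the full CNAME chain. It also shows why an alias kept inside domain.com never reaches Cloudflare, which is the split-DNS problem raised earlier; all records and addresses are constructed.

```python
"""Toy split-horizon resolver for the record layout described above.

All records are CONSTRUCTED sample data; 203.0.113.10 stands in for whatever
Cloudflare edge IP the orange-clouded webmail.domain.com resolves to.
Assumed: the LAN DNS server is authoritative for domain.com (the split-DNS
situation) and forwards everything else to a public recursive resolver."""

# What the internet sees: Cloudflare hosts both zones.
PUBLIC = {
    "webmail.domain.com": ("A", "203.0.113.10"),
    "webmail.wtfdomain.com": ("CNAME", "webmail.domain.com"),
}

# The layout above: the LAN copy of domain.com aliases out to the second domain.
LAN_ZONES = {"domain.com": {"webmail.domain.com": ("CNAME", "webmail.wtfdomain.com")}}

# The same idea attempted inside domain.com only (the case ruled out earlier).
LAN_ZONES_SAME_DOMAIN = {"domain.com": {"webmail.domain.com": ("CNAME", "edge.domain.com")}}


def resolve_public(name, hops=0):
    """Public recursive resolver: follows the whole CNAME chain to an A record."""
    if hops > 8:
        raise RuntimeError(f"CNAME loop resolving {name}")
    rtype, data = PUBLIC[name]
    return data if rtype == "A" else resolve_public(data, hops + 1)


def resolve_lan(name, lan_zones, hops=0):
    """LAN DNS server: authoritative answers for its own zones, forwards the rest.

    Returns None for a name inside an authoritative zone that has no record
    (NXDOMAIN). The forwarder hands back the public chain's final A record, so
    the public CNAME back to webmail.domain.com never re-enters the LAN zone."""
    if hops > 8:
        raise RuntimeError(f"CNAME loop resolving {name}")
    zone = next((z for z in lan_zones if name == z or name.endswith("." + z)), None)
    if zone is None:
        return resolve_public(name)  # not ours: hand off to the forwarder
    if name not in lan_zones[zone]:
        return None  # authoritative for this zone, and no such record exists
    rtype, data = lan_zones[zone][name]
    return data if rtype == "A" else resolve_lan(data, lan_zones, hops + 1)


if __name__ == "__main__":
    print("internet client :", resolve_public("webmail.domain.com"))  # 203.0.113.10
    print("LAN client      :", resolve_lan("webmail.domain.com", LAN_ZONES))  # 203.0.113.10
    print("same-domain try :", resolve_lan("webmail.domain.com", LAN_ZONES_SAME_DOMAIN))  # None
```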
@Dashrender said in Moving to Cloudflare proxy:
Seriously you want me to buy another domain to fix this?
Yes, because someone screwed up with the original domain, so yes, you need to either fix that or do something to work around it. Mistakes have costs, this is a pretty trivial one.