I need help understanding encrypted trafic between my services

[mathisgauthey]

Hi everyone. I have a working setup using npm as a reverse proxy, but I would like to extend my understanding of what I am doing. I hope someone will be able to explain it to me.
Basically, I would like to know where my connections are unencrypted, and where they are encrypted.

Definitions

• Cloudflare Tunnel acts as a way to :
  • Add authentication to my server's apps.
  • Prevent me from opening ports on my server.
• Cloudflared is the name of the app on my server that communicate with Cloudflare Tunnel.

Setup explained

User => Cloudflare DNS => Cloudflare Tunnel => Cloudflared container in my server => Nginx Proxy Manager container in my server => My containerized apps

Basically, the trafic is working this way :

• Domain name in OVH that use Cloudflare DNS.
• Two DNS entries in Cloudflare :
  • domain.tld => Tunnel ID
  • *.domain.tld => Tunnel ID
• In turn, I have setup my Cloudflare tunnel to point to my server's Nginx Proxy Manager container.
  • *.domain.tld => http://npm-app:80
  • domain.tld => http://npm-app:80
• Finally, Nginx Proxy Manager is configured to point to my containerized apps using proxy host :
  • sub.domain.tld => http://random_app:port

Let's note that I have configured SSL for domain.tld and *.domain.tld in npm using Cloudflare API keys.
And that Cloudflare is configured in Strict mode. (Traffic encrypted from browser to cloudflare and from cloudflare to origin server I suppose ?).

My interrogations are :

• Is the traffic between Cloudflare Tunnel and Nginx Proxy Manager encrypted ? I am using port 80, but as the SSL cert are defined on npm and used by proxy hosts, how does that work ?
• Why is it not working when I'm trying to use https://npm-app:443 between Cloudflared and NPM ?
• Is the trafic between Nginx Proxy Manager and my containerized apps encrypted ?
• Is this whole thing safe, what are the flaws of such a setup ?

Thanks in advance !

Related questions and posts

• cloudflare tunnel (https routing)+ npm + https application (all of them in docker) #3971
• https://gist.github.com/prateekrajgautam/75afbaa9bcda8eb1dfb6b5ceecd25e8c
• https://blog.rgoyal.net/posts/cloudflare-tunnels-with-npm
• https://www.reddit.com/r/unRAID/comments/16a9iqd/how_do_i_use_npm_with_cloudflare_tunnels/

[mathisgauthey]

I got a really complete answer by FoxxMD (FoxxMD on Github) which I'll forward here to help others in need :

---

I can't comment on anything specific about NPM since I don't use it but I can respond to a few points in your setup questions, generally, I think:

Is the traffic between Cloudflare Tunnel and Nginx Proxy Manager encrypted ?

No. Encryption ends at the tunnel, before cloudflared (the tunnel application) forwards it to NPM

I am using port 80, but as the SSL cert are defined on npm and used by proxy hosts, how does that work ? ....

This is unnecessary. NPM does not need (or use) certs to handle the traffic coming from cloudflared. The traffic is unencrypted at this point. [2]

The point of encryption/https/ssl for web traffic is to transport that data between the requester's machine and your target network/endpoint in a way that cannot be modified or snooped on by a third party.

When using plain ol' port forwarding (not cloudflare tunnels) that burden of providing proof that the endpoint (your machine's IP) is the owner of example.com (and the encryption key) is on you. You use NPM/letsencrypt/acme to provide that proof and generate certs on your machine that the requester can inspect to verify that chain.

When using cloudflare tunnels, cloudflare is now the owner of that burden of proof. They generate edge certs that the requester verifies for proof. The requester sends their traffic to a Cloudflare IP which then forwards the traffic to the associated cloudflared program which unencrypts it and then forwards it to where ever you configured it. You aren't necessary in that chain of burden. You've already "done that" by configuring CF with the tunnel/token/etc to get the traffic from their edge servers in the first place.

Is the traffic between Nginx Proxy Manager and my containerized apps encrypted ?

No. But this would still be the case even if you weren't using cloudflared.

The whole point of a reverse proxy is that you have an application (nginx/npm) that handles all (encrypted) traffic in the "front" that then forwards that traffic to the correct location using rules. The forwarded traffic, as well as anything it receives back from the location before sending it back to the original requester is not encrypted. [1]

Is this whole thing safe, what are the flaws of such a setup ?

It's only as safe as the weakest point of your internal network.

Generally, popular reverse proxy apps like nginx/traefik/caddy are battle-tested and mature software. There are so many eyes on these apps that bugs and vulnerabilities are usually discovered and fixed fast. nginx has been around for 20 years. It's unlikely an attack would be able to exploit the proxy app, specifically.

Encrypted traffic on your network is only an issue if the network isn't secure to begin with. You're more likely to run into security issues with the individual containerized apps you are forwarding traffic to, since they may be less hardended.

Finally, a note on NPM/nginx/traefik forwarding for a domain. You don't actually need to own the domain (or certs!) for these apps to still reverse proxy for them. nginx is perfectly happy to route traffic for example.com if the request header contains Host: example.com (or equivalent header). If you tried to do this with normal port forwarding using your own dns server you'd probably get big scary warnings in your browser about mismatched/missing certs, but nginx would still happily do it. This works for CF tunnels, though, because the response traffic first goes back through CF tunnel and to their edge server where the cert says it should be coming from. So everything is ok in that scenario.

[1] Not encrypted unless you forward it as such! some apps can handle encryption themselves. They usually have instructions for setting up certs etc.. and explicitly tell you that you can use port 443 etc...in that case you could have NPM forward to the app as https traffic. You'd still need to set up certs individually on each app that supports this though.

[2] Here's a chart showing the differences in cert usage between plain ol' port forwarding and CF tunnels when using NPM