We are running a Kubernetes cluster for prod traffic with customers around the country. Our current setup is nginx load balancer + Let's Encrypt + external DNS. We are switching DNS over to Cloudflare for the WAF and DDoS protection. Our two options are to use nginx and block all traffic not from Cloudflare IPs, or to close nginx to external traffic and route it all through a Cloudflare Tunnel. What would the recommendation be here? We are very security conscious as we have sensitive data, but would prefer not to compromise on latency/throughput.
# When to use Cloudflare Tunnel + nginx or just nginx + Cloudflare DNS
Tunnels have multiple advantages over direct. Usually I'd recommend running them on machines on a different network so traffic still passes your firewalls, but they are more secure than just opening ports to CF.
Perf is the same, and in some cases I've seen improved latency under tunnels.
In my experience the overhead is minimal and well worth the benefit in terms of security and complexity reduction.
Awesome, thanks! Any advice on how best to connect it to an nginx load balancer? I have the load balancer set up and routing, and want to maintain it through the tunnel.
Just point the tunnel origin to the LB IP.
One thing to keep in mind is the hostnames / host header for routing.
Yeah -- how would I ensure that they're maintained?
Gotcha -- and in this case should I just not use any TLS? Or still use TLS from internal (nginx) to cloudflared? If I still use it, should I do certs through cloudflared? Thanks.
Depends. If it's on the same machine, no; if it's across a network, probably, but you can just use self-signed certs.
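Putting the two answers above together (point the tunnel origin at the LB IP and keep the Host header intact; use TLS to nginx when cloudflared and the LB are on different machines), here is a cloudflared `config.yml` written as an added example for this thread. It is not from the thread or from Cloudflare's documentation, and every concrete value in it is a constructed placeholder: the tunnel UUID, the hostnames `app.example.com` / `api.example.com`, the LB address `10.0.0.10`, and the CA bundle path `/etc/cloudflared/origin-ca.pem`.

```yaml
# Constructed example cloudflared config.yml (not from the thread).
# Assumes: cloudflared runs on its own host, the nginx LB listens on
# 10.0.0.10:443 with a self-signed cert issued by a private CA whose
# public cert is at /etc/cloudflared/origin-ca.pem. All values are placeholders.

tunnel: 00000000-0000-0000-0000-000000000000        # placeholder tunnel UUID
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

# Defaults applied to every ingress rule below.
originRequest:
  connectTimeout: 10s
  # Trust only the private CA that signed the LB's self-signed cert.
  # This keeps certificate verification ON while still using self-signed certs.
  caPool: /etc/cloudflared/origin-ca.pem
  # noTLSVerify: true   # weaker setting: disables cert checks; avoid for sensitive data

# Rules are evaluated top to bottom; the last rule must be a catch-all.
ingress:
  - hostname: app.example.com
    service: https://10.0.0.10:443          # the nginx LB IP, as in "point the origin to the LB ip"
    originRequest:
      # cloudflared forwards the visitor's Host header by default; pinning it
      # per rule makes the value nginx routes on explicit and auditable.
      httpHostHeader: app.example.com
      # SNI / name checked against the origin cert, must match a SAN on the LB cert.
      originServerName: app.example.com

  - hostname: api.example.com
    service: https://10.0.0.10:443
    originRequest:
      httpHostHeader: api.example.com
      originServerName: api.example.com

  # If cloudflared ran on the same machine as nginx (the "same machine, no TLS"
  # case above), the service line would instead be: service: http://127.0.0.1:80

  - service: http_status:404                 # catch-all: anything else gets a 404
```

Two things the config does not do for you: the LB still has to stop accepting connections from the Internet (security-group or firewall rules dropping inbound 80/443 from anything other than the cloudflared host, and nginx bound to the private interface), otherwise the tunnel adds nothing over the open-port setup; and nginx should derive the client address from the `CF-Connecting-IP` header only for requests that arrive via cloudflared, since with the tunnel the TCP peer it sees is the cloudflared host, not the visitor.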