Configuring Cloudflare for a Cluster

Cloudflare provides broad capabilities for protecting traffic and distributing load for user services. This example describes how to configure free tunneling and traffic proxying through Cloudflare servers, using Cloudflare certificates for HTTPS. The limitations of the free option are described here.

Starting Conditions

In this example, we configure the Cloudflare entry point type for a fault-tolerant cluster, mycluster, with three system nodes and the domain mycluster.myproject.com. The virtual address used in the example is 10.114.16.123.

Step 1. Transfer domain management to Cloudflare

Transfer management of the myproject.com domain to Cloudflare by changing the NS records in the settings of the DNS provider where the myproject.com domain was purchased (for details, see how to transfer management).

Step 2. Create a Cloudflare tunnel

In the Zero Trust section, select Networks/Connectors. Start the tunnel creation wizard and select Cloudflared (outbound-only connection).

Set the tunnel name. In our example, this is mycluster.

In the Install and run a connector section, select Debian. The Cloudflare web interface will show instructions for installing the Cloudflared application on the server where the tunnel is expected to connect.

WARNING!

You do not need to run any commands on the server. From these instructions, you only need to copy the token string and paste it into the Cloudflare Service Token secret field in the SHIPOPS web interface. The token is the credential that lets a connector run this tunnel, so store it nowhere else. For example, in the command below, the required string is represented by * characters:

cloudflared tunnel run --token **************************************

Step 3. Add a published application route

Configure the Add a published application route settings for the mycluster tunnel.

This example uses mycluster.myproject.com, so select the myproject.com domain, specify the mycluster subdomain, then select HTTP and set the virtual IP address from the example: 10.114.16.123.

After that, the tunnel will be created but not yet activated. A special Tunnel record with the tunnel name mycluster should appear in the Cloudflare DNS records for myproject.com.

Step 4. Enable HTTPS for the cluster domain

Configure HTTPS for mycluster.myproject.com. In the SSL/TLS Overview section, enable the Flexible configuration: Cloudflare serves HTTPS to clients, while plain HTTP is allowed on the target server. This means that the SHIPOPS certificate will not be used on the system nodes of the mycluster cluster. This is one of the simplest configuration options.

Also, in the Edge Certificates section, enable the Always Use HTTPS option so that all HTTP requests are automatically redirected to HTTPS.

Only after this should you start installing the mycluster cluster or change the entry point of an existing cluster to Cloudflare.
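A check for the Always Use HTTPS option from Step 4, as an added example that is not part of the original instructions or of SHIPOPS: it reads the response headers of a plain-HTTP request and confirms a redirect to the HTTPS address of the cluster domain. The function names and sample headers are constructed for illustration, and curl is assumed for live use.

```shell
#!/bin/sh
# Live use (assumes curl is installed):
#   curl -sI http://mycluster.myproject.com/ | check_https_redirect mycluster.myproject.com

# Reads HTTP response headers on stdin. Returns 0 if the response is a
# redirect to https://<host>/..., 1 otherwise, and prints the verdict.
check_https_redirect() {
    host=$1
    status='' location=''
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')    # headers end in CRLF
        case $line in
            HTTP/*) status=$(printf '%s' "$line" | awk '{print $2}') ;;
            [Ll]ocation:*) location=$(printf '%s' "${line#*:}" | sed 's/^[[:space:]]*//') ;;
        esac
    done
    # Any of the standard redirect status codes is accepted.
    case $status in
        301|302|307|308) ;;
        *) echo "FAIL: status ${status:-none}, plain HTTP is not redirected"; return 1 ;;
    esac
    # The target must be the same host over HTTPS, not another site.
    case $location in
        "https://$host"|"https://$host/"*) echo "OK: $status -> $location"; return 0 ;;
        *) echo "FAIL: redirect target is '$location'"; return 1 ;;
    esac
}

# Constructed sample: headers of a response that redirects to HTTPS.
sample_redirect() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://mycluster.myproject.com/\r\nServer: cloudflare\r\n\r\n'
}

# Constructed sample: the page is served over plain HTTP with no redirect.
sample_plain() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
}
```

A FAIL result means the site is still reachable over plain HTTP or redirects somewhere unexpected, so recheck the Edge Certificates setting before switching the cluster entry point.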