Hello!
I was unable to get my website to work with a Fly SSL certificate while the Cloudflare proxy was enabled. I tried as many combinations of settings as I could find, but none worked. It seems that Fly SSL is not capable of supporting a CDN like Cloudflare.
I figured out how to use the Cloudflare proxy in front of the Fly server anyway. My end goal was to:
- Force `https` with a valid SSL certificate.
- Allow Cloudflare to proxy the site so you can set up DDoS protection, caching, and redirect rules.
How to Use Fly SSL
I found the only way for Fly SSL certs to work was to disable Cloudflare features:
- Disable proxies on all A and AAAA and CNAME records that link to your Fly app in [DNS > Records].
- Disable universal SSL in [SSL/TLS > Edge Certificates].
This gave me a working website with SSL provided by `flyctl certs` and http->https redirection provided by the Fly server via `[http_service] force_https = true`.
However, I still needed a way to redirect from `*.com` to `www.*.com` for my application to work as expected. And Cloudflare can't perform redirects unless you enable their proxy! So I figured, maybe I can use an SSL certificate generated by Cloudflare instead of Fly.
How to Use Cloudflare SSL
- Use `flyctl certs remove` to delete any certificates listed by `flyctl certs list`.
- Select `Full (Strict)` in [SSL/TLS > Overview > Configure > Custom SSL/TLS].
- Enable universal SSL in [SSL/TLS > Edge Certificates].
- Enable proxies on all AAAA and CNAME records that link to your Fly app in [DNS > Records].
- Delete any A records in [DNS > Records]; the Cloudflare proxy will provide IPv4 addresses for DNS internally; Fly shared IPs mess up Cloudflare (see Cloudflare 525 error randomly occurs - #45 by morse).
This gets the website live and working with HTTPS as before. Except now, we can take advantage of our Cloudflare proxy! In my case, I made some redirect rules in [Rules > Overview > + Create Rule > Redirect Rule]:
| Rule name | If incoming requests match… | Request URL | Target URL | Status code | Place at |
|---|---|---|---|---|---|
| http:https | Wildcard Pattern | `http://*` | `https://${1}` | 301 | First |
| @:www | Wildcard Pattern | `https://example.com*` | `https://www.example.com${1}` | 301 | Last |
Now the website works according to my needs.
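The two redirect rules in the table, modelled as an added example (this is not code from the post or from Cloudflare): a small Python simulator that compiles Cloudflare-style wildcard patterns, fires only the first matching rule per request, and follows the resulting chain so you can confirm that every entry URL settles on `https://www.example.com` without a redirect loop. The rule list and sample URLs are constructed from the table above.

```python
import re
from typing import List, Optional, Tuple

# Rule = (name, wildcard pattern, target with ${n} placeholders, status code).
# Constructed from the post's two rules, in Cloudflare evaluation order
# ("First" then "Last"); only the first matching rule fires per request.
Rule = Tuple[str, str, str, int]
RULES: List[Rule] = [
    ("http:https", "http://*", "https://${1}", 301),
    ("@:www", "https://example.com*", "https://www.example.com${1}", 301),
]

def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a wildcard pattern to an anchored regex; every '*' becomes a
    capture group so that ${1}, ${2}, ... in the target can refer to it."""
    literal_parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + "(.*)".join(literal_parts) + "$")

def apply_rule(url: str, pattern: str, target: str) -> Optional[str]:
    """Return the redirect target for url, or None if the pattern does not match."""
    m = wildcard_to_regex(pattern).match(url)
    if m is None:
        return None
    return re.sub(r"\$\{(\d+)\}", lambda ph: m.group(int(ph.group(1))), target)

def resolve(url: str, rules: List[Rule] = RULES, max_hops: int = 5):
    """Follow the redirect chain a client would see; return (final_url, hops).
    Raises RuntimeError when the chain does not settle within max_hops (a loop)."""
    hops: List[Tuple[str, int, str]] = []
    current = url
    for _ in range(max_hops):
        for name, pattern, target, status in rules:
            nxt = apply_rule(current, pattern, target)
            if nxt is not None:
                hops.append((name, status, nxt))
                current = nxt
                break  # first matching rule wins; the client re-requests
        else:
            return current, hops  # no rule matched: the request reaches Fly
    raise RuntimeError(f"redirect loop starting at {url}: {hops}")

def chain_is_loop_free(url: str, rules: List[Rule] = RULES) -> bool:
    """True when url settles on a final URL within max_hops under these rules."""
    try:
        resolve(url, rules)
        return True
    except RuntimeError:
        return False

if __name__ == "__main__":
    for entry in ("http://example.com/a?b=1", "https://example.com/", "https://www.example.com/x"):
        print(entry, "->", resolve(entry))
```

Run it before and after editing rules in the Cloudflare dashboard; a pair of rules that send a hostname back and forth shows up as a `RuntimeError` here instead of as a 525 or "too many redirects" page in production.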
In conclusion, I think it's best to not use `flyctl certs` with Cloudflare, if you want to take advantage of Cloudflare's proxy features. Have Cloudflare manage your SSL certs instead.
Edit: Fixes to avoid error 525 when accessing content through Cloudflare (see Cloudflare 525 error randomly occurs).