Cloudflare with http3

I’m trying to use HTTP/3 for my fly.io app. This is my current setup, and it was working before I set up Cloudflare:

primary_region = "nrt"

[build]
  dockerfile = "Dockerfile"

[[services]]
  internal_port = 3443
  protocol = "tcp"
  force_https = true
  processes = ["app"]
  [[services.ports]]
    handlers = ["tls"]
    port = 443
    tls_options = { "alpn" = ["h2"] }
  [[services.tcp_checks]]
    interval = "10s"
    timeout = "2s"

[[services]]
  internal_port = 3000
  protocol = "tcp"
  force_https = true
  processes = ["app"]
  [[services.ports]]
    handlers = ["tls"]
    port = 8080
    tls_options = { "alpn" = ["http/1.1"] }
  [[services.tcp_checks]]
    interval = "10s"
    timeout = "2s"

[[vm]]
  memory = "512mb"
  cpu_kind = "shared"
  cpus = 1

I set the A record and AAAA record, and enabled HTTP/3 (QUIC) in Cloudflare. But I get this error from my backend: "This site can’t provide a secure connection. mywebsite.com uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH. Unsupported protocol. The client and server don’t support a common SSL protocol version or cipher suite."
(My Cloudflare option is not Full (strict) mode, btw.)
How can I fix this issue?

Hi,

Adding Cloudflare into the mix can add complications because Fly’s not expecting that. It’s sitting in front, as a proxy (I assume you are using an orange-cloud record anyway, as you mention wanting its http3).

If using A/AAAA doesn’t work … one thing you could try is instead using a CNAME to appname.fly.dev. That used to be supported. It was a trick I used a while back to get Cloudflare → Fly to work. Can’t hurt to try if what you currently have is not working. Can always swap the records back if not. There will be a bit of downtime due to the DNS caching but Cloudflare has a pretty low TTL.

1 Like

What’s the minimum TLS version configured on Cloudflare? Maybe there’s a mismatch.

1 Like

Hi Greg! I tried with a CNAME, but it’s not working :sob:

I set it to 1.2, but it’s still not working :sob:

Hmm …

If you’ve tried the various SSL strict/full/flexible options to eliminate that as the cause and the TLS version …

Are you using a shared IPv4 address for your Fly app?

If so, you will also need to create an SSL cert at Fly’s end (despite technically not using it, if you go via Cloudflare for TLS).

That cert is how Fly knows how to route the incoming request. If apps A, B and C all share an IP like 1.2.3.4, they wouldn’t know which app should handle a request for your custom-domain.com. The cert links a custom domain to an app. Scroll a bit down here for more:

1 Like

Hi Greg! Thanks for your comment!
I tried with the Flexible option, but it’s still not working :sob:
And I’m not using a shared IPv4. I’m using a paid plan for IPv4 and have RSA and ECDSA certificates for my domain. :sob:

1 Like

Ah :thinking:

I would try turning off Cloudflare (click the cloud to toggle it to grey) to be doubly sure that it works without it. That will check that your Fly cert etc. is OK.

Then turn it on, and check again.

I found this random mention of that error in their docs but not sure it’s applicable to this set up. Perhaps their community forum has some suggestions? People probably get it with other cloud/PaaS.
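The "grey-cloud it and compare" check above can be scripted. The following is an added example, not code from the thread or from Fly or Cloudflare: it performs a TLS handshake twice with the same SNI hostname, once against the Fly origin's IP (the grey-cloud path) and once against the Cloudflare-proxied hostname, records the negotiated TLS version, cipher and ALPN protocol, and turns the pair of results into a short diagnosis. The hostname, IP address and ALPN list are placeholders you would replace with your own; the diagnosis labels are constructed for this example.

```python
"""Compare a direct-to-origin TLS handshake with one through the proxy.

Constructed example for diagnosing ERR_SSL_VERSION_OR_CIPHER_MISMATCH
style failures when a CDN sits in front of a Fly app. Hostnames and
IPs below are placeholders, not real deployments.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class ProbeResult:
    target: str                     # what we connected to (IP or hostname)
    ok: bool                        # did the handshake complete?
    tls_version: Optional[str] = None
    cipher: Optional[str] = None
    alpn: Optional[str] = None      # protocol the server picked, if any
    error: Optional[str] = None     # exception text on failure


def probe_tls(sni_host: str, connect_addr: str, port: int = 443,
              alpn: Sequence[str] = ("h2", "http/1.1"),
              timeout: float = 5.0) -> ProbeResult:
    """Handshake with connect_addr while presenting sni_host as SNI.

    Passing the origin's IP as connect_addr reproduces the grey-cloud
    path without touching DNS; passing the hostname goes via the proxy.
    Certificate validation stays on, so a missing or mismatched cert is
    reported as a failure rather than silently accepted.
    """
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(list(alpn))
    try:
        with socket.create_connection((connect_addr, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni_host) as tls:
                cipher = tls.cipher()
                return ProbeResult(
                    target=connect_addr,
                    ok=True,
                    tls_version=tls.version(),
                    cipher=cipher[0] if cipher else None,
                    alpn=tls.selected_alpn_protocol(),
                )
    except (ssl.SSLError, OSError) as exc:
        return ProbeResult(target=connect_addr, ok=False,
                           error=f"{type(exc).__name__}: {exc}")


def diagnose(direct: ProbeResult, proxied: ProbeResult) -> str:
    """Classify the pair of probes; labels are constructed for this example."""
    if not direct.ok:
        # The origin itself fails: fix the Fly cert / TLS handler before
        # looking at the proxy at all.
        return "origin-tls-broken"
    if not proxied.ok:
        # Origin is fine but the proxied path is not: look at the edge
        # (SSL mode, minimum TLS version, edge certificate coverage such
        # as Total TLS, which is what resolved the thread above).
        return "edge-path-broken"
    if proxied.alpn != direct.alpn:
        # Both work, but the edge negotiated a different application
        # protocol than the origin offers; worth knowing when only h2
        # is advertised on a port, as in the fly.toml in this thread.
        return "alpn-differs"
    return "ok"


if __name__ == "__main__":
    # Placeholder values; substitute your hostname and the Fly IPv4.
    host = "app.example.com"
    fly_origin_ip = "203.0.113.10"   # documentation-range placeholder
    direct = probe_tls(host, fly_origin_ip)
    proxied = probe_tls(host, host)
    for r in (direct, proxied):
        print(f"{r.target}: ok={r.ok} tls={r.tls_version} "
              f"cipher={r.cipher} alpn={r.alpn} error={r.error}")
    print("diagnosis:", diagnose(direct, proxied))
```

Run it once with the orange cloud on and once with it off; if the direct probe succeeds while the proxied one fails, the origin is not the problem and the edge settings are where to look, which matches the order of elimination Greg suggests above.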

WOW Greg! You saved my life again!! :star_struck: Thank you sooo much!
I read that Cloudflare doc and enabled Total TLS, and it’s working!! Thanks!!

1 Like
