Use Cloudflare's Universal SSL for quick & dirty API integrations

JR Morgan

2 minute read

Why?

If you’re working on a development appliance or hosted platform (e.g. ServiceNow Developer Instances, OpenShift Online, etc.) you may not have the access (or the time) needed to distribute your internal or self-signed CA certificate so that outside systems trust your internet-facing services. This is especially true in lab situations. A concrete example:

  • I’m evaluating Ansible Tower & its API needs to be accessed by a ServiceNow Developer instance provided & hosted by ServiceNow, presumably from AWS
  • I’ve established appropriate port forwarding rules to allow external access to the VM hosting Tower (in my home lab)
  • I’m already leveraging Cloudflare DNS to dynamically update an A Record (“DNS Only”, as DDNS updates are incompatible with records set for “DNS and HTTP proxy (CDN)”)
  • I’m already leveraging Universal SSL for my primary website

How

  1. Create a new CNAME record in Cloudflare’s “DNS” Management console, pointing at the hostname of the A record your DDNS client keeps up to date
  2. Ensure the CNAME record is configured for “DNS and HTTP proxy (CDN)” - The A record stays “DNS Only” so DDNS updates keep landing when your home IP changes, while the proxied CNAME is the name that gets Universal SSL
  3. From Cloudflare’s “Crypto” Management console, ensure “Universal SSL” is enabled for your domain
  4. From the same console, set “SSL” to Full, or Full (Strict) if you’ve installed Cloudflare Origin Certificates on the services you manage - Flexible also works with Universal SSL, but it only encrypts the client-to-Cloudflare leg; Cloudflare then talks plain HTTP to your origin, so API credentials would cross the internet in the clear. Full accepts your origin’s self-signed certificate without validating it; Full (Strict) validates it
  5. From Cloudflare’s “Firewall” Management console, click the “Web Application Firewall” button. Ensure “Web Application Firewall” is Off - This setting may be optional, but I encountered Error 1010 issues when it was left enabled while testing outbound REST API requests from ServiceNow to Ansible Tower
  6. Test your API/service endpoint access using the new CNAME - You can access your CNAME locally if your router supports NAT loopback/reflection/hairpinning - You could also test using something like Online Curl

If everything is properly configured you should be able to curl any given endpoint with a valid Universal SSL certificate provided by Cloudflare.
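The same procedure driven from the command line, as an added example that is not part of the original post. It uses Cloudflare’s v4 API (the `dns_records` and `settings/ssl` endpoints) and curl; the zone id, API token, the names `tower.example.com` (new proxied CNAME) and `home.example.com` (existing DNS-only, DDNS-updated A record), and Tower’s `/api/v2/ping/` health path are assumptions for illustration. It goes one step further than the list above by refusing the Flexible SSL mode, since that mode leaves the Cloudflare-to-origin leg unencrypted:

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names:
#   CF_ZONE_ID / CF_API_TOKEN - your zone id and a token with DNS:Edit + Zone Settings:Edit
#   tower.example.com         - the new proxied CNAME
#   home.example.com          - the existing DNS-only A record that DDNS keeps current
#   /api/v2/ping/             - Ansible Tower's unauthenticated health endpoint
set -eu

CF_API="https://api.cloudflare.com/client/v4"

# Steps 1-2: body for a proxied CNAME. ttl=1 is Cloudflare's "automatic", which
# proxied records must use. Pure function, so it can be tested offline.
cname_payload() {
  printf '{"type":"CNAME","name":"%s","content":"%s","proxied":true,"ttl":1}' "$1" "$2"
}

# Step 4: body for the zone "ssl" setting. Refuses "flexible": in that mode
# Cloudflare terminates TLS at the edge and speaks plain HTTP to the origin,
# so API tokens would cross the internet in clear text. "full" accepts the
# origin's self-signed cert; "strict" requires a trusted (e.g. Origin CA) cert.
ssl_mode_payload() {
  case "$1" in
    full|strict) printf '{"value":"%s"}' "$1" ;;
    flexible)    echo "refusing 'flexible': edge-to-origin traffic would be plaintext" >&2; return 1 ;;
    *)           echo "unknown SSL mode: $1" >&2; return 2 ;;
  esac
}

# Thin wrapper around the API: cf_api METHOD PATH [JSON_BODY]
cf_api() {
  if [ $# -ge 3 ]; then
    curl -fsS -X "$1" "$CF_API$2" \
      -H "Authorization: Bearer $CF_API_TOKEN" \
      -H "Content-Type: application/json" --data "$3"
  else
    curl -fsS -X "$1" "$CF_API$2" \
      -H "Authorization: Bearer $CF_API_TOKEN"
  fi
}

# Step 6: hit the service through the new name and report the HTTP status plus
# curl's certificate verification result (0 means the chain validated against
# the system trust store, i.e. the Cloudflare edge cert is accepted without -k).
verify_endpoint() {
  curl -sS -o /dev/null -w '%{http_code} %{ssl_verify_result}\n' "https://$1$2"
}

# Only touch the network when explicitly asked: ./cf-tower.sh apply
if [ "${1:-}" = "apply" ]; then
  : "${CF_ZONE_ID:?set CF_ZONE_ID}" "${CF_API_TOKEN:?set CF_API_TOKEN}"
  cf_api POST  "/zones/$CF_ZONE_ID/dns_records" "$(cname_payload tower.example.com home.example.com)"
  cf_api PATCH "/zones/$CF_ZONE_ID/settings/ssl" "$(ssl_mode_payload full)"
  verify_endpoint tower.example.com /api/v2/ping/
fi
```

Run it with `apply` once the two environment variables are set; without the argument it only defines the functions. A `200 0` from the last line means the request reached Tower through Cloudflare and the certificate chain validated, which is exactly what the ServiceNow instance needs to see.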

Now What?

Now that your local service or API endpoints can be accessed securely with a valid SSL cert, why not try integrating a couple of products, like ServiceNow and Ansible Tower? Keep in mind that the Universal SSL certificate only covers the client-to-Cloudflare leg: the DNS-only A record still exposes your home IP, so anyone can bypass Cloudflare and hit the origin directly unless your port forwarding rule is restricted to Cloudflare’s IP ranges.

Feature image by RobH GFDL, CC-BY-SA-3.0 or CC BY 2.5, from Wikimedia Commons
