Full HTTPS/TLS Setup for All Resources
When tunneling resources with Coolify through Cloudflare, Cloudflare typically handles HTTPS and TLS termination, while Coolify runs your resources over HTTP.
This setup works for most users, but some may face issues with URL mismatches, especially for apps that require HTTPS on Coolify to issue JWT tokens or handle callback URLs.
This guide solves that issue by configuring your resources to run fully on HTTPS: Cloudflare still terminates TLS at its edge, but the tunnel now connects to your Coolify proxy over HTTPS as well, so the connection is encrypted end to end and your app sees the HTTPS scheme it expects.
Who is this for?
This guide is ideal for users who:
- Have followed our Tunnel All Resources Using Cloudflare Tunnel or Tunnel Specific Resources Using Cloudflare Tunnel guide.
- Need their resources deployed with Coolify to run on HTTPS for applications requiring HTTPS for JWT issuance, callback functions, or similar features.
Setup Requirements
To follow this guide, you'll need:
- A working Cloudflare tunnel setup as described in the previous guides.
- A domain configured in Cloudflare to handle HTTP traffic and redirect to HTTPS.
Before We Start
- If your Coolify instance is on the same tunnel as the domain you want to configure, make sure you can access the Coolify Dashboard using the server IP and port (e.g., 203.0.113.1:8000) before starting these steps.
- The default port is 8000, but if you’ve changed or disabled it, ensure you can access the Coolify Dashboard through the new port or that port 8000 is re-enabled on the server.
Example Data
The following data is used as an example in this guide. Please replace it with your actual data when following the steps:
- IPv4 Address of Origin Server: 203.0.113.1
- Domain Name: shadowarcanist.com
- Username: shadowarcanist
1. Setup Origin TLS Certificate
Communication between Cloudflare and your origin server is encrypted with TLS, so your origin needs a certificate to present.
There are two ways to get one:
- Use a TLS certificate from Cloudflare
- Get your own TLS certificate from a trusted public Certificate Authority (this requires a DNS challenge)
Here's a concise comparison table between a Cloudflare Origin Certificate and a Public CA Certificate:
| Feature | Cloudflare Origin Certificate | Public CA Certificate |
|---|---|---|
| Trusted By | Cloudflare only | Browsers, OSs, Cloudflare |
| Use Case | Cloudflare ↔ Origin only | Any direct client |
| Direct Browser Access | Shows certificate errors if users bypass Cloudflare | ✅ Works normally |
| Requires CF Proxy | ✅ Yes | ❌ No |
| Works Without CF | ❌ No | ✅ Yes |
| Issuer | Cloudflare | Public CA (eg: Let's Encrypt) |
| Cost | Free | Free |
| DNS Challenge | ❌ No | ✅ Yes |
Tip
If you plan to have Cloudflare always in front of your application, use a Cloudflare Origin Certificate. Otherwise, use a Public CA Cert.
There are two ways to set up the origin TLS certificate, so follow one of the methods below:
A simple high-level overview diagram to give you a visual idea of how this works:

A. Create Cloudflare Origin Certificate

- In your Cloudflare dashboard, go to SSL/TLS.
- Select Origin Server.
- Select Origin Certificates
- Click the Create Certificate button.

- Choose RSA (2048) for the key type.
- Add the hostnames you want the certificate to cover.
- Set the certificate validity to 15 years.
- Click the Create button.
HEADS UP!
shadowarcanist.com will cover only the main domain. *.shadowarcanist.com will cover all subdomains.
On Cloudflare's free plan, wildcard certificates cover just one level of subdomains.
For example, *.shadowarcanist.com works for coolify.shadowarcanist.com but not for www.coolify.shadowarcanist.com.
To cover multiple levels, you'll need to purchase the Advanced Certificate Manager.

- Choose PEM as the key format.
- Copy your Origin Certificate and save it somewhere safe
- Copy your Private Key and save it somewhere safe
- Click the Ok button.
Next, you'll add these to your server running Coolify and configure Coolify to use this certificate.
B. Add Certificate to Your Server
SSH into your server or use Coolify's terminal feature. For this guide, I’m using my external terminal:
Once logged in, navigate to the Coolify proxy directory:
$ cd /data/coolify/proxy
Certificate locations vary slightly between Caddy and Traefik, so follow the subsection for the proxy you are using.
Traefik
Create the certs directory:
$ mkdir certs
Verify it was created:
$ ls
> acme.json certs docker-compose.yml dynamic
Now, navigate into the certs directory:
$ cd certs
Caddy
Create the caddy/data/certs directory:
$ mkdir -p caddy/data/certs
Verify it was created:
$ ls caddy/data
> certs
Now, navigate into the certs directory:
$ cd caddy/data/certs
Create two new files for the certificate and private key:
$ touch shadowarcanist.cert shadowarcanist.key
Verify the files were created:
$ ls
> shadowarcanist.cert shadowarcanist.key
Open the shadowarcanist.cert file and paste the certificate from the Cloudflare dashboard. Paste the whole PEM block, including the BEGIN and END lines:
$ nano shadowarcanist.cert
Save and exit after pasting the certificate.
Do the same for the shadowarcanist.key file and paste the private key:
$ nano shadowarcanist.key
Save and exit.
Now the origin certificate is installed on your server.
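Before pointing the proxy at the two files, it is worth checking that what you pasted is usable: that both files parse as PEM, that the private key actually belongs to the certificate, that the certificate has not expired, and that its Subject Alternative Names cover every hostname you will serve (keeping in mind the one-level wildcard rule from the HEADS UP above). The following POSIX shell function is an added example and is not part of the Coolify or Cloudflare documentation; it assumes the openssl CLI (1.1.1 or newer) is installed on the server and uses the file names from this guide.

```shell
#!/bin/sh
# Added example (not from the Coolify docs): sanity-check an origin
# certificate/private key pair before the proxy is configured to use it.
# Assumes the openssl CLI (1.1.1 or newer, for the -ext option) is installed.
# Usage: verify_origin_cert CERT_FILE KEY_FILE HOSTNAME

verify_origin_cert() {
    cert="$1"; key="$2"; host="$3"

    [ -r "$cert" ] || { echo "missing certificate: $cert"; return 1; }
    [ -r "$key" ]  || { echo "missing private key: $key"; return 1; }

    # Both files must parse as PEM. A missing BEGIN/END line or a stray
    # character from the paste into nano is the most common failure here.
    openssl x509 -noout -in "$cert" 2>/dev/null ||
        { echo "certificate does not parse as PEM"; return 1; }
    openssl pkey -noout -in "$key" 2>/dev/null ||
        { echo "private key does not parse as PEM"; return 1; }

    # The public key embedded in the certificate must equal the public
    # half of the private key, or the proxy will refuse to load the pair.
    # Comparing exported public keys works for both RSA and ECC keys.
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "certificate and private key do not match"; return 1; }

    # -checkend 0 fails if the certificate is already expired.
    openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1 ||
        { echo "certificate has expired"; return 1; }

    # The private key should not be readable by other users on the host.
    case "$(ls -l "$key" | cut -c5-10)" in
        ------) ;;
        *) echo "warning: $key is readable by group/other; consider chmod 600" ;;
    esac

    # The hostname must appear in the subjectAltName extension, either
    # exactly or via a wildcard. A wildcard covers only one label, so
    # *.shadowarcanist.com covers coolify.shadowarcanist.com but not
    # www.coolify.shadowarcanist.com, which is the guide's caveat.
    sans=$(openssl x509 -noout -ext subjectAltName -in "$cert" 2>/dev/null |
        tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p')
    parent="${host#*.}"
    for san in $sans; do
        [ "$san" = "$host" ] && return 0
        [ "$parent" != "$host" ] && [ "$san" = "*.$parent" ] && return 0
    done
    echo "no subjectAltName entry covers $host"
    return 1
}
```

Run it from the certs directory as `verify_origin_cert shadowarcanist.cert shadowarcanist.key coolify.shadowarcanist.com`; it prints the first problem it finds and returns non-zero, and returns zero when the pair is ready to use. If it warns about permissions, `chmod 600 shadowarcanist.key` restricts the key to root, which is all the proxy container needs.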
C. Configure the Coolify Proxy to Use the Origin Certificate

- Go to the Server section in the sidebar.
- Select Proxy.
- Open the Dynamic Configuration page.
- Click the Add button.
You will now be prompted to enter the Dynamic Configuration.
The dynamic configuration file varies slightly between Caddy and Traefik, so follow the subsection for the proxy you are using.

Traefik
- Choose a name for your configuration (must end with .yaml).
- Enter the following details in the configuration field:
tls:
  certificates:
    - certFile: /traefik/certs/shadowarcanist.cert
      keyFile: /traefik/certs/shadowarcanist.key
- Save the configuration.
Adding multiple certificates
If you want to add multiple certificates and keys, you can do it like this:
tls:
  certificates:
    - certFile: /traefik/certs/shadowarcanist.cert
      keyFile: /traefik/certs/shadowarcanist.key
    - certFile: /traefik/certs/name2.cert
      keyFile: /traefik/certs/name2.key
    - certFile: /traefik/certs/name3.cert
      keyFile: /traefik/certs/name3.key
Caddy
- Choose a name for your configuration (must end with .caddy).
- Enter the following details in the configuration field:
*.shadowarcanist.com, shadowarcanist.com {
  tls /data/certs/shadowarcanist.cert /data/certs/shadowarcanist.key
}
Note
The wildcard *.shadowarcanist.com provides coverage for all subdomains; leave it out if you're only securing a single domain (i.e., shadowarcanist.com).
- Save the configuration.
Adding multiple certificates
If you want to add multiple certificates and keys, you can do it like this:
*.shadowarcanist.com, shadowarcanist.com {
  tls /data/certs/shadowarcanist.cert /data/certs/shadowarcanist.key
}
*.name2.com, name2.com {
  tls /data/certs/name2.cert /data/certs/name2.key
}
*.name3.com, name3.com {
  tls /data/certs/name3.cert /data/certs/name3.key
}
From now on, Coolify will use the origin certificate for requests matching the hostname.
If you prefer a certificate from a public CA instead of a Cloudflare Origin Certificate, here is a simple high-level overview diagram to give you a visual idea of how this works:

We already have guides for setting up a DNS challenge for TLS certificates; follow the one for your proxy:
Come back to this guide after you finish setting up the DNS challenge using the guides above.
2. Setup TLS Encryption
To make Cloudflare use stricter encryption when connecting to your server, configure your TLS encryption in Cloudflare:
- Go to SSL/TLS in Cloudflare.
- Select Overview.
- Click the Configure button.
- Choose Full (Strict) as the encryption mode.
- Click the Save button.
3. Setup Always Use HTTPS
To make Cloudflare automatically redirect HTTP requests to HTTPS, configure your redirects in Cloudflare:
- In Cloudflare, go to SSL/TLS.
- Select Edge Certificates.
- Enable Always Use HTTPS.
4. Configure Tunnel to Use HTTPS
- In your tunnel's public hostname list, click the three dots icon next to the route to open the settings menu.
- Click the Edit route option.
Next, update the service URL as follows:
Change the service type from HTTP to HTTPS and the URL from localhost:80 to localhost:443, so the route points at https://localhost:443 instead of http://localhost:80.
5. Update URLs from HTTP to HTTPS
Now, update all URLs from HTTP to HTTPS in Coolify, including resources and the instance domain on the settings page.
Congratulations! All your resources are now running on HTTPS at all times.
