Setting Up Cloudflare Enterprise

twest

Hey all! When setting up Cloudflare Enterprise, did you run into any issues with Enhance config? Keep getting this error:

Misdirected Request
The client needs a new connection for this request as the requested host name does not match the Server Name Indication (SNI) in use for this connection.

On cPanel it just requires adding a alias domain with same hosting root directory as the site and it's all good, I did same on Enhance, but get the error.

Zoinkies

Hey, we have CFE, and we’ve had a lot of issues with it. Enhance needs certain ports CF doesn’t support, and internal requests fail when CF is proxying any requests internally.

We ended up scrapping CFE, our account executive got us on a call with an engineer and they couldn’t even get it working properly with CF limitations. Not an Enhance issue, but a CF support issue.

Zoinkies

Zoinkies Rules do not fix the issues, as the way CF handles requests breaks enhance’s communication with servers via Enhance CP I.e load and memory metrics. Backups also broke for us, and we wasn’t able to with CF directly get it to work without issue.

Zoinkies

Zoinkies CFE support cPanel directly and you can use cPanels ports as expected. Enhance is too modern and isn’t on CF radar yet.

twest

Zoinkies I'm not trying to use for the panel/servers, just for a website.

I think the problem has been narrowed down to an issue with the way Enhance handles aliases, it creates them as separate standalone domains with their own unique DNS and SSL. The SSL seems to be the important part because Enhance creates separate SSL certs for the website domain and the alias for the CF Enterprise passthrough, which creates the 521 misdirect.

The fix should be in getting the Enterprise hostname used for the passthrough to be able to get inserted in the same SSL cert as the website. That's what cPanel does, combines the alias hostname with the website hostnames into a single self-signed cert. I'm talking with Adam in support to see if we can figure out a workaround.

Thanks for chiming in though, appreciate the extra ideas 🙂

Rich

Where I have the infrastructure on it's own domain away from CF, I have a big website under CF Pro and it has over a dozen subdomains within it's DNS. If it's CF for just the website then I've not seen any issues.

One thing I did do to make enhance and CF play nice with SSL generation was change all the alias to subdomains within enhance for these sites, Point the public_dir back to / of the primary domain, set the primary certificate as CloudFlare's issued one within enhance. All subdomains get LE Issued certs thanks to enhance. So TLS chain is supported from browser to origin. This is using the CF API Link within enhance.

No issues so far, but ask me again around 14th Feb if enhance re-issued the certs for all the subdomains ok 🙂

twest

Rich CF works fine for me elsewhere, it's just getting the DNS passthrough from the CF account which then goes through the separate Enterprise CF account to then resolve to the site correctly.

I generated a new self signed SSL with all the hostnames (www.website.com, website.com, enterprise-passthrough-domain.com) and installed that for both the website and the alias, and now waiting to test if that fixed the 421 misdirect. It's currently throwing a 'cname cross user banned' Cloudflare error which I think I just need the Enterprise account holder to fix by reverifying hostnames on their side... Crossing my fingers this does the trick, or else my next step will be customizing the Enhance vhost files to see what the difference is vs cpanel.