• Osayidan@social.vmdk.ca · 3 upvotes · 1 year ago

    If you mean accessing them from within your LAN while your internet is down, then no, it won’t work.

    What you should be doing is either split-horizon DNS (LAN resolves local IPs, public resolves public IPs) or using different DNS hostnames internally, for example media.local.yourdomain.com.

    You then set up a reverse proxy in your LAN and point everything to that, and use a Let’s Encrypt wildcard cert obtained with the DNS challenge method so you can get *.yourdomain.com protected with a single cert. Since you use Cloudflare you can use the Cloudflare API plugin with certbot; it’ll automate everything for the DNS challenge, and there’s no need to keep opening ports or configuring HTTP/HTTPS challenges every couple of months.

  • Haui@discuss.tchncs.de · 0 upvotes · 1 year ago

    I’m not totally sure what you are trying to accomplish.

    To access your LAN services over HTTPS you need a certificate, DNS and a reverse proxy (at least that’s how I do it).

    I know Cloudflare does reverse proxy stuff but I’m not too deep into that.

    So if you mean you expose your services to Cloudflare and access them from the web: yes, they’re gonna be down. If you have another way of accessing them on LAN (e.g. ip:port) then you should be able to at least reach them, but HTTPS is not going to work.

    For that you can use a local certificate. It’s a bit of work, but if you have a domain and Nginx Proxy Manager, you’ll be good. Let me know if you need help.

    • sum_yung_gai@lemm.ee (OP) · 0 upvotes · 1 year ago

      I have a reverse proxy (Traefik) on my LAN to handle subdomain service routing. I want HTTPS but don’t want to have to install certs on all the clients using the services. I want the ‘s’ but don’t want my services to be unavailable if my internet goes down.

      • TheDevil@lemmy.world · 1 upvote · 1 year ago

        If your only goal is working HTTPS then, as the other comment correctly suggests, you can do DNS-01 authentication with Let’s Encrypt + Certbot + some brand of DynDNS.

        However, the other comment is incorrect in stating that you need to expose an HTTP server. This method means you don’t need to expose anything. For instance, if you do it with HA:

        https://github.com/home-assistant/addons/blob/master/letsencrypt/DOCS.md

        Certbot uses the API of your DDNS provider to authenticate the cert request by adding a TXT record and then pulls the cert. No proxies, no exposed servers and no fuss. Point the A record at your RFC 1918 IP.

        You can then configure your DNS to keep serving cached responses. I think, though, that SSL will still be broken while your connection is down, but you will be able to access your services.

      • vividspecter@lemm.ee · 1 upvote · edited · 1 year ago

        I don’t know if Cloudflare can do this, but I have a different DDNS + Let’s Encrypt setup and I configure my router to set the same local domain as the public domain (in OpenWrt it’s local server + local domain, although I’m not aware of the distinction between the two). So when requests are sent over LAN (or over a VPN) the router points me to the LAN device directly, rather than needing to go through external DNS. HTTPS still works since to the client it’s the same domain as the certificate is linked to.

        Hope that makes sense, as I haven’t fully got my head around it. I just know it works (indeed I just disabled my internet to test, and the services are still accessible over HTTPS).
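The DNS-01 wildcard setup that the three comments above describe (Osayidan's certbot + Cloudflare plugin, TheDevil's TXT record and RFC 1918 A record, vividspecter's router-level split horizon), as an added example that is not from the thread and is not certbot's, Cloudflare's or OpenWrt's own code. It does by hand what the DNS plugin does (computes the `_acme-challenge` TXT record per RFC 8555 from an ACME token and account key), checks which hostnames a wildcard certificate actually covers, and emits the one dnsmasq line that makes the LAN resolver answer the public domain with the proxy's private address. The domain yourdomain.com, the LAN address 192.168.1.10, the token and the account JWK are all constructed for the example; nothing here touches the network.

```python
"""Pieces of the DNS-01 + wildcard + split-horizon setup, done by hand.

Added example; not code from the thread, certbot, Cloudflare or OpenWrt.
Every input (token, account key, names, LAN address) is constructed, and
nothing talks to the network, so the reasoning can be checked offline.
"""
import base64
import hashlib
import ipaddress
import json

# The three private ranges from RFC 1918, checked explicitly rather than via
# ipaddress.is_private (which also covers loopback, link-local, test nets).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def sha256_b64url(data: bytes) -> str:
    """SHA-256, then base64url without '=' padding: the encoding ACME (RFC 8555) uses."""
    digest = hashlib.sha256(data).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: only the required members,
    lexically ordered, no whitespace. Optional members such as alg/kid are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return sha256_b64url(canonical.encode("ascii"))


def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """(name, value) of the TXT record a DNS plugin publishes for one identifier.

    keyAuthorization = token '.' thumbprint(accountKey)
    TXT value        = base64url(SHA-256(keyAuthorization))
    For a wildcard identifier the '*.' is dropped (RFC 8555 section 7.1.3), so
    '*.yourdomain.com' and 'yourdomain.com' are both proven at
    _acme-challenge.yourdomain.com.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return f"_acme-challenge.{base}", sha256_b64url(key_authorization.encode("ascii"))


def wildcard_matches(san: str, hostname: str) -> bool:
    """Does a certificate name cover hostname? '*' stands for exactly one leftmost
    label (RFC 6125 / RFC 9525), which is what browsers enforce."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in san:
        return san == hostname
    san_labels, host_labels = san.split("."), hostname.split(".")
    # The wildcard must be the whole leftmost label with at least two labels to
    # its right; public CAs will not issue '*.com' or 'med*.example.com' anyway.
    if san_labels[0] != "*" or len(san_labels) < 3:
        return False
    return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]


def san_names_needed(base_domain: str, hostnames: list[str]) -> list[str]:
    """Smallest set of names to request (one -d each) so every hostname is
    covered: the apex itself plus one wildcard per distinct parent name."""
    names = set()
    for host in hostnames:
        host = host.lower().rstrip(".")
        if host == base_domain:
            names.add(host)
        else:
            names.add("*." + host.split(".", 1)[1])
    return sorted(names)


def is_rfc1918(ip: str) -> bool:
    """True if an A record answer is RFC 1918 space, i.e. only reachable on the LAN."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def dnsmasq_split_horizon(base_domain: str, lan_ip: str) -> str:
    """One dnsmasq line (the resolver behind OpenWrt) that answers base_domain and
    every name under it with the LAN proxy address, overriding the public record."""
    if not is_rfc1918(lan_ip):
        raise ValueError(f"{lan_ip} is not an RFC 1918 address")
    return f"address=/{base_domain}/{lan_ip}"


# Constructed inputs for the demonstration: not a real account key or challenge.
EXAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0", "alg": "ES256", "kid": "acct-1"}
EXAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    name, value = dns01_record("*.yourdomain.com", EXAMPLE_TOKEN, EXAMPLE_JWK)
    print(f"{name} TXT {value}")
    print(san_names_needed("yourdomain.com",
                           ["yourdomain.com", "media.yourdomain.com", "media.local.yourdomain.com"]))
    print(dnsmasq_split_horizon("yourdomain.com", "192.168.1.10"))
```

Two caveats the functions make visible. A `*.yourdomain.com` certificate covers `media.yourdomain.com` but neither `yourdomain.com` itself nor `media.local.yourdomain.com`, so the `media.local.` naming scheme needs `-d '*.local.yourdomain.com'` as well (one `certbot certonly --dns-cloudflare --dns-cloudflare-credentials <file> -d ... -d ...` run can carry all of them, and the two wildcards are validated at `_acme-challenge.yourdomain.com` and `_acme-challenge.local.yourdomain.com`). And the credentials file that certbot reads can rewrite your whole zone, so use a Cloudflare API token scoped to DNS edit on that one zone rather than the global API key, and keep the file mode 0600.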

      • redcalcium@lemmy.institute · 1 upvote · edited · 1 year ago

        Then no, you won’t be able to access your service via HTTPS when your internet is down, because it’s terminated at Cloudflare’s server. You can still access your service directly without HTTPS, or with HTTPS but with a self-signed certificate.