We have been using a DDoS protection service from the very beginning, and their staff says it is important that our software never ever exposes the origin IP in any way.
Besides turning off emails entirely, are there any settings that we can put in app.yml that will help with this globally?
For instance, one of the things that confuses me is: when Discourse issues an SSL certificate with Let’s Encrypt, will Discourse expose the origin IP, or will it make Let’s Encrypt validate by URL, not by IP?
Let’s Encrypt may not enroll correctly at all if the server isn’t directly accessible. If Cloudflare’s orange cloud is turned on for example this can screw up the challenge.
You can’t use Let’s Encrypt. They will need to supply certs on their reverse proxy.
They should provide an email server that will remove your IP from the email headers, but really, leaking your IP isn’t a problem if you firewall access to your server and allow access only from their server.
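As an added example (not code from this thread, and not something Discourse or the DDoS-protection vendor ships): a small Python check for the two leak paths the reply above mentions, namely DNS records and the Received: headers of mail the forum sends out. The hostnames, addresses (RFC 5737 / RFC 3849 documentation ranges) and header lines are constructed for the example; in practice you would feed it your own zone data and the raw headers of a message the forum delivered to you.

```python
"""Origin-IP leak check: DNS records and outbound e-mail headers.

Added example, not code from the thread. All hostnames, IPs and header
lines below are constructed; replace them with real zone data and the
raw headers of a message your forum sent.
"""
import email
import ipaddress
import re
from typing import Dict, List, Tuple

# Bracketed address literals as they appear in Received: headers, e.g.
# "[203.0.113.10]" or "[IPv6:2001:db8::1]", plus bare IPv4 literals.
BRACKET_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def same_ip(candidate: str, origin: str) -> bool:
    """True if both strings parse as the same IP address."""
    try:
        return ipaddress.ip_address(candidate) == ipaddress.ip_address(origin)
    except ValueError:
        return False


def dns_leaks(origin_ip: str, records: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """records maps a DNS name to its (rrtype, value) pairs.

    Flags A/AAAA records that resolve to the origin (the MX host is the
    classic one when the forum sends its own mail) and SPF TXT records
    whose ip4:/ip6: mechanisms cover the origin.
    """
    findings = []
    origin = ipaddress.ip_address(origin_ip)
    for name, rrs in records.items():
        for rrtype, value in rrs:
            if rrtype in ("A", "AAAA") and same_ip(value, origin_ip):
                findings.append(f"{name} {rrtype} -> {value}")
            elif rrtype == "TXT" and value.startswith("v=spf1"):
                for token in value.split():
                    if token.startswith(("ip4:", "ip6:")):
                        try:
                            net = ipaddress.ip_network(token.split(":", 1)[1], strict=False)
                        except ValueError:
                            continue
                        if origin in net:  # False when IP versions differ
                            findings.append(f"{name} TXT -> {token}")
    return findings


def email_leaks(origin_ip: str, raw_headers: str) -> List[str]:
    """Returns the header lines (first line of each folded header) that
    mention the origin address. A proxy hides the web origin, but mail
    sent directly by the forum carries the sending host in Received:."""
    msg = email.message_from_string(raw_headers)
    findings = []
    for name, value in msg.items():
        candidates = set(BRACKET_RE.findall(value)) | set(IPV4_RE.findall(value))
        if any(same_ip(c, origin_ip) for c in candidates):
            findings.append(f"{name}: {value.splitlines()[0]}")
    return findings


# Constructed sample data (documentation address ranges, not real hosts).
ORIGIN_IP = "203.0.113.10"   # the server behind the proxy
PROXY_IP = "198.51.100.5"    # the DDoS-protection front end

SAMPLE_RECORDS = {
    "forum.example.com": [("A", PROXY_IP)],                      # proxied: fine
    "mail.example.com": [("A", ORIGIN_IP)],                      # leak: MX host is the origin
    "example.com": [("MX", "10 mail.example.com"),
                    ("TXT", f"v=spf1 ip4:{ORIGIN_IP} -all")],    # leak via SPF
    "files.example.com": [("AAAA", "2001:db8::1")],
}

SAMPLE_HEADERS = """\
Received: from mail.example.com (mail.example.com [203.0.113.10])
\tby mx.recipient.example (Postfix) with ESMTPS id 4XYZ
\tfor <user@recipient.example>; Mon, 01 Jan 2024 00:00:00 +0000
Received: from localhost (localhost [127.0.0.1])
\tby mail.example.com (Postfix) with ESMTP id 1ABC
Message-ID: <abc123@forum.example.com>
From: forum@example.com
"""


def run_check(origin_ip: str = ORIGIN_IP,
              records: Dict[str, List[Tuple[str, str]]] = SAMPLE_RECORDS,
              raw_headers: str = SAMPLE_HEADERS) -> Dict[str, List[str]]:
    """Runs both checks and groups the findings by leak path."""
    return {"dns": dns_leaks(origin_ip, records),
            "email": email_leaks(origin_ip, raw_headers)}


if __name__ == "__main__":
    for kind, hits in run_check().items():
        print(f"{kind}: {'no leaks' if not hits else ''}")
        for hit in hits:
            print("  LEAK", hit)
```

With the constructed data the web host is clean (it resolves to the proxy), but the mail host's A record, the SPF ip4: mechanism and the first Received: header all give the origin away; those are exactly the records to move to the vendor's mail relay, or to hide behind the firewall rule the reply above suggests.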
They have an option where they don’t decrypt secure traffic, i.e. they “transparently” proxy it without decrypting. So I was thinking, what if I manually get a certificate and install it as guided in this topic, and then configure ddos-guard to just transparently proxy all HTTPS traffic.
FWIW, you can get an SSL cert for nginx using DNS validation. The process is a bit involved and requires you to use an nginx reverse proxy outside the Docker container.