October 8, 20214 yr @Sycotix thanks for the great tutorial here. I followed the instructions as you provided but ran into some problem and wondering if you or anyone else would have any suggestions. PROBLEM I am getting the Cloudflare error page when I browse to my subdomain with error 521 (webserver is down). The web server I want to host on NPM is up and running and I can reach it on the LAN by going to its local IP address. I further did a packet capture on the switch port connecting the NPM server and what I see is that the communication is breaking down at the initial TCP handshake. The Cloudflare server sends a TCP SYN to NPM but NPM responds with a RST. I verified the port forwarding is working correctly and we see destination port tcp/18443. If I browse to the NPM local IP on port 8080 I do get the congratulations page. SETUP I'm using a Cloud Origin CA cert on Cloudflare. I have port forwards on my router for 443 & 80 to go to 18443 & 1880, respectively. My Cloudflare DNS records are setup so that I have an A record for my root domain set to my public IP address and a CNAME for my subdomain. On NPM I added the Origin cert and setup the host with the following settings: Details scheme: http Forward: local IP of server forward port: 5055 cache assets: enabled block common exploits: enabled websocket support: enabled SSL force SSL: enabled HTTP/2 support: enabled If any other details are needed then please let me know. Any help or advice is much appreciated. Cheers!
October 8, 20214 yr Author 13 minutes ago, noobguy said: @Sycotix thanks for the great tutorial here. I followed the instructions as you provided but ran into some problem and wondering if you or anyone else would have any suggestions. PROBLEM I am getting the Cloudflare error page when I browse to my subdomain with error 521 (webserver is down). The web server I want to host on NPM is up and running and I can reach it on the LAN by going to its local IP address. I further did a packet capture on the switch port connecting the NPM server and what I see is that the communication is breaking down at the initial TCP handshake. The Cloudflare server sends a TCP SYN to NPM but NPM responds with a RST. I verified the port forwarding is working correctly and we see destination port tcp/18443. If I browse to the NPM local IP on port 8080 I do get the congratulations page. SETUP I'm using a Cloud Origin CA cert on Cloudflare. I have port forwards on my router for 443 & 80 to go to 18443 & 1880, respectively. My Cloudflare DNS records are setup so that I have an A record for my root domain set to my public IP address and a CNAME for my subdomain. On NPM I added the Origin cert and setup the host with the following settings: Details scheme: http Forward: local IP of server forward port: 5055 cache assets: enabled block common exploits: enabled websocket support: enabled SSL force SSL: enabled HTTP/2 support: enabled If any other details are needed then please let me know. Any help or advice is much appreciated. Cheers! Well written mate! So, if you go to you public IP and port will it let you reach the app?
October 8, 20214 yr 28 minutes ago, Sycotix said: Well written mate! So, if you go to you public IP and port will it let you reach the app? Thanks!! It is the same issue. If I open up my firewall to all IP's (instead of just CF ones) and hit my Public IP I can't reach it. Packet captures on LAN confirm source IP is from my phone instead of CF and destination port is tcp/18443 is reaching NPM but still is responding with RST's. Edited October 8, 20214 yr by noobguy
October 9, 20214 yr Seems I have the same issue as well. Additionally, when using flexible mode in Cloudflare, the unraid web gui loads when accessing example.domain.com even if this is set up to point to another docker in Nginx Proxy Manager.
December 7, 20214 yr I also have the exact same issue. I think we're all fundamentally missing something. Perhaps something with the port fowards?
December 7, 20214 yr Author If it works on Flexible and not on strict it could be your SSL certs. We highly recommend you run the tunnel to avoid poet forwarding entirely. Be sure to check our docs at: https://docs.ibracorp.io
December 8, 20214 yr I never really solved this but I did test this out using another (edit: NPM image) from CA and it worked with no other change on my side. I'm happy to test anything to get this docker image working. Just let me know. Edited December 8, 20214 yr by noobguy
April 25, 20224 yr I'm also having the same issue. Browser is throwing 521 error when on anything but flexible with 2 different NPM images Edit: Figured this out. For some reason the ONLY thing that would get this to work for me was disabling "Force SSL" in each host proxy. Cloudflare is still set to Full (Strict) and everything is now working. Really strange as HSPS is also enabled in Cloudflare, and disabling Force SSL obviously grays out those options in NGINX... but she works lol Edited May 1, 20224 yr by Avsynthe
December 1, 20223 yr On 4/25/2022 at 1:29 AM, Avsynthe said: I'm also having the same issue. Browser is throwing 521 error when on anything but flexible with 2 different NPM images Edit: Figured this out. For some reason the ONLY thing that would get this to work for me was disabling "Force SSL" in each host proxy. Cloudflare is still set to Full (Strict) and everything is now working. Really strange as HSPS is also enabled in Cloudflare, and disabling Force SSL obviously grays out those options in NGINX... but she works lol Don't know how you figured this out... but I tried the same after banging my head against a wall all day and it fixed it. Thanks for sharing! Edited December 1, 20223 yr by Breadford
May 15, 20242 yr Sorry for the necromancy, but I am having a issue with SSL and using Cloudflare Tunnel. I created a tunnel on cloudflare: I have it point to my dockers Nginx HTTPS port '18443': The tunnel connection reports healthy: I created a Client Certificate on Cloudflare and added that in the Nginx Proxy Manager: I created a Proxy Host using the certificate: I have the public hostname directing to my target docker container on port '8086': However, when I attempt to access my docker from my public hostname I get a 502 error: Anyone have any ideas/advice? Edited May 15, 20242 yr by Paldren
July 28, 20241 yr I just tried setting this up as well. Got the same error as Paldren above. Any help would be greatly appreciated! Edited July 28, 20241 yr by shunter
February 24, 20251 yr Hi Paldren! Your post is a bit older, but since I'm currently struggling to set up NPM and Cloudflare the way I want, I also came across the topic of "Cloudflare Tunnels". Right now, it's the only working configuration that allows me to make individual Docker services publicly accessible via my own domain and SSL without exposing my public IPv4 address. I'm actually working on solving everything through Tailscale, but I'm currently stuck with that. With the help of Cloudflare Tunnel and additional authentication, everything is working for now, and I think this setup is at least somewhat "secure." In your first screenshot, I noticed that under "Public Hostname" in the CF Tunnel settings, you entered the HTTPS port of your NPM. However, you should enter the port of the service you want to access via the CF Tunnel - for example, port 8096 for Jellyfin. Besides that, you don't actually need NPM at all when using CF Tunnel. Please correct me if I'm talking nonsense—I'm still a beginner when it comes to networking. Best regards, Tom
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.