[Support] aeleos - cloudflared tunnels



Overview: Support for Cloudflare Tunnels using the cloudflared docker image 

Application: Cloudflared- https://github.com/cloudflare/cloudflared

Docker Hub: https://hub.docker.com/r/cloudflare/cloudflared/

GitHub: https://github.com/aeleos/cloudflared

Documentation: https://github.com/aeleos/cloudflared

Link to comment

Need some help to setup with SWAG

 

In SWAG I setup subdomains to wildcard as I have multiple subdomains.

 

So when I setup cname "xxx.com" > xxx.cfargotunnel.com, I encounter "ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: certificate is valid for *.xxx.com, not xxx.com" cfRay=65afac1cfd390acc-NRT originService=https://192.168.xxx.xxx:443"

 

If I remove the wildcard from the SWAG subdomain options then I encounter a new error: 2021-06-06T06:34:03Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 192.168.xxx.xxx:443: connect: connection refused" cfRay=65af9cda18a9205f-NRT originService=https://192.168.xxx.xxx:443

 

https://192.168.xxx.xxx:443 is my SWAG docker IP

Link to comment
1 hour ago, Kira said:

Need some help to setup with SWAG

 

In SWAG I setup subdomains to wildcard as I have multiple subdomains.

 

So when I setup cname "xxx.com" > xxx.cfargotunnel.com, I encounter "ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: certificate is valid for *.xxx.com, not xxx.com" cfRay=65afac1cfd390acc-NRT originService=https://192.168.xxx.xxx:443"

 

If I remove the wildcard from the SWAG subdomain options then I encounter a new error: 2021-06-06T06:34:03Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 192.168.xxx.xxx:443: connect: connection refused" cfRay=65af9cda18a9205f-NRT originService=https://192.168.xxx.xxx:443

 

https://192.168.xxx.xxx:443 is my SWAG docker IP

I get the same response when using NGINX Proxy Manager with an origin cert from Cloudflare.

All 3 containers are on my customproxy network and connections were previously working.

Link to comment

Anyone else getting an error like the one below? It seems like it's working fine, but I just get the error:

 

2021-06-07T09:03:11Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: EOF" cfRay=XXXX-LAX originService=https://IP:PORT

 

Link to comment
Posted (edited)
2 hours ago, takkkkkkk said:

Anyone else getting an error like the one below? It seems like it's working fine, but I just get the error:

 

2021-06-07T09:03:11Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: EOF" cfRay=XXXX-LAX originService=https://IP:PORT

 

Same here, deleted the tunnel.

Edited by kjames2001
Link to comment
Posted (edited)

Hello,

 

I get the error below

 

2021-06-07T17:15:06Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: certificate is not valid for any names, but wanted to match ******.**" cfRay=hfsfhkfhkfh-FRA originService=https://192.168.178.42:4443

 

When I use this config and disable TLSVerify it works.

 

tunnel: <my_UUID>
credentials-file: /home/nonroot/.cloudflared/<my_UUID>.json

ingress:
  - service: https://192.168.1.100:1443
    originRequest:
      noTLSVerify: true  # skips verification of the origin's certificate

 

 

On the GitHub post it is mentioned to use host.my.domain, where host is a subdomain you have valid DNS records for. But what does that mean? Does someone have an example for me, because I am not so familiar with DNS records?

 
Edited by snowy00
Link to comment
Posted (edited)
4 hours ago, snowy00 said:

Hello,

 

I get the error below

 

2021-06-07T17:15:06Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: certificate is not valid for any names, but wanted to match ******.**" cfRay=hfsfhkfhkfh-FRA originService=https://192.168.178.42:4443

 

When I use this config and disable TLSVerify it works.

 

tunnel: <my_UUID>
credentials-file: /home/nonroot/.cloudflared/<my_UUID>.json

ingress:
  - service: https://192.168.1.100:1443
    originRequest:
      noTLSVerify: true  # skips verification of the origin's certificate

 

 

On the GitHub post it is mentioned to use host.my.domain, where host is a subdomain you have valid DNS records for. But what does that mean? Does someone have an example for me, because I am not so familiar with DNS records?

 

Thanks for the tip, tried it and it works.

 

However, I somehow fixed this issue later by using

ingress:
  - service: https://192.168.1.47:18443
    originRequest:
      originServerName: sonarr.yourdomain.com

i.e. using "sonarr.yourdomain.com" instead of "yourdomain.com"

Edited by kjames2001
Link to comment
Posted (edited)
12 hours ago, kjames2001 said:

 

Thanks for the tip, tried it and it works.

 

However, I somehow fixed this issue later by using

ingress:
  - service: https://192.168.1.47:18443
    originRequest:
      originServerName: sonarr.yourdomain.com

i.e. using "sonarr.yourdomain.com" instead of "yourdomain.com"

 

Could you please share your configuration on Cloudflare?

 

As I understand it should be like:

 

CNAME  yourdomain.com  UUID.cfargotunnel.com
CNAME  sonarr          yourdomain.com

 

The configuration above works now for me! 

Edited by snowy00
Link to comment

I'm pulling my hair out here. I get the same error as others have mentioned:

 

error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: certificate is not valid for any names, but wanted to match hostname.com"

 

After trying the noTLSVerify option, I can connect to my subdomains now, but the logs are still littered with errors including:

 

error="unexpected origin response: 400 Bad Request"

error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared

Unable to establish connection with Cloudflare edge error="DialContext error: dial tcp 198.41.200.13:7844: operation was canceled

 

Link to comment

I had the same issue; my failure was that I only created a DNS record that is not used. You have to use a proper DNS record that is also set up in your reverse proxy.

 

As I mentioned in the former post, that works now for me because Sonarr is set up in my reverse proxy with a custom certificate from Cloudflare.

It doesn't work with a dummy DNS record, as I configured first something like tunnel.yourdomain.com

 

CNAME  yourdomain.com  UUID.cfargotunnel.com
CNAME  sonarr          yourdomain.com

 

ingress:
  - service: https://192.168.1.47:18443
    originRequest:
      originServerName: sonarr.yourdomain.com

 

Link to comment
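The x509 errors quoted in this thread (valid for *.xxx.com, not xxx.com; not valid for any names) come from cloudflared checking the reverse proxy's certificate against the name it expects, which is exactly what originServerName sets. The script below is an added example, not code from the thread, the aeleos image or cloudflared: it reproduces that hostname check (the RFC 6125 rule Go's crypto/x509 applies, which is what cloudflared uses) so you can pick an originServerName the proxy's certificate actually covers instead of setting noTLSVerify; the SAN lists in it are constructed.

```python
"""Decide which originServerName a reverse-proxy certificate will satisfy."""


def hostname_matches(san_names, hostname):
    """Return True if `hostname` is covered by one of the certificate's DNS SANs.

    A wildcard only replaces the leftmost label and must be followed by at
    least one more label, so '*.example.com' covers 'sonarr.example.com'
    but neither 'example.com' nor 'a.b.example.com'. Comparison is
    case-insensitive and ignores a trailing dot.
    """
    host = hostname.lower().rstrip(".").split(".")
    for san in san_names:
        labels = san.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*":
            if len(labels) >= 2 and labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False


def explain(san_names, hostname):
    """Reproduce the two x509 messages seen in the thread, or confirm a match."""
    if not san_names:  # certificate without any DNS SANs (CN alone is ignored)
        return ("x509: certificate is not valid for any names, "
                f"but wanted to match {hostname}")
    if hostname_matches(san_names, hostname):
        return f"ok: certificate covers {hostname}"
    return (f"x509: certificate is valid for {', '.join(san_names)}, "
            f"not {hostname}")


def best_origin_server_name(san_names, candidates):
    """First candidate the certificate covers; use it as originServerName."""
    return next((c for c in candidates if hostname_matches(san_names, c)), None)


if __name__ == "__main__":
    # Constructed SAN list, like a SWAG wildcard certificate.
    wildcard_cert = ["*.yourdomain.com"]
    print(explain(wildcard_cert, "yourdomain.com"))         # the error from the thread
    print(explain(wildcard_cert, "sonarr.yourdomain.com"))  # ok
    print(explain([], "yourdomain.com"))                    # cert with no SANs
    print(best_origin_server_name(wildcard_cert,
                                  ["yourdomain.com", "sonarr.yourdomain.com"]))
```

Read the proxy's actual SAN list from its certificate (for example the output of openssl x509 -noout -ext subjectAltName) and feed it to best_origin_server_name together with the hostnames you route through the tunnel.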
23 hours ago, snowy00 said:

I had the same issue; my failure was that I only created a DNS record that is not used. You have to use a proper DNS record that is also set up in your reverse proxy.

 

As I mentioned in the former post, that works now for me because Sonarr is set up in my reverse proxy with a custom certificate from Cloudflare.

It doesn't work with a dummy DNS record, as I configured first something like tunnel.yourdomain.com

 

CNAME  yourdomain.com  UUID.cfargotunnel.com
CNAME  sonarr          yourdomain.com

 


ingress:
  - service: https://192.168.1.47:18443
    originRequest:
      originServerName: sonarr.yourdomain.com

 

Thanks for filling in the missing link! I just got it working without even knowing how it worked. lol

Link to comment
On 6/9/2021 at 1:22 AM, snowy00 said:

I had the same issue; my failure was that I only created a DNS record that is not used. You have to use a proper DNS record that is also set up in your reverse proxy.

 

As I mentioned in the former post, that works now for me because Sonarr is set up in my reverse proxy with a custom certificate from Cloudflare.

It doesn't work with a dummy DNS record, as I configured first something like tunnel.yourdomain.com

 

CNAME  yourdomain.com  UUID.cfargotunnel.com
CNAME  sonarr          yourdomain.com

 


ingress:
  - service: https://192.168.1.47:18443
    originRequest:
      originServerName: sonarr.yourdomain.com

 

Yeah, I have tried this with various different subdomains that I had previously set up in NGINX Proxy Manager.
I tried on subdomains that had both LetsEncrypt and custom Cloudflare certificates, with no change either way.

Link to comment
  • 2 weeks later...

I got the Argo Tunnel working to SWAG, but now I have a problem.

 

As we have removed the A record that points to the IP, one of my CNAMEs, for vpn.yourdomain.com, no longer works.

 

Need help

Link to comment
  • 2 weeks later...
On 6/8/2021 at 3:41 AM, kjames2001 said:

However, I somehow fixed this issue later by using


ingress:
  - service: https://192.168.1.47:18443
    originRequest:
      originServerName: sonarr.yourdomain.com

i.e. using "sonarr.yourdomain.com" instead of "yourdomain.com"

 

How do I use multiple domains?

Link to comment
Posted (edited)
4 hours ago, Kira said:

 

You can probably create another docker and just change the name of the docker and app folder.

 

That would not be feasible, as the docker utilizes the host itself for the networking as there are no ports or adapters configured. The config should be adjustable for additional domains per the cloudflared documentation, I just haven't tried it yet. I believe it would require a business or paid Cloudflare plan though.

 

The only way without a paid account I can see so far (or without multiple daemons) is to create a CNAME on the one domain that points to the other.

 

The other alternative that appears to work is multiple containers with different names and appdata folders, as Kira mentioned. Given how lightweight the docker is, this seems to be the absolute best way.

Edited by fmp4m
Link to comment
Posted (edited)
37 minutes ago, fmp4m said:

 

That would not be feasible, as the docker utilizes the host itself for the networking as there are no ports or adapters configured. The config should be adjustable for additional domains per the cloudflared documentation, I just haven't tried it yet.

 

I believe it would require a business or paid Cloudflare plan though.

 

The only way without a paid account I can see so far (or without multiple daemons) is to create a CNAME on the one domain that points to the other.

 

Argo Tunnel is established via UUID and not IP or ports,

 

so your 2nd docker config will have a different UUID, hence it may work.
Edited by Kira
Link to comment
  • 1 month later...

This is my current solution: I'm running 4 separate dockers for my 4 main domains that I need tunneled. I wish there was an easier solution that didn't require running multiple dockers. My steps, for anyone that's curious, are to follow the GitHub instructions, then once everything is done and working go into the docker and change the name. This allows you to run the GitHub instructions again to get a new link; without this it complains about a cert.pem file already being present.

Link to comment
20 hours ago, SamuraiMarv said:

This is my current solution: I'm running 4 separate dockers for my 4 main domains that I need tunneled. I wish there was an easier solution that didn't require running multiple dockers. My steps, for anyone that's curious, are to follow the GitHub instructions, then once everything is done and working go into the docker and change the name. This allows you to run the GitHub instructions again to get a new link; without this it complains about a cert.pem file already being present.

 

For anyone in the same boat, I figured this out. You can do multiple domains with one tunnel and one docker. Follow the instructions to create your first tunnel, then use that UUID.cfargotunnel.com in all of your domains as the CNAME for the root. From there, all you need to do is change your config file to match the example I put together below.

 

tunnel: UUID
credentials-file: /home/nonroot/.cloudflared/UUID.json

ingress:
  - hostname: "*.your1stdomain.com"
    service: https://REVERSEPROXYIP:PORT
    originRequest:
      noTLSVerify: true
  - hostname: "*.your2nddomain.com"
    service: https://REVERSEPROXYIP:PORT
    originRequest:
      noTLSVerify: true
  - hostname: "*.your3rddomain.com"
    service: https://REVERSEPROXYIP:PORT
    originRequest:
      noTLSVerify: true

  # You can also do a catch-all rule to send everything to NPM/nginx; I prefer the above though
  # - service: https://REVERSEPROXYIP:PORT

  # Last rule responds to any other HTTP traffic with a 404; disable it when getting new SSL certs via NPM
  - service: http_status:404

  # Enable this only when getting new SSL certs via NPM
  # - service: http://REVERSEPROXYIP:PORT


 

Link to comment

It is working for me with several subdomains and only one docker.

I followed the guide and only changed the hostname to one subdomain like plex.yourdomain.com. In my case it is then also working for all other subdomains.

Link to comment

I'm hoping this is the right place to ask.

 

I have a Nextcloud instance set up and working, and I want to run it through Argo for enhanced security. At the moment, I usually leave the required dockers running (mariadb, nextcloud and swag), open my router's management page, pop open my ports, push/pull the files I need, then close those forwarding rules back down. Obviously a pain, but I don't like the idea of leaving 80 and 443 forwarded when not needed.

 

I'd much prefer to leave it running all the time.

 

When following the IBRACORP tutorial, I get to the tunnel creation step just fine, then everything goes sideways. I don't get a UUID in the response from Cloudflare:

docker run -it --rm -v /mnt/user/appdata/cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared tunnel create MYTUNNELNAME
INFO[2021-08-08T23:18:20Z] Writing tunnel credentials to /home/nonroot/.cloudflared/.json. cloudflared chose this file based on where your origin certificate was found.
INFO[2021-08-08T23:18:20Z] Keep this file secret. To revoke these credentials, delete the tunnel.
INFO[2021-08-08T23:18:20Z] Created tunnel  with id

 

Then, I can't list or delete my tunnel, but I also cannot rerun the create command as a tunnel with that name already exists.

 

Anyone have any ideas?

Edited by Gilgamesh
Link to comment
On 8/8/2021 at 4:49 PM, Gilgamesh said:

I'm hoping this is the right place to ask.

 

I have a Nextcloud instance set up and working, and I want to run it through Argo for enhanced security. At the moment, I usually leave the required dockers running (mariadb, nextcloud and swag), open my router's management page, pop open my ports, push/pull the files I need, then close those forwarding rules back down. Obviously a pain, but I don't like the idea of leaving 80 and 443 forwarded when not needed.

 

I'd much prefer to leave it running all the time.

 

When following the IBRACORP tutorial, I get to the tunnel creation step just fine, then everything goes sideways. I don't get a UUID in the response from Cloudflare:

docker run -it --rm -v /mnt/user/appdata/cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared tunnel create MYTUNNELNAME
INFO[2021-08-08T23:18:20Z] Writing tunnel credentials to /home/nonroot/.cloudflared/.json. cloudflared chose this file based on where your origin certificate was found.
INFO[2021-08-08T23:18:20Z] Keep this file secret. To revoke these credentials, delete the tunnel.
INFO[2021-08-08T23:18:20Z] Created tunnel  with id

 

Then, I can't list or delete my tunnel, but I also cannot rerun the create command as a tunnel with that name already exists.

 

Anyone have any ideas?

Running into the exact same issue. Thought it was a syntax error on my end, but I've been reading that others are also not getting a UUID. When navigating to the appdata folder, I can't see any JSON files, but I also can't figure out how to delete the original (2) tunnels I created.

Link to comment
