aeleos, posted June 2, 2021

Overview: Support for Cloudflare Tunnels using the cloudflared docker image
Application: Cloudflared - https://github.com/cloudflare/cloudflared
Docker Hub: https://hub.docker.com/r/cloudflare/cloudflared/
GitHub: https://github.com/aeleos/cloudflared
Documentation: https://github.com/aeleos/cloudflared

mrunsuitable, posted June 6, 2021

When I run the initial tunnel list command I get - Error locating origin cert: Client didn't specify origincert path when running from terminal - is there an initial setup step I missed?

Kira, posted June 6, 2021

Need some help to setup with SWAG

In SWAG I setup subdomains to wildcard as I have multiple subdomains. So when I setup cname "xxx.com" > xxx.cfargotunnel.com, I encounter

    ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: certificate is valid for *.xxx.com, not xxx.com" cfRay=65afac1cfd390acc-NRT originService=https://192.168.xxx.xxx:443

If I removed the wildcard from SWAG subdomain options then I encounter another new error.

    2021-06-06T06:34:03Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 192.168.xxx.xxx:443: connect: connection refused" cfRay=65af9cda18a9205f-NRT originService=https://192.168.xxx.xxx:443

https://192.168.xxx.xxx:443 is my SWAG docker IP

mrunsuitable, posted June 6, 2021

1 hour ago, Kira said:
> Need some help to setup with SWAG
>
> In SWAG I setup subdomains to wildcard as I have multiple subdomains. So when I setup cname "xxx.com" > xxx.cfargotunnel.com, I encounter
>
>     ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: certificate is valid for *.xxx.com, not xxx.com" cfRay=65afac1cfd390acc-NRT originService=https://192.168.xxx.xxx:443
>
> If I removed the wildcard from SWAG subdomain options then I encounter another new error.
>
>     2021-06-06T06:34:03Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 192.168.xxx.xxx:443: connect: connection refused" cfRay=65af9cda18a9205f-NRT originService=https://192.168.xxx.xxx:443
>
> https://192.168.xxx.xxx:443 is my SWAG docker IP

I get the same response when using NGINX Proxy Manager with an origin cert from Cloudflare. All 3 containers are on my customproxy network and connections were previously working.

takkkkkkk, posted June 7, 2021

Anyone else getting error like the one below? It seems like it's working fine, but just get the error:

    2021-06-07T09:03:11Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: EOF" cfRay=XXXX-LAX originService=https://IP:PORT

kjames2001, posted June 7, 2021

2 hours ago, takkkkkkk said:
> Anyone else getting error like the one below? It seems like it's working fine, but just get the error:
>
>     2021-06-07T09:03:11Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: EOF" cfRay=XXXX-LAX originService=https://IP:PORT

same here, deleted the tunnel.

Edited June 7, 2021 by kjames2001

snowy00, posted June 7, 2021

Hello, I get the error below

    2021-06-07T17:15:06Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: certificate is not valid for any names, but wanted to match ******.**" cfRay=hfsfhkfhkfh-FRA originService=https://192.168.178.42:4443

When I use this config and disable TLSVerify it works.

    tunnel: <my_UUID>
    credentials-file: /home/nonroot/.cloudflared/<my_UUID>.json
    ingress:
      - service: https://192.168.1.100:1443
        originRequest:
          noTLSVerify: true

The GitHub post mentions using: host.my.domain, where host is a subdomain you have valid DNS records for. But what does that mean? Does someone have an example for me, because I am not so familiar with DNS records?

Edited June 7, 2021 by snowy00

kjames2001, posted June 7, 2021

4 hours ago, snowy00 said:
> Hello, I get the error below
>
>     2021-06-07T17:15:06Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: certificate is not valid for any names, but wanted to match ******.**" cfRay=hfsfhkfhkfh-FRA originService=https://192.168.178.42:4443
>
> When I use this config and disable TLSVerify it works.
>
>     tunnel: <my_UUID>
>     credentials-file: /home/nonroot/.cloudflared/<my_UUID>.json
>     ingress:
>       - service: https://192.168.1.100:1443
>         originRequest:
>           noTLSVerify: true
>
> The GitHub post mentions using: host.my.domain, where host is a subdomain you have valid DNS records for. But what does that mean? Does someone have an example for me, because I am not so familiar with DNS records?

thanks for the tip, tried it and works. however, i somehow fixed this issue later by using

    ingress:
      - service: https://192.168.1.47:18443
        originRequest:
          originServerName: sonarr.yourdomain.com

i.e. using "sonarr.yourdomain.com" instead of "yourdomain.com"

Edited June 7, 2021 by kjames2001

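Added example (not part of any post in this thread, and not cloudflared's code): a Python model of the certificate name check behind the x509 errors quoted above, showing why a `*.xxx.com` certificate fails for `xxx.com`, why an originServerName covered by the certificate passes, and what noTLSVerify gives up. The function names and sample certificates are constructed; it assumes the name checked is originServerName when set and otherwise the hostname of the incoming request, as the quoted log lines suggest.

```python
# Added example: a model of the X.509 name check behind the errors in this thread.
# Assumption (inferred from the quoted log lines): the name checked is
# originServerName when set, otherwise the hostname of the incoming request.

def san_matches(pattern, hostname):
    """'*' counts only as the whole left-most label and covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def check_origin(request_host, cert_sans, origin_request=None):
    """Return (accepted, verified, detail) for one proxied request."""
    opts = origin_request or {}
    if opts.get("noTLSVerify"):
        # Nothing is compared: a certificate for any name, from anyone, is accepted.
        return True, False, "verification skipped"
    name = opts.get("originServerName") or request_host
    if not cert_sans:
        return False, True, f"certificate is not valid for any names, but wanted to match {name}"
    if any(san_matches(s, name) for s in cert_sans):
        return True, True, f"certificate matches {name}"
    return False, True, f"certificate is valid for {', '.join(cert_sans)}, not {name}"

# Constructed cases that follow the posts above (names are the thread's placeholders).
CASES = [
    ("wildcard cert, apex request", "xxx.com", ["*.xxx.com"], None),
    ("same, originServerName set", "yourdomain.com", ["*.yourdomain.com"],
     {"originServerName": "sonarr.yourdomain.com"}),
    ("cert without names", "yourdomain.com", [], None),
    ("unrelated cert, noTLSVerify", "yourdomain.com", ["other.example"],
     {"noTLSVerify": True}),
]

def run_cases():
    return {label: check_origin(host, sans, opts) for label, host, sans, opts in CASES}

if __name__ == "__main__":
    for label, result in run_cases().items():
        print(f"{label:32} accepted={result[0]!s:5} verified={result[1]!s:5} {result[2]}")
```

The last case is the one to notice: with noTLSVerify the connection is accepted without any name being compared, while originServerName keeps verification on and only changes which name is checked.
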
takkkkkkk, posted June 7, 2021

6 hours ago, kjames2001 said:
> same here, deleted the tunnel.

did you recreate it? or decided not to use it?

snowy00, posted June 8, 2021

12 hours ago, kjames2001 said:
> thanks for the tip, tried it and works. however, i somehow fixed this issue later by using
>
>     ingress:
>       - service: https://192.168.1.47:18443
>         originRequest:
>           originServerName: sonarr.yourdomain.com
>
> i.e. using "sonarr.yourdomain.com" instead of "yourdomain.com"

Could you please share your configuration on cloudflare: As I understand it should be like:

    CNAME  yourdomain.com  UUID.cfargotunnel.com
    CNAME  sonarr          yourdomain.com

The configuration above works now for me!

Edited June 8, 2021 by snowy00

braydination, posted June 8, 2021

I'm pulling my hair out here. I get the same error as others have mentioned.

    error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: certificate is not valid for any names, but wanted to match hostname.com"

After trying the noTLSVerify option, I can connect to my subdomains now, but the logs are still littered with errors including:

    error="unexpected origin response: 400 Bad Request"
    error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared
    Unable to establish connection with Cloudflare edge error="DialContext error: dial tcp 198.41.200.13:7844: operation was canceled

snowy00, posted June 8, 2021

I had the same issue, my failure was that I only created a DNS record that is not used. You have to use a proper DNS record that is also set up in your reverse proxy. As I mentioned in the former post, that works now for me because sonarr is set up in my reverse proxy with a custom certificate from cloudflare. It doesn't work with a dummy DNS record as I configured first, something like - tunnel.yourdomain.com

    CNAME  yourdomain.com  UUID.cfargotunnel.com
    CNAME  sonarr          yourdomain.com

    ingress:
      - service: https://192.168.1.47:18443
        originRequest:
          originServerName: sonarr.yourdomain.com

kjames2001, posted June 9, 2021

23 hours ago, snowy00 said:
> I had the same issue, my failure was that I only created a DNS record that is not used. You have to use a proper DNS record that is also set up in your reverse proxy. As I mentioned in the former post, that works now for me because sonarr is set up in my reverse proxy with a custom certificate from cloudflare. It doesn't work with a dummy DNS record as I configured first, something like - tunnel.yourdomain.com
>
>     CNAME  yourdomain.com  UUID.cfargotunnel.com
>     CNAME  sonarr          yourdomain.com
>
>     ingress:
>       - service: https://192.168.1.47:18443
>         originRequest:
>           originServerName: sonarr.yourdomain.com

Thanks for filling up the missing link! i just got it working without even knowing how it worked. lol

braydination, posted June 11, 2021

On 6/9/2021 at 1:22 AM, snowy00 said:
> I had the same issue, my failure was that I only created a DNS record that is not used. You have to use a proper DNS record that is also set up in your reverse proxy. As I mentioned in the former post, that works now for me because sonarr is set up in my reverse proxy with a custom certificate from cloudflare. It doesn't work with a dummy DNS record as I configured first, something like - tunnel.yourdomain.com
>
>     CNAME  yourdomain.com  UUID.cfargotunnel.com
>     CNAME  sonarr          yourdomain.com
>
>     ingress:
>       - service: https://192.168.1.47:18443
>         originRequest:
>           originServerName: sonarr.yourdomain.com

Yeah, I have tried this with various different subdomains that I had previously set up in NGINX Proxy Manager. I tried on subdomains that had both LetsEncrypt and custom Cloudflare certificates, with no change either way.

Kira, posted June 19, 2021

I got the Argo Tunnel working to SWAG but now I have a problem.

As we have removed the A record where it points to IP, one of my CNAMEs for vpn.yourdomain.com no longer works.

Need help

samba_69, posted June 29, 2021

On 6/8/2021 at 3:41 AM, kjames2001 said:
> however, i somehow fixed this issue later by using
>
>     ingress:
>       - service: https://192.168.1.47:18443
>         originRequest:
>           originServerName: sonarr.yourdomain.com
>
> i.e. using "sonarr.yourdomain.com" instead of "yourdomain.com"

How do I use multiple domains?

DieFalse, posted July 1, 2021

On 6/28/2021 at 11:11 PM, samba_69 said:
> How do I use multiple domains?

I have this question also.

Kira, posted July 2, 2021

On 6/29/2021 at 12:11 PM, samba_69 said:
> How do I use multiple domains?

you can probably create another docker and just change the name of docker and app folder

DieFalse, posted July 2, 2021

4 hours ago, Kira said:
> you can probably create another docker and just change the name of docker and app folder

That would not be feasible as the docker utilizes the host itself for the networking as there are no ports or adapters configured. The config should be adjustable for additional per the CloudFlareD Documentation, just haven't tried it yet. I believe it would require a business or paid cloudflare plan though. The only way without a paid account I can see so far (or without multiple daemons) is to create a CNAME on the one domain that points to the other.

The other alternative that appears to work is multiple containers with different names and appdata folders as Kira mentioned. Given how lightweight the docker is, this seems to be the absolute best way.

Edited July 2, 2021 by fmp4m

Kira, posted July 2, 2021

37 minutes ago, fmp4m said:
> That would not be feasible as the docker utilizes the host itself for the networking as there are no ports or adapters configured. The config should be adjustable for additional per the CloudFlareD Documentation, just haven't tried it yet. I believe it would require a business or paid cloudflare plan though. The only way without a paid account I can see so far (or without multiple daemons) is to create a CNAME on the one domain that points to the other.

argo tunnel is established via UUID and not IP or Ports so your 2nd docker config will have a different UUID hence it may work

Edited July 2, 2021 by Kira

SamuraiMarv, posted August 7, 2021

This is my current solution, I'm running 4 separate dockers for my 4 main domains that I need tunneled. Wish there was an easier solution that didn't require running multiple dockers.

My steps for anyone that's curious is to follow the GitHub instructions, then once everything is done and working go into the docker and change the name. This allows you to run the GitHub instructions again to get a new link, without this it complains about a cert.pem file already being present.

SamuraiMarv, posted August 8, 2021

20 hours ago, SamuraiMarv said:
> This is my current solution, I'm running 4 separate dockers for my 4 main domains that I need tunneled. Wish there was an easier solution that didn't require running multiple dockers.
>
> My steps for anyone that's curious is to follow the GitHub instructions, then once everything is done and working go into the docker and change the name. This allows you to run the GitHub instructions again to get a new link, without this it complains about a cert.pem file already being present.

For anyone in the same boat, I figured this out. You can do multiple domains with one tunnel and one docker. Follow the instructions to create your first tunnel, then use that UUID.cfargotunnel.com in all of your domains as the CNAME for the root. From there all you need to do is change your config file to match the example I put together below.

    tunnel: UUID
    credentials-file: /home/nonroot/.cloudflared/UUID.json
    ingress:
      - hostname: "*.your1stdomain.com"
        service: https://REVERSEPROXYIP:PORT
        originRequest:
          noTLSVerify: true
      - hostname: "*.your2nddomain.com"
        service: https://REVERSEPROXYIP:PORT
        originRequest:
          noTLSVerify: true
      - hostname: "*.your3rddomain.com"
        service: https://REVERSEPROXYIP:PORT
        originRequest:
          noTLSVerify: true
      #You can also do a catch all rule to send everything to NPM/nginx, I prefer the above though
      # - service: https://REVERSEPROXYIP:PORT
      #Last rule responds to any HTTP traffic with a 404 disable when getting new SSL Certs via NPM
      - service: http_status:404
      #Enables this only for getting new SSL Certs via NPM
      # - service: http://REVERSEPROXYIP:PORT

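Added example (not part of the thread and not cloudflared's code): a Python model of how an ingress list like the one in the post above is evaluated, with a small audit of the rules. It assumes top-to-bottom, first-match evaluation, that a rule without a hostname matches every request, and that "*.domain" matches only names ending in ".domain"; the function names and request hostnames are constructed.

```python
# Added example: models the ingress list from the post above (placeholders kept).
# Assumptions: rules are tried top to bottom, first match wins; a rule without
# "hostname" matches every request; "*.domain" matches names ending ".domain".
PROXY = "https://REVERSEPROXYIP:PORT"
RULES = [
    {"hostname": "*.your1stdomain.com", "service": PROXY, "noTLSVerify": True},
    {"hostname": "*.your2nddomain.com", "service": PROXY, "noTLSVerify": True},
    {"hostname": "*.your3rddomain.com", "service": PROXY, "noTLSVerify": True},
    {"service": "http_status:404"},  # catch-all
]

def rule_matches(rule, host):
    pattern = rule.get("hostname")
    if pattern is None:
        return True
    host = host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # ".domain" suffix, so the apex is excluded
    return host == pattern.lower()

def route(rules, host):
    """Return (rule index, service) for the first rule that matches host."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, host):
            return index, rule["service"]
    raise LookupError("ingress list has no catch-all rule")

def audit(rules):
    """List the points a reviewer would raise about an ingress list."""
    findings = []
    for index, rule in enumerate(rules):
        last = index == len(rules) - 1
        if rule.get("hostname") is None and not last:
            findings.append(f"rule {index}: catch-all hides every rule below it")
        if rule.get("noTLSVerify"):
            findings.append(f"rule {index}: origin certificate is not verified")
    if not rules or rules[-1].get("hostname") is not None:
        findings.append("last rule is not a catch-all")
    return findings

if __name__ == "__main__":
    for host in ("plex.your1stdomain.com", "your1stdomain.com", "unknown.example"):
        print(host, "->", route(RULES, host))
    print(*audit(RULES), sep="\n")
```

Under these assumptions a request for the bare your1stdomain.com falls through to the 404 rule, and moving the commented-out catch-all above the hostname rules would send every hostname to the reverse proxy.
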
sylus, posted August 8, 2021

It is working for me with several subdomains and only one docker. I followed the guide and only changed the hostname to one subdomain like plex.yourdomain.com. In my case it is then also working for all other subdomains.

Gilgamesh, posted August 8, 2021

I'm hoping this is the right place to ask. I have a nextcloud instance set up and working, and I want to run it through Argo for enhanced security. At the moment, I usually leave the required dockers running (mariadb, nextcloud and swag), open my router's management page, pop open my ports, push/pull the files I need, then close those forwarding rules back down. Obviously a pain, but I don't like the idea of leaving 80 and 443 forwarded when not needed. I'd much prefer to leave it running all the time.

When following the IBRACORP tutorial, I get to the tunnel creation step just fine, then everything goes sideways. I don't get a UUID in the response from CloudFlare:

    docker run -it --rm -v /mnt/user/appdata/cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared tunnel create MYTUNNELNAME
    INFO[2021-08-08T23:18:20Z] Writing tunnel credentials to /home/nonroot/.cloudflared/.json. cloudflared chose this file based on where your origin certificate was found.
    INFO[2021-08-08T23:18:20Z] Keep this file secret. To revoke these credentials, delete the tunnel.
    INFO[2021-08-08T23:18:20Z] Created tunnel with id

Then, I can't list or delete my tunnel, but I also cannot rerun the create command as a tunnel with that name already exists.

Anyone have any ideas?

Edited August 8, 2021 by Gilgamesh

jimbohead, posted August 10, 2021

On 8/8/2021 at 4:49 PM, Gilgamesh said:
> I'm hoping this is the right place to ask. I have a nextcloud instance set up and working, and I want to run it through Argo for enhanced security. At the moment, I usually leave the required dockers running (mariadb, nextcloud and swag), open my router's management page, pop open my ports, push/pull the files I need, then close those forwarding rules back down. Obviously a pain, but I don't like the idea of leaving 80 and 443 forwarded when not needed. I'd much prefer to leave it running all the time.
>
> When following the IBRACORP tutorial, I get to the tunnel creation step just fine, then everything goes sideways. I don't get a UUID in the response from CloudFlare:
>
>     docker run -it --rm -v /mnt/user/appdata/cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared tunnel create MYTUNNELNAME
>     INFO[2021-08-08T23:18:20Z] Writing tunnel credentials to /home/nonroot/.cloudflared/.json. cloudflared chose this file based on where your origin certificate was found.
>     INFO[2021-08-08T23:18:20Z] Keep this file secret. To revoke these credentials, delete the tunnel.
>     INFO[2021-08-08T23:18:20Z] Created tunnel with id
>
> Then, I can't list or delete my tunnel, but I also cannot rerun the create command as a tunnel with that name already exists.
>
> Anyone have any ideas?

Running into the exact same issue. Thought it was a syntax error on my end, but I've been reading that others are also not getting a UUID. When navigating to the appdata folder, I can't see any json files, but also can't figure out how to delete the original (2) tunnels I created.