[Support] aeleos - cloudflared tunnels



@portonalga  No need to apologise.  We are all on this journey together and it often is one small setting (or a typo, for me) to get things working.  It also took me a week or two of playing around with cloudflared to get everything working.

As I mentioned earlier, you could try "proxy_ssl_verify off;" in the custom Nginx configuration under Advanced to get the HTTPS pfSense to work.  I don't know Nginx that well, but like you, I started to use NPM because of the GUI when I needed to transition out from Caddy V1.

The next tool you can try is using Cloudflare Teams to secure some of the more personal sites you might have.

@aeleos  Thank you for containerising cloudflared.  If it wasn't for you and your documentation, I wouldn't be using any of the Cloudflare products.

I did have the Cloudflare cert working with NPM in the beginning, but I feel more comfortable with the shorter certificate expiration date, certificates that are specific to the subdomain, and the fact that they are automatically renewed.

Traefik is next on my tool list to try.  When I had to transition out from Caddy V1, I couldn't find (or didn't know how to use) a solution to do everything I had set up; Traefik seemed too complex at the time and I didn't know where to start.  Now that Ibracorp have a video on it, I may just use it to replace both of my current instances of Caddy V2 and NPM.

 

 

 

Link to comment
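The "proxy_ssl_verify off;" line suggested above is worth seeing next to the alternative, because it changes what NPM is willing to trust. The snippet below is an added example for this thread, not from the post and not NPM's own config; it is what you would paste into the proxy host's Custom Nginx Configuration box under Advanced (NPM drops that text inside the server block, and the proxy host's Scheme must be set to https). The pfSense address, the exported CA path /data/custom_ssl/pfsense-ca.pem inside the NPM container and the hostname pfsense.home.arpa are all assumed values.

```nginx
# Added example, not from the original post or from NPM itself.
# Assumed: pfSense GUI at https://192.168.1.1:443, its CA exported to
# /data/custom_ssl/pfsense-ca.pem inside the NPM container, and the
# pfSense certificate carrying pfsense.home.arpa as a SAN.

# Option A, the quick fix from the thread: nginx stops checking the
# origin certificate altogether. Traffic to pfSense is still encrypted,
# but NPM will talk to anything that answers on that address, so keep
# this to a LAN segment you fully control.
# proxy_ssl_verify off;

# Option B: keep verification on and tell nginx which CA and which name
# to expect. Works with pfSense's self-signed / internal-CA certificate
# and fails closed if something else is answering on 192.168.1.1.
proxy_ssl_verify               on;
proxy_ssl_verify_depth         2;
proxy_ssl_trusted_certificate  /data/custom_ssl/pfsense-ca.pem;
proxy_ssl_name                 pfsense.home.arpa;   # name nginx checks against the cert's SANs
proxy_ssl_server_name          on;                  # send that name as SNI so pfSense serves the right cert
proxy_ssl_protocols            TLSv1.2 TLSv1.3;
```

The usual reason option B fails on the first try is that the pfSense certificate only lists the firewall's IP or a name that differs from proxy_ssl_name; the NPM error log for that proxy host (the per-host logs in /data/logs, assuming the stock NPM image layout) says exactly which check failed, which is more useful than switching verification off and guessing.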

You know what? I'm going to delete all certificates and re-create just the one with the directions you mention.

 

I know some people will go the "why fix it if it's not broken?" way, but if you ask me, this just became way more interesting, and if the chance of breaking it is the price I pay for trying to make it work as the developer intended, then totally worth it.

 

Be right back with my findings, and a whole lot of tears if I end up breaking it again, LOL.

 

I just wish my wife would understand why I find all this to be so much fun. She hates I spend so much time with these things. In any case, at least I'm not out there getting drunk and stuff, hehe.

 

Edit:

 

Done. Deleted tunnel and all certs from CF and NGINX and CloudflareD.

 

Redid the whole thing, tried with the root domain as the "originServerName", and still did not work.

 

I did as you mentioned, made sure that the domains added during the creation of the cert and key were "*.my-domain.com" and "my-domain.com".

 

Just in case, I will mention that the first tunnel I had was built with CFD version 2022.1.3, and I had then updated CFD to 2022.2.0, and I thought it could have something to do with it. However, the tunnel I created now, as well as everything else, was done with CFD version 2022.2.0.

 

I am creating the certs in CF itself. Maybe I just let it roll on letsencrypt instead and see if that flies?

 

I am certain the docker is not the issue, because the tunnel does connect with the root domain only:

2022-02-06T22:23:17Z INF Initiating graceful shutdown due to signal terminated ...
2022-02-06T22:23:18Z INF Unregistered tunnel connection connIndex=0
2022-02-06T22:23:18Z INF Unregistered tunnel connection connIndex=2
2022-02-06T22:23:18Z INF Unregistered tunnel connection connIndex=1
2022-02-06T22:23:18Z INF Unregistered tunnel connection connIndex=3
2022-02-06T22:23:18Z INF Tunnel server stopped
2022-02-06T22:23:18Z INF Metrics server stopped
2022-02-06T22:23:18Z INF Starting tunnel tunnelID=15845c66-xxxx-xxxx-xxxx-78ae98b9d221
2022-02-06T22:23:18Z INF Version 2022.2.0
2022-02-06T22:23:18Z INF GOOS: linux, GOVersion: go1.17.1, GoArch: amd64
2022-02-06T22:23:18Z INF Settings: map[cred-file:/home/nonroot/.cloudflared/15845c66-xxxx-xxxx-xxxx-78ae98b9d221.json credentials-file:/home/nonroot/.cloudflared/15845c66-xxxx-xxxx-xxxx-78ae98b9d221.json no-autoupdate:true]
2022-02-06T22:23:18Z INF Generated Connector ID: f8c97b1a-xxxx-xxxx-xxxx-ae5147d96e4d
2022-02-06T22:23:18Z INF Initial protocol http2
2022-02-06T22:23:18Z INF Starting metrics server on 127.0.0.1:37649/metrics
2022-02-06T22:23:19Z INF Connection 6caebdb3-xxxx-xxxx-xxxx-f38ea84af3f4 registered connIndex=0 location=TPA
2022-02-06T22:23:20Z INF Connection 62b00a7d-xxxx-xxxx-xxxx-8c97ec6687ee registered connIndex=1 location=IAD
2022-02-06T22:23:21Z INF Connection bbc5159f-xxxx-xxxx-xxxx-2a239e298fc1 registered connIndex=2 location=MIA
2022-02-06T22:23:22Z INF Connection 52291544-xxxx-xxxx-xxxx-89990dbd215b registered connIndex=3 location=IAD

So either it's the certificates created by CF, or NPM is doing something wrong with those certs, which is why you say it works fine on SWAG and Traefik.

 

Unfortunately (kind of) I also have to pay attention now to my wife, kids and dogs, so I'll have to drop it for the day. But rest assured, if you want/need me to test any of your work with NPM, I'll be more than happy to be your guinea pig.

 

Thank you all again guys, you're great.

Link to comment
27 minutes ago, LeoRX said:

@portonalga  No need to apologise.  We are all on this journey together and it often is one small setting (or a typo, for me) to get things working.  It also took me a week or two of playing around with cloudflared to get everything working.

As I mentioned earlier, you could try "proxy_ssl_verify off;" in the custom Nginx configuration under Advanced to get the HTTPS pfSense to work.  I don't know Nginx that well, but like you, I started to use NPM because of the GUI when I needed to transition out from Caddy V1.

The next tool you can try is using Cloudflare Teams to secure some of the more personal sites you might have.

@aeleos  Thank you for containerising cloudflared.  If it wasn't for you and your documentation, I wouldn't be using any of the Cloudflare products.

I did have the Cloudflare cert working with NPM in the beginning, but I feel more comfortable with the shorter certificate expiration date, certificates that are specific to the subdomain, and the fact that they are automatically renewed.

Traefik is next on my tool list to try.  When I had to transition out from Caddy V1, I couldn't find (or didn't know how to use) a solution to do everything I had set up; Traefik seemed too complex at the time and I didn't know where to start.  Now that Ibracorp have a video on it, I may just use it to replace both of my current instances of Caddy V2 and NPM.

 

 

 

I agree, a single comma can mess up everything, but that's exactly what I find to be so much fun. God decided to give me a brain without an off switch (and people say He's got no sense of humor), so I'm always looking for more and more stuff to implement in my server, because I KNOW I will hit a brick wall at some point, and then it's off to researching again.

 

Regardless of that, I am very grateful for all the help you guys are providing, and hope I can pay you, as well as others down the road, in kind.

 

As I mentioned, I have to basically run over to my family now, so I don't have much more time to spend on any of this now, but I will certainly try the "proxy_ssl_verify off" option tomorrow morning before I start work. As for Caddy, this is the first time I've heard about it, but I see no reason why I shouldn't give it a whirl. I will also be trying SWAG (which is what I had when I was going the "duckdns" way), since I never really understood it; I basically just followed one of @SpaceInvaderOne's videos (he makes it so easy it made me a bit lazy) and everything worked from the get-go, so I never looked back.

 

Sadly for you, you're going to be hearing a whole lot more from me moving forward, haha!

 

Have a great evening everyone (or morning, depending on where you're at), and please feel free to count on me for anything to test, even if it includes breaking my home-lab.

Link to comment

@portonalga Hmm, that is strange, I would expect that certificate to work. Other options include trying to use a Cloudflare certificate rather than Let's Encrypt, but that takes a fair bit of manual work. Also, it's possible to locate the logs of where the actual 502 error is coming from. In NPM you should be able to find a folder for each service where the logs are kept, and any 502 errors should show there. That might help to tell you where the actual error is generating from and why.

As much fun as it is to get everything working the right way, I wouldn't get too hung up on it. Sometimes in the end it's better to have it working, although doing things like this is a big part of the learning process. I would recommend IBRACORP's video on SWAG if you plan on using it.

However, if you are dead set on doing it the right way, Traefik (Ibracorp also has a great video) is much more of a purpose-built tool for this. SWAG and NPM are very much applications built around other applications to create a manageable reverse proxy setup. It also makes debugging much more manageable, as it actually shows you the traffic path, where errors are happening, etc. Debugging with NPM is almost impossible; SWAG is somewhat manageable but not ideal.

Link to comment

@LeoRX I'm glad I was able to help out with the instructions. There is something very elegant about the tunnel setup so I was happy to be able to get the information out to more people.

 

Traefik felt the exact same way to me. Ibracorp's video does a great job of breaking it down and showing how to use it. It's a little bit of a jump from SWAG and NPM, but sometimes better tools have a bigger learning curve.

Link to comment
  • 3 weeks later...

I've been working through this setup and watching the IBRACORP video; however, when I check the logs on cloudflared I get the following error:

 

error parsing tunnel ID: [My UUID] is neither the ID nor the name of any of your tunnels

 

I found one reference to this on a Home Assistant forum but couldn't figure out how to fix it from there, since I'm working in a different environment entirely.

Link to comment

I run SWAG, and I was able to get this to work.

However, after about 2 hours I got a lot of the same errors as many others in this thread.

DATE: ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: EOF" cfRay=yxyxyxyxyyxyxyxy -LHR originService=https://IP:PORT
DATE: ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: EOF" cfRay=yxyxyxyxyyxyxyxy -LHR originService=https://IP:PORT
DATE: ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: EOF" cfRay=yxyxyxyxyyxyxyxy -LHR originService=https://IP:PORT

So I removed the container and redid everything...

Same error again, no change...

I then moved my appdata folder and removed the SWAG container and did a clean install of SWAG and cloudflared and got it working.
I moved my appdata folder back and added my custom settings to the SWAG container,
and it worked great for another 40 min to 1 hour 20 min+, then poof, same error again...
The service may be down or it may not be responding to traffic from cloudflared...

Would be awesome to have cloudflared working flawlessly 100% of the time with SWAG.

Currently I have cloudflared stopped.

I think this container is awesome and

I'll gladly help out as much as I can to get this to work, just let me know what you need me to do.

Link to comment
  • 2 weeks later...
On 2/28/2022 at 2:56 PM, Profezor said:

Getting permission errors so I recreated the Cloudflare docker.

 

Now the folder is empty.

 

What now? How do I get the files back and my tunnel working without starting from scratch?

What permission errors are you getting? Where? Is it CloudflareD, or your Proxy manager?

 

I find that starting from scratch once you know the solution works best down the road to avoid messing something up (which I do regularly) that could break it all later.

Link to comment

Trying to setup NPM and Cloudflared.

 

My tunnel seems to be up and running.

My error message is -

 

2022-03-11T21:27:23Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: certificate is not valid for any names, but wanted to match catfamily.se" cfRay=6ea75fb0ef8e31d9-LAX originService=https://192.168.0.XXX:18443
 

Is this a Cloudflare issue or what need I do to fix it? Thanks

Link to comment
On 3/10/2022 at 2:43 PM, portonalga said:

What permission errors are you getting? Where? Is it CloudflareD, or your Proxy manager?

 

I find that starting from scratch once you know the solution works best down the road to avoid messing something up (which I do regularly) that could break it all later.

Started from scratch again. Cleared my cache drive. Now I have the files and folder. Still not working yet, if you see my message below, but at least I am closer.

Link to comment

@Profezor can you provide any more info on what proxy manager you are passing the Cloudflare traffic to and how it's configured? That is likely the source of the issue; the error message indicates that cloudflared doesn't like the certificate your proxy manager is providing. Can you also post a redacted version of your cloudflared config?

Link to comment
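The x509 error in Profezor's post ("certificate is not valid for any names, but wanted to match catfamily.se") is cloudflared doing exactly what aeleos describes: it connected to https://192.168.0.XXX:18443, was handed a certificate whose SANs do not include the name it was told to verify, and refused to proxy. The same mechanism is why portonalga's originServerName experiment with the root domain only works if that name is actually on the certificate. The config.yml below is an added example for this thread, not the aeleos container's shipped config and not any poster's actual file; the tunnel UUID, hostnames, origin addresses and the CA path are assumed, and the credentials and CA paths are as seen from inside the cloudflared container (the /home/nonroot/.cloudflared prefix matches the Settings line in the log above).

```yaml
# Added example, not from the aeleos container or the original posts.
# Assumed tunnel UUID, hostnames, origin addresses and CA path.
tunnel: 15845c66-0000-4000-8000-78ae98b9d221
credentials-file: /home/nonroot/.cloudflared/15845c66-0000-4000-8000-78ae98b9d221.json

ingress:
  # Origin is NPM/SWAG on HTTPS serving a Let's Encrypt cert for *.example.com.
  # originServerName is the name cloudflared verifies against (and sends as SNI),
  # so it must appear in the certificate's SANs. httpHostHeader is the Host the
  # proxy routes on; normally the same name.
  - hostname: app.example.com
    service: https://192.168.0.10:18443
    originRequest:
      originServerName: app.example.com
      httpHostHeader: app.example.com

  # Origin signed by a private CA (pfSense, an internal CA): keep verification
  # on and hand cloudflared the CA file instead of turning the check off.
  - hostname: fw.example.com
    service: https://192.168.0.1:443
    originRequest:
      originServerName: fw.example.com
      caPool: /home/nonroot/.cloudflared/pfsense-ca.pem

  # Last resort for a throwaway self-signed cert: no certificate check at all.
  # cloudflared still encrypts to the origin but can no longer tell the real
  # service from anything else answering on that LAN address.
  - hostname: lab.example.com
    service: https://192.168.0.20:8443
    originRequest:
      noTLSVerify: true

  # Required catch-all: anything not matched above gets a 404.
  - service: http_status:404
```

After editing, `cloudflared tunnel ingress validate` checks the ingress section for syntax and the catch-all rule before you restart the container. Whichever rule applies, a certificate that lists only an IP address, or a wildcard that does not cover the hostname you chose, keeps producing the x509 error until the certificate itself is reissued with the right SANs.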
On 2/26/2022 at 2:43 AM, Zidichy said:

I run SWAG, and I was able to get this to work.

However, after about 2 hours I got a lot of the same errors as many others in this thread.

DATE: ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: EOF" cfRay=yxyxyxyxyyxyxyxy -LHR originService=https://IP:PORT
DATE: ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: EOF" cfRay=yxyxyxyxyyxyxyxy -LHR originService=https://IP:PORT
DATE: ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: EOF" cfRay=yxyxyxyxyyxyxyxy -LHR originService=https://IP:PORT

So I removed the container and redid everything...

Same error again, no change...

I then moved my appdata folder and removed the SWAG container and did a clean install of SWAG and cloudflared and got it working.
I moved my appdata folder back and added my custom settings to the SWAG container,
and it worked great for another 40 min to 1 hour 20 min+, then poof, same error again...
The service may be down or it may not be responding to traffic from cloudflared...

Would be awesome to have cloudflared working flawlessly 100% of the time with SWAG.

Currently I have cloudflared stopped.

I think this container is awesome and

I'll gladly help out as much as I can to get this to work, just let me know what you need me to do.

 

Are you actually having any issues, or are you just seeing those errors appear in the logs? If the issue is that your cloudflared container is stopping, you will want to add "--restart unless-stopped" to your extra parameters in the advanced view. Additionally, you might want to try an older version of cloudflared like 2021.8.2 or a newer one like 2022.3.1, although the container may update itself anyway.

Edited by aeleos
Link to comment
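The question aeleos asks here (errors in the log versus an actual outage) is easier to answer once the errors are grouped: three EOF lines in the same minute followed by silence is a proxy restart or cert reload; the same line every few seconds for an hour is a real break between cloudflared and the origin. The script below is an added example for this thread, not part of the aeleos container; it reads cloudflared log lines of the shape posted by Zidichy and Profezor, groups the "Unable to reach the origin service" errors by origin and failure class with first/last timestamps, and attaches a hint per class. The embedded sample log is constructed for the demo (shapes copied from this thread, addresses and cfRay values made up).

```bash
#!/usr/bin/env bash
# Added example, not part of the aeleos container or the original posts.
# Groups cloudflared "Unable to reach the origin service" errors by origin
# and failure class so a short burst can be told apart from a persistent
# misconfiguration (bad certificate, wrong address, nothing listening).

# classify_origin_errors < cloudflared.log
# One line per (origin, class): <count> <first-ts> <last-ts> <originService> <class>
classify_origin_errors() {
  awk '
    / ERR .*Unable to reach the origin service/ {
      ts = $1
      origin = "unknown"
      if (match($0, /originService=[^ ]+/))
        origin = substr($0, RSTART + 14, RLENGTH - 14)   # strip "originService="
      cls = "other"
      if ($0 ~ /x509:/)                                cls = "tls-verify"
      else if ($0 ~ /: EOF"/)                          cls = "origin-closed"
      else if ($0 ~ /connection refused/)              cls = "refused"
      else if ($0 ~ /i\/o timeout|deadline exceeded/)  cls = "timeout"
      key = origin " " cls
      n[key]++
      if (!(key in first)) first[key] = ts
      last[key] = ts
    }
    END { for (k in n) print n[k], first[k], last[k], k }
  ' | sort -rn
}

# What each class usually means in this setup (cloudflared -> NPM/SWAG -> app).
hint() {
  case "$1" in
    tls-verify)    echo "cloudflared rejected the origin certificate: set originServerName to a name on that cert (plus caPool for a private CA) under originRequest" ;;
    origin-closed) echo "origin accepted the TCP connection and then hung up (EOF): check the proxy's own error log for that minute, not cloudflared's" ;;
    refused)       echo "nothing is listening at that address as seen from the cloudflared container's network" ;;
    timeout)       echo "packets are not reaching the origin: firewall, VLAN or wrong IP between cloudflared and the proxy" ;;
    *)             echo "unclassified: read the full error string" ;;
  esac
}

# Constructed sample log: line shapes from this thread, addresses made up.
sample_log() {
  cat <<'EOF'
2022-03-11T21:27:23Z INF Connection 6caebdb3-0000-0000-0000-f38ea84af3f4 registered connIndex=0 location=TPA
2022-03-11T21:27:23Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: EOF" cfRay=6ea75fb0ef8e31d9-LAX originService=https://192.168.0.10:443
2022-03-11T21:27:24Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: EOF" cfRay=6ea75fb1ef8e31d9-LAX originService=https://192.168.0.10:443
2022-03-11T21:29:00Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: EOF" cfRay=6ea75fb2ef8e31d9-LAX originService=https://192.168.0.10:443
2022-03-11T21:30:05Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: certificate is not valid for any names, but wanted to match example.com" cfRay=6ea75fb3ef8e31d9-LAX originService=https://192.168.0.20:18443
2022-03-11T21:31:00Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 192.168.0.30:8080: connect: connection refused" cfRay=6ea75fb4ef8e31d9-LAX originService=http://192.168.0.30:8080
EOF
}

# Stand-alone run: summary with a remediation hint per class.
sample_log | classify_origin_errors | while read -r count first last origin cls; do
  printf '%s x %-13s %s  (%s .. %s)\n  -> %s\n' "$count" "$cls" "$origin" "$first" "$last" "$(hint "$cls")"
done
```

On Unraid, `docker logs cloudflared 2>&1 | classify_origin_errors` (container name assumed) gives the same summary for the real log. The origin-closed class is the one from Zidichy's post; since cloudflared only reports that the proxy dropped the connection, the next place to look is the proxy's own error log at the same timestamps (for NPM the per-proxy-host logs under /data/logs, assuming the stock image layout), which is also where the 502s aeleos mentions earlier would be recorded.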
On 2/25/2022 at 7:34 PM, seecs2011 said:

I've been working through this setup and watching the IBRACORP video however, when I check the logs on cloudflared I get the following error:

 

error parsing tunnel ID: [My UUID] is neither the ID nor the name of any of your tunnels

 

I found one reference to this on a Home Assistant forum but couldn't figure out how to fix it from there since I'm working in a different environment entirely

 

You likely have your UUID for the tunnel slightly miswritten or misconfigured, maybe a leading or trailing space.

Link to comment
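The "neither the ID nor the name of any of your tunnels" error in seecs2011's post and the leading/trailing-space explanation above can be checked rather than eyeballed. The script below is an added example for this thread, not part of the aeleos container; it takes the tunnel ID as configured and the directory the container keeps credentials in, strips and reports any whitespace or carriage return that rode along with the UUID, confirms the UUID is well formed, confirms the `<uuid>.json` credentials file is there, and confirms the TunnelID recorded inside that file is the same UUID. The demo at the bottom builds a throwaway credentials file with a made-up UUID in a temp directory.

```bash
#!/usr/bin/env bash
# Added example, not part of the aeleos container or the original posts.
# Checks the tunnel UUID and credentials file cloudflared is pointed at.
# A stray space or CR in the UUID, or a credentials file named for a
# different tunnel, produces:
#   error parsing tunnel ID: ... is neither the ID nor the name of any of your tunnels

UUID_RE='^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'

# check_tunnel_id <tunnel-id-as-configured> <cloudflared-dir>
# Prints findings; returns 0 only when the ID is clean and matches the file.
check_tunnel_id() {
  local raw="$1" dir="$2" id cred inner status=0
  id=$(printf '%s' "$raw" | tr -d ' \t\r\n' | tr 'A-F' 'a-f')
  # Whitespace or a CR copied along with the UUID is invisible in most UIs;
  # `sed -n l` prints it escaped so it can actually be seen.
  if [ "$id" != "$(printf '%s' "$raw" | tr 'A-F' 'a-f')" ]; then
    echo "WARN: tunnel ID carries whitespace/CR: $(printf '%s\n' "$raw" | sed -n l)"
    status=1
  fi
  if ! printf '%s\n' "$id" | grep -Eq "$UUID_RE"; then
    echo "FAIL: not a well-formed tunnel UUID: '$id'"
    return 1
  fi
  cred="$dir/$id.json"
  if [ ! -r "$cred" ]; then
    echo "FAIL: credentials file missing or unreadable: $cred"
    return 1
  fi
  # The credentials JSON names its own tunnel; it must agree with the file name.
  inner=$(sed -n 's/.*"TunnelID"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$cred")
  if [ "$inner" != "$id" ]; then
    echo "FAIL: TunnelID inside $cred is '$inner', expected '$id'"
    return 1
  fi
  if [ "$status" -eq 0 ]; then
    echo "OK: $id matches $cred"
  else
    echo "FAIL: strip the whitespace; the file and its TunnelID otherwise match"
  fi
  return "$status"
}

# Constructed demo: a throwaway credentials file with a made-up UUID.
demo_tunnel_check() {
  local tmp id
  tmp=$(mktemp -d)
  id='15845c66-0000-4000-8000-78ae98b9d221'
  printf '{"AccountTag":"redacted","TunnelSecret":"redacted","TunnelID":"%s"}\n' "$id" > "$tmp/$id.json"
  check_tunnel_id "$id" "$tmp"                              # OK
  check_tunnel_id "$id " "$tmp" || true                     # WARN + FAIL: trailing space
  check_tunnel_id "$(printf '%s\r' "$id")" "$tmp" || true   # WARN + FAIL: CR from a Windows editor
  check_tunnel_id 'not-a-uuid' "$tmp" || true               # FAIL: malformed
  rm -rf "$tmp"
}

demo_tunnel_check
```

For the container in this thread the directory argument is the host path mapped to /home/nonroot/.cloudflared (the location shown in the Settings line of the log earlier), and the first argument is whatever you pasted into the tunnel ID field of the template. A UUID that passes all three checks but still fails in cloudflared was created under a different Cloudflare account than the one `cloudflared tunnel login` was run with.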
12 hours ago, aeleos said:

 

Are you actually having any issues, or are you just seeing those errors appear in the logs? If the issue is that your cloudflared container is stopping, you will want to add "--restart unless-stopped" to your extra parameters in the advanced view. Additionally, you might want to try an older version of cloudflared like 2021.8.2 or a newer one like 2022.3.1, although the container may update itself anyway.

 

Yes I actually have these issues, I wouldn't post here and ask for help if I didn't.

The container is working, but it's spitting out errors.

The parameter command is already set in the container.

I have tried the recommended version and newer versions same issue, works for awhile then starts spitting out errors.

Then when I go to my domain I get 503 Bad Gateway.

Link to comment
21 hours ago, aeleos said:

@Profezor can you provide any more info on what proxy manager you are passing the Cloudflare traffic to and how it's configured? That is likely the source of the issue; the error message indicates that cloudflared doesn't like the certificate your proxy manager is providing. Can you also post a redacted version of your cloudflared config?

Somehow it worked its way out. Back working again. SO happy. Thanks for your patience.

Link to comment
On 3/21/2022 at 1:03 AM, Masterwishx said:

Does Argo Tunnel cost money? I read on Cloudflare that Argo Tunnel is free, but traffic in the tunnel costs money?

 

You will need to register for an account and add a credit card to sign up for the free tier (I'm not 100% sure on this, but this is what I had to do), but there is no bandwidth cost. The terms of service only allow for regular website traffic (not video streaming like Plex), so you aren't supposed to use a lot of bandwidth. If you do, it will likely trigger something in their system and you may get taken off the free plan.

Link to comment
On 3/23/2022 at 7:29 PM, aeleos said:

add a credit card to sign up for the free tier

 

I already have an account and also bought a second domain from Cloudflare and have Teams enabled, but I am using a free plan.

If I remember correctly, they say it's free unless you exceed some XX GB of traffic a month or something like this. I will try to find this info, but you are saying that as home users we will not exceed the bandwidth?!?...

Link to comment
On 3/25/2022 at 2:07 AM, Masterwishx said:

 

I already have an account and also bought a second domain from Cloudflare and have Teams enabled, but I am using a free plan.

If I remember correctly, they say it's free unless you exceed some XX GB of traffic a month or something like this. I will try to find this info, but you are saying that as home users we will not exceed the bandwidth?!?...

 

My understanding based on the TOS is that there is no XX GB traffic limit listed, and that as long as you comply with the restrictions around what traffic you serve you are good to go. In reality, you can likely get away with some amount of video streaming, and traffic isn't closely monitored. However, if you run a video streaming service on your free tier of tunnels you will likely hit some sort of internal limit (50+ GB per month) and get your account terminated, or moved to a higher tier plan with a cost per GB.

 

You may be conflating smart routing traffic and regular tunnel traffic. For smart routing, there is a free tier limit and you will get charged for additional traffic. However, this is something you have to enable manually. Feel free to correct me if I am wrong, but this is my understanding.

Link to comment
13 hours ago, aeleos said:

Feel free to correct me if I am wrong but this is my understanding.

 

Thanks a lot, I am only trying to understand it. You have experience in this.

Maybe you are right that I am mixing it up with the smart tunnel; from what I remember they wrote that this tunnel is for trying only and not to be used with real apps. So I will check it again and will post here...

Link to comment
