[Support] aeleos - cloudflared tunnels



It is difficult to see exactly how you have things configured.  You definitely have an issue with addressing your Cloudflare SSL certificate.  This is how I'm configured:

 

# forward all traffic to Reverse Proxy w/ SSL
ingress:
  - hostname: next.DOMAIN.COM
    service: https://172.17.0.14:4443
    originRequest:
      originServerName: DOMAIN.COM

  - hostname: overseerr.DOMAIN.COM
    service: https://172.17.0.14:4443
    originRequest:
      originServerName: DOMAIN.COM

 

I have several more subdomains, all as this.  Two are not even on the same machine as NPM/Cloudflared.  The tunnel works fine, and NPM forwards as expected.

3 hours ago, ConnerVT said:

It is difficult to see exactly how you have things configured.  You definitely have an issue with addressing your Cloudflare SSL certificate.  This is how I'm configured:

 

# forward all traffic to Reverse Proxy w/ SSL
ingress:
  - hostname: next.DOMAIN.COM
    service: https://172.17.0.14:4443
    originRequest:
      originServerName: DOMAIN.COM

  - hostname: overseerr.DOMAIN.COM
    service: https://172.17.0.14:4443
    originRequest:
      originServerName: DOMAIN.COM

 

I have several more subdomains, all as this.  Two are not even on the same machine as NPM/Cloudflared.  The tunnel works fine, and NPM forwards as expected.

 

So you add an individual entry for each service. Can you not just do a wildcard that catches all subdomains?

7 hours ago, ConnerVT said:

I fought with this setup for some time back nearly a year ago.  Tried many different configurations, this one works and is secure.  I'm sure there are other configs that work.

 

I am using NPM. For some reason, when I point my config file at the NPM https endpoint and then add my host to NPM, it won't find my host. When I point my config to the NPM http endpoint it will find my host.

 

 

Solved: For anyone else experiencing the same issue, to fix this do the following:

1. Set your NPM host to http.
2. Get the origin server key and cert being used by your tunnel and create separate files for each (name.key, name.pem).
3. Go to the SSL tab in NPM and create a new custom certificate using the .key and .pem files created.
4. Go to the SSL tab for the host and add that certificate.

Edited by jhartley
  • 3 months later...

This is probably something really dumb, but I can't seem to get it figured out.

 

First off, recently, I changed my NPM ports so they're using standard HTTP (80) and HTTPS (443) ports after changing the default admin ports in Unraid. I'm doing this so I can serve content locally on my network with the same domain name as I do remotely (say, photos.domain.net). That way I can access the server directly when I'm outside the network, run it through cloudflare outside the network, where it uses Google Workspace as an access method.

 

This all worked until recently, but would randomly crash, and I wanted my wife to still have a way to easily access the photos and recipe site I had set up. So that's why I changed the port. But cloudflared is still being weird. I'm getting a lot of these types of messages in the logs and the sites aren't accessible outside the network.

 

2023-08-26T04:18:25Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: cannot validate certificate for 192.168.1.20 because it doesn't contain any IP SANs" connIndex=3 dest=https://recipes.mydomain.net/favicon.ico event=0 ip=198.41.192.77 type=http
2023-08-26T04:18:27Z ERR  error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: cannot validate certificate for 192.168.1.20 because it doesn't contain any IP SANs" cfRay=7fc94557be3915ca-SJC event=1 originService=https://192.168.1.20
2023-08-26T04:18:27Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: cannot validate certificate for 192.168.1.20 because it doesn't contain any IP SANs" connIndex=3 dest=https://recipes.mydomain.net/service-worker.js event=0 ip=198.41.192.77 type=http

 

On 8/28/2023 at 6:05 AM, ConnerVT said:

After changing your ports did you update your config.yml file as well?

Yup, I did, sorry I forgot to mention that.

 

tunnel: bd6221asdfasfsadf
credentials-file: /home/nonroot/.cloudflared/blahblahblahblah.json

ingress:
  - service: https://192.168.1.20:443
    originRequest:
      originServerName: my.subdomain.com
      noTLSVerify: true

 

According to the dashboard at https://one.dash.cloudflare.com/, the tunnel is healthy, so I'm starting to think this is a NGINX Proxy Manager issue at this point.

Edited by jakeortman

First, you may wish to create a new tunnel.  You posted your UUID tunnel ID above.

 

I have my config.yml file set up a bit differently.  I'm using the jlesage/nginx-proxy-manager docker container, and how I have it configured uses TLS (no "noTLSVerify" needed).

 

# forward all traffic to Reverse Proxy w/ SSL
ingress:
  - hostname: next.domain.com
    service: https://172.17.0.14:4443
    originRequest:
      originServerName: domain.com

  - hostname: overseerr.domain.com
    service: https://172.17.0.14:4443
    originRequest:
      originServerName: domain.com

 

I like doing it this way, with an entry for each service explicitly controlled locally in my config.yml file.  For I have some entries in my NPM which I don't wish to expose outside my LAN.

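The two origin-side problems discussed in this thread (a certificate that is verified against a bare IP and so needs an IP SAN, and noTLSVerify switching origin verification off) can be caught before the tunnel is started. The following is an added example, not code from the thread or from cloudflared: a small linter over ingress rules transcribed from the posted configs into Python structures, so no YAML library is needed. The catch-all rule in the first set is an assumption (cloudflared requires one; the post does not show the end of that config), as are the hypothetical rule sets used in the comments.

```python
import ipaddress
from urllib.parse import urlsplit

# Ingress rules transcribed from the configs posted in this thread, as Python
# structures so no YAML library is needed. The catch-all rule in the first set
# is assumed (cloudflared requires one; the post does not show its tail).
CONNERVT_INGRESS = [
    {"hostname": "next.domain.com", "service": "https://172.17.0.14:4443",
     "originRequest": {"originServerName": "domain.com"}},
    {"hostname": "overseerr.domain.com", "service": "https://172.17.0.14:4443",
     "originRequest": {"originServerName": "domain.com"}},
    {"service": "http_status:404"},  # assumed catch-all, not in the post
]
JAKEORTMAN_INGRESS = [
    {"service": "https://192.168.1.20:443",
     "originRequest": {"originServerName": "my.subdomain.com", "noTLSVerify": True}},
]


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lint_ingress(rules):
    """Return (severity, rule_index, message) findings for a cloudflared ingress list."""
    findings = []
    # cloudflared rejects a config whose last rule still has a hostname condition.
    if not rules or "hostname" in rules[-1]:
        findings.append(("error", len(rules) - 1, "last rule must be a catch-all with no hostname"))
    for i, rule in enumerate(rules):
        url = urlsplit(rule.get("service", ""))
        origin = rule.get("originRequest") or {}
        if url.scheme != "https":
            continue  # plain http to the origin: there is no certificate to verify
        if origin.get("noTLSVerify"):
            # The tunnel still works, but cloudflared no longer authenticates the origin.
            findings.append(("warn", i, "noTLSVerify: origin certificate is not checked"))
        elif _is_ip_literal(url.hostname or "") and not origin.get("originServerName"):
            # This is the "doesn't contain any IP SANs" failure quoted in the thread.
            findings.append(("error", i, f"cert is verified against IP {url.hostname}; "
                                         "set originServerName or issue a cert with that IP SAN"))
    return findings
```

With the posted configs, the first set comes back clean and the second gets a single warning for noTLSVerify; a hypothetical rule such as `{"service": "https://192.168.1.20"}` with no originRequest reproduces the IP SAN error as a finding.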
13 hours ago, ConnerVT said:

First, you may wish to create a new tunnel.  You posted your UUID tunnel ID above.

Who's an idiot?

👈 This guy right here....😒

 

Guess what I'm doing tonight now? LOL

 

Yeah, I'm probably going to split things up into multiple line-items. My NPM has been weird and funky for a while now, I finally had to hard-code it to a version that worked properly a few months back as an update killed it. I'm using the same NPM as you are. I'll likely just blitz both and re-setup everything from scratch.

  • 2 months later...

I am currently using Cloudflare dynamic DNS and NPM.  I would like to switch to tunnels and close ports for NPM.  My question is: I am currently hosting a Minecraft server on this setup.  Is there any issue with running a Minecraft server through the tunnel?  Would I just have to point my MX and SRV records to the tunnel instead of the dynamic DNS?

Edited by Gragorg
  • 4 weeks later...

I am having an issue when using the docker to connect to Cloudflare Tunnels GUI.

 

I have tried the docker by Cornflake as well and receive the same error message.

 

 

I have the correct line in the 'Post Arguments' section and correct token set that I acquired from Cloudflare.

 

tunnel --no-autoupdate run --token xxxx

 

Error message in the logs:

 

2023-12-08T01:03:34Z INF Starting tunnel tunnelID=XXXX
2023-12-08T01:03:34Z INF Version 2023.10.0
2023-12-08T01:03:34Z INF GOOS: linux, GOVersion: go1.20.6, GoArch: amd64
2023-12-08T01:03:34Z INF Settings: map[no-autoupdate:true token:*****]
2023-12-08T01:03:34Z INF Generated Connector ID: XXXX
2023-12-08T01:03:34Z ERR Failed to fetch features, default to disable error="lookup cfd-features.argotunnel.com on [::1]:53: dial udp [::1]:53: connect: cannot assign requested address"
2023-12-08T01:03:34Z ERR update check failed error="Get \"https://update.argotunnel.com?arch=amd64&clientVersion=2023.10.0&os=linux\": dial tcp: lookup update.argotunnel.com on [::1]:53: dial udp [::1]:53: connect: cannot assign requested address"
2023-12-08T01:03:34Z WRN Unable to lookup protocol percentage.
2023-12-08T01:03:34Z INF Initial protocol quic
2023-12-08T01:03:34Z INF ICMP proxy will use 172.18.0.3 as source for IPv4
2023-12-08T01:03:34Z INF ICMP proxy will use :: as source for IPv6
2023-12-08T01:03:34Z ERR Error opening metrics server listener error="lookup localhost on [::1]:53: dial udp [::1]:53: connect: cannot assign requested address"
Error opening metrics server listener: lookup localhost on [::1]:53: dial udp [::1]:53: connect: cannot assign requested address

 

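The two logs posted in this thread look alike at a glance but have different root causes: in the first, cloudflared reaches the origin and rejects its certificate (x509); in the second, every lookup fails because the container's resolver is [::1]:53, where nothing listens, so cloudflared never gets as far as the origin. The following is an added example, not code from the thread or from cloudflared: a parser for cloudflared's timestamp/level/key=value log format that classifies ERR lines, run over lines copied from the two posts (the class labels are this script's own).

```python
import re
from collections import Counter

# Lines copied from the two cloudflared logs posted in this thread (constructed
# sample: a few lines from each, plus one INF line, to exercise the parser).
SAMPLE_LOG = '''
2023-08-26T04:18:25Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: cannot validate certificate for 192.168.1.20 because it doesn't contain any IP SANs" connIndex=3 dest=https://recipes.mydomain.net/favicon.ico event=0 ip=198.41.192.77 type=http
2023-08-26T04:18:27Z ERR  error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: cannot validate certificate for 192.168.1.20 because it doesn't contain any IP SANs" cfRay=7fc94557be3915ca-SJC event=1 originService=https://192.168.1.20
2023-12-08T01:03:34Z INF Initial protocol quic
2023-12-08T01:03:34Z ERR Failed to fetch features, default to disable error="lookup cfd-features.argotunnel.com on [::1]:53: dial udp [::1]:53: connect: cannot assign requested address"
2023-12-08T01:03:34Z ERR Error opening metrics server listener error="lookup localhost on [::1]:53: dial udp [::1]:53: connect: cannot assign requested address"
Error opening metrics server listener: lookup localhost on [::1]:53: dial udp [::1]:53: connect: cannot assign requested address
'''
LINES = SAMPLE_LOG.strip().splitlines()

LINE_RE = re.compile(r'^(?P<ts>\S+Z) (?P<level>INF|WRN|ERR) (?P<rest>.*)$')
# key=value pairs; a quoted value may contain spaces and escaped quotes.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Split one cloudflared log line into ts, level, msg and its key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None  # e.g. the bare fatal line cloudflared prints on exit
    rest = m.group("rest")
    first = FIELD_RE.search(rest)
    msg = rest[:first.start()].strip() if first else rest.strip()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {"ts": m.group("ts"), "level": m.group("level"), "msg": msg, **fields}


def classify(entry):
    """Name the failure class from the error field (labels are this script's own)."""
    err = entry.get("error", "")
    if "x509:" in err:
        return "origin-tls"    # cloudflared reached the origin and refused its certificate
    if re.search(r"lookup \S+ on \[::1\]:53", err):
        return "dns-resolver"  # container resolves via ::1, where no DNS server listens
    return "other"


def triage(log_text):
    """Count ERR lines per failure class so the two root causes are not conflated."""
    counts = Counter()
    for line in log_text.strip().splitlines():
        entry = parse_line(line)
        if entry and entry["level"] == "ERR":
            counts[classify(entry)] += 1
    return dict(counts)
```

On the sample above, triage() reports two origin-tls and two dns-resolver errors; the final un-timestamped line is deliberately skipped rather than misparsed.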
  • 2 months later...

I've been running this container to run my cloudflared tunnels for the past year. Is there any advantage to migrating to GUI tunnels and using the Unraid-Cloudflared-Tunnel container instead? I notice that the aeleos container hasn't been updated in a while.

