jhartley Posted May 16, 2023
@aeleos any advice here would be appreciated.
ConnerVT Posted May 16, 2023
It is difficult to see exactly how you have things configured. You definitely have an issue with addressing your Cloudflare SSL certificate. This is how I'm configured:

# forward all traffic to Reverse Proxy w/ SSL
ingress:
  - hostname: next.DOMAIN.COM
    service: https://172.17.0.14:4443
    originRequest:
      originServerName: DOMAIN.COM
  - hostname: overseerr.DOMAIN.COM
    service: https://172.17.0.14:4443
    originRequest:
      originServerName: DOMAIN.COM

I have several more subdomains, all as this. Two are not even on the same machine as NPM/Cloudflared. The tunnel works fine, and NPM forwards as expected.
jhartley Posted May 17, 2023
3 hours ago, ConnerVT said:
It is difficult to see exactly how you have things configured. You definitely have an issue with addressing your Cloudflare SSL certificate. This is how I'm configured:

# forward all traffic to Reverse Proxy w/ SSL
ingress:
  - hostname: next.DOMAIN.COM
    service: https://172.17.0.14:4443
    originRequest:
      originServerName: DOMAIN.COM
  - hostname: overseerr.DOMAIN.COM
    service: https://172.17.0.14:4443
    originRequest:
      originServerName: DOMAIN.COM

I have several more subdomains, all as this. Two are not even on the same machine as NPM/Cloudflared. The tunnel works fine, and NPM forwards as expected.

So you add an individual entry for each service. Can you not just do a wildcard that catches all subdomains?
ConnerVT Posted May 17, 2023
I fought with this setup for some time back nearly a year ago. Tried many different configurations, this one works and is secure. I'm sure there are other configs that work.
jhartley Posted May 17, 2023
7 hours ago, ConnerVT said:
I fought with this setup for some time back nearly a year ago. Tried many different configurations, this one works and is secure. I'm sure there are other configs that work.

I am using NPM. For some reason when I point my config file at the NPM https endpoint and then add my host to NPM, it won't find my host. When I point my config to the NPM http endpoint it will find my host.

Solved: For anyone else experiencing the same issue, to fix this do the following:
1. Set your NPM host to http.
2. Get the origin server key and cert being used by your tunnel and create separate files for each (name.key, name.pem).
3. Go to the SSL tab in NPM and create a new custom certificate using the .key and .pem files created.
4. Go to the SSL tab for the host and add that certificate.
Edited May 17, 2023 by jhartley
jakeortman Posted August 26, 2023
This is probably something really dumb, but I can't seem to get it figured out. First off, recently, I changed my NPM ports so they're using the standard HTTP (80) and HTTPS (443) ports after changing the default admin ports in Unraid. I'm doing this so I can serve content locally on my network with the same domain name as I do remotely (say, photos.domain.net). That way I can access the server directly when I'm inside the network, and run it through Cloudflare outside the network, where it uses Google Workspace as an access method. This all worked until recently, but would randomly crash, and I wanted my wife to still have a way to easily access the photos and recipe site I had set up. So that's why I changed the port. But cloudflared is still being weird. I'm getting a lot of these types of messages in the logs and the sites aren't accessible outside the network.

2023-08-26T04:18:25Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: cannot validate certificate for 192.168.1.20 because it doesn't contain any IP SANs" connIndex=3 dest=https://recipes.mydomain.net/favicon.ico event=0 ip=198.41.192.77 type=http
2023-08-26T04:18:27Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: cannot validate certificate for 192.168.1.20 because it doesn't contain any IP SANs" cfRay=7fc94557be3915ca-SJC event=1 originService=https://192.168.1.20
2023-08-26T04:18:27Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: cannot validate certificate for 192.168.1.20 because it doesn't contain any IP SANs" connIndex=3 dest=https://recipes.mydomain.net/service-worker.js event=0 ip=198.41.192.77 type=http
ConnerVT Posted August 28, 2023
After changing your ports did you update your config.yml file as well?
jakeortman Posted August 29, 2023
On 8/28/2023 at 6:05 AM, ConnerVT said:
After changing your ports did you update your config.yml file as well?

Yup, I did, sorry I forgot to mention that.

tunnel: bd6221asdfasfsadf
credentials-file: /home/nonroot/.cloudflared/blahblahblahblah.json
ingress:
  - service: https://192.168.1.20:443
    originRequest:
      originServerName: my.subdomain.com
      noTLSVerify: true

According to the dashboard at https://one.dash.cloudflare.com/, the tunnel is healthy, so I'm starting to think this is a NGINX Proxy Manager issue at this point.
Edited August 30, 2023 by jakeortman
ConnerVT Posted August 29, 2023
First, you may wish to create a new tunnel. You posted your tunnel UUID above. I have my config.yml file set up a bit differently. I'm using the jlesage/nginx-proxy-manager docker container, and how I have it configured uses TLS (no "noTLSVerify" needed).

# forward all traffic to Reverse Proxy w/ SSL
ingress:
  - hostname: next.domain.com
    service: https://172.17.0.14:4443
    originRequest:
      originServerName: domain.com
  - hostname: overseerr.domain.com
    service: https://172.17.0.14:4443
    originRequest:
      originServerName: domain.com

I like doing it this way, with an entry for each service explicitly controlled locally in my config.yml file, since I have some entries in my NPM which I don't wish to expose outside my LAN.
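An added example (not code from anyone in this thread) that audits the ingress rules of a cloudflared config.yml for the two problems discussed above: an https service pointed at a bare IP with no originServerName, which makes cloudflared verify the origin certificate against the IP and fail with the "doesn't contain any IP SANs" error, and noTLSVerify: true, which silences the error by not checking the certificate at all. It assumes the config has already been loaded with PyYAML into a dict and that the origin certificate's SANs are supplied as (type, value) pairs, for instance copied from openssl x509 -noout -ext subjectAltName; the sample config and SAN list are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed input shaped like yaml.safe_load() output for a cloudflared config.yml;
# hostnames and addresses are placeholders, the catch-all is deliberately misplaced.
SAMPLE_CONFIG = {"ingress": [
    {"hostname": "next.example.com", "service": "https://172.17.0.14:4443",
     "originRequest": {"originServerName": "example.com"}},
    {"service": "https://192.168.1.20:443"},  # https to a bare IP, no originServerName
    {"hostname": "recipes.example.com", "service": "https://192.168.1.20:443",
     "originRequest": {"noTLSVerify": True}},
]}
# Constructed SAN list of the cert NPM serves: DNS names only, no IP SAN.
SAMPLE_SANS = [("DNS", "example.com"), ("DNS", "*.example.com")]

def san_matches(name, sans):
    """True if a DNS name or IP literal is covered by the certificate's SANs."""
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    if ip is not None:  # an IP in the service URL is only valid against an IP SAN
        return any(k == "IP" and ipaddress.ip_address(v) == ip for k, v in sans)
    name = name.lower().rstrip(".")
    for kind, value in sans:
        value = value.lower()
        if kind == "DNS" and value.startswith("*."):  # wildcard matches one label
            if name.count(".") == value.count(".") and name.endswith(value[1:]):
                return True
        elif kind == "DNS" and value == name:
            return True
    return False

def check_ingress(config, sans):
    """Return findings for each ingress rule that would fail or weaken origin TLS."""
    findings, rules = [], config.get("ingress", [])
    for i, rule in enumerate(rules):
        url, origin = urlsplit(rule["service"]), rule.get("originRequest") or {}
        where = f"rule {i} ({rule.get('hostname', 'catch-all')})"
        if "hostname" not in rule and i != len(rules) - 1:
            findings.append(f"{where}: catch-all rule must be last, later rules never match")
        if url.scheme != "https":
            continue
        expected = origin.get("originServerName") or url.hostname  # name cloudflared verifies
        if origin.get("noTLSVerify"):
            findings.append(f"{where}: noTLSVerify disables origin certificate checks")
        elif not san_matches(expected, sans):
            findings.append(f"{where}: origin cert SANs do not cover {expected!r}")
    return findings
```

On the sample input this reports the misplaced catch-all, the IP-verified rule that the certificate cannot satisfy, and the rule that turned verification off; adding originServerName with a name the certificate carries clears the second finding without needing noTLSVerify.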
jakeortman Posted August 30, 2023
13 hours ago, ConnerVT said:
First, you may wish to create a new tunnel. You posted your tunnel UUID above.

Who's an idiot? 👈 This guy right here....😒 Guess what I'm doing tonight now? LOL

Yeah, I'm probably going to split things up into multiple line items. My NPM has been weird and funky for a while now; I finally had to hard-code it to a version that worked properly a few months back as an update killed it. I'm using the same NPM as you are. I'll likely just blitz both and re-set up everything from scratch.
Gragorg Posted November 14, 2023
I am currently using Cloudflare dynamic DNS and NPM. I would like to switch to tunnels and close ports for NPM. My question is, I am currently hosting a Minecraft server on this setup. Is there any issue with running a Minecraft server through the tunnel? Would I just have to point my MX and SRV records to the tunnels instead of the dynamic DNS?
Edited November 14, 2023 by Gragorg
JonathanM Posted November 14, 2023
8 minutes ago, Gragorg said:
Is there any issue with running a Minecraft server through the tunnel?

Check the terms of service with Cloudflare. There is something tickling my memory about approved and non-approved traffic through their tunnels.
ConnerVT Posted November 14, 2023
Also, I believe for Cloudflare Tunnel you need a true domain (not dynamic). And there are only certain types of data which can be sent through tunnels: http, ssh, rdp, and a couple(?) more.
unham Posted December 8, 2023
I am having an issue when using the docker to connect to the Cloudflare Tunnels GUI. I have tried the docker by Cornflake as well and receive the same error message. I have the correct line in the 'Post Arguments' section and the correct token set that I acquired from Cloudflare.

tunnel --no-autoupdate run --token xxxx

Error message in the logs:

2023-12-08T01:03:34Z INF Starting tunnel tunnelID=XXXX
2023-12-08T01:03:34Z INF Version 2023.10.0
2023-12-08T01:03:34Z INF GOOS: linux, GOVersion: go1.20.6, GoArch: amd64
2023-12-08T01:03:34Z INF Settings: map[no-autoupdate:true token:*****]
2023-12-08T01:03:34Z INF Generated Connector ID: XXXX
2023-12-08T01:03:34Z ERR Failed to fetch features, default to disable error="lookup cfd-features.argotunnel.com on [::1]:53: dial udp [::1]:53: connect: cannot assign requested address"
2023-12-08T01:03:34Z ERR update check failed error="Get \"https://update.argotunnel.com?arch=amd64&clientVersion=2023.10.0&os=linux\": dial tcp: lookup update.argotunnel.com on [::1]:53: dial udp [::1]:53: connect: cannot assign requested address"
2023-12-08T01:03:34Z WRN Unable to lookup protocol percentage.
2023-12-08T01:03:34Z INF Initial protocol quic
2023-12-08T01:03:34Z INF ICMP proxy will use 172.18.0.3 as source for IPv4
2023-12-08T01:03:34Z INF ICMP proxy will use :: as source for IPv6
2023-12-08T01:03:34Z ERR Error opening metrics server listener error="lookup localhost on [::1]:53: dial udp [::1]:53: connect: cannot assign requested address"
Error opening metrics server listener: lookup localhost on [::1]:53: dial udp [::1]:53: connect: cannot assign requested address
rama3124 Posted February 13
I've been running this container to run my cloudflared tunnels for the past year. Is there any advantage to migrating to GUI tunnels and using the Unraid-Cloudflared-Tunnel container instead? I notice that the aeleos container hasn't been updated in a while.