jhartley, posted May 16:
@aeleos any advice here would be appreciated.
ConnerVT, posted May 16:
It is difficult to see exactly how you have things configured. You definitely have an issue with addressing your Cloudflare SSL certificate. This is how I'm configured:

    # forward all traffic to Reverse Proxy w/ SSL
    ingress:
      - hostname: next.DOMAIN.COM
        service: https://172.17.0.14:4443
        originRequest:
          originServerName: DOMAIN.COM
      - hostname: overseerr.DOMAIN.COM
        service: https://172.17.0.14:4443
        originRequest:
          originServerName: DOMAIN.COM

I have several more subdomains, all as this. Two are not even on the same machine as NPM/Cloudflared. The tunnel works fine, and NPM forwards as expected.
jhartley, posted May 17:
3 hours ago, ConnerVT said:
> It is difficult to see exactly how you have things configured. You definitely have an issue with addressing your Cloudflare SSL certificate. This is how I'm configured:
>
>     # forward all traffic to Reverse Proxy w/ SSL
>     ingress:
>       - hostname: next.DOMAIN.COM
>         service: https://172.17.0.14:4443
>         originRequest:
>           originServerName: DOMAIN.COM
>       - hostname: overseerr.DOMAIN.COM
>         service: https://172.17.0.14:4443
>         originRequest:
>           originServerName: DOMAIN.COM
>
> I have several more subdomains, all as this. Two are not even on the same machine as NPM/Cloudflared. The tunnel works fine, and NPM forwards as expected.

So you add an individual entry for each service. Can you not just do a wildcard that catches all subdomains?
ConnerVT, posted May 17:
I fought with this setup for some time back nearly a year ago. Tried many different configurations; this one works and is secure. I'm sure there are other configs that work.
jhartley, posted May 17 (edited):
7 hours ago, ConnerVT said:
> I fought with this setup for some time back nearly a year ago. Tried many different configurations; this one works and is secure. I'm sure there are other configs that work.

I am using NPM. For some reason, when I point my config file at the NPM https endpoint and then add my host to NPM, it won't find my host. When I point my config to the NPM http endpoint, it will find my host.

Solved: For anyone else experiencing the same issue, to fix this do the following:
1. Set your NPM host to http.
2. Get the origin server key and cert being used by your tunnel and create separate files for each (name.key, name.pem).
3. Go to the SSL tab in NPM and create a new custom certificate using the .key and .pem files created.
4. Go to the SSL tab for the host and add that certificate.

Edited May 17 by jhartley
jakeortman, posted August 26:
This is probably something really dumb, but I can't seem to get it figured out. First off, recently, I changed my NPM ports so they're using the standard HTTP (80) and HTTPS (443) ports after changing the default admin ports in Unraid. I'm doing this so I can serve content locally on my network with the same domain name as I do remotely (say, photos.domain.net). That way I can access the server directly when I'm outside the network, run it through cloudflare outside the network, where it uses Google Workspace as an access method. This all worked until recently, but would randomly crash, and I wanted my wife to still have a way to easily access the photos and recipe site I had set up. So that's why I changed the port. But cloudflared is still being weird. I'm getting a lot of these types of messages in the logs and the sites aren't accessible outside the network.

    2023-08-26T04:18:25Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: cannot validate certificate for 192.168.1.20 because it doesn't contain any IP SANs" connIndex=3 dest=https://recipes.mydomain.net/favicon.ico event=0 ip=198.41.192.77 type=http
    2023-08-26T04:18:27Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: cannot validate certificate for 192.168.1.20 because it doesn't contain any IP SANs" cfRay=7fc94557be3915ca-SJC event=1 originService=https://192.168.1.20
    2023-08-26T04:18:27Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: cannot validate certificate for 192.168.1.20 because it doesn't contain any IP SANs" connIndex=3 dest=https://recipes.mydomain.net/service-worker.js event=0 ip=198.41.192.77 type=http
ConnerVT, posted August 28:
After changing your ports, did you update your config.yml file as well?
jakeortman, posted August 29 (edited):
On 8/28/2023 at 6:05 AM, ConnerVT said:
> After changing your ports, did you update your config.yml file as well?

Yup, I did, sorry I forgot to mention that.

    tunnel: bd6221asdfasfsadf
    credentials-file: /home/nonroot/.cloudflared/blahblahblahblah.json
    ingress:
      - service: https://192.168.1.20:443
        originRequest:
          originServerName: my.subdomain.com
          noTLSVerify: true

According to the dashboard at https://one.dash.cloudflare.com/, the tunnel is healthy, so I'm starting to think this is an NGINX Proxy Manager issue at this point.

Edited August 30 by jakeortman
ConnerVT, posted August 29:
First, you may wish to create a new tunnel. You posted your tunnel UUID above. I have my config.yml file set up a bit differently. I'm using the jlesage/nginx-proxy-manager docker container, and how I have it configured uses TLS (no "noTLSVerify" needed).

    # forward all traffic to Reverse Proxy w/ SSL
    ingress:
      - hostname: next.domain.com
        service: https://172.17.0.14:4443
        originRequest:
          originServerName: domain.com
      - hostname: overseerr.domain.com
        service: https://172.17.0.14:4443
        originRequest:
          originServerName: domain.com

I like doing it this way, with an entry for each service explicitly controlled locally in my config.yml file. For I have some entries in my NPM which I don't wish to expose outside my LAN.
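The two origin-TLS failure modes in this thread (the "doesn't contain any IP SANs" log lines and the noTLSVerify: true workaround) can be caught before the tunnel starts. This is an added Python linter, not code from the thread or from cloudflared; the configs are constructed dicts in the shape yaml.safe_load() returns for a config.yml, modelled on the ones posted above, and the catch-all check reflects cloudflared's rule that the last ingress entry must match all requests.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed samples in the shape yaml.safe_load() returns for config.yml.
POSTED = {  # single rule with the noTLSVerify workaround
    "ingress": [
        {"service": "https://192.168.1.20:443",
         "originRequest": {"originServerName": "my.subdomain.com", "noTLSVerify": True}},
    ],
}
LOGGED = {  # https origin by IP, no originServerName: produces the IP SANs error
    "ingress": [{"hostname": "recipes.mydomain.net", "service": "https://192.168.1.20"}],
}
PER_SERVICE = {  # one explicit rule per subdomain, cert verified, plus a catch-all
    "ingress": [
        {"hostname": "next.domain.com", "service": "https://172.17.0.14:4443",
         "originRequest": {"originServerName": "domain.com"}},
        {"hostname": "overseerr.domain.com", "service": "https://172.17.0.14:4443",
         "originRequest": {"originServerName": "domain.com"}},
        {"service": "http_status:404"},
    ],
}

def _host_is_ip(url):
    """True when the URL's host is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def lint_ingress(config):
    """Return [(rule_index, finding)] for the origin-TLS problems seen in this thread."""
    findings = []
    rules = config.get("ingress") or []
    # cloudflared rejects a config whose last rule is not a catch-all (no hostname/path)
    if not rules or "hostname" in rules[-1] or "path" in rules[-1]:
        findings.append((len(rules) - 1, "last rule must be a catch-all, e.g. service: http_status:404"))
    for i, rule in enumerate(rules):
        service = rule.get("service", "")
        opts = rule.get("originRequest") or {}
        if opts.get("noTLSVerify"):
            findings.append((i, "noTLSVerify: true disables origin certificate validation"))
        elif service.startswith("https://") and _host_is_ip(service) and not opts.get("originServerName"):
            findings.append((i, "https origin addressed by IP without originServerName: "
                                "x509 'doesn't contain any IP SANs' failure"))
    return findings
```

Run lint_ingress() over yaml.safe_load(open("config.yml")) to check a real file; an empty list means none of the three problems is present.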
jakeortman, posted August 30:
13 hours ago, ConnerVT said:
> First, you may wish to create a new tunnel. You posted your tunnel UUID above.

Who's an idiot? 👈 This guy right here....😒 Guess what I'm doing tonight now? LOL

Yeah, I'm probably going to split things up into multiple line items. My NPM has been weird and funky for a while now; I finally had to hard-code it to a version that worked properly a few months back, as an update killed it. I'm using the same NPM as you are. I'll likely just blitz both and re-setup everything from scratch.