I am experimenting a bit with Cloudflare Tunnel.
Furthermore, I wonder, for example, about a situation as below:
- dedicated server with an installed web server (Nginx, 443 ssl http2) serving 10, 20, 50+ working domains
- all domains are behind and using Cloudflare service
- all domains on Full (Strict) SSL each using Cloudflare Origin CA Certificate and Authenticated Origin Pulls
- running cloudflared as a service (on startup/boot)
- added the route for the IPv4 and IPv6 subnet (cloudflared tunnel route ip show)
- added CNAME record(s) to each of the domains
- all working fine for now “as-is”
May I ask what some best practices are for running a cloudflared tunnel with multiple services / hostnames / domains under the conditions listed above?
Should I run only one, or “multiple instances”, just in case some connection fails? I even saw in the terminal that it immediately retries with some other closest available one.
Or is it a good way to split by some “category” or “priority” of domains, or by service, e.g. SSH as a separate “ssh tunnel” from the “websites tunnel” (different parameters could be added to each, but also in the same config/tunnel)?
I am not sure, but it would be a real mess in the config.yml file at least, as it seems to me …
Nevertheless, when running cloudflared tunnel ingress validate, I got the following returned (I edited config.yml with the nano editor - should I use some other?):
error parsing YAML in config file at /root/.cloudflared/config.yml: yaml: line 7: mapping values are not allowed in this context
tunnel: <UUID>
credentials-file: /root/.cloudflared/<UUID>.json
ingress:
  - hostname: wordpress.domainB.com
    service: https://localhost:443
    originRequest:
      connectTimeout: 30s
      noTLSVerify: true
  - hostname: test.domainA.com
    service: https://localhost:443
    originRequest:
      connectTimeout: 30s
      noTLSVerify: true
  - service: http_status:404
It does not throw that warning/error if I move the part from below:
originRequest:
  connectTimeout: 30s
  noTLSVerify: true
and put it right after credentials-file, removing it from each service, to get the final config looking as below:
tunnel: <UUID>
credentials-file: /root/.cloudflared/<UUID>.json
originRequest:
  connectTimeout: 30s
  noTLSVerify: true
ingress:
  - hostname: wordpress.domainB.com
    service: https://localhost:443
  - hostname: test.domainA.com
    service: https://localhost:443
  - service: http_status:404
Validating rules from /root/.cloudflared/config.yml OK
In the above tunnel I could also combine and add the SSH one like this, which works:
  - hostname: "ssh.mydomain.com"
    service: ssh://localhost:22
But again, isn’t all that going to be too much stuff on only one
Despite the documentation covering IPv4 iptables for the OS-level firewall, may I ask if it is also a good way to lock down and secure IPv6 (ip6tables too)?
Some helpful information I have found, but still better to ask here:
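As an added example (not part of the original post and not cloudflared's own code), here is a small model of how config.yml is read and how ingress rules are resolved: a parser for the YAML subset the post uses, the first-match ingress lookup ending in the catch-all, and the merge of a top-level originRequest with a per-rule one (per-rule keys override top-level keys). The two configs are constructed to mirror the post; the hardened variant, the caPool path /etc/cloudflared/origin_ca_rsa_root.pem and the originServerName values are assumptions, shown beside the weak noTLSVerify setting so the difference in effective settings is visible per hostname.

```python
"""Model of cloudflared config.yml parsing and ingress resolution (added example)."""
import re


class ConfigError(ValueError):
    pass


def _scalar(raw):
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    return int(raw) if raw.isdigit() else raw


def _block(lines, pos, indent):
    """Parse one mapping or list whose entries all start at `indent` spaces."""
    if lines[pos][1].startswith("- "):
        items = []
        while pos < len(lines) and lines[pos][0] == indent and lines[pos][1].startswith("- "):
            # '- key: value' is a mapping whose keys sit two columns right of the dash
            lines[pos] = [indent + 2, lines[pos][1][2:], lines[pos][2]]
            item, pos = _block(lines, pos, indent + 2)
            items.append(item)
        return items, pos
    mapping = {}
    while pos < len(lines) and lines[pos][0] == indent and not lines[pos][1].startswith("- "):
        key, sep, value = lines[pos][1].partition(":")
        if not sep or not key.strip():
            raise ConfigError(f"line {lines[pos][2]}: expected 'key: value'")
        pos += 1
        if value.strip():
            mapping[key.strip()] = _scalar(value)
        elif pos < len(lines) and lines[pos][0] > indent:
            mapping[key.strip()], pos = _block(lines, pos, lines[pos][0])
        else:
            mapping[key.strip()] = None
    return mapping, pos


def parse_yaml(text):
    """Subset parser: nested mappings, lists of mappings, scalars, '#' comments.
    A line whose indent no open block expects is the kind of mistake that
    makes a YAML parser complain about mapping values in the wrong context."""
    lines = []
    for n, raw in enumerate(text.splitlines(), 1):
        body = re.sub(r"(^|\s+)#.*$", "", raw).rstrip()
        if body.strip():
            lines.append([len(body) - len(body.lstrip(" ")), body.strip(), n])
    if not lines:
        return {}
    doc, pos = _block(lines, 0, lines[0][0])
    if pos < len(lines):
        raise ConfigError(f"line {lines[pos][2]}: unexpected indentation")
    return doc


def effective_origin_request(config, rule):
    """Top-level originRequest is the default; a per-rule block overrides its keys."""
    merged = dict(config.get("originRequest") or {})
    merged.update(rule.get("originRequest") or {})
    return merged


def resolve(config, hostname):
    """Return (service, effective originRequest) for a request's hostname:
    rules are tried in order, the last rule must be the hostname-less catch-all."""
    rules = config.get("ingress") or []
    if not rules or "hostname" in rules[-1]:
        raise ConfigError("last ingress rule must be a catch-all with no hostname")
    for rule in rules:
        if rule.get("hostname") in (None, hostname):
            return rule["service"], effective_origin_request(config, rule)


def audit_tls(config):
    """HTTPS origins whose effective settings skip origin certificate verification."""
    return [r["hostname"] for r in config.get("ingress") or []
            if "hostname" in r and str(r.get("service", "")).startswith("https://")
            and effective_origin_request(config, r).get("noTLSVerify") is True]


# Constructed to mirror the post's final config: one top-level originRequest
# switches off certificate checks for every rule, Origin CA certificate or not.
WEAK_CONFIG = """\
tunnel: <UUID>
credentials-file: /root/.cloudflared/<UUID>.json
originRequest:
  connectTimeout: 30s
  noTLSVerify: true
ingress:
  - hostname: wordpress.domainB.com
    service: https://localhost:443
  - hostname: test.domainA.com
    service: https://localhost:443
  - hostname: "ssh.mydomain.com"
    service: ssh://localhost:22
  - service: http_status:404
"""

# Assumed hardened variant: keep verification on, trust the Cloudflare Origin CA
# root via caPool (path is an assumption) and pin the name each origin must present.
HARDENED_CONFIG = """\
tunnel: <UUID>
credentials-file: /root/.cloudflared/<UUID>.json
originRequest:
  connectTimeout: 30s
  caPool: /etc/cloudflared/origin_ca_rsa_root.pem
ingress:
  - hostname: wordpress.domainB.com
    service: https://localhost:443
    originRequest:
      originServerName: wordpress.domainB.com
  - hostname: test.domainA.com
    service: https://localhost:443
    originRequest:
      originServerName: test.domainA.com
  - hostname: "ssh.mydomain.com"
    service: ssh://localhost:22
  - service: http_status:404
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        cfg = parse_yaml(text)
        print(name, "rules:", len(cfg["ingress"]), "noTLSVerify on:", audit_tls(cfg))
        print("  test.domainA.com ->", resolve(cfg, "test.domainA.com"))
        print("  unknown.example  ->", resolve(cfg, "unknown.example")[0])
```

The point of the merge function is the one the post stumbled on: moving originRequest to the top level is not just a way to silence the validator, it changes the effective settings of every rule, so a single noTLSVerify: true there applies to all origins. The parser only accepts list items indented deeper than their key, which is the layout the post's configs use.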