Can access Digital Ocean droplet from IP but not Tunnel (Docker agent)

Hi lovely Cloudflare Community!

I have set up a droplet on DO with two images:

  • Actual Budget with command docker run --pull=always --restart=unless-stopped -d -p 5006:5006 -v YOUR/PATH/TO/DATA:/data --name my_actual_budget actualbudget/actual-server:latest
  • cloudflared with command docker run -d cloudflare/cloudflared:latest tunnel --no-autoupdate run --token [...]

There is no firewall set up for the droplet.

The aim is to expose Actual Budget to my subdomain, and I believe Cloudflare Tunnels is the best way to do so.

I’m able to access Actual Budget in my browser using the droplet’s public IP address with port 5006. I also get data back when running curl http://<public-ip>:5006, same for the private IP.

I’ve configured Tunnel, setting up the Docker container with the token and a public hostname with the subdomain and the service set to http://localhost:5006 (I have also tried public IP, private IP, and 0.0.0.0). It shows as “healthy” on the dashboard.

However, requests always time out, and the website shows error 502 “bad gateway”. The cloudflared logs show:

2023-08-15T01:12:40Z INF Updated to new configuration config="{\"ingress\":[{\"hostname\":\"MYSUBDOMAIN.DOMAIN.me\",\"originRequest\":{},\"service\":\"http://localhost:5006\"},{\"service\":\"http_status:404\"}],\"warp-routing\":{\"enabled\":false}}" version=10
2023-08-15T01:12:42Z ERR  error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 127.0.0.1:5006: connect: connection refused" cfRay=7f6d922139f723ec-LHR event=1 ingressRule=0 originService=http:/localhost:5006
2023-08-15T01:12:42Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 127.0.0.1:5006: connect: connection refused" connIndex=0 dest=https:/MYSUBDOMAIN.DOMAIN.me/favicon.ico event=0 ip=198.41.192.107 type=http

(I removed //s to prevent breaking comments)

Is there something I’m missing here? I appreciate your eyes on this in advance <3

This could have to do with the way Docker handles internal traffic. Localhost will probably target the internal internet port of the cloudflared Docker container. You could try to use the IP address of your Docker container. Or you could install cloudflared directly on the OS without the Docker container.

3 Likes

Jason! You absolute legend! You led me down the right path.

To fix this issue, I created a Docker network:

$ docker network create cloudflaredNet

I then added both the cloudflared container and the container I wanted to expose to the network:

$ docker network connect cloudflaredNet <cloudflared-docker-container-name>
$ docker network connect cloudflaredNet <container-to-expose>

I then grabbed the internal IP for the container I wanted to expose:

$ docker network inspect cloudflaredNet

[
    {
        "Name": "cloudflaredNet",
        // ...
        "Containers": {
            // ... cloudflared container here
            "some-long-hash": {
                "Name": "container-to-expose",
                "EndpointID": "...",
                "MacAddress": "...",
                "IPv4Address": "172.1.0.2/16", // <---- this IP
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {}
    }
]

I used that IP as the service in the tunnel and it worked!

Thanks for guiding me in the right direction. I also used this Stack Overflow answer from MxWild.

2 Likes
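
An added example, not part of the original posts and not cloudflared's own code: a Python check that decodes the ingress config cloudflared logged, flags origins pointing at loopback (which inside the cloudflared container is that container itself), and proposes the origin container's address on the shared Docker network. Both inputs are constructed samples; the container name cloudflared, its IP 172.1.0.3 and the short container IDs are assumptions.

```python
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Constructed input: the config line from the post's log, with the "//" restored.
LOG_LINE = r'''2023-08-15T01:12:40Z INF Updated to new configuration config="{\"ingress\":[{\"hostname\":\"MYSUBDOMAIN.DOMAIN.me\",\"originRequest\":{},\"service\":\"http://localhost:5006\"},{\"service\":\"http_status:404\"}],\"warp-routing\":{\"enabled\":false}}" version=10'''

# Constructed input: trimmed `docker network inspect cloudflaredNet` output (valid JSON).
NETWORK_JSON = '''[{"Name": "cloudflaredNet", "Containers": {
  "aaaa": {"Name": "cloudflared", "IPv4Address": "172.1.0.3/16"},
  "bbbb": {"Name": "my_actual_budget", "IPv4Address": "172.1.0.2/16"}}}]'''


def ingress_from_log(line):
    """Extract the escaped JSON in the config="..." field and decode it."""
    m = re.search(r'config="((?:[^"\\]|\\.)*)"', line)
    if not m:
        raise ValueError("no config= field in log line")
    # First loads() undoes the \" escaping, second parses the config itself.
    return json.loads(json.loads('"' + m.group(1) + '"'))["ingress"]


def is_loopback(host):
    """True for localhost and any 127.0.0.0/8 or ::1 literal."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # some other hostname, e.g. a container name


def check(log_line, network_json, origin_container):
    """Return (hostname, loopback service, suggested service) per bad rule."""
    peers = {c["Name"]: c["IPv4Address"].split("/")[0]
             for c in json.loads(network_json)[0]["Containers"].values()}
    if origin_container not in peers:
        raise LookupError(f"{origin_container} is not attached to this network")
    findings = []
    for rule in ingress_from_log(log_line):
        url = urlsplit(rule["service"])  # http_status:404 has no http scheme
        if url.scheme in ("http", "https") and is_loopback(url.hostname or ""):
            port = f":{url.port}" if url.port else ""
            fixed = f"{url.scheme}://{peers[origin_container]}{port}"
            findings.append((rule.get("hostname"), rule["service"], fixed))
    return findings


if __name__ == "__main__":
    for host, bad, fixed in check(LOG_LINE, NETWORK_JSON, "my_actual_budget"):
        print(f"{host}: {bad} is cloudflared's own loopback; use {fixed}")
```

On a user-defined network Docker's embedded DNS also resolves container names, so the container name can stand in for the IP, which may change when containers are recreated. The -p 5006:5006 mapping from the first post still publishes the origin on the droplet's public IP outside the tunnel, and with no firewall it stays reachable there unless the port mapping is dropped or bound to 127.0.0.1.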

Glad you could figure it out.

1 Like
