Cannot access Portainer instance via Cloudflare Tunnel getting 502 error

Hey @uttarms, I am sorry to write back a bit late; however, that’s weird to me :thinking:

Can we reproduce the steps and check the config.yml for cloudflared?

What I’ve done in the meantime, and it’s still working via the cloudflared tunnel over Docker and accessible to the public via portainer.example.dev:

  • I installed Docker on my Raspberry Pi 4, which is connected to my local home network.
  • Added my user to the docker group
  • Just in case, I’ve configured my custom RPi hostname and added my ISP IP address as rpi.example.com into the hosts file
  • Created the Portainer volume: docker volume create portainer_data
  • Ran the container: docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest
  • Logged in and created the admin user in the RPi web browser via https://localhost:9443 (HTTP only working)
  • Downloaded and installed the armhf .deb (Release 2022.10.1 · cloudflare/cloudflared · GitHub)
  • Then authenticated with cloudflared tunnel login in my web browser for my domain
  • Created the cloudflared tunnel with cloudflared tunnel create portainer
  • Created and saved /root/.cloudflared/config.yml, which contains the basics:
# placeholder: the ID printed by "cloudflared tunnel create"; the credentials file carries the same ID
tunnel: CLOUDFLARED-TUNNEL-ID
credentials-file: /root/.cloudflared/CLOUDFLARED-TUNNEL-ID.json

ingress:
  - hostname: portainer.example.dev
    service: https://localhost:9443
    originRequest:
      connectTimeout: 30s
      noTLSVerify: true    # origin has no trusted certificate, so do not verify it
  - service: http_status:404   # required catch-all rule at the end
  • Started traffic routing with cloudflared tunnel route dns portainer portainer.example.com
  • Ran the tunnel with cloudflared tunnel run portainer

NOTE: For example.dev and portainer.example.dev in my case, I use Full (Strict) SSL at the SSL/TLS tab.
Unlike portainer.example.dev, for example.dev (the naked domain) I am using “Cloudflare Origin CA Certificate” and “Authenticated Origin Pulls” → doesn’t matter, but just to mention.
The local RPi doesn’t have an SSL certificate; it runs only on HTTP.
However, in my config file it has https://localhost:9443.
Therefore, the noTLSVerify parameter is set to true.
And the default service http_status:404 at the end.
The CNAME tunnel hostname is proxied :orange:.

Working for me; the CNAME was created via the CLI:

On my local desktop PC via local ISP:

The Portainer interface is visible and running on localhost on my RPi4 (via RDP from my Windows OS) and also in my web browser via portainer.example.dev. In the background, the terminal running on my RPi4 can be seen too.

On my mobile phone via mobile data (4G LTE network):

Questions:
I wonder if we’ve missed some step in your case :thinking:
Otherwise, maybe the ISP is blocking something, like a port on the device (router), etc.?

Helpful resources which I’ve checked and followed to achieve the same:

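As an added example (not from this post or from cloudflared itself), a small POSIX sh script that statically checks a config.yml laid out like the one above for the mistakes that usually show up as a 502 through the tunnel, and probes the origin the way cloudflared would. Only the config layout and the portainer origin on port 9443 come from the post; the check logic, the function names and the sample values are assumed.

```shell
#!/bin/sh
# Added example, not from the post: sanity-check a cloudflared config.yml
# for the mistakes that usually surface as a 502 through the tunnel.
# Only the config layout and the portainer origin come from the post;
# the check logic and the sample paths below are assumed.

# Value of a top-level "key: value" line (first match only).
cfg_value() { sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1; }

# 1. By convention credentials-file is <tunnel-id>.json; a mismatch usually
#    means config.yml references a different tunnel than the one created.
check_tunnel_creds() {
  tid=$(cfg_value "$1" tunnel)
  cred=$(cfg_value "$1" credentials-file)
  [ -n "$tid" ] && [ "$(basename "$cred" .json)" = "$tid" ]
}

# 2. The last ingress rule must be a catch-all (bare "service:" with no
#    hostname), otherwise cloudflared refuses to start with this config.
check_catch_all() {
  last=$(sed -n '/^ingress:/,$p' "$1" | grep -E '^[[:space:]]*-' | tail -n 1)
  printf '%s\n' "$last" | grep -Eq '^[[:space:]]*-[[:space:]]*service:'
}

# 3. An https:// origin without a trusted certificate (the RPi here) needs
#    noTLSVerify: true; without it cloudflared rejects the origin -> 502.
check_tls_verify() {
  if grep -Eq 'service:[[:space:]]*https://' "$1"; then
    grep -Eq '^[[:space:]]*noTLSVerify:[[:space:]]*true' "$1"
  fi
}

# 4. Probe the origin as cloudflared would (certificate not verified);
#    prints the HTTP status, or 000 if the origin itself is unreachable.
probe_origin() { curl -sk -o /dev/null -m "${2:-30}" -w '%{http_code}' "$1"; }

# Run the static checks on the config given as the first argument.
run_checks() {
  check_tunnel_creds "$1" || { echo "tunnel id and credentials-file differ"; return 1; }
  check_catch_all "$1"    || { echo "last ingress rule is not a catch-all"; return 1; }
  check_tls_verify "$1"   || { echo "https origin without noTLSVerify: true"; return 1; }
  echo "config looks consistent; now try: probe_origin https://localhost:9443"
}

if [ -n "${1:-}" ]; then run_checks "$1"; fi
```

If the static checks pass but probe_origin from the RPi returns 000, the origin container is not listening where the config says, which is what the tunnel reports as a 502.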