Hi,
I have a server running on Oracle Cloud.
I run several services through docker. As reverse proxy I use Traefik2.
I can access the web gui of a service when I set an A-record to my server (with port 443 open), but when I try to connect it through a Cloudflare tunnel, it isn’t accessible. (error: Bad gateway Error - code 502)
These are my settings:
- Cloudflare Tunnel’s dashboard shows my tunnel as “Healthy” and “Connected”.
- Oracle virtual network: 10.0.0.0/24
- Oracle server ip: 10.0.0.15
As you can see I tried several settings/combinations, but can’t find the issue.
The last one is on my home server, where everything works flawlessly with just these settings.
If anyone could direct me in the right way?
Thanks a lot,
Saidou
Can you check your cloudflared logs? Usually there are hints as to why cloudflared was unable to connect to the origin service.
I can see these errors in the log:
2023-02-19 19:29:39 failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details.
2023-02-19T18:29:47Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 10.0.0.15:9088: connect: no route to host" cfRay=12d34eebc03b9a5-BRU ingressRule=0 originService=http://10.0.0.15:9088
2023-02-19T18:29:47Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 10.0.0.15:9088: connect: no route to host" connIndex=3 dest=https://vault.example.com/ ip=123.45.678.910 type=http
This error means that cloudflared was unable to reach the host on the port. Does it work from the machine if you use the command line?
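As an added example (not part of the original thread and not any poster's code), this sketch groups the `dial tcp` failures in a cloudflared log by origin and maps each error string to its usual class of cause, then offers a `probe` helper that repeats the same TCP dial. The function names, the abridged constructed log lines and the cause descriptions are assumptions of the example.

```python
import errno
import re
import socket
from collections import Counter

# Constructed, abridged log modelled on the ERR lines quoted in the thread;
# the :9089 and :9090 entries are invented to show the other failure modes.
SAMPLE_LOG = """\
2023-02-19T18:29:47Z ERR error="Unable to reach the origin service: dial tcp 10.0.0.15:9088: connect: no route to host" ingressRule=0 originService=http://10.0.0.15:9088
2023-02-19T18:29:47Z ERR Request failed error="Unable to reach the origin service: dial tcp 10.0.0.15:9088: connect: no route to host" connIndex=3 type=http
2023-02-19T18:30:02Z ERR error="Unable to reach the origin service: dial tcp 10.0.0.15:9089: connect: connection refused" ingressRule=1 originService=http://10.0.0.15:9089
2023-02-19T18:30:10Z ERR error="Unable to reach the origin service: dial tcp 10.0.0.15:9090: i/o timeout" ingressRule=2 originService=http://10.0.0.15:9090
"""

DIAL_RE = re.compile(
    r'dial tcp (?P<host>[0-9.]+):(?P<port>\d+): (?:connect: )?(?P<reason>[^"]+)"')

# Usual meaning of each dial error (general Linux/Go behaviour, not from the thread).
CAUSES = {
    "no route to host": "ICMP unreachable returned (EHOSTUNREACH): host firewall REJECT rule or missing route",
    "connection refused": "port reachable but closed (ECONNREFUSED): nothing listening on that address:port",
    "i/o timeout": "packets dropped silently: DROP rule or cloud security list",
}

def summarise(log_text):
    """Count failed origin dials per (host, port, reason)."""
    hits = Counter()
    for m in DIAL_RE.finditer(log_text):
        hits[(m["host"], int(m["port"]), m["reason"])] += 1
    return hits

def diagnose(log_text):
    """Map each failing origin to the likely class of cause."""
    return {f"{h}:{p}": CAUSES.get(r, "unclassified: " + r)
            for (h, p, r) in summarise(log_text)}

def probe(host, port, timeout=3.0):
    """Repeat cloudflared's TCP dial; run it from where cloudflared runs."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "i/o timeout"
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc))

if __name__ == "__main__":
    for origin, cause in diagnose(SAMPLE_LOG).items():
        print(origin, "->", cause)
```

If cloudflared runs in a container, `probe` only reproduces its view of the network when it is run inside that same container or network namespace.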
Thank you for your reply.
Yes it worked from the command line.
For the individual sub domain to work I had to open the firewall for that specific port.
However, on my home server, it also works when setting the catch rule only, without having to set up the individual public hostnames for every sub domain.
In the CF dns-section I have a CNAME (e.g. tunnel.domain.com) which points to my CF-tunnel (e.g. 12345-2345-3443.cfargotunnel.com).
My sub domains (e.g. tunnel-test.domain.com) for the service on my home server then point to 'tunnel.domain.com'.
That works perfectly, so all the rest can be managed by Traefik.
On the Oracle Cloud CF-tunnel, when adding the individual subdomain in the public host name section, it bypasses Traefik.