Cloudflare + Proxmox Server inside VM got HTTP 522 and 502

What is the name of the domain?

example.com

What is the error number?

522

What is the issue you’re encountering

A newly created Mastodon Server utilized with Cloudflare hit some HTTP errors, but I think the server is the problem.

What steps have you taken to resolve the issue?

I assumed that the correct private IP address of my server is the same as the Proxmox virtual machine itself, which was assigned by my router's DHCP: 192.168.1.237.

In Cloudflare's dashboard, the DNS records are as follows (the public IP address is proxied, while the private IP is DNS only):
Type A, Domain, 119xxx, Proxied, Auto TTL
Type A, Domain, 192.168.1.237, DNS only, Auto TTL

SSL/TLS is set to Full (Strict). Under Edge Certificates, "Always Use HTTPS" is on.

I put the origin certificates into nginx's letsencrypt directory. I made sure the two server_name entries were example.com and www.example.com. I turned on CF's "Authenticated Origin Pulls".

I never created a free Let's Encrypt SSL certificate, but I did mkdir the path /etc/letsencrypt/live/example.com/ and just put the origin certificates there.

I temporarily paused the Cloudflare DNS record's proxy to my public IP address, and the error was indeed 502.

In Zero Trust's Network, the tunnel displays Healthy status; the route is `192.168.1.0/24`, target `192.168.1.237`. Using `nslookup`, I see the server is reverse-proxied through two Cloudflare IPv4 and IPv6 addresses.

My router has port forwarding (+ firewall) with the destination device set to my VM, the .237 IP address, ports 443 and 7844, TCP/UDP.

PS: I put most of my post in inline code blocks because I keep getting the "Sorry, you can't more than 4 links in your posts" message.

PS PS: Why aren't there any icons when I post a thread, but only in a reply, like this one? Also, why didn't the saved thread draft save what was written in it?

Since you're running a tunnel, you don't need to open any ports or do port forwarding at your router or local machine, or via Nginx.

If that's the case, you've got two options:

  1. Make sure you've enabled the noTLSVerify option for your public hostname on your configured cloudflared tunnel and that your website is bound to port 443 and "working" even with an invalid SSL certificate over HTTPS at your local machine (not the best case)

  2. Generate and install a Cloudflare Origin CA certificate onto your Nginx web server on the local machine → Origin CA certificates · Cloudflare SSL/TLS docs (recommended to solve the errors you're experiencing and to have end-to-end encryption)

Nevertheless, go here: https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/configuration. Select Custom, not Automatic. Reference: Introducing Automatic SSL/TLS: securing and simplifying origin connectivity. Double-check your SSL/TLS setting to make sure it's set to Full (Strict).
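The two options above as cloudflared ingress rules, added here as an example (not from the thread, and not Cloudflare's documentation). It is written as a locally-managed tunnel's config.yml; a dashboard-managed tunnel exposes the same values as the public hostname's Service URL and its TLS settings. The tunnel UUID and file paths are placeholders, and both hostnames would normally use the same option; they are split here only to show the weak setting beside the recommended one.

```yaml
# Added example: cloudflared config.yml for a locally-managed tunnel.
# <TUNNEL-UUID> and the credentials path are placeholders.
tunnel: <TUNNEL-UUID>
credentials-file: /root/.cloudflared/<TUNNEL-UUID>.json

ingress:
  # Option 1 (not the best case): nginx presents a certificate cloudflared
  # cannot validate, so certificate verification towards the origin is off.
  # The hop from cloudflared to nginx is still encrypted, but not verified.
  - hostname: example.com
    # The VM's LAN address works from any host on 192.168.1.0/24;
    # https://localhost:443 only works if cloudflared runs on the same VM as nginx.
    service: https://192.168.1.237:443
    originRequest:
      noTLSVerify: true

  # Option 2 (recommended): nginx serves the Cloudflare Origin CA certificate
  # and cloudflared verifies it. cloudflared trusts Cloudflare's Origin CA root
  # by itself; caPool is only needed for a certificate from another CA.
  - hostname: www.example.com
    service: https://192.168.1.237:443
    originRequest:
      # Name sent as SNI and checked against the certificate; it must be one of
      # the names on the Origin CA certificate and match nginx's server_name.
      originServerName: www.example.com

  # Required catch-all: anything not matched above is answered with 404.
  - service: http_status:404
```

Note that requests arriving through cloudflared carry no client certificate, so if nginx is set to require Cloudflare's Authenticated Origin Pulls certificate (`ssl_verify_client on`), it will reject them; that setting belongs to the direct edge-to-origin path, not the tunnel.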

@fritex

Since you're running a tunnel, you don't need to open any ports or do port forwarding at your router or local machine, or via Nginx.

I see. I removed the router's port forwarding, but can I just leave my server's ports 80 & 443 open?

  1. Make sure you've enabled the noTLSVerify option for your public hostname on your configured cloudflared tunnel and that your website is bound to port 443 and "working" even with an invalid SSL certificate over HTTPS at your local machine (not the best case)

I enabled No TLS Verify, but another thing I'm not sure about is the tunnel's public hostname "Service". Is it supposed to be "127.0.0.1" (based on your image), "192.168.1.237:443", or "localhost:443" (the latter was from a guide I followed)?

  1. Generate and install a Cloudflare Origin CA certificate onto your Nginx web server on the local machine → Origin CA certificates · Cloudflare SSL/TLS docs (recommended to solve the errors you're experiencing and to have end-to-end encryption)

Nevertheless, go here: https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/configuration. Select Custom, not Automatic. Reference: Introducing Automatic SSL/TLS: securing and simplifying origin connectivity. Double-check your SSL/TLS setting to make sure it's set to Full (Strict).

Already done, but no luck.

If needed, yes, but since you're running a tunnel, there's no need to expose it over those ports to the public Internet, where someone could search for or hit your IP address directly.

I use 192.168.xxx.xxx when I bind my service(s) over localhost and expose them using a cloudflared tunnel.
However, I put 127.0.0.1 just as a placeholder (which might also work). Sorry if it caused confusion.

I remember I had to check the SSL thing with my Proxmox VM setup, which was not working and causing such an error.
Please see the article (link) below, which I followed to fix my connection error with Proxmox over a tunnel.
The VM itself didn't have any SSL certificate at all, so I had to copy them to the other location (Copy to file Proxmox File System) and restart Proxmox, using the instructions here:

Another related article which I checked back then for my Proxmox Backup Server as well:

In my case, when I was testing this, running on Hetzner Cloud, there was no SSL, not even the Cloudflare Origin CA certificate. Only the Cloudflare tunnel was installed on both cloud instances, with noTLSVerify enabled for both public hostnames (Proxmox VE and Proxmox Backup Server); from there I only followed the above, since the SSL certificate wasn't "in place", and after copy-pasting it where it should be, upon restart it worked.

@fritex

If needed, yes, but since you're running a tunnel, there's no need to expose it over those ports to the public Internet, where someone could search for or hit your IP address directly.

So I guess nginx's configuration on 80 & 443 is redundant?

I use 192.168.xxx.xxx when I bind my service(s) over localhost and expose them using a cloudflared tunnel.

Speaking of which, was my nginx configuration for server_name earlier correct?

(A)

server_name example.com www.example.com;

Because I could have misread the guide's "localhost" as a literal exact word

(B)

server_name example.com localhost;

instead of A & C below

(C)

server_name example.com 192.168.xx;

Or maybe all these nginx things are pointless because of CF's Tunnel?

Sorry, I'm new to all this server stuff.

However, I put 127.0.0.1 just as a placeholder (which might also work). Sorry if it caused confusion.

No worries.

The VM itself didn’t have any SSL certificate at all.
Other related article which I’ve checked back then for my Proxmox Backup server

I don't think I've encountered any "Failed to start VNC server ...has expired" error, because I never attempted to add CF to Proxmox directly.

Also, I never knew Proxmox had a backup server. Hopefully this isn't the cause of my 502 error.

Keep it running and bound to the local IP, or * or 0.0.0.0.
But there's no need to open up the ports; e.g. you can close ports 80 and 443 using ufw while the cloudflared tunnel is running. Or, if you have a service provider which offers you a firewall, like Contabo or Hetzner, you can keep only a custom SSH port open; there's no need to keep ports 80 and 443 open (not even for Cloudflare IPs, since you're already running a tunnel connection).
It's just a protective measure to lock down your server.

In the Cloudflare dashboard you can set up WAF, IP Access Rules and more, so you can filter quite a lot of unwanted traffic.

What I've done is put my proxmox.example.com and proxmoxbak.example.com behind Access (Zero Trust).
When anyone tries to access those hostnames (the dashboards to manage my Proxmox), they're presented with a Cloudflare Zero Trust page to identify themselves (only specific email addresses are allowed, or in other cases, depending on the identity provider such as Microsoft Azure etc., only then are you able to authenticate further).

You can put Proxmox behind Zero Trust Access, so only you can enter it after authenticating (e.g. with a PIN code), since without any WAF rule or Access (Zero Trust) the Proxmox login would be exposed and available to anyone, and anyone could probe your login credentials.

More about it to try out:

It’s an advantage, a big one to have such setup.

@fritex

It’s an advantage, a big one to have such setup.

I will give it a read later, but first, I want to resolve the main error.

I may post another reply here if I make some progress. Nonetheless, thanks for the support, fritex.


@fritex

Hi fritex. Since my server is in a Proxmox VM, it is not like those in the cloud which automatically get a public IP address. I'm not sure if my DNS records are correct anymore.

Type A, Domain, 119xxx, Proxied, Auto TTL

Is giving "Proxied" my public IP address, where my Proxmox machine is located, correct?

Type A, Domain, 192.168.1.237, DNS only, Auto TTL

Is giving "DNS only" my VM's private address (.237) correct?

Either your router's DHCP IP address.
Otherwise, as you've added a local IP address, it won't work that way.
I'd suggest using a cloudflared tunnel and binding your service to localhost (192.168.1.237) and the port (8006 or whichever it works on) in such a scenario.

Yes, but simply put, it won't work like that, neither for you nor for anyone else.
It’s a local IP, and anyone at home can get this.

This topic was automatically closed after 15 days. New replies are no longer allowed.