Cloudflared: Ingress Tunnels Do Not Work

I’m frustrated with the 2021 versions of Cloudflared. Ingress rules do not seem to work as the documentation attempts to outline.

I have 2 websites running: one is running off my .com, the other is a subdomain of that.

hostname.com is bound to 127.0.0.1:443
dreamland.hostname.com is bound to 127.0.0.1:8443

Here is my Ingress configuration.

ingress:
  - hostname: dreamland.hostname.com
    service: https://127.0.0.1:8443
    originRequest:
      originServerName: "dreamland.hostname.com"
      caPool: "C:/Users/User1/.cloudflared/TrustedCACerts_PEM.pem"
  - service: https://127.0.0.1:443
    originRequest:
      originServerName: "hostname.com"
      caPool: "C:/Users/User1/.cloudflared/TrustedCACerts_PEM.pem"

Only requests to hostname.com go through.
Dreamland.hostname.com simply returns: DNS_PROBE_FINISHED_NXDOMAIN

Ideally, I’d like to be able to bind each IIS website as follows:
hostname.com to 127.0.0.1:443
dreamland.hostname.com to 127.0.0.1:443 (same port)

After trying multiple configurations and bindings, not even this setup seems to work.

What am I doing wrong? Is there any way Cloudflare can add better use cases and examples to the Ingress section?


This means there’s no DNS record for that subdomain. It should be a CNAME that points to the Cloudflare tunnel.

Why doesn’t Cloudflared do this automatically?

What is the value of “target”?

CNAME    dreamland    ca7e5e45-abe9-4743-9b4d-a02635306099.cfargotunnel.com

This simply routes to hostname.com, which is the incorrect route.

If I need to add a “Host” header so IIS sends the traffic to the correct destination, then is there an example usage of httpHostHeader in a YAML?

I meant your CNAME should look just like the dreamland one, using the same Target (tunnel ID.cfargotunnel.com).

That routes it to your tunnel. The ingress rules handle the rest.

From my Tunnel guide

My understanding at the time, unless it’s changed since:

As per documentation https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns, you can create the CNAME DNS record via command line. This will only work for the Cloudflare site zone that you authenticated the initial cloudflared login setup for in Step 1. Other Cloudflare site zones you intend to add to the Argo Tunnel will have to have their CNAME DNS records added either manually or via Cloudflare DNS API.

This is probably the key to the confusion/problem. Let me elaborate a bit further.

You can route as many DNS records and/or Load Balancer origins as you want to a given tunnel. This means you can have mydomain.com CNAME pointing to the tunnel, as well as subdomain.mydomain.com CNAME pointing to the same tunnel.

Then, you can use ingress rules in your cloudflared config to tell it how to proxy those various hostnames to different services (or the same service, whatever you want).

Putting this all together:

ingress:
  - hostname: dreamland.hostname.com
    service: https://127.0.0.1:443
    originRequest:
      originServerName: "dreamland.hostname.com"
      caPool: "C:/Users/User1/.cloudflared/TrustedCACerts_PEM.pem"
  - hostname: hostname.com
    service: https://127.0.0.1:443
    originRequest:
      originServerName: "hostname.com"
      caPool: "C:/Users/User1/.cloudflared/TrustedCACerts_PEM.pem"
  - service: http_status:404

Plus:

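As an added illustration (not code from this thread, nor from cloudflared itself), here is a small Python model of how cloudflared evaluates the two ingress configs posted above: rules are tried top to bottom, the first matching hostname wins, and the last rule must be a catch-all with no hostname. It shows why an explicit http_status:404 catch-all matters: any other hostname someone points at the tunnel is refused instead of being proxied to the origin on 127.0.0.1:443. The rule sets are constructed from the thread; the wildcard handling is an assumed approximation of cloudflared's, and the real tool offers cloudflared tunnel ingress validate and cloudflared tunnel ingress rule <URL> for the same checks.

```python
import re

# Constructed from the thread: the original config (second rule has no
# hostname, so it is the catch-all that proxies everything to the origin)
# and the corrected one that ends with an explicit http_status:404 catch-all.
ORIGINAL_INGRESS = [
    {"hostname": "dreamland.hostname.com", "service": "https://127.0.0.1:8443"},
    {"service": "https://127.0.0.1:443"},
]
CORRECTED_INGRESS = [
    {"hostname": "dreamland.hostname.com", "service": "https://127.0.0.1:443"},
    {"hostname": "hostname.com", "service": "https://127.0.0.1:443"},
    {"service": "http_status:404"},
]


def validate_ingress(rules):
    """Structural checks cloudflared enforces on ingress: at least one rule,
    the last rule is a catch-all (no hostname/path), no earlier rule is,
    and every rule names a service. Returns a list of error strings."""
    if not rules:
        return ["ingress must contain at least one rule"]
    errors = []
    for i, rule in enumerate(rules):
        is_catch_all = "hostname" not in rule and "path" not in rule
        is_last = i == len(rules) - 1
        if is_last and not is_catch_all:
            errors.append(f"rule {i}: last rule must be a catch-all without hostname/path")
        if is_catch_all and not is_last:
            errors.append(f"rule {i}: catch-all rule must be the last rule")
        if "service" not in rule:
            errors.append(f"rule {i}: missing service")
    return errors


def _hostname_matches(pattern, host):
    # Assumed approximation of cloudflared's wildcard: '*' stands for one or more labels.
    regex = re.escape(pattern).replace(r"\*", r"[a-zA-Z0-9._-]+")
    return re.fullmatch(regex, host) is not None


def match_ingress(rules, host, path="/"):
    """Return the service of the first rule whose hostname (and optional path
    regex) matches, the way cloudflared walks ingress rules top to bottom."""
    for rule in rules:
        if "hostname" in rule and not _hostname_matches(rule["hostname"], host):
            continue
        if "path" in rule and not re.search(rule["path"], path):
            continue
        return rule["service"]
    return None  # only reachable when validate_ingress() reports errors
```

With the original config, an unknown subdomain routed to the tunnel still reaches the origin on port 443; with the corrected one it gets a 404 from cloudflared.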

Good time to ask @nuno.diegues for clarification then :slight_smile:

If cloudflared login was initially authenticated against hostname.com then we can create DNS via:

cloudflared tunnel route dns TUNNEL_UUID hostname.com

but can we do that for dreamland.hostname.com?

cloudflared tunnel route dns TUNNEL_UUID dreamland.domain.com

My understanding and early experience was that we can’t, as cloudflared was authenticated against hostname.com, and that for dreamland.hostname.com it’s a manual CNAME setup to uuid.cfargotunnel.com? Edit: hmm, just tried and it works; the CNAME DNS entry is created!

I believe I found the source of my issue, and I don’t think it had anything to do with Cloudflared. My bad!

The Flask/Python handler mapping, which is only meant for hostname.com, had to be removed from dreamland.hostname.com’s “Handler Mappings” IIS config.

My guess is that the Flask handler was capturing the GET / request for all sites.

Since wfastcgi has its own variables that determine which “physical path” to serve from, those variables point to the hostname.com physical path.

This gave the appearance that the tunnel was routing to the main hostname.com, rather than dreamland.


The cloudflared tunnel login does ask for a zone. That zone will be tied in the cert.pem that you get. In practice, that will only matter for cloudflared tunnel route dns/lb commands, such that you can only use cloudflared to route to the zone that you chose in the login.

However, nothing prevents you from going to the UI dashboard (or using the Cloudflare API) and manually configuring a DNS record or LB, from any zone in the same account, and pointing it to the Tunnel.

The Tunnel belongs to the account, not any specific zone.


Cheers, indeed; that’s why mine worked, as it’s the same *.hostname in cert.pem. Would it be possible to authenticate a cloudflared login to multiple zones so that the cert.pem would have SAN entries for all selected zones, so that cloudflared tunnel route dns/lb would work with multiple zones?

Unfortunately there’s no way to currently achieve that with a single login/cert.

My recommendation would be to:

  • perform 1 login for each zone you want to route to using cloudflared commands
  • for each one, move the cert to a new file named in a way you can remember (e.g. cert-myzone-a.pem)
  • whenever you use cloudflared route lb/dns commands, you need to pass them --origincert <path>.pem to point to the intended zone cert

Thanks. That’s what I am doing: making a copy of the cert.pem so it’s at a location that won’t be overridden, so I can refer back to them more easily.
