What is the name of the domain?
nc.bdgie.tech
What is the error number?
502 Bad Gateway
What is the issue you’re encountering
Bad gateway enforcing TLS Verification
What steps have you taken to resolve the issue?
I have Cloudflared tunnel working. DNS points to tunnel, tunnel points to Cloudflared container on my DMZ, which proxies to another machine hosting my website via NGINX reverse proxy through a hosts file record. It works, but only when I have No TLS Verify enabled in Cloudflared. I have the Cloudflare Origin cert and key installed on both the NGINX proxy and the web server. I added the root cert to the .pem file for good measure. When I disable the NoTLS Verify, I get a bad gateway.
I want end to end encryption.
openssl s_client -connect nc.bdgie.tech:443 -servername nc.bdgie.tech:443 from the proxy machine looks OK to me
Here is my reverse proxy config…
server {
#listen 127.0.0.1:443 ssl;
listen 443 ssl;
server_name nc.bdgie.tech;
# SSL Certificate (Cloudflare Origin Certificate)
ssl_certificate /etc/nginx/ssl/cloudflare-origin.pem;
ssl_certificate_key /etc/nginx/ssl/cloudflare-origin.key;
# Security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
# Proxy to Nextcloud
location / {
proxy_pass https://nc.bdgie.tech:443; # Nextcloud service
proxy_ssl_verify on;
proxy_ssl_trusted_certificate /etc/nginx/ssl/cloudflare-origin.pem;
proxy_ssl_server_name on;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_ssl_name nc.bdgie.tech;
# Large file upload support
client_max_body_size 10G;
fastcgi_buffers 64 4K;
proxy_ssl_session_reuse off;
}
}
To add to the UX here. I have spent days troubleshooting this.
I have been reading online and working with ChatGPT, poring over SSL and error logs.
I can’t understand why the tooling/automation doesn’t cover installation of origin certs.
NGINX as a reverse proxy is common enough of a setup.
All I see is people online also beating their head against the wall.
What do the cloudflared logs indicate? Have you confirmed you can connect to the origin server from that container on the specified port?
root@cloudflared:~# sudo tail -f /var/log/nginx/error.log
2024/11/21 01:54:08 [debug] 377#377: *7545 SSL_do_handshake: -1
2024/11/21 01:54:08 [debug] 377#377: *7545 SSL_get_error: 1
2024/11/21 01:54:08 [info] 377#377: *7545 SSL_do_handshake() failed (SSL: error:0A000412:SSL routines::sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:443
2024/11/21 01:54:08 [debug] 377#377: *7545 close http connection: 4
2024/11/21 01:54:08 [debug] 377#377: *7545 event timer del: 4: 323996746
2024/11/21 01:54:08 [debug] 377#377: *7545 reusable connection: 0
2024/11/21 01:54:08 [debug] 377#377: *7545 free: 00006365F5612EA0, unused: 127
2024/11/21 01:54:08 [debug] 377#377: timer delta: 3
2024/11/21 01:54:08 [debug] 377#377: worker cycle
2024/11/21 01:54:08 [debug] 377#377: epoll timer: -1
2024/11/21 01:54:52 [debug] 377#377: epoll: fd:5 ev:0001 d:00006365F55A0BD0
2024/11/21 01:54:52 [debug] 377#377: accept on 0.0.0.0:443, ready: 0
2024/11/21 01:54:52 [debug] 377#377: posix_memalign: 00006365F5612EA0:512 @16
2024/11/21 01:54:52 [debug] 377#377: *7546 accept: 127.0.0.1:42304 fd:4
2024/11/21 01:54:52 [debug] 377#377: *7546 event timer add: 4: 60000:324041005
2024/11/21 01:54:52 [debug] 377#377: *7546 reusable connection: 1
2024/11/21 01:54:52 [debug] 377#377: *7546 epoll add event: fd:4 op:1 ev:80002001
2024/11/21 01:54:52 [debug] 377#377: timer delta: 44256
2024/11/21 01:54:52 [debug] 377#377: worker cycle
2024/11/21 01:54:52 [debug] 377#377: epoll timer: 60000
2024/11/21 01:54:52 [debug] 377#377: epoll: fd:4 ev:0001 d:00006365F55A1620
2024/11/21 01:54:52 [debug] 377#377: *7546 http check ssl handshake
2024/11/21 01:54:52 [debug] 377#377: *7546 http recv(): 1
2024/11/21 01:54:52 [debug] 377#377: *7546 https ssl handshake: 0x16
2024/11/21 01:54:52 [debug] 377#377: *7546 tcp_nodelay
2024/11/21 01:54:52 [debug] 377#377: *7546 reusable connection: 0
2024/11/21 01:54:52 [debug] 377#377: *7546 SSL server name: "localhost"
2024/11/21 01:54:52 [debug] 377#377: *7546 SSL_do_handshake: -1
2024/11/21 01:54:52 [debug] 377#377: *7546 SSL_get_error: 1
2024/11/21 01:54:52 [info] 377#377: *7546 SSL_do_handshake() failed (SSL: error:0A000412:SSL routines::sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:443
2024/11/21 01:54:52 [debug] 377#377: *7546 close http connection: 4
2024/11/21 01:54:52 [debug] 377#377: *7546 event timer del: 4: 324041005
2024/11/21 01:54:52 [debug] 377#377: *7546 reusable connection: 0
2024/11/21 01:54:52 [debug] 377#377: *7546 free: 00006365F5612EA0, unused: 127
2024/11/21 01:54:52 [debug] 377#377: timer delta: 1
2024/11/21 01:54:52 [debug] 377#377: worker cycle
2024/11/21 01:54:52 [debug] 377#377: epoll timer: -1
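The log above shows the pattern that eventually explained the 502: every failed handshake on connection *7546 was preceded by `SSL server name: "localhost"`, and alert 42 (bad_certificate) is the client, here cloudflared, rejecting the certificate NGINX presented, because an origin cert for bdgie.tech does not cover "localhost". The following script is an added example, not code from the thread: it correlates the SNI line with the later handshake failure per connection id and checks whether that SNI is covered by the names assumed to be on the origin cert (`bdgie.tech` and `*.bdgie.tech` are an assumption here, and the log lines are a constructed sample modelled on the ones posted).

```python
import re

# Constructed sample of nginx debug-log lines, modelled on the thread's output.
SAMPLE_LOG = """\
2024/11/21 01:54:52 [debug] 377#377: *7546 SSL server name: "localhost"
2024/11/21 01:54:52 [debug] 377#377: *7546 SSL_do_handshake: -1
2024/11/21 01:54:52 [info] 377#377: *7546 SSL_do_handshake() failed (SSL: error:0A000412:SSL routines::sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:443
2024/11/21 01:55:10 [debug] 377#377: *7547 SSL server name: "ncorigin.bdgie.tech"
2024/11/21 01:55:10 [debug] 377#377: *7547 SSL_do_handshake: 0
"""

# Assumed names on the Cloudflare origin cert (the thread says it is a wildcard).
ORIGIN_CERT_NAMES = ["bdgie.tech", "*.bdgie.tech"]

SNI_RE = re.compile(r'\*(\d+) SSL server name: "([^"]*)"')
FAIL_RE = re.compile(
    r'\*(\d+) SSL_do_handshake\(\) failed \(SSL: (.*?)\) while SSL handshaking, '
    r'client: ([\d.]+)')


def name_matches(pattern, hostname):
    """RFC 6125-style match: a wildcard only stands in for the left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    labels = hostname.split(".")
    return len(labels) >= 3 and labels[1:] == pattern[2:].split(".")


def covered(hostname, cert_names):
    return any(name_matches(n, hostname) for n in cert_names)


def failed_handshakes(log_text, cert_names):
    """One dict per failed handshake: conn id, SNI seen, alert, client, coverage."""
    sni_by_conn = {}
    failures = []
    for line in log_text.splitlines():
        m = SNI_RE.search(line)
        if m:
            sni_by_conn[m.group(1)] = m.group(2)  # remember SNI per connection id
            continue
        m = FAIL_RE.search(line)
        if m:
            conn, alert, client = m.groups()
            name = sni_by_conn.get(conn, "")
            failures.append({"conn": conn, "sni": name, "alert": alert, "client": client,
                             "sni_covered": bool(name) and covered(name, cert_names)})
    return failures


if __name__ == "__main__":
    for f in failed_handshakes(SAMPLE_LOG, ORIGIN_CERT_NAMES):
        print(f"conn *{f['conn']} from {f['client']}: SNI {f['sni']!r} "
              f"covered={f['sni_covered']} alert={f['alert']}")
```

Run it against `tail` output from the real error.log to see, for each rejected handshake, which SNI name the client sent and whether the origin cert can ever satisfy it.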
Here is the Apache2 config of the web server CT
<VirtualHost *:80>
ServerName nc.bdgie.tech
ServerAlias www.nc.bdgie.tech
Redirect permanent / https://nc.bdgie.tech/
</VirtualHost>
<VirtualHost *:443>
ServerName nc.bdgie.tech
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/cloudflare-origin.pem
SSLCertificateKeyFile /etc/apache2/ssl/cloudflare-origin.key
ServerAdmin webmaster@localhost
DocumentRoot /var/www/nextcloud/
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<Directory /var/www/nextcloud/>
Options +FollowSymLinks
AllowOverride All
Require all granted
</Directory>
I can ping. TLS has some issues though. Perhaps the NGINX proxy needs to ignore TLS validation?
root@cloudflared:~# curl "nc.bdgie.tech"
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://nc.bdgie.tech/">here</a>.</p>
</body></html>
root@cloudflared:~# curl "https://nc.bdgie.tech"
curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
root@cloudflared:~# curl -k "https://nc.bdgie.tech"
Actually. It seems like the issue is Cloudflared hitting localhost NGINX…
So the cert is failing because origin cert doesn’t cover localhost. Maybe I’ll use the FQDN and alter the hosts file on the NGINX proxy to another subdomain (since the cert is a wildcard).
Was a good idea (I think) but that results in this…
(Cloudflared CT not observing my hosts file)
Add to this I don’t think my hosts file is working, or it’s cached. What a nightmare. Invalidating all my testing.
I did it!
Hosts file was a good idea and so was using a different subdomain (one not in my Cloudflare DNS). I just pointed it to localhost instead of 127.0.0.1, so I’m guessing the hosts file is only good for 1 hop.
Unbelievable.
DNS https://nc.bdgie.tech > Tunnel > ncorigin.bdgie.tech > hosts file > 127.0.0.1 (NGINX reverse proxy) > https://nc.bdgie.tech > hosts file > web server IP.
NGINX has origin cert, web server has genuine Lets encrypt cert.
That was way too hard.
system (Closed, November 23, 2024, 3:54am): This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.