Cloudflared with Unix socket via docker-compose in Docker

Is there documentation for the official cloudflare/cloudflared image on Docker Hub? I can’t find a link to the Dockerfile or any docs detailing the environment variables available in the containerized version. For now, I’m trying to adapt this example from Ingress Rules:

# Example of a request over a Unix socket:
- hostname: staging.example.com
  service: unix:/home/production/echo.sock

I get this error:

ERR  error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp: lookup unix on 127.0.0.11:53: server misbehaving" cfRay=xxxxxxxxxxxxxxxxx-LAX originService=http://unix:/home/production/nginx.http.sock

The service is running and works via reverse-proxy. Cloudflared works when pointed at my port 80 services not running socketed. Not sure if I have a syntax error, wrong command, wrong variable name, or something else.

Here’s my Docker Compose:

docker-compose.yml
version: '3.3'
services:

  cloudflared:
    image: cloudflare/cloudflared:2021.11.0-amd64
    networks:
      - whatever
    container_name: cloudflared-$HOST_3
    user: root
    command: tunnel
    environment:
      - TUNNEL_HOSTNAME=${THE_HOSTNAME}
      - TUNNEL_URL=unix:/home/production/nginx.http.sock # unix:/path form, as in the Ingress Rules example above
      - TUNNEL_TRANSPORT_PROTOCOL=auto
    volumes:
      - ${PWD}/cloudflare:/root/.cloudflared # bind mount with cert.pem in it

networks:
  whatever:
    external: true

Another thread mentioned the transport protocol. I’m not sure which it’s supposed to be on, but I tried all of them (quic, auto, etc.).

Open to ideas.

Hello.

The Dockerfile is here: cloudflared/Dockerfile at master · cloudflare/cloudflared · GitHub

Your syntax for reaching out to a Unix socket is correct in the example.
Can you test reachability to your service from within the pod itself (e.g. with netcat) via the same Unix socket?

Okay, because I’m launching the containerd container in a separate docker-compose from the service container, it is not automatically linking to the container with the service, even though they are on the same docker network. In the error message in the OP, it’s failing on the 127. network, but the specified network has a 172. IP range.

What I still can’t figure out is how to tell the containerd container to use the unix socket in the service container. If I use something like this in docker-compose, it gets the right container/service:

        - TUNNEL_URL=CONTAINER-NAME//unix:/home/production/echo.sock

Then the error changes to:

traffic from cloudflared: dial tcp 172.23.0.3:80: connect: connection refused" ... originService=http://CONTAINER-NAME//unix:/home/production/echo.sock

That IP is the correct one for the service, but it looks to me like it no longer looks for the socket, and the container rejects it because port 80 isn’t open on the container.
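The last two posts pin down the actual constraint: a Unix socket is a file in the service container's filesystem, and a Docker network carries TCP/UDP, not filesystem paths, so prefixing a container name only turns the value into an HTTP URL. cloudflared can dial the socket only if the same file is visible inside its own container. The following added example (not from this thread, and not cloudflared's or Cloudflare's own configuration) shows one way to do that: both containers mount a shared named volume, and cloudflared uses an ingress config file with the `unix:` service form quoted at the top of the thread. The two files are shown in one block separated by a YAML `---` document marker. The service name `app`, the volume name `sockets`, the socket path `/run/app/app.sock`, the nginx image and config mount, and the tunnel UUID placeholder are assumptions; the compose file's `user: root` is kept from the thread's own compose so socket file permissions do not get in the way.

```yaml
# docker-compose.yml (added example; names and paths are assumptions, not from the thread)
version: '3.3'
services:

  app:
    # Hypothetical origin: nginx configured with "listen unix:/run/app/app.sock;"
    # in the mounted nginx.conf, so it serves on a socket file rather than a TCP port.
    image: nginx:1.25
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - sockets:/run/app            # the socket file is created inside this volume

  cloudflared:
    image: cloudflare/cloudflared:2021.11.0-amd64
    user: root                      # as in the thread's compose file
    command: tunnel --config /etc/cloudflared/config.yml run
    volumes:
      - ./cloudflared:/etc/cloudflared:ro   # config.yml plus the tunnel credentials JSON
      - sockets:/run/app            # same named volume, so /run/app/app.sock exists here too
    depends_on:
      - app

volumes:
  sockets: {}

---
# config.yml (placed in ./cloudflared, mounted at /etc/cloudflared/config.yml)
tunnel: <TUNNEL-UUID-PLACEHOLDER>
credentials-file: /etc/cloudflared/<TUNNEL-UUID-PLACEHOLDER>.json
ingress:
  - hostname: staging.example.com
    service: unix:/run/app/app.sock   # same form as the Ingress Rules example quoted above
  - service: http_status:404          # required catch-all rule
```

Because the socket path is a plain file path once the volume is shared, the reachability check suggested earlier in the thread becomes a file check: after `docker compose up`, the socket should be listed under `/run/app` in both containers, and if it is missing in the cloudflared container the volume mount is wrong, not the tunnel configuration. Keeping the shared volume limited to the socket directory (rather than mounting the whole service filesystem) is the least-privilege choice here, since cloudflared then sees nothing of the origin container beyond the socket it needs.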