Create a socks tunnel from "server" to "client"

I got a database server with it’s own certificate(s), so I cannot use cloudflare tunnel directly, since it will fetch the traffic and sign it with the cloudflare SSL certificates itself.

So I tried to tunnel it using your SOCKS option

Server side configuration:

    - hostname: kube-database-cluster01-server00.[redacted].eu
      service: https://database-cluster01-server00-service.production.svc.cluster.local:8080
        caPool: /etc/cloudflared/database-ca/database-ca.pem
        proxyType: socks

Client side:

cloudflared access tcp --hostname kube-database-cluster01-server00.[redacted].eu --url --loglevel=debug

with the idea that :8080 acts as the SOCKS proxy (like it does with kubectl)

Now when trying to access something:8080 with the proxy

Server logs are:

2023-06-21T13:22:14Z DBG GET https:// kube-database-cluster01-server00.[redacted].eu/ HTTP/1.1
2023-06-21T13:22:14Z DBG 302 Found cfRay=[redacted]-AMS connIndex=3 content-length=0 event=1

Client logs:

2023-06-21T13:22:14Z DBG Websocket response: “HTTP/1.1 302 Found\r\nAlt-Svc: h3=":443"; ma=86400\r\nCf-Cache-Status: DYNAMIC\r\nCf-Ray: [redacted]-AMS\r\nConnection: keep-alive\r\nContent-Type: application/json; charset=utf-8\r\nDate: Wed, 21 Jun 2023 13:22:14 GMT\r\nLocation: /studio/index.html\r\nNel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}\r\nRaven-Server-Version:\r\nReport-To: {"endpoints":[redacted],"group":"cf-nel","max_age":604800}\r\nServer: cloudflare\r\nUpgrade: websocket\r\nContent-Length: 0\r\n\r\n”
2023-06-21T13:22:14Z ERR failed to connect to origin error=“websocket: bad handshake” originURL=https:// kube-database-cluster01-server00.[redacted].eu

It is seeing the right page (the main page should redirect to Location: /studio/index.html) however I’m getting bad handshake…

Am I doing things completely wrong? Is it even possible what I’m trying to do?

A day later and I got it working,

ingress should be:

    - hostname: kube-database-cluster01-server00.[redacted].eu
      service: tcp://database-cluster01-server00-service.production.svc.cluster.local:8080
        noTLSverify: true
        proxyType: socks

Now you can proxy it like this:

cloudflared access tcp --tunnel-host kube-database-cluster01-server00.[redacted].eu --url
ncat -l localhost 8081 -k --sh-exec "ncat --proxy --proxy-type socks5 database-cluster01-server00-service.production.svc.cluster.local 443"

Now you can tunnel traffic between two servers. P.s. kubectl to local port using ncat also works better (exec and logs are working correctly)