Difficulty with cloudflare tunnel configure

Hey,

We want to use cloudflare tunnel to protect all outbound traffic from our server and proxy our server ip so it wont be exposed. this server used for ecommerce website.

we configured the tunnel step by step via your docs and chise that option:

If you are connecting a network

Add the IP/CIDR you would like to be routed through the tunnel.

$ cloudflared tunnel route ip add <IP/CIDR> <UUID or NAME>
You can confirm that the route has been successfully established by running:

$ cloudflared tunnel route ip show

so all outbound traffic from server no matter what and which ports as to goi through the tunnel and be secured and not expose any details on my origin server.

this is our configuration file:

/etc/cloudflared/config.yml
tunnel: <UUID>
credentials-file: /home/master/.cloudflared/<UUID>.json
warp-routing:
  enabled: true

although the tunnel running ok and there are no errors and on cloudflare dashboard I see that the tunnel is actived actually our ip is shown on http and ssh requests of example.

And in addition we made this test from docs:
https://developers.cloudflare.com/cloudflare-one/faq/cloudflare-tunnels-faq/

question 4 “How can origin servers be secured when using Tunnel?”

and it looks like Still, the server is allowing access to ports 80, 443 through any external source.

Can you please help me understand what we have missed.

we also checked that routed set fine

[ssh username]:.cloudflared$ cloudflared tunnel route ip show
NETWORK          COMMENT TUNNEL ID                            TUNNEL NAME   CREATED              DELETED 
<server_ip>/32     <UUID>                                                      <tunnelname>    2021-11-12T11:46:10Z - 

That’s not a feature available for Cloudflare Tunnels.

That is a feature Cloudflare Tunnel supports.

This is for accessing an internal resource using the Cloudflare warp client.

Yes, but it’s only accessible via the Warp client unless you’ve opened it in another manner to access.

Cloudflare tunnel doesn’t prevent access via other sources, it provides in this configuration a mechanism to connect to the IP/CIDR range when connected via the Warp client using the RFC1918 address space (typically). If it was previously accessible via a FW NAT (for example) you’d want to remove that acc3ess mechanism and just use the Warp client to connect.

2 Likes

Thanks for your reply now I understood that I didn’t set the tunnel according to what I am looking for.

The thing is that I have ecommerce store hosted in my vps and I want tunnel to secure the origin.

So after your reply I understood I need to set through this method:

If you are connecting an application

url: http://localhost:8000
tunnel: <Tunnel-UUID>
credentials-file: /root/.cloudflared/<Tunnel-UUID>.json
If you are connecting an application

$ cloudflared tunnel route dns <UUID or NAME> <hostname>

so this is what i changed the config.yml file to:

url: http://localhost:80
tunnel: <Tunnel-UUID>
credentials-file: /root/.cloudflared/<Tunnel-UUID>.json

url: http://localhost:443
tunnel: <Tunnel-UUID>
credentials-file: /root/.cloudflared/<Tunnel-UUID>.json

url: http://localhost:8000
tunnel: <UUID>
credentials-file: /root/.cloudflared/<Tunnel-UUID>.json

But when I try to run it via

$ cloudflared tunnel --config path/config.yaml run

I get:

Incorrect Usage: flag provided but not defined: <my path>/.cloudflared/config.yaml

I cant understand what I am doing wrong and will be happy to get help with that.

Hi there - My name is Abe and I’m the PM for Tunnel. It looks like two arguments may be missing from your run command:

  1. Path to the config.yml file
  2. Name or ID of Tunnel to run

With that, your run command should look more like this:

  • cloudflared tunnel --config ./config-abenet.yml run abenet

Where ./ directly maps to the file path of your config and where the name or UUID of your tunnel is supplied after the run command.

3 Likes