Docker tunnel is up but getting error 502

Hi. Sorry if this is a repeat post; I couldn't find an answer in the existing ones.
I was able to create a fully "functioning" Docker container to facilitate my Cloudflare tunnel.
I followed several guides and was finally able to get the tunnel up.
When I try to browse to the resource I configured in my config.yml file, I get a 502 error page.
In the Docker log I see an error:

2022-05-03T07:52:52Z ERR Failed to handle QUIC stream error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: certificate is valid for 127.0.0.1, fe80::1, not 192.168.1.1" connIndex=2

My config file is as follows:
(changed the tunnel ID and stuff for obvious reasons)

tunnel: 6b8cf9ca-XXXXX-XXXX-XXXXX
credentials-file: /home/nonroot/.cloudflared/6b8cf9ca-XXX-XXXX-XXXX1.json

ingress:

What am I missing?

That seems to be correct.

Can you query the config endpoint of your cloudflared to make sure it is picking up that config as expected?
You can find the port in its output log, e.g.:

2022-05-03T08:53:45Z INF Starting metrics server on 127.0.0.1:40809/metrics

Then you can do:

curl localhost:40809/config

and show us the output.

Sorry for being such a noob!
I'm fairly new to this world and I couldn't understand what exactly you need me to do.
Can you maybe elaborate a bit more?
I run my Docker container on a Synology NAS, if that helps.

Sorry!
Found it:

DS920-NAS:/$ curl localhost:38807/config
{
  "version": 0,
  "config": {
    "ingress": [
      {
        "hostname": "udmp.wastelandsystems.com",
        "path": null,
        "service": "https://192.168.1.1",
        "originRequest": {
          "connectTimeout": 30,
          "tlsTimeout": 10,
          "tcpKeepAlive": 30,
          "noHappyEyeballs": false,
          "keepAliveTimeout": 90,
          "keepAliveConnections": 100,
          "httpHostHeader": "",
          "originServerName": "",
          "caPool": "",
          "noTLSVerify": false,
          "disableChunkedEncoding": false,
          "bastionMode": false,
          "proxyAddress": "127.0.0.1",
          "proxyPort": 0,
          "proxyType": "",
          "ipRules": null
        }
      },
      {
        "hostname": "",
        "path": null,
        "service": "http_status:404",
        "originRequest": {
          "connectTimeout": 30,
          "tlsTimeout": 10,
          "tcpKeepAlive": 30,
          "noHappyEyeballs": false,
          "keepAliveTimeout": 90,
          "keepAliveConnections": 100,
          "httpHostHeader": "",
          "originServerName": "",
          "caPool": "",
          "noTLSVerify": false,
          "disableChunkedEncoding": false,
          "bastionMode": false,
          "proxyAddress": "127.0.0.1",
          "proxyPort": 0,
          "proxyType": "",
          "ipRules": null
        }
      }
    ],
    "warp-routing": {
      "enabled": false
    },
    "originRequest": {
      "connectTimeout": 30,
      "tlsTimeout": 10,
      "tcpKeepAlive": 30,
      "noHappyEyeballs": false,
      "keepAliveTimeout": 90,
      "keepAliveConnections": 100,
      "httpHostHeader": "",
      "originServerName": "",
      "caPool": "",
      "noTLSVerify": false,
      "disableChunkedEncoding": false,
      "bastionMode": false,
      "proxyAddress": "127.0.0.1",
      "proxyPort": 0,
      "proxyType": "",
      "ipRules": null
    }
  }
}

That shows the problem: if you look into that output, noTLSVerify is set to false everywhere.

So while you showed a config on the initial post that seems correct, the reality is that what you are feeding to cloudflared does not match what you showed us.

Move your configuration to /etc/cloudflared/config.yaml; having it in folders like ~/.cloudflared/ won't play nicely with running cloudflared as a service or when using sudo.

Additionally, noTLSVerify should be indented under an originRequest key.

ingress:
  - hostname: example.org
    service: https://localhost:443
    originRequest:
      noTLSVerify: true
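The /config endpoint queried earlier in the thread is the quickest way to confirm what cloudflared actually loaded, and it also shows whether origin TLS verification is on or off for each rule. The script below is an added example, not cloudflared's own code or anything posted in this thread: it takes the JSON that `curl localhost:<metrics-port>/config` returns, walks the ingress rules, and reports (a) no rules loaded, i.e. the wrong file was read, (b) an https:// origin that will be verified against system roots and so fails with 502 on a self-signed or mismatched certificate, as in the original error, and (c) an https:// origin with `noTLSVerify: true`, which silences the error by accepting any certificate. The field names come from the /config output shown above; the sample hostname (udmp.example.com), the constructed sample documents, the severity labels and the messages are mine.

```python
"""Audit the ingress rules cloudflared reports on its /config endpoint.

Added example, not cloudflared's own code. Input is the JSON that
`curl localhost:<metrics-port>/config` returns (as shown in the thread);
the field names are taken from that output, the severity labels and the
messages are the author's of this example.
"""
import json
from typing import Dict, List


def build_config(no_tls_verify: bool) -> str:
    """Constructed /config output, trimmed to the fields the audit reads.

    Mirrors the thread's two rules: an HTTPS origin and the mandatory
    http_status:404 catch-all. Real cloudflared output carries many more
    defaults; they are irrelevant to this check and omitted here.
    """
    origin = {"noTLSVerify": no_tls_verify, "caPool": "", "originServerName": ""}
    return json.dumps({
        "version": 0,
        "config": {
            "ingress": [
                {"hostname": "udmp.example.com", "path": None,     # assumed hostname
                 "service": "https://192.168.1.1", "originRequest": dict(origin)},
                {"hostname": "", "path": None,
                 "service": "http_status:404", "originRequest": dict(origin)},
            ],
        },
    })


SAMPLE_VERIFYING = build_config(no_tls_verify=False)   # what the thread's output showed
SAMPLE_NO_VERIFY = build_config(no_tls_verify=True)    # after the suggested noTLSVerify fix


def audit_ingress(config_json: str) -> List[Dict[str, str]]:
    """Return one finding per TLS-relevant ingress rule.

    error: no rules loaded, so cloudflared is not reading the file you edited.
    info:  HTTPS origin is verified against system roots; a self-signed cert,
           or one whose SANs do not cover the address in `service`, fails
           with a 502 and an x509 error in the cloudflared log.
    warn:  noTLSVerify is on; cloudflared accepts any certificate, so anything
           on the path between cloudflared and the origin can impersonate it.
    """
    doc = json.loads(config_json)
    rules = doc.get("config", {}).get("ingress") or []
    findings: List[Dict[str, str]] = []
    if not rules:
        findings.append({"hostname": "*", "level": "error",
                         "msg": "no ingress rules loaded; check which config file "
                                "cloudflared was started with"})
        return findings
    for rule in rules:
        service = rule.get("service") or ""
        if not service.startswith("https://"):
            continue  # http://, http_status:, tcp:// etc. involve no origin TLS
        origin = rule.get("originRequest") or {}
        host = rule.get("hostname") or "<catch-all>"
        if origin.get("noTLSVerify"):
            findings.append({"hostname": host, "level": "warn",
                             "msg": f"noTLSVerify is true for {service}: the origin "
                                    f"certificate is not checked; prefer caPool plus "
                                    f"originServerName when the origin uses a private CA"})
        elif not origin.get("caPool"):
            findings.append({"hostname": host, "level": "info",
                             "msg": f"{service} is verified against system roots; a "
                                    f"self-signed or mismatched certificate is rejected "
                                    f"and the tunnel returns 502"})
    return findings


if __name__ == "__main__":
    for label, cfg in (("thread", SAMPLE_VERIFYING), ("fixed", SAMPLE_NO_VERIFY)):
        for f in audit_ingress(cfg):
            print(f"[{label}] {f['level']:5} {f['hostname']}: {f['msg']}")
```

Run it against real output with `curl -s localhost:<port>/config | python3 audit.py` after swapping the sample constants for `sys.stdin.read()`; the point of the "warn" finding is that `noTLSVerify: true` makes the 502 go away by turning off the check that produced the x509 error, which is acceptable on a trusted LAN segment but is not the same as fixing the origin certificate.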

That’s the problem that I missed!

Also, that's why we recommend using config managed via Cloudflare's UI/API, as per https://blog.cloudflare.com/ridiculously-easy-to-use-tunnels/, so that you don't have to deal with YAML details and config files.

OK guys,
I see my issue here.
It is indeed working now.
Cheers!

The new tunnel method described in your link sounds fantastic, but I cannot seem to find a deployment guide anywhere. Do you have a link to a guide?

https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/#set-up-a-tunnel-remotely-dashboard-setup