Docker tunnel is up but getting error 502

avibarilan · May 3, 2022, 8:10am

Hi. sorry if this repeating post, couldn’t find an answer in existing ones.
i was able to create a fully “functioning” docker to facilitate my Cloudflare tunnel.
i followed several guides and was finally able to get the tunnel up.
when i try to browse to resource i configured in my config.yml file i get an error 502 page.
in the docker log i see an error:

2022-05-03T07:52:52Z ERR Failed to handle QUIC stream error=“Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: certificate is valid for 127.0.0.1, fe80::1, not 192.168.1.1” connIndex=2

my config file is as follows:
(changed the tunnel id and stuff for obvious reasons)

tunnel: 6b8cf9ca-XXXXX-XXXX-XXXXX
credentials-file: /home/nonroot/.cloudflared/6b8cf9ca-XXX-XXXX-XXXX1.json

ingress:

hostname: notimportant.wastelandsystems.com
service: https://192.168.1.1
noTLSVerify: true
service: http_status:404

what am i missing?

nuno.diegues · May 3, 2022, 8:54am

That seems to be correct.

Can you query the config endpoint of your cloudflared to make sure it is picking up that config as expected?
You can find the port in its output log. E.g.:

2022-05-03T08:53:45Z INF Starting metrics server on 127.0.0.1:40809/metrics

Then you can do:

curl localhost:40809/config

and show us the output

avibarilan · May 3, 2022, 9:18am

Sorry for being such a noob!
i’m fairly new to this world and i couldn’t understand what exactly do you need me to do.
can maybe elaborate a bit more?
i run my docker container on a synology nas if that helps

avibarilan · May 3, 2022, 9:27am

Sorry!
found it:

DS920-NAS:/$ curl localhost:38807/config
{“version”:0,“config”:{“ingress”:[{“hostname”:“udmp.wastelandsystems.com”,“path”:null,“service”:“https://192.168.1.1”,“originRequest”:{“connectTimeout”:30,“tlsTimeout”:10,“tcpKeepAlive”:30,“noHappyEyeballs”:false,“keepAliveTimeout”:90,“keepAliveConnections”:100,“httpHostHeader”:"",“originServerName”:"",“caPool”:"",“noTLSVerify”:false,“disableChunkedEncoding”:false,“bastionMode”:false,“proxyAddress”:“127.0.0.1”,“proxyPort”:0,“proxyType”:"",“ipRules”:null}},{“hostname”:"",“path”:null,“service”:“http_status:404”,“originRequest”:{“connectTimeout”:30,“tlsTimeout”:10,“tcpKeepAlive”:30,“noHappyEyeballs”:false,“keepAliveTimeout”:90,“keepAliveConnections”:100,“httpHostHeader”:"",“originServerName”:"",“caPool”:"",“noTLSVerify”:false,“disableChunkedEncoding”:false,“bastionMode”:false,“proxyAddress”:“127.0.0.1”,“proxyPort”:0,“proxyType”:"",“ipRules”:null}}],“warp-routing”:{“enabled”:false},“originRequest”:{“connectTimeout”:30,“tlsTimeout”:10,“tcpKeepAlive”:30,“noHappyEyeballs”:false,“keepAliveTimeout”:90,“keepAliveConnections”:100,“httpHostHeader”:"",“originServerName”:"",“caPool”:"",“noTLSVerify”:false,“disableChunkedEncoding”:false,“bastionMode”:false,“proxyAddress”:“127.0.0.1”,“proxyPort”:0,“proxyType”:"",“ipRules”:null}}}[email protected]:/$

avibarilan · May 3, 2022, 9:35am

Sorry.
found it:

DS920-NAS:/$ curl localhost:38807/config
{“version”:0,“config”:{“ingress”:[{“hostname”:“udmp.wastelandsystems.com”,“path”:null,“service”:“https://192.168.1.1”,“originRequest”:{“connectTimeout”:30,“tlsTimeout”:10,“tcpKeepAlive”:30,“noHappyEyeballs”:false,“keepAliveTimeout”:90,“keepAliveConnections”:100,“httpHostHeader”:"",“originServerName”:"",“caPool”:"",“noTLSVerify”:false,“disableChunkedEncoding”:false,“bastionMode”:false,“proxyAddress”:“127.0.0.1”,“proxyPort”:0,“proxyType”:"",“ipRules”:null}},{“hostname”:"",“path”:null,“service”:“http_status:404”,“originRequest”:{“connectTimeout”:30,“tlsTimeout”:10,“tcpKeepAlive”:30,“noHappyEyeballs”:false,“keepAliveTimeout”:90,“keepAliveConnections”:100,“httpHostHeader”:"",“originServerName”:"",“caPool”:"",“noTLSVerify”:false,“disableChunkedEncoding”:false,“bastionMode”:false,“proxyAddress”:“127.0.0.1”,“proxyPort”:0,“proxyType”:"",“ipRules”:null}}],“warp-routing”:{“enabled”:false},“originRequest”:{“connectTimeout”:30,“tlsTimeout”:10,“tcpKeepAlive”:30,“noHappyEyeballs”:false,“keepAliveTimeout”:90,“keepAliveConnections”:100,“httpHostHeader”:"",“originServerName”:"",“caPool”:"",“noTLSVerify”:false,“disableChunkedEncoding”:false,“bastionMode”:false,“proxyAddress”:“127.0.0.1”,“proxyPort”:0,“proxyType”:"",“ipRules”:null}}}[email protected]:/$

nuno.diegues · May 3, 2022, 9:42am

That shows the problem: if you look into that output, noTLSVerify is set to false everywhere.

So while you showed a config on the initial post that seems correct, the reality is that what you are feeding to cloudflared does not match what you showed us.

KianNH · May 3, 2022, 10:47am

Move your configuration to /etc/cloudflared/config.yaml - having it in folders like ~/.cloudflared/ won’t play nicely with running cloudflared as a service or when using sudo.

Additionally, noTLSVerify should be indented under an originRequest key.

ingress:
  - hostname: example.org
    service: https://localhost:443
    originRequest:
      noTLSVerify: true

nuno.diegues · May 3, 2022, 11:02am

That’s the problem that I missed!

Also, that’s why we recommend using config managed via Cloudflare’s UI/API as per https://blog.cloudflare.com/ridiculously-easy-to-use-tunnels/ so that you don’t have to deal with YAML details and config files

avibarilan · May 3, 2022, 11:24am

OK guys
I see my issue here
it is indeed working now
cheers!

avibarilan · May 3, 2022, 12:05pm

the new tunnel method described in your link sound fantastic. but i cannot seem to find a deployment guide anywhere. do yuo have a link to guide?

KianNH · May 3, 2022, 12:07pm

https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/#set-up-a-tunnel-remotely-dashboard-setup