Then I’m confused why you need to block port 80? If you are using docker → docker communication, then the port isn’t open unless you bind the port in the docker config.
From my understanding, if Cloudflare is only allowed to connect to the origin host (https://developers.cloudflare.com/fundamentals/get-started/setup/allow-cloudflare-ip-addresses/), despite the Tunnel, you can allow requests passing only on HTTP port 80 (block HTTPS 443, or some other like 2083, 2096 etc. …) using a Firewall Rule as follows from below:
NOTE: You’d have to switch to expression builder and write that down into the input field and then save.
A list of compatible ports and the ones which are open, therefore which can be used with Cloudflare, can be found in the below article:
May I ask, are you using an insecure setup and no HTTPS at all, therefore the SSL option is set to “Flexible SSL” in the Cloudflare dashboard for your domain?
Sounds like he is doing this, if not direct IP access will not work.
The issue is that people are able to connect to my website directly through its external IP, this bypasses any firewalls in place on Cloudflare as they are not proxying through Cloudflare. As for your question, yes, I am using an insecure setup with no HTTPS at all, and my SSL option is set to Flexible.
Assume that you have already done this, consider executing another command to allow localhost to talk to localhost port 80:
ufw allow from 127.0.0.1 proto tcp to 127.0.0.1 port 80
This fixed the tunnel, the tunnel now works - However direct IP connection also still works.
Did you run
ufw deny in http too?
Yes, “Skipping adding existing rule, Skipping adding existing rule (v6)”
Thank you for feedback.
Oh, well, that’s not so great, if so, as Flexible SSL is really not recommended to use, since there could be multiple issues caused by using it, as described in the below article, like Mixed Content or Redirect Loops, etc.:
SSL mode doesn’t really make a big difference if the user is using Cloudflare Tunnel for all websites. But yes, according to best practices, go for Full (strict).
Everything on the machine is proxied through Cloudflare, but for peace of mind I’ll secure the origin server. This does not however fix the issue I’m having, please answer my original post.
Frankly speaking once you configured UFW properly to block incoming port 80 requests from outside and only allow localhost to talk to localhost, I don’t really see a problem here.
I might miss something, so someone else might be able to spot the problem.
My UFW status:
To                     Action      From
--                     ------      ----
22/tcp                 ALLOW       Anywhere
80/tcp                 DENY        Anywhere
443/tcp                DENY        Anywhere
80                     DENY        Anywhere
127.0.0.1 80/tcp       ALLOW       127.0.0.1
4200                   ALLOW       Anywhere
22/tcp (v6)            ALLOW       Anywhere (v6)
80/tcp (v6)            DENY        Anywhere (v6)
443/tcp (v6)           DENY        Anywhere (v6)
80 (v6)                DENY        Anywhere (v6)
4200 (v6)              ALLOW       Anywhere (v6)
80/tcp                 DENY OUT    Anywhere
80                     DENY OUT    Anywhere
80/tcp (v6)            DENY OUT    Anywhere (v6)
80 (v6)                DENY OUT    Anywhere (v6)
Is there anything that you see wrong?
Noting that with this config both the direct IP connection and the Cloudflare tunnel work.
You need to change this listening port for the docker container. My guess is you have something like
-p 80:80 and you need to change this to
-p 127.0.0.1:80:80 or you can remove the port bind entirely as you are accessing it from a container in the same network.
The reason is that docker manipulates iptables when creating a container so all of your UFW rules get bypassed (docs).
Both of the options make it so that both the Cloudflare tunnel doesn’t work and the direct IP connection doesn’t work. Cloudflare throws a 502 Bad Gateway.
- What does your docker networking look like?
- Are the two containers (cloudflared & your application) on the same docker network?
Here is an example compose file I whipped up that works fine.
version: '3.9'
services:
  cloudflared:
    image: cloudflare/cloudflared:2022.6.3
    command: tunnel run --token <Token>
  apache:
    image: httpd:2.4-alpine
    volumes:
      - ./index.html:/usr/local/apache2/htdocs/index.html:ro
Accessible at https://apache-example.cybertestdomain.uk/
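As an added example that is not the thread’s own compose file, here is the same two-service setup on an explicit named network with no host port published for the web app, so a client hitting the origin IP directly finds nothing listening and Docker inserts no iptables rule for UFW to be bypassed by; the weak `ports:` setting from the discussion is shown commented out beside the loopback-only form. The network name `cf-edge`, the service-name mapping `http://apache:80` and the `<Token>` placeholder are my assumptions.

```yaml
# Added example, not from the thread. Both containers share one explicit
# Docker network; the app publishes no host port, so direct-to-IP access
# has no listener to reach. Values in <...> are placeholders.
version: '3.9'

services:
  cloudflared:
    image: cloudflare/cloudflared:2022.6.3
    command: tunnel run --token <Token>
    networks:
      - edge          # the only path in is cloudflared's outbound tunnel

  apache:
    image: httpd:2.4-alpine
    volumes:
      - ./index.html:/usr/local/apache2/htdocs/index.html:ro
    networks:
      - edge          # same network, so cloudflared resolves "apache" by name
    # In the tunnel's public hostname settings, point the service at
    # http://apache:80 (assumed mapping); no host port is needed for that.
    #
    # Weak setting (what the thread describes): published on every interface,
    # and Docker's own iptables rules sit ahead of UFW, so direct IP access
    # keeps working no matter what "ufw deny 80" says:
    # ports:
    #   - "80:80"
    #
    # If a host binding is genuinely required, restrict it to loopback:
    # ports:
    #   - "127.0.0.1:80:80"

networks:
  edge:
    name: cf-edge     # explicit, named network both services join
```

With the app unpublished, a port scan of the origin IP shows nothing on 80, which is the check the original poster was missing.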
Oh **** you’re right they’re on different docker networks. How would I revise this command to run on a specific docker network?
Apologies for being the party pooper, but this really is not Cloudflare related any more and better discussed on a Docker forum.