How to block all connections other than Cloudflare on port 80 through tunnel?

Note that with this config both the direct IP connection and the Cloudflare tunnel work.

You need to change the listening port for the Docker container. My guess is you have something like --port 80:80 and you need to change this to 127.0.0.1:80:80, or you can remove the port bind entirely, as you are accessing it from a container on the same network.
The reason is that docker manipulates iptables when creating a container so all of your UFW rules get bypassed (docs).

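As an added example (not from the thread or from Cloudflare), here is a small POSIX shell check for the point above: given the output of `docker ps --format '{{.Names}}\t{{.Ports}}'`, it lists every published port whose host address is not loopback, i.e. exactly the bindings that Docker's own iptables rules expose ahead of UFW. The container names and port lines in the sample are constructed for this example; the only real interface used is the `docker ps` output format.

```shell
#!/bin/sh
# Added example, not from the thread: find containers whose published ports
# are bound on all host interfaces (0.0.0.0 or ::). Those are the bindings
# Docker's own iptables rules let through regardless of UFW; a 127.0.0.1
# binding, or no "ports:" entry at all, keeps the app reachable only locally
# or from other containers (which is all cloudflared needs).

TAB=$(printf '\t')

# Constructed sample in the format of:
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# Container names and bindings are made up for this example.
sample_ps() {
  printf 'webapp\t0.0.0.0:80->80/tcp, :::80->80/tcp\n'   # world reachable
  printf 'webapp-local\t127.0.0.1:80->80/tcp\n'          # loopback only
  printf 'cloudflared\t\n'                               # nothing published
  printf 'apache\t80/tcp\n'                              # EXPOSEd, not published
}

# Read "name<TAB>ports" lines on stdin; print "name binding" for every
# published binding whose host address is not loopback.
world_reachable_bindings() {
  while IFS=$TAB read -r name ports; do
    [ -n "$ports" ] || continue
    # one binding per line; the inner read strips the leading space after ","
    printf '%s\n' "$ports" | tr ',' '\n' | while read -r binding; do
      case "$binding" in
        *'->'*) ;;        # published to the host
        *) continue ;;    # exposed by the image only; not reachable from host
      esac
      case "$binding" in
        127.0.0.1:*|'[::1]:'*|'::1:'*) continue ;;  # loopback, stays behind UFW
      esac
      printf '%s %s\n' "$name" "$binding"
    done
  done
}

# Exit status 1 if anything is world reachable, so this can gate a deploy.
audit() {
  out=$(world_reachable_bindings)
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# Live use: docker ps --format '{{.Names}}\t{{.Ports}}' | audit
if sample_ps | audit; then
  echo "no world-reachable port bindings"
else
  echo "rebind the above to 127.0.0.1 or drop the ports: entry"
fi
```

Run it against the real daemon with the `docker ps ... | audit` line from the comment; the sample run flags only `webapp`, since `webapp-local` is bound to loopback and `apache` merely exposes port 80 without publishing it.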

With both options, neither the Cloudflare tunnel nor the direct IP connection works. Cloudflare throws a 502 Bad Gateway.

  1. What does your docker networking look like?
  2. Are the two containers (cloudflared & your application) on the same docker network?

Here is an example compose file I whipped up that works fine.

version: '3.9'

services:
  cloudflared:
    image: cloudflare/cloudflared:2022.6.3
    # Remote-managed tunnel: the public hostname -> origin mapping is set in
    # the Cloudflare dashboard (assumed here to point at http://apache:80).
    command: tunnel run --token <Token>

  apache:
    image: httpd:2.4-alpine
    # No "ports:" entry: httpd is reachable only from other containers on
    # this project's default network (as http://apache:80 from cloudflared),
    # not from the host or the Internet, so there is nothing for UFW to miss.
    volumes:
      - ./index.html:/usr/local/apache2/htdocs/index.html:ro

Accessible at https://apache-example.cybertestdomain.uk/

Oh ****, you're right, they're on different Docker networks. How would I revise this command to run on a specific Docker network?


stak

Apologies for being the party pooper, but this really is not Cloudflare related any more and better discussed on a Docker forum.
