Multiple services on multiple subdomains through 1 tunnel

What is the name of the domain?

Don’t want to reveal

What is the issue you’re encountering

I do not want to create a new public hostname for every service I want to test.

What steps have you taken to resolve the issue?

I tried to make a public hostname with a wildcard, like *.example.com, which works for HTTP but not for HTTPS, because I want to use Caddy, and it tries to get a certificate for *.example.com instead of the subdomain I actually tried to access, which obviously doesn’t work. I just want to have a tunnel that redirects all traffic with any subdomain to one place, with the origin server name and HTTP Host header being the subdomain that was actually requested instead of a wildcard subdomain.

I am always wondering why people want to set up “catch-all” handling for non-existing requests on unused sub-domains and redirect them to some other path? :thinking:
If it’s not in use, don’t even try to catch it, but maybe I am missing a point here, again.

Either use the cloudflared test tunnels which are available; otherwise set up and separate your services on the origin per sub-domain, or serve them from different ports over the same sub-domain, and then add them to a single tunnel - no need for multiple tunnels, especially if they are served from the same origin. Keep in mind that web traffic should use ports which are compatible with and supported by the Cloudflare proxy :orange:

Otherwise, Arbitrary TCP:

Using Origin and Configuration Rules you could configure this.

@electric10steve I have a similar issue. Let me explain my use case and see if you can help me configure my tunnel accordingly, or tell me that this is a bad idea!

I’m running a Kubernetes cluster on-prem and want to expose a few services on the internet using HTTPS. But also for those internal web UIs like ArgoCD and Dashboard, I want to expose their Let’s Encrypt challenge URLs via HTTP so I can generate useful certificates for them. Internal services have an ‘external’ DNS name for certificate compatibility, but my local DNS routes these addresses to my cluster.

My idea is to use the Cloudflare WAF to filter incoming traffic and Kubernetes ingresses to send the requests to the correct Kubernetes service (based on the hostname and path).

So the setup would look like this:

Now, I have this fully working but my config.yml looks like this:

tunnel: 7bf1....
credentials-file: /home/ansible/.cloudflared/7bf1....

ingress:
  # http 80 for Lets Encrypt Challenges
  - hostname: echo.gkcluster.org
    path: /.well-known/acme-challenge/
    service: http://localhost
    originRequest:
      httpHostHeader: echo.gkcluster.org
      originServerName: echo.gkcluster.org
  # https 443 for accessing the service itself
  - hostname: echo.gkcluster.org
    service: https://localhost
    originRequest:
      httpHostHeader: echo.gkcluster.org
      originServerName: echo.gkcluster.org
  # remaining services are internal and only expose http for Let's Encrypt challenges
  - hostname: grafana.gkcluster.org
    service: http://localhost
    originRequest:
      httpHostHeader: grafana.gkcluster.org
      originServerName: grafana.gkcluster.org
  - hostname: dashboard.gkcluster.org
    service: http://localhost
    originRequest:
      httpHostHeader: dashboard.gkcluster.org
      originServerName: dashboard.gkcluster.org
  - hostname: longhorn.gkcluster.org
    service: http://localhost
    originRequest:
      httpHostHeader: longhorn.gkcluster.org
      originServerName: longhorn.gkcluster.org
  - hostname: argocd.gkcluster.org
    service: http://localhost
    originRequest:
      httpHostHeader: argocd.gkcluster.org
      originServerName: argocd.gkcluster.org
  - service: http_status:404

This is a maintenance headache. There seem to be two issues getting in the way of what I would like to achieve.

  • I can’t use HTTP and HTTPS for the same subdomain except with explicit paths
  • I can’t use a wildcard because the Host header is not passed through to the origin unless explicitly stated in the ingress

The problem is essentially that I have two ingresses per hostname; I would prefer that the tunnel just forward HTTPS or HTTP based on a wildcard.

Is there any way to achieve that?

Thanks!

Sorry that should have been @fritex !

Okay, I may have been a bit vague in my post about how I want it, so I sketched it here:


This is basically what I want. The thing I am asking about is that I want the origin server name and HTTP Host header to be the same as the actual subdomain+domain that was requested, and not *.example.com.
(Wanted to put an image of the Cloudflare Zero Trust tunnel hostname dashboard, but I can only embed 1 image)
Currently I got it to work by making a new public hostname for the Trilium service with the correct origin server name and HTTP Host header, but I do not want to do this for every service I add.
When I currently request something on a different subdomain it does go to my server, but because the origin server name and HTTP Host header are *.example.com, Caddy fails trying to get a certificate.
I thought about it some more, and maybe there is some way to automate the creation of these by locally managing the Cloudflare tunnel and making a script to add a hostname, but I don’t know if this is possible or is the best way.
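Both the per-hostname duplication in the config.yml above and the idea of scripting hostname additions come down to the same thing: the ingress rules are mechanical, so generate them. The following is an added example written for this thread, not code from either poster or from cloudflared. It assumes a locally managed tunnel (config.yml plus credentials file), a single origin on localhost that serves every hostname, and HTTP-01 challenges answered on port 80; the tunnel id and credentials path are placeholders. It goes slightly beyond the posted config in one deliberate way: internal hostnames get only the ACME challenge path, so any other request to them falls through to the catch-all 404 instead of reaching the internal UI's HTTP listener. It also anchors the `path` regex, since cloudflared evaluates `path` as a regular expression.

```python
# Added example for this thread (not the posters' or cloudflared's code):
# generate the repetitive per-hostname cloudflared ingress rules from two
# short host lists, so adding a service is a one-line change.
# Assumptions: locally managed tunnel, one origin on localhost serving every
# hostname, HTTP-01 challenges on port 80. TUNNEL_ID and CREDENTIALS_FILE are
# placeholders, not values from the thread.
import re

TUNNEL_ID = "00000000-0000-0000-0000-000000000000"                  # placeholder
CREDENTIALS_FILE = f"/home/ansible/.cloudflared/{TUNNEL_ID}.json"  # placeholder

# cloudflared matches `path` as a regular expression, so anchor it: an
# unanchored "/.well-known/acme-challenge/" would also match that substring
# anywhere in the request path.
ACME_PATH = r"^/\.well-known/acme-challenge/"


def origin_request(hostname: str) -> dict:
    """Pin SNI and Host to the requested hostname (the thread's workaround)."""
    return {"httpHostHeader": hostname, "originServerName": hostname}


def rules_for(hostname: str, public: bool) -> list:
    """Rules for one hostname, most specific first (cloudflared matches top-down).

    Internal hostnames get only the ACME path; everything else on them falls
    through to the catch-all 404 rather than to the UI's HTTP listener.
    """
    rules = [{
        "hostname": hostname,
        "path": ACME_PATH,
        "service": "http://localhost",
        "originRequest": origin_request(hostname),
    }]
    if public:
        rules.append({
            "hostname": hostname,
            "service": "https://localhost",
            "originRequest": origin_request(hostname),
        })
    return rules


def validate_ingress(ingress: list) -> None:
    """Catch the two mistakes this generator is meant to prevent."""
    if not ingress or "hostname" in ingress[-1] or "path" in ingress[-1]:
        raise ValueError("last ingress rule must be a catch-all")
    for rule in ingress[:-1]:
        if "*" in rule.get("hostname", ""):
            raise ValueError("this generator emits one rule per concrete hostname; no wildcards")


def build_ingress(public: list, internal: list) -> list:
    ingress = []
    for h in public:
        ingress += rules_for(h, public=True)
    for h in internal:
        ingress += rules_for(h, public=False)
    ingress.append({"service": "http_status:404"})  # required catch-all rule
    validate_ingress(ingress)
    return ingress


def match_rule(ingress: list, host: str, path: str) -> dict:
    """First rule whose hostname and path regex match: same top-down order cloudflared uses."""
    for rule in ingress:
        if "hostname" in rule and rule["hostname"] != host:
            continue
        if "path" in rule and not re.search(rule["path"], path):
            continue
        return rule
    raise ValueError("no catch-all rule")


def render_config(tunnel_id: str, credentials_file: str, ingress: list) -> str:
    """Emit config.yml text; the shape is fixed, so no YAML library is needed."""
    lines = [f"tunnel: {tunnel_id}", f"credentials-file: {credentials_file}", "", "ingress:"]
    for rule in ingress:
        first = True
        for key in ("hostname", "path", "service"):
            if key in rule:
                value = f"'{rule[key]}'" if key == "path" else rule[key]  # quote the regex
                lines.append(f"{'  - ' if first else '    '}{key}: {value}")
                first = False
        if "originRequest" in rule:
            lines.append("    originRequest:")
            for k, v in rule["originRequest"].items():
                lines.append(f"      {k}: {v}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    PUBLIC = ["echo.gkcluster.org"]
    INTERNAL = ["grafana.gkcluster.org", "dashboard.gkcluster.org",
                "longhorn.gkcluster.org", "argocd.gkcluster.org"]
    print(render_config(TUNNEL_ID, CREDENTIALS_FILE, build_ingress(PUBLIC, INTERNAL)))
```

Run it and redirect the output to config.yml, then check it with `cloudflared tunnel ingress validate` and probe individual URLs with `cloudflared tunnel ingress rule <url>` to confirm which rule wins. Each concrete hostname still needs a DNS record pointing at the tunnel (`cloudflared tunnel route dns <tunnel> <hostname>`), which is the other half of the "script to add a hostname" idea above.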