Nginx + DDClient + Cloudflare

Hello All. Hopefully someone here may be able to help as this is driving me up a wall and I’m not finding much help or documentation to address this issue.

A bit about my setup:

  1. Ubuntu 18.04 LTS server
  2. Static IP and DNS set within Network Manager
  3. Running several apps (Jellyfin, Calibre-Web, Sonarr etc)
  4. Nginx fully installed
  5. GoDaddy domain proxied through Cloudflare
  6. DDClient synchronizing IP from server to Cloudflare
  7. Port 80, 443 and 8096 (Jellyfin for testing) allowed in server firewall and from router to static IP

I’ve installed DDClient and set up the connection between my server and Cloudflare to propagate the proper IP address on the domains I currently have set up (example dot com and jellyfin dot example dot com). This connection seems to be working, as when I visit the updated IP address listed on Cloudflare from the browser on the server, it opens the default Nginx landing page. If I use that IP with a port (ex: http:// CloudflareIP : 8096 for Jellyfin) in a browser on the server, it also opens Jellyfin, but very slowly. These links of course also work with simply localhost or 127.0.0.1 as the URL on the server.

However, when attempting to visit the Cloudflare IP on another device, it doesn’t open the default index page nor any of the apps on ports. Also worth mentioning is that visiting http:// staticip or http:// staticip:port only works when calling the URL from a device other than the server. When trying to visit the static IP from the server, it’s unable to connect. And of course, visiting the domain and subdomain listed in Cloudflare (example dot com and jellyfin dot example dot com) doesn’t pick up the Nginx index page at all, but instead shows a Cloudflare page with a host error; again confirming that the DDClient/Cloudflare connection is working.

What I’d like to know is how do I make the domains listed on Cloudflare serve externally or, in other words, work as they’re supposed to? Additionally, how do I ensure that the speed of the pages served is faster than tested? As mentioned, when visiting http:// Cloudflare :8096 from the server, the page loads but is a bit slow. I assume this is due to bandwidth (which I can deal with), but want to make sure there’s nothing I’ve done to slow this down or anything that I can do to help the speed.

Lastly, the domains hosted with Cloudflare will be the main domain and subdomains (ex: example dot com, jellyfin dot example dot com, calibre dot example dot com and so on). I don’t know if this has any effect on possible configuration or misconfiguration recommendations, but wanted to include as much information as possible.

Any and all recommendations or possible scenarios are greatly appreciated. Thanks in advance.

For starters, this may be trivial but I’ll ask anyway: In Cloudflare DNS dashboard, are all the hostnames your server is behind, orange? If they’re not, Cloudflare will publish the IP as-is, and it will not be proxied by Cloudflare. When that’s the case, that means that the IP returned will be the IP you’ve set in the DNS (I can’t check that, because you didn’t give your real domain to test… so I’m posing this as a question…) - which means Cloudflare is not involved at all. In most home routers (and even some commercial ones), hitting your own external IP from within your LAN will get nowhere. They’re designed to only accept traffic if it comes from the WAN interface.

Maybe that’s your problem?

Also, port 8096 is not forwarded by Cloudflare. Cloudflare supports only the ports listed here: https://support.cloudflare.com/hc/en-us/articles/200169156-Identifying-network-ports-compatible-with-Cloudflare-s-proxy - the fact that going to this URL with the domain works sounds to further suggest that you’re simply not going through Cloudflare…

Hope this helps…

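Added example (not from the thread, not a Cloudflare tool): a Bash script that performs the two checks this reply asks for, whether the address a hostname resolves to belongs to Cloudflare (so the record is orange-clouded and traffic really is proxied) and whether the port is one the proxy forwards. The IPv4 ranges are a snapshot of the list published at https://www.cloudflare.com/ips-v4 and the port list is the one from the support article linked above; treat both as assumptions to refresh from the live pages. `check_host` and `check_origin_local` need dig, curl and network access; the classification functions run offline. `check_origin_local` pins the hostname to 127.0.0.1 with `--resolve`, which sidesteps the hairpin-NAT problem the reply mentions when testing from the server itself.

```shell
#!/usr/bin/env bash
# cf-proxy-check.sh: is this hostname really going through Cloudflare, and can
# the requested port go through at all?  Added example; not from the thread.

# Snapshot of https://www.cloudflare.com/ips-v4 (assumption: refresh before relying on it).
CF_IPV4_RANGES="173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22
141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22
198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22"

# Dotted quad -> 32-bit integer (shell arithmetic is 64-bit, so no overflow).
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> true if IP lies inside CIDR.
in_cidr() {
  local net=${2%/*} bits=${2#*/} mask
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# is_cloudflare_ip IP -> true if IP is a Cloudflare edge address, i.e. the DNS
# record is proxied (orange cloud).  A grey-cloud record publishes the origin IP.
is_cloudflare_ip() {
  local r
  for r in $CF_IPV4_RANGES; do
    in_cidr "$1" "$r" && return 0
  done
  return 1
}

# cloudflare_proxies_port PORT -> prints "http" or "https" and returns 0 when the
# proxy forwards PORT; returns 1 otherwise (e.g. 8096: the edge never forwards it).
cloudflare_proxies_port() {
  case "$1" in
    80|8080|8880|2052|2082|2086|2095) echo http ;;
    443|2053|2083|2087|2096|8443)     echo https ;;
    *) return 1 ;;
  esac
}

# Live check (needs dig, curl, network): resolve HOST and report what the edge does.
check_host() {
  local host=$1 port=${2:-80} ip scheme
  ip=$(dig +short A "$host" | grep -m1 -E '^[0-9.]+$')
  [ -n "$ip" ] || { echo "$host: no A record"; return 1; }
  if is_cloudflare_ip "$ip"; then
    echo "$host -> $ip: Cloudflare edge, record is proxied"
    if scheme=$(cloudflare_proxies_port "$port"); then
      curl -s -o /dev/null \
        -w "  edge $scheme://$host:$port -> HTTP %{http_code}, redirect: %{redirect_url}\n" \
        "$scheme://$host:$port/"
    else
      echo "  port $port is not on the proxied-port list; use a listed port or a name-based vhost"
    fi
  else
    echo "$host -> $ip: not a Cloudflare address, record is DNS-only; clients hit the origin directly"
  fi
}

# Live check from the server itself: many home routers will not hairpin your own public
# IP, so pin the hostname to 127.0.0.1 and let nginx pick the vhost from the Host header.
check_origin_local() {
  local host=$1 port=${2:-80}
  curl -s -o /dev/null --resolve "$host:$port:127.0.0.1" \
    -w "origin(127.0.0.1) http://$host:$port -> HTTP %{http_code}, redirect: %{redirect_url}\n" \
    "http://$host:$port/"
}

if [ -n "${1:-}" ]; then
  check_host "$1" "${2:-80}"
  check_origin_local "$1" "${2:-80}"
fi
```

Usage: `bash cf-proxy-check.sh jellyfin.example.com 8096`. A "not a Cloudflare address" line means the record is grey-clouded and Cloudflare is not in the path at all; a "not on the proxied-port list" line means the only fix is moving the service behind a listed port or an nginx name-based vhost on 80/443.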

Thanks for responding. I’ve posted about this in the Nginx forums, Reddit and GitHub to no replies, so this is a start.

I’ve attached an image of my Cloudflare DNS settings. You mentioned the domain working. I believe you may have misread my post as the actual domains themselves don’t work locally or from any other devices.

When I visit the server static IP with or without port 8096, it only works on external devices, which has nothing to do with this setup. It was working before I installed Nginx, DDClient or Cloudflare. Visiting the IP as listed in Cloudflare (with or without port) only works locally and not externally. The domains work for neither and send me to a Cloudflare error page; also attached.

I will add that when using an online checker for the IP address, the address given is different than what’s placed into Cloudflare by DDClient. I assume that this is Cloudflare’s IP address because I used dig to look up the IP for my domain name and subdomain, and when placing that IP into the browser (locally and on another device), I’m seeing a Cloudflare page with 1003 error.

I assume this is because I haven’t placed Cloudflare’s SSL cert on the local Nginx install yet. However, that still doesn’t explain why the domains aren’t resolving to this error page. They simply show that they can’t connect.

Thanks, much easier with the actual data :)

I did read the working only from a specific place (but in hindsight maybe you just have a self-reference to 127.0.0.1 in your /etc/hosts?)

Anyway, I tried accessing your actual IP from my computer (which you may want to edit and remove, as it’s a public forum). I’m successful over HTTP, and over HTTPS, I get connection refused.

My first guess here would be, that on the SSL/TLS tab, you’re set to “Full”, or “Full (Strict)”. If that’s the case, Cloudflare will try to reach you over HTTPS only. That’s down, so “failure to connect” makes total sense. If that’s the case, try switching the SSL to “off”.

As for port 8096, that’s a no-go by design, as I’ve mentioned in my previous message. Cloudflare does not forward this port. Either use name-based virtual hosting for your other services, or, select one of the other ports that Cloudflare does forward, mentioned in the link I’ve posted in my previous reply.

P.S. Further, when I go to your domain through Cloudflare, it automatically redirects to HTTPS, also probably part of the issue:

```
$ curl --resolve darrenallendunn.com:80:104.31.81.182 -v http://darrenallendunn.com
* Added darrenallendunn.com:80:104.31.81.182 to DNS cache
* Hostname darrenallendunn.com was found in DNS cache
*   Trying 104.31.81.182:80...
* TCP_NODELAY set
* Connected to darrenallendunn.com (104.31.81.182) port 80 (#0)
> GET / HTTP/1.1
> Host: darrenallendunn.com
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Date: Tue, 04 Feb 2020 19:33:24 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: max-age=3600
< Expires: Tue, 04 Feb 2020 20:33:24 GMT
< Location: https://darrenallendunn.com/
< Alt-Svc: h3-24=":443"; ma=86400, h3-23=":443"; ma=86400
< X-Content-Type-Options: nosniff
< Server: cloudflare
< CF-RAY: 55ff137d2ca4d443-HAM
<
* Connection #0 to host darrenallendunn.com left intact
```

(The automatic redirect option can be disabled under: SSL/TLS -> Edge Certificates Tab -> “Always Use HTTPS” => Off)

I presume you are saying “cloudflare” here instead of your actual hostname (like www.example.com) Do you have an entry for “cloudflare” in /etc/hosts which resolves this to 127.0.0.1? This would explain the behaviour you are seeing.

If you have a static IP, why do you also need DDClient?

I always set up a static IP on the server upon install as some of the services used required one (AdGuard Home for instance).

The url I typed was http://CloudflareIP:port, replacing CloudflareIP with the IP DDClient populates and is shown in the Cloudflare dashboard.

I’ve of course removed the images.

Taking your advice, I set the SSL/TLS encryption to off. Also, just for the sake of testing, I also set Always On to off. When I go to the domains now from an external device, it shows my default Nginx page. That’s a win.

However, when visiting the domains from the server’s browser itself, I’m met with an error; so it seems the problem is only halfway fixed.

Two questions then:

  1. How do I get the domains to work and serve the proper content everywhere?

  2. If I have SSL/TLS disabled, doesn’t this defeat the purpose of using Cloudflare? How would I secure the content on the server as well as connections?

Thanks again.

  1. What error exactly do you get from within the server? Also, note that you previously had a 301 redirect, which may be cached. Try removing browser cache. Or better, try making all your tests with: curl -v <url> - curl doesn’t cache and it’s much easier to debug that way. Especially given the useful outputs which you’re welcome to share.
  2. Cloudflare has many purposes, giving you TLS isn’t really one of them (IMHO), especially as you can do it yourself. If that’s your whole purpose, you can make your own TLS certificate for free by Let’s Encrypt and using something like acme.sh. However… Cloudflare does a few more things which you may like :)

For full security, your server still needs to do TLS with Cloudflare. For that you’ll have to either get your own cert (as mentioned in previous paragraph), or use Cloudflare’s certificate (which they issue from an internal CA, which only they trust, see SSL/TLS -> Origin Server tab). That’s a very long-term certificate (mine are until the end of 2034), and only Cloudflare will trust them (you’ll not be able to TLS directly to your server without a warning). You can do that, then you can use Full or Full (Strict). With any TLS cert you can use Full. This will make the traffic encrypted but not protected from Man-in-the-Middle attack on connections between Cloudflare and You. If you want to prevent any possibility for Man-in-the-Middle (which means your site will be down and Cloudflare will return an error to the user just like a browser would do when you access a site with an invalid cert, with any such attack or expired/untrusted cert), use Full (Strict).

As you can understand, Cloudflare provides TLS just to be able to securely pass traffic to you, if they didn’t, using their services would actually harm the security of companies that can do TLS themselves.

It’s still putting your trust in Cloudflare, though. They can read the traffic if they want. It’s not end-to-end encrypted, because they decrypt your traffic, process it, and then securely pass it to the other end. It’s secure over the Internet, but they can still read it. That’s a disadvantage you must take when you use a 3rd-party proxy…

After you have TLS working, you can go ahead and enable automatic rewrites from HTTP to HTTPS by Cloudflare (or by your own server configuration).

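Added example (not from the thread, not Cloudflare's tooling): a Bash script that inspects what an origin actually presents on port 443 and maps it to the Cloudflare SSL/TLS modes discussed in the reply above, so you can tell before flipping the setting whether Full or Full (strict) will work or just take the site down. `classify_tls` parses `openssl s_client` output offline; `probe_origin` performs the live connection straight to the origin IP with SNI, bypassing the edge the way Cloudflare itself would. The match on an issuer containing `CloudFlare Origin` is an assumption about how Cloudflare names its Origin CA; check it against a certificate you issued from the Origin Server tab.

```shell
#!/usr/bin/env bash
# cf-origin-tls.sh: what does the origin present on :443, and which Cloudflare
# SSL/TLS mode can therefore be switched on?  Added example; not from the thread.

# classify_tls OPENSSL_OUTPUT -> prints one of:
#   origin-ca  issued by the Cloudflare Origin CA: the edge trusts it, browsers do not
#   public     chains to a CA in the local trust store (Verify return code: 0)
#   untrusted  a certificate was presented but did not verify (self-signed, expired, ...)
#   none       no "issuer=" line, i.e. no certificate was presented at all
classify_tls() {
  local out=$1 issuer code
  issuer=$(printf '%s\n' "$out" | sed -n 's/^issuer=//p' | head -n1)
  code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: *\([0-9][0-9]*\).*/\1/p' | tail -n1)
  [ -n "$issuer" ] || { echo none; return; }
  case "$issuer" in
    *"CloudFlare Origin"*) echo origin-ca; return ;;   # assumption: Origin CA issuer name
  esac
  if [ "$code" = 0 ]; then echo public; else echo untrusted; fi
}

# recommend_mode CLASS -> the strongest Cloudflare SSL/TLS mode that will not break the site.
recommend_mode() {
  case "$1" in
    refused|none)
      echo "Flexible: edge to origin is plain HTTP; enable TLS on the origin first (Full would fail to connect)" ;;
    untrusted)
      echo "Full: edge to origin is encrypted but the cert is not validated, so a MitM between Cloudflare and the origin is still possible" ;;
    origin-ca|public)
      echo "Full (strict): edge to origin is encrypted and the cert validated; a MitM, expiry or untrusted cert becomes an edge error page" ;;
    *) echo "unknown class: $1"; return 1 ;;
  esac
}

# Live probe (needs openssl, network): probe_origin ORIGIN_IP HOSTNAME
# s_client exits non-zero when it cannot connect; it exits 0 on verify failures,
# which is why classification reads the Verify return code instead.
probe_origin() {
  local ip=$1 host=$2 out
  if ! out=$(openssl s_client -connect "$ip:443" -servername "$host" </dev/null 2>/dev/null); then
    echo refused
    return
  fi
  classify_tls "$out"
}

if [ $# -ge 2 ]; then
  class=$(probe_origin "$1" "$2")
  echo "origin $1 ($2): $class"
  recommend_mode "$class"
fi
```

Usage: `bash cf-origin-tls.sh 203.0.113.10 jellyfin.example.com` (constructed origin address). Note that an Origin CA certificate will show a non-zero verify code locally because only Cloudflare trusts that CA; the script classifies it as `origin-ca` first for exactly that reason, and Full (strict) is still the right mode for it.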
