SSH not working with cloudflared tunnel inside docker container

I’m using the following “docker-compose.yml” file:

---
version: '3.7'

volumes:
  wordpress:
  db:

services:
  wordpress:
    image: arm64v8/wordpress
    restart: always
    ports:
      - 8081:80
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_USER: exampleuser
      WORDPRESS_DB_PASSWORD: examplepass
      WORDPRESS_DB_NAME: exampledb
    volumes:
      - type: bind
        source: ./main-site-data
        target: /var/www/html
    networks:
      - test-wordpress
    depends_on:
      - db

  db:
    image: arm64v8/mariadb
    restart: always
    environment:
      MARIADB_DATABASE: exampledb
      MARIADB_USER: exampleuser
      MARIADB_PASSWORD: examplepass
      MARIADB_ROOT_PASSWORD: mysqlrootpass
      # MYSQL_RANDOM_ROOT_PASSWORD: '1'
    volumes:
      - type: bind
        source: ./db-data
        target: /var/lib/mysql
    networks:
      - test-wordpress

  tunnel:
    image: cloudflare/cloudflared
    restart: unless-stopped
    command: tunnel run
    environment:
        - TUNNEL_TOKEN=<token>
    networks:
        - test-wordpress

  openssh-server:
    image: lscr.io/linuxserver/openssh-server:latest
    environment:
      - PUBLIC_KEY_FILE=/home/pi/.ssh/id_rsa.pub
      - USER_NAME=pi
    volumes:
      - type: bind
        source: ./config
        target: /config
      - type: bind
        source: ./main-site-data
        target: /var/www/html
      - type: bind
        source: /home/pi/.ssh/id_rsa.pub
        target: /home/pi/.ssh/id_rsa.pub
    ports:
      - 2222:2222
    restart: unless-stopped
    networks:
      - test-wordpress

networks:
  test-wordpress:
    name: test-wordpress

This^ is correctly routing traffic for WordPress but not for SSH. I’m not sure what’s wrong with this setup; if anyone can help, it would be really appreciated.

With the following:
sudo ssh -p 2222 <user>@ssh-one.<site>.com

I’m getting the following error:
ssh: connect to host ssh-one.<site>.com port 2222: Network is unreachable

You need to set up your client for SSH access:

So, I tried the following, but it is not working. I want to SSH into the openssh container.

---
version: '3.7'

volumes:
  wordpress:
  db:

services:
  wordpress:
    image: arm64v8/wordpress
    restart: always
    ports:
      - 8081:80
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_USER: exampleuser
      WORDPRESS_DB_PASSWORD: examplepass
      WORDPRESS_DB_NAME: exampledb
    volumes:
      - type: bind
        source: ./main-site-data
        target: /var/www/html
    networks:
      - test-wordpress
    depends_on:
      - db

  db:
    image: arm64v8/mariadb
    restart: always
    environment:
      MARIADB_DATABASE: exampledb
      MARIADB_USER: exampleuser
      MARIADB_PASSWORD: examplepass
      MARIADB_ROOT_PASSWORD: mysqlrootpass
      # MYSQL_RANDOM_ROOT_PASSWORD: '1'
    volumes:
      - type: bind
        source: ./db-data
        target: /var/lib/mysql
    networks:
      - test-wordpress

  tunnel:
    # container_name: cloudflared-tunnel-test-ashishjullia-dot-com
    # network_mode: "service:wordpress"
    image: cloudflare/cloudflared
    restart: unless-stopped
    command: tunnel run
    volumes:
      - type: bind
        source: ./ssh/ssh-config
        target: /root/.ssh/config
    environment:
        - TUNNEL_TOKEN=<token>
    networks:
        - test-wordpress

  openssh-server:
    image: lscr.io/linuxserver/openssh-server:latest
    hostname: pi4
    environment:
      # - PUID=1000
      # - PGID=1000
      - PUBLIC_KEY_FILE=/home/pi/.ssh/id_rsa.pub
      - USER_NAME=pi
    volumes:
      - type: bind
        source: ./config
        target: /config
      - type: bind
        source: ./main-site-data
        target: /var/www/html
      - type: bind
        source: /home/pi/.ssh/id_rsa.pub
        target: /home/pi/.ssh/id_rsa.pub
      # - type: bind
      #   source: ./ssh/ssh-config
      #   target: /home/pi/.ssh/config
    ports:
      - 2222:2222
    restart: unless-stopped
    networks:
      - test-wordpress

networks:
  test-wordpress:
    name: test-wordpress

The docker compose looks good. The docs are specifically for how you access SSH via cloudflared on the client side. Any application that does not use HTTP(S) on Access needs to have cloudflared installed on the client as well to access it.
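The client-side setup this reply refers to, as an added example that is not part of the original thread: a small script that adds an `ssh_config` entry routing one hostname through `cloudflared access ssh`. It assumes cloudflared is installed on the client and on `PATH`, that the tunnel's public hostname is already mapped to the openssh-server container in the Zero Trust dashboard, and uses `ssh-one.example.com` as a constructed placeholder hostname.

```shell
#!/bin/sh
# Added example: client-side SSH config for a host behind a Cloudflare Tunnel.
# Assumption: cloudflared is installed on the client and on PATH.

# Print the ssh_config stanza that sends connections for host $1 through cloudflared.
cloudflared_stanza() {
    printf 'Host %s\n' "$1"
    printf '    ProxyCommand cloudflared access ssh --hostname %%h\n'
}

# Return 0 if config file $2 already has a Host line naming $1.
has_host() {
    [ -f "$2" ] || return 1
    awk -v h="$1" '
        tolower($1) == "host" { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
        END { exit !found }' "$2"
}

# Append the stanza once (idempotent) and keep the file private to the user.
add_cloudflared_host() {
    host=$1
    cfg=${2:-"$HOME/.ssh/config"}
    if has_host "$host" "$cfg"; then
        return 0
    fi
    mkdir -p "$(dirname "$cfg")"
    if [ -s "$cfg" ]; then
        echo >> "$cfg"          # blank line between existing entries and ours
    fi
    cloudflared_stanza "$host" >> "$cfg"
    chmod 600 "$cfg"
}

# Demo on a scratch file (constructed); pass no second argument to use ~/.ssh/config.
demo_cfg=$(mktemp)
add_cloudflared_host "ssh-one.example.com" "$demo_cfg"
cat "$demo_cfg"
rm -f "$demo_cfg"
```

With the entry in place, `ssh <user>@<hostname>` goes through the tunnel and no `-p 2222` is needed. The file belongs on the machine running `ssh`, not inside the `tunnel` container.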

Oh, so (also please correct me if I’m wrong).

So what if I directly want to SSH inside the cloudflared container?

Is that possible? If “yes”, can you please help me with that?

Because if it is possible, then I can simply map my host’s files to a particular directory of cloudflared’s container and work with them without the need for the openssh-server container.

It is not possible. The cloudflared container does not have any SSH server application and is only a proxy for requests.

Hmm, my guess.

What is the best possible way?

If you want to use SSH without having cloudflared installed on the client, then you can try browser-rendered SSH: Add non-HTTP applications · Cloudflare Zero Trust docs


Okay, sounds good, I’ll give it a try.