Troubleshooting Argo Tunnel

I’m hosting a NextCloud instance behind a NGINX reverse proxy.

Everything works (ie: I’m able to get to the login page of nextcloud that’s hosted internally) when Cloudflare DNS CNAME record (nextcloud) is setup to be Proxied through my domain’s A record; however, when I change the CNAME to go through the Argo tunnel via the tunnel-id, I get a HTTP 502/Bad Gateway error. BTW, my Argo Tunnel is setup and working as I’m hosting other internal services via the tunnel.

To summarize, when accessing internal service like NextCloud via Cloudflare Proxy that goes through my reverse proxy, things work; however, when going through the Argo Tunnel (ie: by passing the nginx reverse proxy), I get a Bad Gateway error.

Any ideas why this could be happening?

On your machine running the cloudflared instance if you do something like curl -Ikv https://www.example.com -resolve www.example.com:443:my.internal.ip.address does that work?

If you do a dig for whatever hostname you’ve specified as the origin for that host on the machine running cloudflared does it resolve to the proper host/IP?

Thanks so much for a quick response!

I wanted to confirm the command syntax:

curl -Ikv https://nextcloud.mydomain.com -resolve nextcloud.mydomain.com:443:192.168.2.20

?

Doing a ‘dig nextcloud.mydoman.com’ does return two A records for Cloudflare Proxy:

I doubt that this is a DNS resolution issue since I can access the internal service via the Cloudflare Proxy. The issue might be more Tunnel related.

curl -Ikv https://nextcloud.mydomain.com --resolve nextcloud.mydomain.com:443:192.168.2.20

needs an extra dash… my apologies… it’s been a long week.

TGIF !!

Command Run:

curl -Ikv https://nextcloud.mydomain.com -resolve nextcloud.mydomain.com:444:192.168.2.20

Please note that the target origin port is running https on 444 (instead of the default 443).

Here’s the output with the exact domain & IPs masked and/or changed:

`* Added nextcloud.mydomain.com:444:192.168.2.20 to DNS cache

• Trying 2606:4700:XXXX:XXXX:XXXX:443…
• Connected to nextcloud.mydomain.com (2606:4700:XXXX:XXXX:XXXX) port 443 (#0) ALPN, offering h2 ALPN, offering http/1.1 successfully set certificate verify locations:
• CAfile: none
• CApath: /etc/ssl/certs
• TLSv1.3 (OUT), TLS handshake, Client hello (1):
• TLSv1.3 (IN), TLS handshake, Server hello (2):
• TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
• TLSv1.3 (IN), TLS handshake, Certificate (11):
• TLSv1.3 (IN), TLS handshake, CERT verify (15):
• TLSv1.3 (IN), TLS handshake, Finished (20):
• TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
• TLSv1.3 (OUT), TLS handshake, Finished (20):
• SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
• ALPN, server accepted to use h2
• Server certificate:
• subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
• start date: Jan 21 00:00:00 2021 GMT
• expire date: Jan 20 23:59:59 2022 GMT
• issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
• SSL certificate verify ok.
• Using HTTP2, server supports multi-use
• Connection state changed (HTTP/2 confirmed)
• Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
• Using Stream ID: 1 (easy handle 0x47c540)

HEAD / HTTP/2
Host: nextcloud.mydomain.com
user-agent: curl/7.73.0
accept: /

• TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
• TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
• old SSL session ID is stale, removing
• Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
  < HTTP/2 302
  HTTP/2 302
  < date: Fri, 19 Feb 2021 22:15:45 GMT
  date: Fri, 19 Feb 2021 22:15:45 GMT
  < set-cookie: __cfduid=d3567801cea1567587c21fbf78f1715931613772945; expires=Sun, 21-Mar-21 22:15:45 GMT; path=/; domain=.mydomain.com; HttpOnly; SameSite=Lax
  set-cookie: __cfduid=d3567801cea1567587c21fbf78f1715931613772945; expires=Sun, 21-Mar-21 22:15:45 GMT; path=/; domain=.mydomain.com; HttpOnly; SameSite=Lax
  < access-control-allow-credentials: true
  access-control-allow-credentials: true
  < cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  < expires: Thu, 01 Jan 1970 00:00:01 GMT
  expires: Thu, 01 Jan 1970 00:00:01 GMT
  < location: https://lockdown.cloudflareaccess.com/cdn-cgi/access/login/nextcloud.mydomain.com?meta=eyJraWQiOiI1MjEyYzNmOWVlY2YyMmMxMDg2YjAyZjAyMzA2MDYzODhlM2JkNGRiYmUyZmFiYWNmMDVhOWE5OWM1ZWU4YWFjIiwiYWxnIjoiUlMyNTYiLCJ0eXAiOiJKV1QifQ.eyJhdXRoX3N0YXR1cyI6Ik5PTkUiLCJzZXJ2aWNlX3Rva2VuX2lkIjoiIiwic2VydmljZV90b2tlbl9zdGF0dXMiOmZhbHNlLCJpYXQiOjE2MTM3NzI5NDUsIm5iZiI6MTYxMzc3Mjk0NSwiaXNfZ2F0ZXdheSI6ZmFsc2UsInR5cGUiOiJtZXRhIiwiaXNfd2FycCI6ZmFsc2UsImF1ZCI6IjU3ODI2NGZmNjRiODMxMmVkMDUwODNlZjY2MTg1MjUwZmM1NGY4ZGJmMzUzZDI4ZWNhYzczMTdlMDI1ZmYyMTAifQ.p-qI9L0-85du-WBqoNd1789hXJHqtFG4y8DuHixGjpp7kQAwBJoAwqJf4nu6tK9Hlxj8Cv8wXC5O1vGuHUL8PGB849o32h13doRaNcXFknLg1PeFCb2rzyXwTPWe7jzVuLtgB4aq5Xl6TaUHbeV3VFUx71OBx1oo0Cu3WdxP8GGBRGIAFgbDrta5YPcDqgkx_DpKN4c33mNEvFdSBwkKQy34ItZP1Q1GOtlNmvBKHrX_9sdi9-cB4mlriSlYvtmZEwjS0dYBfWmhj2AQG937IDpX7RKfoyYA-vj5qhpC2cpBaEktbTGQ1_syN99-zCvXNMMznYykHGxVbDA2cQsz3g&kid=578264ff64b8312ed05083ef66185250fc54f8dbf353d28ecac7317e025ff210&redirect_url=%2F
  location: https://lockdown.cloudflareaccess.com/cdn-cgi/access/login/nextcloud.mydomain.com?meta=eyJraWQiOiI1MjEyYzNmOWVlY2YyMmMxMDg2YjAyZjAyMzA2MDYzODhlM2JkNGRiYmUyZmFiYWNmMDVhOWE5OWM1ZWU4YWFjIiwiYWxnIjoiUlMyNTYiLCJ0eXAiOiJKV1QifQ.eyJhdXRoX3N0YXR1cyI6Ik5PTkUiLCJzZXJ2aWNlX3Rva2VuX2lkIjoiIiwic2VydmljZV90b2tlbl9zdGF0dXMiOmZhbHNlLCJpYXQiOjE2MTM3NzI5NDUsIm5iZiI6MTYxMzc3Mjk0NSwiaXNfZ2F0ZXdheSI6ZmFsc2UsInR5cGUiOiJtZXRhIiwiaXNfd2FycCI6ZmFsc2UsImF1ZCI6IjU3ODI2NGZmNjRiODMxMmVkMDUwODNlZjY2MTg1MjUwZmM1NGY4ZGJmMzUzZDI4ZWNhYzczMTdlMDI1ZmYyMTAifQ.p-qI9L0-85du-WBqoNd1789hXJHqtFG4y8DuHixGjpp7kQAwBJoAwqJf4nu6tK9Hlxj8Cv8wXC5O1vGuHUL8PGB849o32h13doRaNcXFknLg1PeFCb2rzyXwTPWe7jzVuLtgB4aq5Xl6TaUHbeV3VFUx71OBx1oo0Cu3WdxP8GGBRGIAFgbDrta5YPcDqgkx_DpKN4c33mNEvFdSBwkKQy34ItZP1Q1GOtlNmvBKHrX_9sdi9-cB4mlriSlYvtmZEwjS0dYBfWmhj2AQG937IDpX7RKfoyYA-vj5qhpC2cpBaEktbTGQ1_syN99-zCvXNMMznYykHGxVbDA2cQsz3g&kid=578264ff64b8312ed05083ef66185250fc54f8dbf353d28ecac7317e025ff210&redirect_url=%2F
  < cf-request-id: 085df60fc10000cf001c2ac000000001
  cf-request-id: 085df60fc10000cf001c2ac000000001
  < expect-ct: max-age=604800, report-uri=“https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct”
  expect-ct: max-age=604800, report-uri=“https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct”
  < report-to: {“endpoints”:[{“url”:“https://a.nel.cloudflare.com/report?s=KruGw3mAmQ7JuAsVR0zWJqI6N0U96CkM3uO%2FrIogiCgX6Gp3tTubJeKuRyPfloVHtyOTG8Wb%2F%2FrEXl0c%2FARjS0b%2FMAm8I7g3K76z4DLkTgtswa3Y477q%2F6OZP23RkKhy5E4%3D"}],“max_age”:604800,“group”:"cf-nel”}
  report-to: {“endpoints”:[{“url”:“https://a.nel.cloudflare.com/report?s=KruGw3mAmQ7JuAsVR0zWJqI6N0U96CkM3uO%2FrIogiCgX6Gp3tTubJeKuRyPfloVHtyOTG8Wb%2F%2FrEXl0c%2FARjS0b%2FMAm8I7g3K76z4DLkTgtswa3Y477q%2F6OZP23RkKhy5E4%3D"}],“max_age”:604800,“group”:"cf-nel”}
  < nel: {“report_to”:“cf-nel”,“max_age”:604800}
  nel: {“report_to”:“cf-nel”,“max_age”:604800}
  < server: cloudflare
  server: cloudflare
  < cf-ray: 6243592c6fa9cf00-IAD
  cf-ray: 6243592c6fa9cf00-IAD

<

• Connection #0 to host nextcloud.mydomain.com left intact`

Is your yml file pointing to something like https://192.168.2.20:444 ?

It’s pointing to https://localhost:444

What happens if you change it to this?