In your Cloudflare DNS dashboard, is your website grey or orange-cloud?
I’ve tried both.
orange-cloud → error 522 Cloudflare page
grey-cloud → redirected to my router page
I can’t figure out where the problem is; I have tried several configurations.
Internal TLS, Let’s Encrypt with the Cloudflare DNS module, Cloudflare origin, and I always get the same result.
So, Cloudflare can’t connect to your origin server.
Likely because you attempted to access your website from inside the same network your server is on, and the traffic went to your router (i.e. towards the internet).
Except that when the router receives the packets, it realises that the router itself is the destination! (i.e. your public IP address).
So it processes them as normal. Which, in a normal port-forwarding situation, would involve passing the traffic back to your web server. Except that because the traffic came from inside the local network, your router treats it as traffic for its own web GUI.
A common issue, solved by enabling hairpin NAT or by using split DNS, assuming your intent is to port forward to the web server. However, going back and looking at your original post…
I suspect you’ve betrayed the source of your problem here.
If you don’t have ports open, you will not be able to serve your website.
There is a way around this, but the DNS challenge on its own is only half the solution. The other half would be cloudflared / Argo Tunnel.
Oh yes… in the rush to secure everything I got lost.
Fantastic, that’s the solution.
I’ve studied cloudflared; it’s wonderful.
I tried first without Caddy to understand how it works. And wow, it worked: I was able to reach a server through my domain without opening a port. Fantastic.
But then I tried with Caddy and it doesn’t work.
```yaml
# cloudflared config
tunnel: x
credentials-file: x
logfile: clodflared.log
ingress:
  - hostname: gorcy.domain.x
    service: http://127.0.0.1:10000
```
```
# Caddyfile
gorcy.domain.x:10000 {
	tls {
		dns cloudflare ABCD
		resolvers 1.1.1.1
	}
	reverse_proxy http://192.168.1.7:9283
}
```
Not sure on this; I just discovered cloudflared, and I am now learning how to use Caddy.
Oh, and I forgot to say that in the Cloudflare DNS records I have only one CNAME named grocy with target (the tunnel UUID).cfargotunnel.com
Unfortunately, “it’s not working” doesn’t give enough information for me to make any guesses at how you could possibly troubleshoot. Is it timing out? Is it returning an error? Is it trying to redirect you?
I have one wild guess based off the configs:
Caddy is probably trying to use HTTPS on port 10000 because Caddy tries to be secure by default, however, you’ve configured your Argo Tunnel to proxy over HTTP-insecure.
You’ve already configured DNS validation, so instead of downgrading Caddy to HTTP-insecure, I’d suggest upgrading the Argo Tunnel proxy to use HTTPS instead.
P.S.
For the sake of ease of use, I just set:
```yaml
ingress:
  - service: https://caddy
```
As my ingress rule; literally a catch-all, since all web traffic will get sorted out by Caddy on my machine regardless of which hostname it’s for. That means I control which domains actually go here in DNS itself, by configuring which ones are CNAMEd to the specific named tunnel in Cloudflare.
This is a lot more similar to how things work without tunnels; using ingress rules with different hostnames is more useful for the kind of scenario where you don’t have Caddy and want cloudflared itself to handle the routing of multiple services.
Just tried, and now it shows me this error:
```
ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: remote error: tls: internal error" cfRay=69e494bca8b5374a-MXP ingressRule=0 originService=https://127.0.0.1:10000
```
And on the page: “Error 502 Bad gateway”.
Wow, this is very useful, but I don’t understand how to implement it.
Easy, just remove the hostname qualifier on your ingress rule.
For you it’d be like:
```yaml
- service: http://127.0.0.1:10000
```
That’d send all Argo Tunnel traffic to Caddy regardless of which hostname it’s for.
Then you just configure your hostnames in Caddy exactly like you would normally, all on port 10000.
```
sub1.example.com:10000 {
	# blah
}
sub2.example.com:10000 {
	# blah
}
```
Is there any output in Caddy logs for this event?
What was it doing before you made the change, exactly? Were there any cloudflared/Caddy logs from the previous issue?
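The mismatch diagnosed in the two replies above (an ingress rule that speaks plain HTTP to a port on which Caddy serves HTTPS, and a per-hostname ingress rule versus a catch-all) can be caught before starting the tunnel. The following is an added example, not code from this thread, Caddy or cloudflared: it reads a cloudflared config and a Caddyfile with small dependency-free parsers, normalises each Caddy site address to the scheme and port Caddy will actually use (HTTPS unless the address says `http://` or uses port 80), and reports any ingress service URL whose scheme disagrees with the Caddy site on that port. The config texts are constructed samples modelled on the ones posted above; the `ABCD` token is a placeholder.

```python
"""Added example: check cloudflared ingress rules against Caddy site addresses."""
from urllib.parse import urlsplit

# Constructed sample: the pair as originally posted (http:// ingress, HTTPS site).
CLOUDFLARED_HTTP = """\
tunnel: x
credentials-file: x
ingress:
  - hostname: gorcy.domain.x
    service: http://127.0.0.1:10000
  - service: http_status:404
logfile: cloudflared.log
"""

# Constructed sample: the catch-all rule suggested above, pointing at HTTPS.
CLOUDFLARED_HTTPS_CATCHALL = """\
tunnel: x
credentials-file: x
ingress:
  - service: https://127.0.0.1:10000
"""

CADDYFILE = """\
gorcy.domain.x:10000 {
    tls {
        dns cloudflare ABCD   # placeholder token
    }
    reverse_proxy http://192.168.1.7:9283
}
"""


def parse_ingress(text):
    """Minimal parser for the flat hostname:/service: list under 'ingress:'.
    Dependency-free on purpose; nested originRequest blocks are not handled."""
    rules, in_ingress = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        top_level = not raw[:1].isspace() and not line.startswith("-")
        if top_level:                       # a new top-level key ends the list
            in_ingress = line == "ingress:"
            continue
        if not in_ingress:
            continue
        if line.startswith("-"):            # "- key: value" starts a new rule
            rules.append({})
            line = line[1:].strip()
        if rules and ":" in line:
            key, _, value = line.partition(":")
            rules[-1][key.strip()] = value.strip()
    return rules


def _site_address(addr):
    """Normalise one Caddy site address using Caddy's defaults (no IPv6 literals)."""
    scheme = None
    if "://" in addr:
        scheme, addr = addr.split("://", 1)
    host, sep, port = addr.rpartition(":")
    if not sep:                             # no port in the address
        host, port = port, ""
    if scheme is None:
        scheme = "http" if port == "80" else "https"
    if not port:
        port = "80" if scheme == "http" else "443"
    return {"host": host, "port": port, "scheme": scheme}


def parse_caddy_sites(text):
    """Return the site addresses that open a block at brace depth 0."""
    sites, depth = [], 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0 and line.endswith("{"):
            for addr in line[:-1].replace(",", " ").split():
                sites.append(_site_address(addr))
        depth += line.count("{") - line.count("}")
    return sites


def check_ingress_against_caddy(cloudflared_text, caddyfile_text):
    """Return a list of findings; an empty list means the configs agree."""
    findings, sites = [], parse_caddy_sites(caddyfile_text)
    for rule in parse_ingress(cloudflared_text):
        service = rule.get("service", "")
        if "://" not in service:
            continue                        # http_status:, unix: etc. never reach Caddy
        url = urlsplit(service)
        port = str(url.port or (443 if url.scheme == "https" else 80))
        on_port = [s for s in sites if s["port"] == port]
        if not on_port:
            findings.append(f"{service}: no Caddy site address uses port {port}")
            continue
        for site in on_port:
            if site["scheme"] != url.scheme:
                findings.append(f"{service} speaks {url.scheme} but Caddy site "
                                f"{site['host']}:{site['port']} serves {site['scheme']}")
        hostname = rule.get("hostname")
        if hostname and hostname not in {s["host"] for s in on_port}:
            findings.append(f"hostname {hostname} goes to port {port}, but no "
                            f"Caddy site on that port is named {hostname}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", CLOUDFLARED_HTTP),
                       ("catch-all https", CLOUDFLARED_HTTPS_CATCHALL)):
        result = check_ingress_against_caddy(cfg, CADDYFILE)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run against the posted pair it reports the single scheme mismatch; against the catch-all `https://` rule it reports nothing, which is the combination the next reply settles on.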
Nope, standard:
```
2021/10/14 23:23:44.933 INFO using adjacent Caddyfile
2021/10/14 23:23:44.936 WARN input is not formatted with 'caddy fmt' {"adapter": "caddyfile", "file": "Caddyfile", "line": 1}
2021/10/14 23:23:44.942 INFO admin admin endpoint started {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["[::1]:2019", "127.0.0.1:2019", "localhost:2019"]}
2021/10/14 23:23:44.943 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc000665ab0"}
2021/10/14 23:23:44.943 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2021/10/14 23:23:44.949 INFO http enabling automatic TLS certificate management {"domains": ["gorcy.domain.x"]}
2021/10/14 23:23:44.982 INFO tls finished cleaning storage units
2021/10/14 23:23:44.982 INFO autosaved config (load with --resume flag)
2021/10/14 23:23:44.982 INFO serving initial configuration
```
Same log except the error. And in the browser, now that I’ve checked again, it says “Client sent an HTTP request to an HTTPS server.” (you were right). But before it was something like “can’t resolve hostname”.
Hmm.
What do you get from:
```
curl -IL --resolve gorcy.domain.x:10000:127.0.0.1 https://gorcy.domain.x:10000
```
```
curl: (7) Failed to connect to gorcy.domain.x port 10000: Connection refused
```
I note that your Caddy is in a Docker container.
Have you configured port 10000 to forward to the Caddy container?
Yes, I also tried without the external network “reverse-proxy”.
I noted that if I try to connect internally it shows “ERR_SSL_PROTOCOL_ERROR”.
Thanks for your help; now I have to go to sleep, but I would like to ask if it’s possible to extend the expiration time of the topic. Sweet dreams
Done.
I retried this and now the response is “curl: (60) SSL certificate problem: unable to get local issuer certificate”
How about:
```
curl -kIL --resolve gorcy.domain.x:10000:127.0.0.1 https://gorcy.domain.x:10000
```
(Note the addition of the `-k` flag)
```
HTTP/2 502
server: Caddy
date: Mon, 18 Oct 2021 08:03:06 GMT
```
So I have a problem with SSL?
And with the upstream server, apparently.
This could mean that your local root certificate store has issues of some kind.
I’m not sure how to proceed on a raspberry pi, exactly, but I’d probably look into troubleshooting your ca-certificates next?
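The curl ladder above separates three different failures that all look like “the site is down” from a browser: nothing listening on the port (curl error 7), a certificate the local CA store does not trust (curl error 60, which `-k` bypasses), and Caddy answering 502 because its own reverse_proxy upstream is unreachable. Here is that ladder as a script; it is an added example, not from the thread or Caddy. Like `curl --resolve`, it connects to a chosen IP while presenting the site name as SNI, tries a verified TLS handshake, falls back to an unverified one only to read the HTTP status, and collapses the outcome into tags matching the states seen in this thread. The SNI name, IP and port in the usage block are assumptions taken from the thread; `unused_local_port` is a constructed target for demonstrating the refused case offline.

```python
"""Added example: a curl-style origin probe with layered TLS diagnostics."""
import socket
import ssl


def http_head(tls, host, port):
    """Send a minimal HTTP/1.1 HEAD and return the numeric status, or None."""
    req = f"HEAD / HTTP/1.1\r\nHost: {host}:{port}\r\nConnection: close\r\n\r\n"
    tls.sendall(req.encode())
    head = b""
    while b"\r\n" not in head and len(head) < 4096:
        chunk = tls.recv(1024)
        if not chunk:
            break
        head += chunk
    parts = head.split(b"\r\n", 1)[0].decode(errors="replace").split()
    return int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None


def probe_origin(sni_host, ip, port, timeout=3.0):
    """Connect to ip:port presenting sni_host, like curl --resolve, and record
    how far the connection gets at each layer."""
    r = {"tcp": False, "tls_verified": None, "tls_insecure": None,
         "status": None, "error": None}
    # 1. Plain TCP connect: curl (7) "Connection refused" stops here.
    try:
        socket.create_connection((ip, port), timeout=timeout).close()
        r["tcp"] = True
    except OSError as exc:
        r["error"] = f"tcp: {exc}"
        return r
    # 2. TLS verified against the local CA store (plain curl, no -k).
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni_host) as tls:
                r["tls_verified"] = True
                r["status"] = http_head(tls, sni_host, port)
                return r
    except ssl.SSLCertVerificationError as exc:   # curl (60)
        r["tls_verified"] = False
        r["error"] = f"verify: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:        # not a TLS server, reset, etc.
        r["tls_verified"] = False
        r["error"] = f"tls: {exc}"
        return r
    # 3. Certificate untrusted: retry without verification (curl -k) purely
    #    to read the HTTP layer; never do this for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni_host) as tls:
                r["tls_insecure"] = True
                r["status"] = http_head(tls, sni_host, port)
    except (ssl.SSLError, OSError) as exc:
        r["tls_insecure"] = False
        r["error"] = f"tls (insecure): {exc}"
    return r


def verdict(r):
    """Collapse a probe result into the states seen in the thread."""
    if not r["tcp"]:
        return ["refused"]            # port mapping / forwarding problem
    if r["tls_verified"] is False and r["tls_insecure"] is not True:
        return ["tls_protocol"]       # handshake fails even with -k
    tags = []
    if r["tls_verified"] is False:
        tags.append("untrusted_cert")  # fix the CA store, not the server
    if r["status"] == 502:
        tags.append("upstream_down")   # Caddy is up; its reverse_proxy target is not
    elif r["status"] is not None and r["status"] < 400:
        tags.append("ok")
    elif r["status"] is not None:
        tags.append(f"http_{r['status']}")
    return tags or ["unknown"]


def unused_local_port():
    """Constructed target for the refused case: a loopback port nobody listens on."""
    try:
        with socket.socket() as s:
            s.bind(("127.0.0.1", 0))
            return s.getsockname()[1]
    except OSError:
        return 1


if __name__ == "__main__":
    # Assumed values from the thread: SNI gorcy.domain.x, origin 127.0.0.1:10000.
    result = probe_origin("gorcy.domain.x", "127.0.0.1", 10000)
    print(result)
    print("verdict:", verdict(result))
```

Against the responses quoted above, the script would return `["refused"]` for the first curl run and `["untrusted_cert", "upstream_down"]` for the second, which points at two independent problems: the container’s CA bundle and the reverse_proxy target.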
I’m trying with Cloudflare Origin CA and the DNS-01 challenge, but neither resolves the problem. So I decided to try everything from the start, without cloudflared and with port 10000 opened on my router, but when I try to connect it says “ERR_NAME_NOT_RESOLVED”.
This is the configuration:
```
gorcy.mydomain.x:10000 {
	tls /cert/certificate.pem /cert/key.pem
	reverse_proxy http://127.0.0.1:9283
}
```
And on Cloudflare DNS:
A | mydomain.x → my IP
CNAME | gorcy → mydomain.x