
Need help creating a tunnel w/ specific port

Open jschwalbe opened this issue 4 years ago • 18 comments

Hello,

I'm diving into Cloudflare tunnels, and trying to get my Home Assistant instance to tunnel correctly, but having problems.

I use a non-standard port for the Home Assistant (HA) server, 9120, and all my things are already connecting to that port, so I'd rather not have to change it.

I've successfully managed to create a tunnel using the following config:

tunnel: HA
credentials-file: /home/js/.cloudflared/[the-numbers].json

ingress:
  - hostname: subdomain.domain.com
    service: https://subdomain.domain.com:9120
  - service: http_status:404

This partially works. I can connect to https://subdomain.domain.com:443 (and http on 80), plus various other ports as outlined in this doc. But I cannot connect to https://subdomain.domain.com:9120, which is the ultimate goal here.

Is this possible? How? :) Thanks!

jschwalbe avatar Aug 08 '21 02:08 jschwalbe

Also.. I'd like to DISABLE connecting to it from any other port besides 9120. Is this possible, too? Thanks again!

jschwalbe avatar Aug 08 '21 02:08 jschwalbe

@jschwalbe I have similar set up of different internal servers - a mix of HA, HomeBridge, DNS server, NAS - all running on custom ports. For the service section, try providing the internal ip address. For example, my set up for homebridge is as

service: 192.168.1.112:8581

The config.yml is essentially telling the tunnel internally how the external request should resolve. My understanding is that the service should be your internal ip:port. The whole idea is to hide your internal services and eliminate port forwarding and exposing it to the outside world. So in this manner, only the request coming to subdomain.domain.com will get connected to 9120. You can even go a step further by putting firewall rules at your router side to only accept requests coming from the cloudflare ip list. There is a document on the cloudflare blog site which provides that ip list. If someone tries to impersonate a cloudflare call, then your router can block it.

appler1d3r avatar Aug 08 '21 03:08 appler1d3r
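The router-side allowlist suggested above only matters when an origin port is actually reachable from the internet (a tunnel opens no inbound port, so there is nothing to allowlist). As an added example that is not part of this thread or of cloudflared, here is a small Python helper that checks whether a source address falls inside an allowed set of networks and renders nft rules that accept a port only from those networks. The CIDR ranges are constructed documentation prefixes standing in for the published Cloudflare list, which you would fetch and reload yourself; the table and chain names are assumptions.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 / RFC 3849 documentation prefixes).
# They stand in for the published Cloudflare IP list, which changes over time
# and must be fetched from Cloudflare and reloaded regularly.
PLACEHOLDER_CLOUDFLARE_RANGES = [
    "198.51.100.0/24",   # constructed, TEST-NET-2
    "203.0.113.0/24",    # constructed, TEST-NET-3
    "2001:db8::/32",     # constructed, IPv6 documentation prefix
]


def parse_ranges(cidrs):
    """Parse CIDR strings into network objects; strict=True rejects host bits set in the prefix."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_allowed_source(ip, networks):
    """True if ip lies inside one of the allowed networks of the same IP version."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks if net.version == addr.version)


def nft_rules(networks, port, table="inet filter", chain="input"):
    """Render nft rules: accept `port` from the allowlist, then drop it from everyone else.

    The table/chain names are assumptions; adjust them to the ruleset on your router.
    """
    v4 = [str(n) for n in networks if n.version == 4]
    v6 = [str(n) for n in networks if n.version == 6]
    rules = []
    if v4:
        rules.append(f"add rule {table} {chain} ip saddr {{ {', '.join(v4)} }} tcp dport {port} accept")
    if v6:
        rules.append(f"add rule {table} {chain} ip6 saddr {{ {', '.join(v6)} }} tcp dport {port} accept")
    # The final drop rule is what turns the allowlist into a real restriction.
    rules.append(f"add rule {table} {chain} tcp dport {port} drop")
    return rules


if __name__ == "__main__":
    nets = parse_ranges(PLACEHOLDER_CLOUDFLARE_RANGES)
    for sample in ("203.0.113.7", "192.0.2.1", "2001:db8::1"):
        print(sample, "allowed" if is_allowed_source(sample, nets) else "blocked")
    print("\n".join(nft_rules(nets, 443)))
```

Source-IP filtering alone does not prove a request came through Cloudflare (anything that reaches you from one of those ranges passes), so on an exposed origin it is normally paired with origin certificate checks such as the authenticated origin pulls mentioned later in this thread.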

@appler1d3r thanks for the insightful reply, I’m done tinkering for the night, but one question, does your setup work such that hitting your-domain.com:8581 loads what you want? (In other words just drop the preceding https:// from my config?)

edited to also ask: does your setup prevent your-domain.com:443 from replying?

i get that it’s “security by obscurity” but I’d still feel better if it didn’t reply on all those ports!

jschwalbe avatar Aug 08 '21 03:08 jschwalbe

@jschwalbe, nope. Because your-domain.com:8581 is not exposed to the outer world like the traditional way. For that to work, I would have to expose 8581 through port forwarding, which I don't want to. Internally I access it through my internalip:8581. I do have hosts files on the machines that I access that server with, with custom domain names for my internal ips, and also on the router. So I access internally with something like this: homebridge:8581 mynas:6001 mydns:8081. All my servers have fixed IPs.

appler1d3r avatar Aug 08 '21 03:08 appler1d3r

I don't think you can block 80 and 443 since they are the traditional http and https ports. For example, try youtube.com:443. But you can block other ports by setting up firewall rules on the cloudflare side. Refer to the doc link you posted in your first post.

appler1d3r avatar Aug 08 '21 03:08 appler1d3r

I’m not sure we’re on the same page. Hoping a dev can chime in.

Specifically on the page linked above “ If traffic for your domain is destined for a different port than listed above […]” it seems that other ports are available, but I cannot get it to work. Dev?

jschwalbe avatar Aug 08 '21 13:08 jschwalbe

For the service section, try providing the internal ip address. For example, my set up for homebridge is as

service: 192.168.1.112:8581

@appler1d3r 's response is bang on. This setup should work. It would route traffic meant for the domain specified in ingress to the locally addressed service in your origin.

Specifically on the page linked above “ If traffic for your domain is destined for a different port than listed above […]” it seems that other ports are available, but I cannot get it to work. Dev?

I'm not really sure I understand this problem. Do you want cloudflared to reject traffic from 443?

sudarshan-reddy avatar Aug 09 '21 09:08 sudarshan-reddy

The primary objective is to allow ingress to mydomain.com:8581.

jschwalbe avatar Aug 09 '21 11:08 jschwalbe

That can be achieved by pointing your local service address here:

ingress:
  - hostname: subdomain.domain.com
    service: <internal ip>:8581

sudarshan-reddy avatar Aug 09 '21 11:08 sudarshan-reddy

That doesn’t work - I get an error if I don’t specify a protocol, i.e. https://internalip:port

I’m on my phone doing this, so I'll get the error logs posted once I get home.

jschwalbe avatar Aug 09 '21 13:08 jschwalbe

Sorry. I wasn't clear. The service should contain the scheme.

So it'll be server: <scheme>:<internal ip>:8571

sudarshan-reddy avatar Aug 09 '21 14:08 sudarshan-reddy

Thanks. So clearly I’m doing something wrong.

Just to verify.. with the above setup you can connect to your domain at port 8571 (and not just 80 & 554)? For me there is no connection made at port 8571, but ports 80 & 554 work fine. Please verify.

jschwalbe avatar Aug 09 '21 17:08 jschwalbe

@jschwalbe, are you using cloudflare_tunnel ?

w35l3y avatar Aug 28 '21 10:08 w35l3y

@w35l3y I am not - just the binary on a server. I'm looking through the repo and it seems the same, but wrapped in a pretty container for HA. When using this, can you connect to https://example.mydomain.com:8123? Or is it still port 443? Thanks

jschwalbe avatar Aug 28 '21 11:08 jschwalbe

they will always be 80 or 443, but you can create as many subdomains as you want like so...

no-autoupdate: true
ingress:
  - hostname: example9120.mydomain.com
    service: http://local_ip:9120
  - hostname: example8123.mydomain.com
    service: http://local_ip:8123
  - hostname: example8571.mydomain.com
    service: http://local_ip:8571
  - service: http_status:404 # Leave it as is
tunnel: HA

w35l3y avatar Aug 28 '21 11:08 w35l3y
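The config above is the pattern the thread keeps coming back to: cloudflared picks an ingress rule by the requested hostname, and the port the visitor typed plays no part in the match. As an added example (not code from this thread or from the cloudflared project), here is a Python model of that first-match lookup plus a validator for the two mistakes raised earlier, a service without a scheme and a missing catch-all rule. The rules are embedded as already-parsed dictionaries mirroring the YAML; the scheme list and the single-label wildcard handling are assumptions that approximate cloudflared's behaviour rather than reproduce it exactly.

```python
import re

# Constructed rules, the YAML from the post above as it looks once parsed.
EXAMPLE_RULES = [
    {"hostname": "example9120.mydomain.com", "service": "http://local_ip:9120"},
    {"hostname": "example8123.mydomain.com", "service": "http://local_ip:8123"},
    {"hostname": "example8571.mydomain.com", "service": "http://local_ip:8571"},
    {"service": "http_status:404"},   # catch-all, must come last
]

# Assumed set of origin schemes and special services accepted by the validator.
SCHEMES = {"http", "https", "tcp", "ssh", "rdp", "unix", "smb"}
SPECIAL_SERVICE = re.compile(r"^(http_status:\d{3}|hello_world|bastion)$")
SERVICE_URL = re.compile(r"^([a-z][a-z0-9+.-]*)://(.+)$")


def validate_ingress(rules):
    """Return a list of problems; an empty list means the rules look usable."""
    problems = []
    if not rules:
        return ["ingress must contain at least one rule"]
    for i, rule in enumerate(rules):
        svc = rule.get("service")
        if not svc:
            problems.append(f"rule {i}: missing service")
            continue
        if SPECIAL_SERVICE.match(svc):
            continue
        m = SERVICE_URL.match(svc)
        if not m or m.group(1) not in SCHEMES:
            # This is the '192.168.1.112:8581' case: host:port with no scheme.
            problems.append(f"rule {i}: service {svc!r} needs a scheme, e.g. http://host:port")
    last = rules[-1]
    if "hostname" in last or "path" in last:
        problems.append("last rule must be a catch-all with no hostname or path")
    return problems


def _host_matches(pattern, host):
    """Assumed wildcard handling: '*' stands for one DNS label."""
    regex = "^" + re.escape(pattern).replace(r"\*", r"[^.]+") + "$"
    return re.match(regex, host) is not None


def resolve_ingress(rules, host, path="/"):
    """First-match lookup: host and path select the rule; the public port never does."""
    host = host.split(":")[0].lower()   # any :port the visitor typed is discarded
    for rule in rules:
        pattern = rule.get("hostname")
        if pattern and not _host_matches(pattern.lower(), host):
            continue
        path_re = rule.get("path")
        if path_re and not re.search(path_re, path):
            continue
        return rule["service"]
    return None


if __name__ == "__main__":
    print("problems:", validate_ingress(EXAMPLE_RULES))
    for h in ("example9120.mydomain.com:443", "example9120.mydomain.com:9120", "other.mydomain.com"):
        print(h, "->", resolve_ingress(EXAMPLE_RULES, h))
```

Running it shows the point the maintainers make: both example9120.mydomain.com:443 and example9120.mydomain.com:9120 resolve to the same internal service, so the only way to put a second origin port on the internet is a second hostname, not a second public port.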

Ok so I'm doing everything as right as possible, but it's apparently just not possible to do what I want. Again, the stated objective is to use a specific ingress port exposed to the world, rather than ports 80, 443, etc. For now I just picked one of the ports from the doc I linked to above, and using a firewall rule I'm able to deny everything besides that port.

jschwalbe avatar Aug 28 '21 12:08 jschwalbe

@jschwalbe did you manage to resolve this please? I currently expose port 443 and then use nginx (reverse proxy) locally to redirect a subdomain to my HA server, also on a non-standard port. My domain, DNS and certs are all managed by cloudflare and I use authenticated origin pulls to make sure to only let in connections via cf and not directly. I then use the cf firewall to only allow connections from my home country (UK) and a few other things to tighten things up as much as I can.

If I could get a tunnel to work I could close port 443 to the outside world, which would give me more peace of mind, as I'm just looking at all the attempts to gain access on port 443 in my pfsense logs now.....

Altycoder avatar Mar 08 '22 16:03 Altycoder

To be clear, Cloudflare Tunnel does not do what @jschwalbe and @Altycoder want. It forwards from a public subdomain to an internal ip:port on your private network or computer. It will not forward from public_host:port to internal_ip:port.

jacohend avatar Oct 27 '22 21:10 jacohend