Access tunnel to docker host results in 502s when trying to get to services
I configured an Access Tunnel that terminates in a cloudflare/cloudflared docker container on my docker host. Everything is running via docker compose. In the Access dash I have a tunnel setup for the same, with the connection from the docker host as the connector.
In the tunnel config I have two public hostnames configured for the two apps I want to share. I have the service for each pointing to https://localhost:8989 (as an example).
In Access I configured applications for the two services to publish with the application URLs pointing to the same public hostnames configured under the tunnel.
In my DNS records dash I have a pair of CNAMEs that match the applications and public hostnames, those CNAMEs point to the Argo tunnel identifiers.
On the docker side I have the three containers (cloudflared and the two applications) on the same network by themselves. The applications are publishing their ports, the same as I specified in the tunnel public hostnames services.
When I try to hit the services I initially get the Access authentication page, then once I authenticate instead of getting the requested service I'm getting a 502 error. The Ray IDs don't show me a ton other than the traffic being allowed.
When I look at the docker container logs for cloudflared I was seeing requests for the apps with an error of:
cloudflared | 2023-05-27T03:22:47Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 127.0.0.1:8989: connect: connection refused" cfRay=<RAYID>-SEA event=1 ingressRule=1 originService=https://localhost:8989
cloudflared | 2023-05-27T03:22:47Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 127.0.0.1:8989: connect: connection refused" connIndex=0 dest=https://myapp.mydomain.com/ event=0 ip=198.41.192.47 type=http
Any ideas?
I don't see those errors in the cloudflared container logs anymore, it shows no activity when I try to hit the apps now. I was thinking it might be a weird caching issue, so I made a custom cache rule for these hosts to bypass the cache. Nada.
Ok, I got it working, but I'm not a big fan of the solution. I changed the service addresses for the applications to the internal docker network IPs for the containers. So I guess the docker container only saw itself on localhost, which makes sense. I already have a network built using the host network so I can't build another, and I don't want the tunnel touching that network with the rest of the applications. Do I just have to live with this hacky solution? I set the applications with static IP assignments on the tunnel network in the docker compose file in the meantime.
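The underlying cause is that `localhost` inside the cloudflared container is that container's own loopback, so `dial tcp 127.0.0.1:8989` can never reach a sibling container. On a user-defined bridge network Docker's embedded DNS resolves compose service names, so the tunnel ingress can point at `http://app1:8989` instead of a pinned IP. The compose file below is an added example, not the original poster's file; the service names, images, port 8989 and the network name `tunnel` are assumptions for illustration.

```yaml
# Added example layout (not from the original thread). Names, images and
# ports are assumed for illustration.
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    command: tunnel --no-autoupdate run
    environment:
      # Remotely managed tunnel: token copied from the Zero Trust dash.
      - TUNNEL_TOKEN=${TUNNEL_TOKEN}
    networks:
      - tunnel
    restart: unless-stopped

  app1:
    image: example/app1:latest        # hypothetical image
    # No "ports:" entry is needed for cloudflared to reach this container;
    # it connects to the container port over the shared network. Publishing
    # the port would additionally expose the app on the host, which a
    # tunnel-only deployment normally wants to avoid.
    networks:
      - tunnel
    restart: unless-stopped

  app2:
    image: example/app2:latest        # hypothetical image
    networks:
      - tunnel
    restart: unless-stopped

networks:
  # User-defined bridge: service names resolve via Docker's embedded DNS.
  # Do not mark it "internal": cloudflared needs outbound access to the
  # Cloudflare edge from this network.
  tunnel:
    driver: bridge
```

With this layout, the public hostname service for each app in the tunnel configuration becomes `http://app1:8989` and `http://app2:<port>` (the container port, not a host-mapped one). If the origin actually serves HTTPS with a self-signed certificate, keep `https://app1:8989` and set the origin's "No TLS Verify" option, or better, give the origin a certificate whose name matches and set the origin server name accordingly. If the two apps need to talk to other containers on a different network, attach them to both networks rather than attaching cloudflared to the second one; cloudflared then only sees the services on `tunnel`.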