Include public domain to service behind Zero Trust when connected to WARP client.
Context: I have a tunnel calledIf I use the commandzt-gatewhich has a public hostname ofssh.mydomain.com -> ssh://10.0.0.30:22and a private hostname with10.0.0.30/32CIDR. I created anSSHself-hosted application that I can access SSH normally through SSH browser rendering. In my WARP client settings, I've selectedGateway with WARPand in my split tunnels configuration isInclude IPs and domainswith10.0.0.30/32CIDR andssh.mydomain.com. I'm asking for a SSH service but keep in mind that I have other non web/http services in the same way.
cloudflared access ssh --hostname ssh.mydomain.com --url localhost:1234 and login normally, I can SSH into localhost:1234 normally.
If I enable Zero Trust in my Windows WARP Client I can normally SSH into the same server using 10.0.0.30:22 address.
But, as I've configured a public hostname ssh.mydomain.com I still cannot do any connections using the domain, only from IP addresses. There's a doc page on how to do SSH (not all use cases for me, just an non-web example) (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/use-cases/ssh/#connect-to-ssh-server-with-warp-to-tunnel) which only shows examples connecting using IP addresses.
I thought that by using Include IPs and domains and including my desired domain, I could access these services using my public hostname, is it possible? If not, how can I create domains for non-http services I only want to access when connected to my warp client/cloudflared cli?
This CURL shows that it is not getting redirected to my local ip. At least I thought it should after my Include IPs and domains configuration.
Sorry If I blurred too much information, just trying to not leak sensitive information 🙂SSH · Cloudflare Zero Trust docs
The Secure Shell Protocol (SSH) enables users to remotely access devices through the command line. With Cloudflare Zero Trust, you can make your SSH …
21 Replies
anyone?
I'm confused on what you are trying to achieve.
@Cyb3r-Jok3 I've set up public hostnames for non http services on my tunnel configuration. However I cannot access them even when connected and authenticated through WARP. When i'm running
cloudflared tunnel --hostname ... cli, I provide the hostname and it binds correctly to a local port, but I'm never able to use it as a domain/hostname in a connection URL. (I now i'm not supposed to use the domain when using cloudflare access --hostname, but I think It's supposed to work when connected through WARP)Like being able to do
ssh ssh.example.com?@Cyb3r-Jok3, exactly
If you have browser rendered ssh then then it I believe it isn’t suppose to be possible. The reason is that Cloudflare is in front the of domain so it will block the ssh attempts to their IP. The only way is to use the
cloudflare access ssh —hostnameAlright, I understand about ssh, but, as I said above, my usecase is arbitrary TCP. Why only HTTP connetions work through public hostnames?
That’s just how is designed. The purpose of the
cloudflare access is to be able to route arbitrary TCPAlright, but there's any way to public expose arbitrary tcp?
There is not. Tunnels weren’t designed for it they are designed for secure TCP
I was learning about cloudflare spectrum, neither that would allow me?
Yeah spectrum is designed for arbitrary TCP but just keep in mind the cost of $1/GB for pay go plans
There's no special intergation with tunnels though, for spectrum you'd have to port forward / open firewall ports, and there is protocol restrictions for spectrum unless you're Enterprise
thanks! So no way at all to connect cloudflare tunnels to non http applications (without
cloudflared cli), even with warp, right??There is WARP Private Networking. It works more like a traditional VPN, allowing you to access Private IP Ranges you add to a tunnel, via that tunnel while connected to WARP. This still wouldn't be public access though, they'd need to install Warp and join your ZT team
https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/private-net/connect-private-networks/
You wouldn't be able to do ssh.example.com if ssh.example.com was your public hostname, but you could do ssh 10.0.0.1 if that's the internal IP of the server, or use some internal dns/dns overrides to have ssh.example.internal
Why only HTTP connetions work through public hostnames?It may help to explain better why that would not work. Tunnels use Cloudflare's normal HTTP Proxy, the public hostname shares the same IPs with a lot of other websites, Cloudflare uses HTTP's Server Name Identifier/or the Host Header to tell which website it should serve. For non-http traffic, Cloudflare has no idea where/how to route a generic tcp/udp connection, it just sees incoming connection to this ip/port from this ip/port, not enough info. cloudflared or warp provide extra context to make it work (although via different ways) (Above is only explaining the technical reason why CF couldn't just have that work, there are other product reasons as well) The workaround would be to assign each customer it's own IPv4/IPv6 addresses, then you know what customer each connection is bound for. That's what Spectrum does.
There is WARP Private Networking. It works more like a traditional VPNThanks! That's what i'm using right now.
It may help to explain better why that would not work.Awesome explanation!!! Now everything is clear. this makes a lot of sense, as DNS only tells which IP to connect and arbitrary TCP does not provide any ip information. Could I use a custom DNS configuration on WARP to resolve my hostname to the private IP from the tunnel? I can force a DNS query to be resolved from cloudflare by turning on
Split Tunnels to that scecific domain. Can I enable some sort of DNS filetring to resolve a different IP when the request comes from a WARP connected client?Back when I used Private Networking, I just modified my local hosts file (lol, was just easier), but I don't see any reason why you couldn't use Zero Trust DNS Policies to override hostnames to resolve as Internal IPs which go through the tunnel, or using some internal DNS Server via the aforementioned split tunnel/fallback function
Websockets starts with an http connection and then builds the tcp bridge, neither that should work, right?
Thanks for the helpful information in this discussion. Is this an accurate summary for the points brought up here?
- Cloudflare Tunnel:
- Provides a secure way to connect your resources to Cloudflare without a publicly routable IP address. [1^]
- A lightweight daemon in your infrastructure (
cloudflared) creates outbound-only connections to Cloudflare’s global network. [1^]
- Can connect HTTP web servers, SSH servers, remote desktops, and other protocols safely to Cloudflare. [1^]
- Can expose your HTTP resources to the Internet via a public hostname. [2^]
- Can also be configured to route traffic to multiple hostnames to multiple services in your environment. [2^]
- Can proxy connections to nonstandard ports[3^].
- Cloudflare Spectrum:
- Provides security and acceleration for any TCP or UDP based application, routing them through Cloudflare to mask the origin and protect it from DDoS attacks. [4^]
- Spectrum works as a layer 4 reverse proxy, establishing a proper TCP connection before traffic is proxied to the origin. This moves any impact of SYN or SYN-ACK reflection attacks to the Cloudflare edge. [6^]
- With Spectrum, your origin IP is concealed, preventing attackers from targeting your origin server directly. [6^]
- It's a global TCP and UDP proxy running on Cloudflare’s edge nodes, passing through the packets to the backend server. [7^]
- When a Spectrum application is created, it is assigned a unique IPv4 and IPv6 address, which may change over time[5^].
- The origin server must be publically reachable via the internet unlike CF tunnels. (?)
- [1^]: Cloudflare Tunnel · Cloudflare Zero Trust docs
- [2^]: Public hostnames · Cloudflare Zero Trust docs
- [3^]: Arbitrary TCP · Cloudflare Zero Trust docs
- [4^]: Cloudflare Spectrum · Cloudflare Spectrum docs
- [5^]: Protocols per plan · Cloudflare Spectrum docs
- [6^]: DDoS Protection for Spectrum · Cloudflare Spectrum docs
- [7^]: Configuration options · Cloudflare Spectrum docsi think so
Probably close enough, Spectrum is more up in the air/configurable then that though. And yes, the origin server has to be reachable by Cloudflare like a normal origin, no special integration with Tunnels.
Spectrum has filters for specific protocols like Minecraft, rdp, ssh, etc, which I believe actually validates the traffic conforms to that protocol, which is L7/application level in a way. Spectrum lets you pick if you want IPv4, IPv6, or both. You can use a proxy protocol to include more information on the traffic, you can have Cloudflare terminate tls on the edge, you can use Argo Smart Routing. You can use Spectrum with Static IPs as well. Spectrum is really cool, like a magical cloud firewall/port forwarder, sadly a lot of those fancy things are Enterprise, and Enterprise addons at that