Website not available with ssl/TLS enabled
My website suddenly isn’t available when tls/ssl (flexible) are enabled in Cloudflare tunnels. After signing in to https://emulate.SwoopingasaService.net, there is only a blank page.
27 Replies
Only ever use Full (Strict). It doesn't matter for tunnels, but you should set it anyway
We can't login, so can't exactly see that error. I would use dev tools (ctrl+shift+i) before logging in, check for any errors in console, and check the response details on the login request after you click sign in
Hi, that’s what I did. It gave me source mapping errors. This wasn’t occurring about a week ago and I didn’t change anything. All signs point toward this being something to do with cf tunnels
Source map errors are harmless in and of themselves, it's just helpful for debug, some people strip them though because they reveal info about your code. If you scroll up above those, is there anything else?
All I could find
If you open up dev tools before logging in, and then navigate to the network tab, and then click HTML on Firefox or Document on Chrome, you should be able to see a request with more info. I'd be curious of the status code and headers on it, I would just be very careful about not exposing anything sensitive because your login details are in that request (blur out any cookies/auth headers, don't show request body, etc)
Could also check cloudflared logs to see if it's failing in some way,
journalctl -u cloudflared -f --lines=1000
if on systemd (Ubuntu, Debian, and derivs)
Status is 200
Nothing in the logs on the cloudflare dashboard
Nothing showing up when I put that command in
if you're not logged in as root, probably need to prefix it with sudo, also has to be run where cloudflared is running, and I'm assuming Linux
could be cache or something else, what was cf-cache-status on the response headers?
There’s nothing in the logs at all
Both on what’s hosting the site and where the proxy container lies
I do notice in the headers section of dev tools, the cookie is set to http only
Could that be the issue?
Since this works perfectly fine without TLS
Ok so that fixed SOME of my issues. I allowed cookies from this site. Still getting a blank page, but it’s allowing the js plug-ins to function
http only just means only send the cookie over the headers, don't let it be accessible via JavaScript
nothing to do with http/https
Only thing I see in dev tools now is my site is using same site attributes for _session and token
It says to change Samesite to samesite=none
Ok gotcha
Nevermind back to square one now with source map errors
what do you mean it works without tls?
I can login and access the site when the tunnel security setting is set to “off” versus strict or flexible
You mean when you access the site over http, over the tunnel, it works, but not when you access the site over https, over the tunnel?
Yes
Sounds like your web server is misconfigured then
What are your public hostname settings?
no. Like I said, this was not an issue a week ago and I didn’t change anything. I even restored from a known working backup
Also TLS verification is disabled
What's your full public hostname settings?
HTTPS, TLS Verification disabled?
Yes
And I’ve played around changing all of them already to try and get it to work
If you connect locally, not going through the tunnel (if possible), does it work, over both http and https?
Just via the IP address? Yes
using http or https?
Both. Perhaps a domain name issue or something?
yea, could be related, some apps aren't made to be accessed over a reverse proxy. I pulled it down just to test and was unable to get it working at all over the tunnel, could only login locally, the auth process is a bit odd with the redirects, and it seems only really made for local access, with zero other config options.
It looks like it was getting stuck in the main app controller setup, it calls /api/auth but never moves on, I'm guessing it's swallowing an exception internally somewhere. Could try reaching out to the devs of it, explaining you're trying to run it behind a reverse proxy and running into something weird, or you could try WARP Private Networking which would still give you remote access, more difficult to set up though and requires installing/running WARP in the background
yikes. yeah I can let them know, but this was working a week or so ago so I can't imagine it's an issue with the site/app. I did mention it to them when it initially happened, but didn't get a response back for any fixes