Cloudflared Tunnel: Tunneling for custom ports
Can anyone please help me understand how I can expose custom ports (for example port 5432) or protocols (for example UDP) on a cloudflared tunnel?
I have tried to expose my database on the tunnel, so that other services can also access it. For this, I have:
Created a public hostname (say db.example.com) on the tunnel
Pointed the hostname to the service:
Type: TCP
URL: localhost:5432
Now I'm trying to access the database using a client, but I'm getting a connection timed out error.
10 Replies
You can't use public hostnames with non-HTTP protocols
+ WebSockets
But Cloudflare Tunnel is showing the option to create a tunnel with non-HTTP protocols like SSH, RDP or Bastion.
So, can't I create one for a database or UDP?
You can create Tunnels for non-HTTP services, but you can’t make them publicly routable
I didn't get it: if they can't be publicly routable, how can these services be used?
I mean, why is Cloudflare investing in bringing them under the public hostname feature of the tunnel?
For SSH at least, you can use the SSH WebUI. For the rest, I believe you have to use Spectrum to expose them
Basically because non-HTTP applications generally don't have a mechanism for identifying the hostname of an incoming connection, forcing them to dedicate an IP address to your application
Just asked internally, and when you add a non-HTTP protocol to your Public Hostname, it stands up a WebSocket server on that hostname that allows you to connect to the app via a local cloudflared instance
Please correct me if I'm wrong:
What I'm understanding is: suppose I host a non-HTTP service (like PostgreSQL) running on a port (say 5432) on an IP address (say 10.0.1.3), and assign a hostname (say example.com) to this IP address. Then, on the client machine I can't connect to the PostgreSQL instance using the hostname example.com:5432.
If this is so, then I guess there is a confusion, because we can connect to any service just by passing the hostname and corresponding port. Whereas in HTTP or HTTPS, we don't have to specify the port explicitly because modern browsers understand these protocols, and they themselves add the standard ports (80 for HTTP, and 443 for HTTPS) after the domain name.
Using the public hostname, I'm trying to access PostgreSQL from the same device on which the cloudflared tunnel and PostgreSQL are hosted, but pgAdmin is still getting a connection timed out error.
Basically, create a Public Hostname for your database as mentioned; to connect to it, you need an installation of cloudflared on your client machine, to translate from a WebSocket to regular TCP
You would run something like this:
Then you can connect to your DB via 127.0.0.1:5432
I see,
If I run the command:
Then on any device that has cloudflared, I will be able to access the non-HTTP service on port 5432, even if the device hosting the service and the client device are different.
Is that correct?
Yes. Note too that adding the hostname does not add any implicit security. Anyone will be able to target your Database directly via this URL if they know it. I would recommend adding some WAF rules to protect it/adding Access where possible
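The two halves of the setup the replies above describe (origin-side ingress rule, client-side cloudflared proxy, then a normal database client against the local listener), as an added example that is not code from the thread or from Cloudflare. It assumes hypothetical values: public hostname db.example.com, PostgreSQL listening on 127.0.0.1:5432 on the origin host, a local listener on 127.0.0.1:15432 on the client, and a database user/name of app/appdb. The client-side command is the documented `cloudflared access tcp` form, which turns the hostname's WebSocket endpoint back into raw TCP.

```shell
#!/usr/bin/env sh
# Added example, not code from the thread or from Cloudflare.
# Hypothetical values: db.example.com, 127.0.0.1:5432 (origin), 127.0.0.1:15432 (client).
set -eu

DB_HOSTNAME="${DB_HOSTNAME:-db.example.com}"
LOCAL_LISTEN="${LOCAL_LISTEN:-127.0.0.1:15432}"

# Origin side: the ingress rule cloudflared reads from its config.yml.
# "tcp://" marks the origin as raw TCP; the hostname is then only reachable
# through a cloudflared access client, not by pointing psql at db.example.com:5432.
# The final catch-all rule is mandatory or cloudflared refuses the config.
origin_ingress() { # hostname origin_host:port -> YAML on stdout
  cat <<EOF
ingress:
  - hostname: $1
    service: tcp://$2
  - service: http_status:404
EOF
}

# Client side: open a local TCP listener and forward each connection over a
# WebSocket to the public hostname. If an Access policy is attached to the
# hostname, this is the step that prompts for login and carries the token.
start_local_proxy() { # hostname listen_host:port -> prints background pid
  cloudflared access tcp --hostname "$1" --url "$2" &
  echo $!
}

# Poll until the local listener accepts connections (bash /dev/tcp; under a
# plain POSIX sh the open simply fails and the function times out).
wait_for_port() { # host port timeout_seconds -> 0 when open, 1 on timeout
  deadline=$(( $(date +%s) + $3 ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null && return 0
    sleep 1
  done
  return 1
}

main() {
  # Show the ingress rule the origin needs (deploy it there, not on the client).
  origin_ingress "$DB_HOSTNAME" 127.0.0.1:5432

  pid=$(start_local_proxy "$DB_HOSTNAME" "$LOCAL_LISTEN")
  trap 'kill "$pid" 2>/dev/null' EXIT
  wait_for_port "${LOCAL_LISTEN%:*}" "${LOCAL_LISTEN#*:}" 10

  # The DB client targets the local listener; the hostname never appears here.
  # sslmode=require keeps PostgreSQL's own TLS end to end; the WebSocket hop
  # does not replace the database's authentication.
  psql "postgresql://app@${LOCAL_LISTEN}/appdb?sslmode=require"
}

# Only run the full flow when explicitly asked; sourcing the file defines the
# functions without starting cloudflared.
if [ "${1:-}" = run ]; then
  main
fi
```

Run it as `sh script.sh run` on a client that has cloudflared installed. As the final reply notes, the hostname grants no protection by itself; attaching an Access application to db.example.com makes the `cloudflared access tcp` step authenticate before the tunnel accepts the WebSocket, and the database's own password/TLS requirements still apply behind it.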
Got it, thanks for the help. Got to learn something new