CD
Cloudflare Developers•9mo ago
quambo

Cloudflare Zero Trust on a VPS, Load Balancer, HTTPS

I'd like to set up 2 VPS with Hasura and cloudflared (via docker-compose), with all incoming traffic blocked, and a cloudflare load balancer listening to hasura.example.com, routing traffic to both VPS based on some rules. I'd like to have HTTPS working, without installing certs on hasura, so just let cloudflared handle it. Is this something that would work in theory? I've tried different things (like hooking up caddy in between, as reverse proxy and a lot of different configs), but I just can't get it to work. Most of the time, I end up with ERR_SSL_VERSION_OR_CIPHER_MISMATCH when trying to access hasura.example.com. Here is an example config using caddy (hope I don't even need caddy). With that config, I was at least able to connect the loadbalancer (to origin 100.90.0.5 on the virtual network). * SEE BELOW FOR EXAMPLE, POST WAS TOO LONG TO ADD IT HERE * Something I'm currently experimenting with is, without caddy, using cloudflared config to point the hostname to hasura docker container, but I'm not sure which origin I can then let point the loadbalancer to. 
tunnel: ...
credentials-file: ...
warp-routing:
    enabled: true

inngress: 
  - hostname: https://hasura.example.com/
    service: http://hasura:8080
  - service: http_status:404
tunnel: ...
credentials-file: ...
warp-routing:
    enabled: true

inngress: 
  - hostname: https://hasura.example.com/
    service: http://hasura:8080
  - service: http_status:404
Has anyone got an idea? Thanks!
11 Replies
quambo
quamboOP•9mo ago
version: "3.9"

services:
  hasura:
    container_name: hasura
    image: hasura/graphql-engine:v2.37.0
    ports:
      - "8080:8080"
    restart: always
    env_file:
      - .env
    environment:
      HASURA_GRAPHQL_ENABLE_CONSOLE: "false"
    networks:
      - cfzero
  caddy:
    container_name: caddy
    image: caddy:2.7.6-alpine
    depends_on:
      - "hasura"
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./certs:/certs
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config
    networks:
      cfzero:
        ipv4_address: 100.90.0.5
  tunnel:
    depends_on:
      - "caddy"
    container_name: tunnel
    image: cloudflare/cloudflared
    restart: unless-stopped
    command: tunnel run
    env_file:
      - .env
    networks:
      - cfzero

networks:
  cfzero:
    ipam:
      config:
        - subnet: 100.90.0.0/24
          gateway: 100.90.0.254

volumes:
  caddy_data:
  caddy_config:
version: "3.9"

services:
  hasura:
    container_name: hasura
    image: hasura/graphql-engine:v2.37.0
    ports:
      - "8080:8080"
    restart: always
    env_file:
      - .env
    environment:
      HASURA_GRAPHQL_ENABLE_CONSOLE: "false"
    networks:
      - cfzero
  caddy:
    container_name: caddy
    image: caddy:2.7.6-alpine
    depends_on:
      - "hasura"
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./certs:/certs
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config
    networks:
      cfzero:
        ipv4_address: 100.90.0.5
  tunnel:
    depends_on:
      - "caddy"
    container_name: tunnel
    image: cloudflare/cloudflared
    restart: unless-stopped
    command: tunnel run
    env_file:
      - .env
    networks:
      - cfzero

networks:
  cfzero:
    ipam:
      config:
        - subnet: 100.90.0.0/24
          gateway: 100.90.0.254

volumes:
  caddy_data:
  caddy_config:
Cyb3r-Jak3
Cyb3r-Jak3•9mo ago
That error typically means there is no SSL certificate covering the domain. Do you see one in your universal SSL certificate page?
quambo
quamboOP•9mo ago
Hmm.. right @Cyb3r-Jok3 , I supposed adding an LB with CF proxy would create the cert, thanks for the hint. Still interested in the best way to achieve what I need, do I need caddy with the CF origin cert setup or is it possible to just use cloudflared?
Cyb3r-Jak3
Cyb3r-Jak3•9mo ago
You can do http/https from cloudflared to the origin. Typically you would use something like caddy in front of it if you were using its features
quambo
quamboOP•9mo ago
Yeah, but I'm using caddy exclusively as reverse proxy to hasura, so can I https via cloudflared and proxy it to hasura via http? thanks for your help @Cyb3r-Jok3 , I find it very hard to find the right configs for LB + cloudflared + https, not much info around
Cyb3r-Jak3
Cyb3r-Jak3•9mo ago
Yeah you can
quambo
quamboOP•9mo ago
How does it work? Setting the cloudflared config to something like this: 
tunnel: ...
credentials-file: ...
warp-routing:
    enabled: true

inngress: 
  - hostname: https://hasura.example.com/
    service: http://hasura:8080
  - service: http_status:404
tunnel: ...
credentials-file: ...
warp-routing:
    enabled: true

inngress: 
  - hostname: https://hasura.example.com/
    service: http://hasura:8080
  - service: http_status:404
What origin am I supposed to point the LB to? How do I get a certificate?
No description
Cyb3r-Jak3
Cyb3r-Jak3•9mo ago
https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/routing-to-tunnel/lb/
Cloudflare Docs
Load balancers · Cloudflare Zero Trust docs
When you create a tunnel, Cloudflare generates a subdomain of cfargotunnel.com with the UUID of the created tunnel. You can treat …
Cyb3r-Jak3
Cyb3r-Jak3•9mo ago
The edge certificate will be auto issued
quambo
quamboOP•9mo ago
So, I need to leave the "Virtual Network" empty and use origin $tunnelID.cfargotunnel.com? thanks for linking the article going to try this out
quambo
quamboOP•9mo ago
neverlucky 😛 maybe need to try later
No description
Want results from more Discord servers?
Add your server