SSL Nginx CF Tunnel

Anyone know how I can route my tunnel to an HTTPS server via Nginx Proxy Manager? If I tunnel to port 80, this works, but obviously traffic is decrypted Cloudflare -> Server. If I tunnel to 443 (which is open), I get bad gateway. Thanks
24 Replies
Chaika
Chaika•8mo ago
If I tunnel to port 80, this works, but obvious traffic is decrypted Cloudflare -> Server
Most cases that's fine. The setup is really like this: User -> Encrypted -> CF -> Encrypted -> cloudflared (running on server) -> Unencrypted -> localhost (if your origin service is localhost). So if your origin service is on the same server as the one running cloudflared, it's not going over the network unencrypted.
if I tunnel to 443 (which is open), I get bad gateway
To troubleshoot that issue, would need more logs. You can run journalctl -u cloudflared -f --lines=100 if you're running it as a service to get some logs out of it. I would also try curl https://localhost:443 -k -vvv -o /dev/null on the machine running cloudflared to see if it can reach it
Exitium
ExitiumOP•8mo ago
Attached logs 🙂
Exitium
ExitiumOP•8mo ago
Second command:
```
* Trying 127.0.0.1:443...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS header, Unknown (21):
{ [5 bytes data]
* TLSv1.3 (IN), TLS alert, unrecognized name (624):
{ [2 bytes data]
* error:0A000458:SSL routines::tlsv1 unrecognized name
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (35) error:0A000458:SSL routines::tlsv1 unrecognized name
```
Thanks for your help
Chaika
Chaika•8mo ago
Guessing your NPM setup is configured for manage.exitium.uk? Does it work if you override the host header/SNI? curl --resolve manage.exitium.uk:443:127.0.0.1 https://manage.exitium.uk -k -vvv -o /dev/null
Exitium
ExitiumOP•8mo ago
Exitium
ExitiumOP•8mo ago
Not sure how to override the header, I'm sorry. I'm really not that experienced with nginx, which is why I'm using NPM for convenience. Oh, it's the command, one sec.
Exitium
ExitiumOP•8mo ago
@Chaika looks like a yes.
Chaika
Chaika•8mo ago
In your public hostname settings, under TLS -> Origin Server Name, try putting "manage.exitium.uk"; under HTTP Settings, put that under HTTP Host Header as well. This would mean you'd have to do this in the future for other subdomains / not use a single wildcard public hostname though... or you could just use HTTP instead of HTTPS; it's not like using HTTPS for localhost -> localhost gains you anything.
Exitium
ExitiumOP•8mo ago
Oh, I can't wildcard the TLS origin? The certificate is a wildcard though, is it not? So it worked with manage.exitium.uk as the origin.
Chaika
Chaika•8mo ago
Your web server wants to see manage.exitium.uk before it serves any certificate, as that's what you configured it to do.
Exitium
ExitiumOP•8mo ago
Is there a way I can allow the wildcard so I can just have one public hostname setup in CF tunnel? Domain *.exitium.uk -> SSL Origin *.exitium.uk -> https://localhost:443. Thanks for all your help again.
Chaika
Chaika•8mo ago
You could maybe configure NPM that way; the issue is on its end rather than cloudflared's/the tunnel's. Why not just use HTTP though? You're just wasting CPU cycles using HTTPS. cloudflared locally, running on the same machine as your web server (since it's localhost), is fine to do a plaintext HTTP connection since it's the same machine.
Exitium
ExitiumOP•8mo ago
Probably overthinking things, but I run a Safing.io Community Node on that same server, so I thought it best to not decrypt traffic, given that unregulated traffic flows through the same interface?
Chaika
Chaika•8mo ago
It's like a VPN exit node?
Exitium
ExitiumOP•8mo ago
Yeah, think of it as a Tor exit node; SPN is similar to Tor.
Exitium
ExitiumOP•8mo ago
Chaika
Chaika•8mo ago
I mean, in general, if you're running untrusted software on your machine you can have issues, in the sense that it could infect/take over your device, but I don't see any reason to be concerned about that messing with your traffic, as long as it can't fetch localhost/connect as well and bypass the tunnel. I would be careful though: does your current provider allow running Tor exit nodes / SPN exit nodes? Those types of services invite tons of spam. It only takes one abuser to use your node to attack someone or visit explicit material, and most VPS providers don't think twice about nuking your node/ending the relationship. That would be my bigger concern about running such a service alongside other stuff I care about.
Exitium
ExitiumOP•8mo ago
I am isolating where possible, so the SPN node is running dockerised, but I had to bind it to the host network as it needs access to the host interface (it's not designed for Docker). Other internal things are dockerised on their own isolated networks. I run Tailscale and Cloudflare Tunnel as daemons for development / public access to those containers.
Exitium
ExitiumOP•8mo ago
Actually, I'm not too sure, to be honest
Chaika
Chaika•8mo ago
Well, even if they do, most require you to tell them about it first so they know what to do when the hundreds of abuse complaints come piling in. Of course I'm taking that knowledge from Tor exits, but if SPN is anything close you'll end up with the same result.
Exitium
ExitiumOP•8mo ago
Alright I'll take a look, thanks for your help again
Chaika
Chaika•8mo ago
Sure, Tor has this guide here about exit nodes: https://blog.torproject.org/tips-running-exit-node/ I imagine a lot of it is applicable as well.
Exitium
ExitiumOP•8mo ago
Looks like they do allow it; I can't find anything in the terms and conditions against it, and there are a ton of people running Tor exit nodes on my provider. It doesn't say anywhere about informing them either, that I can see.
Chaika
Chaika•8mo ago
Hmm, might be fine then. Either way though, in terms of security of cloudflared -> HTTP over localhost: it's going over the loopback interface, not the internet-facing one. I'd be more concerned about the SPN node accessing local resources over HTTP or HTTPS / making sure it's properly restricted on that front.