Zero trust tunnel cannot access the database
I am using tunnel to expose local services.
I started a fastapi service locally and used tunnel to expose the service, and everything went well.
As you can see from the pictures, you can access the service smoothly whether you use localhost or the domain name (pic1, pic2, pic3).
Then I wanted to access the Postgres database through the tunnel as well, and I set it up (pic4).
However, in this case, if you use the domain name to connect to the database, it fails, but using localhost succeeds (pic5, pic6).
I don't know why this is happening. Maybe you would think that this might be caused by the database configuration, but I changed it and it didn't work.
Moreover, when I used another intranet penetration tool (natapp) to connect to the database via the domain name, it was successful (pic7, pic8).
27 Replies
Try to use the ip
Thanks for your suggestion, this doesn't work. Another thing I'm confused about is why the fastapi service can be accessed by domain name, but the database cannot.
Have you tried the 192.168.x or the 10.x IP?
Or is the IP address or so trusted in the pg_hba file?
Yes, I have tried it. And as you can see, the fastapi service I configured is localhost, which can be accessed normally.
hm
Prob. CloudFlare blocks the 5432 port?
😂 I have been trying for an afternoon.
I gave up implementing Pg like that. Just got a VPS installed a firewall that drops every request that is not CloudFlare Origin :shrugIdk:
OK, so I changed 5432 to 8999 to try it.
okay
for non-http protocols you need to use client software to be able to connect
?tunnel-tcp
Cloudflare Tunnels use Cloudflare's proxy, which only supports proxying HTTP Traffic. If you want to use non-http applications over your tunnel, Cloudflare has a few other options:
For a few specific protocols such as SSH, RDP, and SMB, Cloudflare has guides for them here:
https://developers.cloudflare.com/cloudflare-one/applications/non-http/
For Arbitrary TCP like Minecraft, MySQL, and any other tcp application, Cloudflare has a guide here: https://developers.cloudflare.com/cloudflare-one/applications/non-http/arbitrary-tcp/
For Arbitrary UDP like Minecraft Bedrock, SMTP, and any other udp application, you will need to use Private Networking with WARP: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/private-net/connect-private-networks/
Please note for all of these except SSH and VNC which can be browser-rendered, you will either need to use cloudflared (Cloudflare's tunnel daemon) on the client machine running in the background or Private Networking with WARP, and have WARP installed on the client machine logged into your Zero Trust Team.
:Excuse_me_what:
can't just connect via the hostname since it's going through normal proxy (CF would have no idea who the traffic on 8999 is bound for, unless they assigned a unique ip per tunnel or did some port assignment magic which would be expensive with how much each IPv4 costs these days/stepping on the feet of spectrum)
404😂
And how long it takes until you get it
Why is the fastapi service normal?
are you saying one of those links 404s ? They all seem fine to me
because it's HTTP
http has protocol-level mechanisms (SNI, Host Header) to allow CDNs to understand which website the connection is for without needing a unique ip/providing the identifying information for them
yes, it's ok.
Can you teach me how to expose my database service using cloudflare's service? Or you can give me some documentation, I will be very grateful!
I don't think it's possible.
What you can do is use Hyperdrive, but idk if that's really what you want.
what I linked above are docs on how to do it
?tunnel-tcp
You can either use the Arbitrary TCP guide (which uses cloudflared access to proxy the connection over a local port/ip), or the Private Networking with WARP guide (more setup, but more flexible)
Okay, thank you very much. I'm very happy to meet two enthusiastic friends. You have pointed me in the direction.
@Chaika @Akama Aka @ DoKomi ThankU