Prohibited IP through a Tunnel?
I'm getting this indication of some conflict. It recommends checking the A records for the "api" subdomain. The "api" subdomain DNS record points to a long string of text because it's proxying through a tunnel. So, there is no A record to check, it's a CNAME generated by the tunnel setup process.
A little context, I'm trying to self host from my house using Cloudflare to tunnel and for DNS.
The setup looks like this:
* The main example.com DNS entry points to a tunnel with the private side being the shared IP (/32) of 2 load balancers in the network that serve from 2 web servers behind them. This part works fine.
* Then there is a CNAME entry pointing to a second tunnel with the private side being the private IP (/32) of an api server in the same LAN. This does not work. I get either 403 or 1000 errors.
So basically if I go to the domain (example.com) it works, but if I go to the subdomain (api.example.com) it doesn't work.
I tried disabling all the WAF custom rules. Also tried making a SKIP all rule for anything coming from my public IP.
This seems like it should be a fairly straightforward setup. I'm sure I'm missing something small.
I appreciate any insight or leads.
9 Replies
From the tunnel logs, here is the request.
"originService": "https://api.example.com",
Shouldn't that be an internal URL, not the same URL again? Sounds like your tunnel is proxying back to Cloudflare.
I'm not sure I understand.
api.example.com -> tunnel -> webserver
It's not pointing back, I don't think. Maybe I don't understand what that means.
I'm visiting the site with a web browser. Why would it show that the API server is the origin?
I think originService is referring to the tunnel that api.example.com points to. That's the origin server that responds to the requests for that subdomain. No?
Or should it be a local IP address?
No, on my logs of the same I get
"originService": "http://web:3000",
Which is the local address of the service, so I would ask: what is the configuration on that tunnel in question? Specifically, what is the origin for the hostname set to? Because it sounds like it's wrong.
I think I've got it.
I do need to set the origin server to api.example.com because if it's set to the local host name, local IP or anything else, it doesn't match Cloudflare's origin certificate. In that case you get a handshake failure.
What I've done is add api.example.com to the hosts file so that it recognizes its own IP as the FQDN on the certificate.
Seems to be working now. Thanks for pointing this out. Very helpful!
Sure but for reference, this is how you're supposed to do that
I don't think the host one is 100% necessary but might as well - the TLS one is what will make your origin cert work.
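The two settings that reply refers to (the HTTP Host header and the TLS origin server name) are the `httpHostHeader` and `originServerName` options under `originRequest` in cloudflared's ingress configuration. The config.yml below is an added example written for this thread, not the poster's configuration and not taken from the original page; the tunnel ID, the credentials path and the 10.0.0.20 address are placeholders standing in for the second tunnel and the API server's private IP described above.

```yaml
# Added example (not the poster's config): cloudflared config.yml for the
# second tunnel in this thread. <TUNNEL-ID> and 10.0.0.20 are placeholders.
tunnel: <TUNNEL-ID>
credentials-file: /etc/cloudflared/<TUNNEL-ID>.json

ingress:
  - hostname: api.example.com
    # The origin is the API server's private address on the LAN. Pointing
    # this at https://api.example.com instead sends the request back out
    # through Cloudflare, which is the loop the log line above hints at.
    service: https://10.0.0.20:443
    originRequest:
      # SNI presented to the origin during the TLS handshake. This is what
      # lets a Cloudflare origin certificate issued for api.example.com
      # validate even though the connection is made to a raw IP.
      originServerName: api.example.com
      # Host header forwarded to the origin, for servers that pick a
      # virtual host by name.
      httpHostHeader: api.example.com
  # cloudflared requires a final catch-all rule.
  - service: http_status:404
```

With `originServerName` set, cloudflared still connects to the private IP but offers api.example.com as the SNI, so the origin certificate matches without any change on the API server itself. That avoids the hosts-file workaround from the thread, whose side effect is that every local lookup of api.example.com on that machine is redirected, not only the tunnel's.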
Oh! Got it. That makes sense. I didn't know about those settings. - I guess it makes sense to use those if you have Cloudflare doing the load balancing. In this case I have the two local load balancers, so they can't have the same hostname, and that upsets Cloudflare since it's only looking for the one hostname. I'm not sure if there are more settings to make that work, but tricking them with the hosts file seems to work.
Mmmm okay
Sounds like an unusual setup but if it works it works