Issue with Cloudflare Tunnel for MariaDB

Hello! I'd like my MariaDB server to use the domain dbs.example.com. So on the machine it is hosted from, it's proxied for TCP localhost:3306. Going onto another machine and connecting to it, I get a timeout issue. Same goes for my desktop. Any ideas?
43 Replies
Erisa
Erisa•6mo ago
?tunnel-tcp
Flare
Flare•6mo ago
Cloudflare Tunnels use Cloudflare's proxy, which only supports proxying HTTP traffic. If you want to use non-HTTP applications over your tunnel, Cloudflare has a few other options:
For a few specific protocols such as SSH, RDP, and SMB, Cloudflare has guides for them here: https://developers.cloudflare.com/cloudflare-one/applications/non-http/
For arbitrary TCP like Minecraft, MySQL, and any other TCP application, Cloudflare has a guide here: https://developers.cloudflare.com/cloudflare-one/applications/non-http/arbitrary-tcp/
For arbitrary UDP like Minecraft Bedrock, SMTP, and any other UDP application, you will need to use Private Networking with WARP: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/private-net/connect-private-networks/
Please note that for all of these except SSH and VNC, which can be browser-rendered, you will either need to use cloudflared (Cloudflare's tunnel daemon) on the client machine, running in the background, or Private Networking with WARP, and have WARP installed on the client machine logged into your Zero Trust team.
Zeanox
ZeanoxOP•6mo ago
So if I'm not mistaken, I need to make a direct tunnel on each end: one hosting, one accepting.
Erisa
Erisa•6mo ago
Yeah, the receiving end needs cloudflared.
Zeanox
ZeanoxOP•6mo ago
Fortunately it does. So MariaDB is on m2 and I need the host on m3.
Erisa
Erisa•6mo ago
It would be like
cloudflared access tcp --hostname mariadb.example.com --url 127.0.0.1:3306
Then that machine can access the proxied TCP through the tunnel at 127.0.0.1:3306. If the whole thing needs to run entirely headless, you can set up a service token:
--service-token-id value, --id value specify an Access service token ID you wish to use. [%TUNNEL_SERVICE_TOKEN_ID%]
--service-token-secret value, --secret value specify an Access service token secret you wish to use. [%TUNNEL_SER
Zeanox
ZeanoxOP•6mo ago
On the actual Cloudflare dash, do I remove the public hostname?
Zeanox
ZeanoxOP•6mo ago
[image attached, no description]
Erisa
Erisa•6mo ago
No, that hostname is the hostname that you put in --hostname on the receiving end. I would strongly encourage that you enforce Access on the hostname as well, btw, if not already.
Zeanox
ZeanoxOP•6mo ago
Sorry, I'm on about the host of the MariaDB server.
Erisa
Erisa•6mo ago
Yes, keep that. Then on the other end, use it in the cloudflared command.
Zeanox
ZeanoxOP•6mo ago
I'll set it up and then do that. Okay, one second, haha. Sorry, this is really confusing.
Erisa
Erisa•6mo ago
It definitely is confusing!
Zeanox
ZeanoxOP•6mo ago
So on the DB host I just keep that there, no issue. Now I'm going onto the machine I want to access the database on, and I do this!
Erisa
Erisa•6mo ago
Yeah, that's it.
Zeanox
ZeanoxOP•6mo ago
[image attached, no description]
Zeanox
ZeanoxOP•6mo ago
Would it be an issue to change it to 3307, or not? Or is it just binding that address to localhost 3307, so it won't cause an issue if I change the port? @Erisa
Erisa
Erisa•6mo ago
You can just change the port, it doesn't matter. That's where the return proxy is binding: whatever port you pick, traffic going to that port will be tunnelled to the other host.
Zeanox
ZeanoxOP•6mo ago
I see! Two more questions, sorry.
Zeanox
ZeanoxOP•6mo ago
[image attached, no description]
Zeanox
ZeanoxOP•6mo ago
For this it wouldn't be the domain anymore, it would be localhost:3307?
Erisa
Erisa•6mo ago
Yep.
Zeanox
ZeanoxOP•6mo ago
And regarding the authorisation, how am I able to do that?
Erisa
Erisa•6mo ago
That's MySQL auth, so it's whatever you had configured on the other end.
Zeanox
ZeanoxOP•6mo ago
Sorry, I meant the Access on the hostname,
Erisa
Erisa•6mo ago
Ah.
Zeanox
ZeanoxOP•6mo ago
as it's at a server level.
Erisa
Erisa•6mo ago
If you mean how do you configure Cloudflare Access: on the Zero Trust dashboard, go to Access and add an application on the same hostname.
Zeanox
ZeanoxOP•6mo ago
I understand that, but usually it brings you to a login page. How would that work? Or am I able to set it up to allow access only from m3, the tunnel? And currently, when running the tunnel on the client machine, I'm unable to process commands without stopping the machine for some reason.
Erisa
Erisa•6mo ago
Either it gives you the login page every time you use the command, or you set up service tokens and feed them to the command: https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/
Zeanox
ZeanoxOP•6mo ago
Got it. Then regarding running the tunnel, so it's just running in the background 24/7?
curl -H "CF-Access-Client-Id: <CLIENT_ID>" -H "CF-Access-Client-Secret: <CLIENT_SECRET>" https://app.example.com
That's the command for the service token there. I'd just set the app to tcp://example.example.com, or keep it as https?
Erisa
Erisa•6mo ago
For TCP apps you add it to cloudflared access tcp with these options:
--service-token-id value, --id value specify an Access service token ID you wish to use. [%TUNNEL_SERVICE_TOKEN_ID%]
--service-token-secret value, --secret value specify an Access service token secret you wish to use. [%TUNNEL_SERVICE_TOKEN_SECRET%]
Zeanox
ZeanoxOP•6mo ago
Got it! And running headless?
Erisa
Erisa•6mo ago
I don't think there's a native/easy way to run the command as a service in the background; you would have to find a way to do that your own way.
Zeanox
ZeanoxOP•6mo ago
So it always has to have that command running? I'm unable to close the shell or execute any commands if that's the case.
Erisa
Erisa•6mo ago
You can run it in the background; there are several ways to do that on Linux, including tmux, screen, pm2 or creating a systemd service. I wouldn't be able to tell you which would work best, but if you research how to run a command in the background you should find something.
Zeanox
ZeanoxOP•6mo ago
No worries, let me try it out 🙂 @Erisa Cloudflare Tunnels wouldn't have anything to do with SQLSTATE[HY000] [1045] Access denied for user 'test'@'localhost' (using password: YES), would they?
Erisa
Erisa•6mo ago
No, SQL auth is configured on the MariaDB server.
Zeanox
ZeanoxOP•6mo ago
MariaDB doesn't need to be accessed externally now, as it thinks it's running locally, just on the other machine, right? So without the application it works, and with it, it does not. I have allowed the policy to use the domain and allow on service token, and then the correct service token. Is there anything additional I need to add, as this is for TCP? @Erisa
Erisa
Erisa•6mo ago
Please try not to ping me so much for the same thing; it's annoying when I'm busy. "It does not" is vague: what doesn't work, and in what way? What issue/error are you experiencing?
Zeanox
ZeanoxOP•6mo ago
Sorry. When creating an application as you suggested, I set it up to allow service tokens and selected the token that is for the database. I applied it and restarted the machines, and they are unable to connect?
Erisa
Erisa•6mo ago
What's the output from the cloudflared access tcp .. command?
Zeanox
ZeanoxOP•6mo ago
Sorry for the late reply! That's the message I get now that the application is active:
Jul 23 16:39:58 ZeanoxM4 cloudflared[822]: 2024-07-23T15:39:58Z ERR failed to connect to origin error="websocket: bad handshake" originURL=https://example.mydomain.dev
Also, when the application is active it completely bricks the 3 servers and makes them incredibly slow.
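Editor's note (an added example, not part of the thread above and not from Cloudflare's documentation): the thread ends without a resolution, but the headless client setup Erisa describes, `cloudflared access tcp` on the connecting machine (m3) that listens on a loopback port and presents an Access service token, is naturally run as a systemd unit. Everything named here is an assumption for illustration: the hostname dbs.example.com from the opening post, the binary path /usr/local/bin/cloudflared, the unit name cloudflared-mariadb, the environment file path and the unprivileged `cloudflared` system user. The variable names TUNNEL_SERVICE_TOKEN_ID and TUNNEL_SERVICE_TOKEN_SECRET are the ones cloudflared's own help output above lists as the environment sources for --service-token-id and --service-token-secret.

```ini
# /etc/systemd/system/cloudflared-mariadb.service  (assumed path, on the client machine m3)
# Editor-added example: keeps a cloudflared Access TCP client running in the
# background so 127.0.0.1:3307 on this host is forwarded to MariaDB behind the tunnel.
[Unit]
Description=cloudflared Access TCP client for dbs.example.com (MariaDB)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Run as a dedicated unprivileged user (assumed name); create it once with:
#   useradd --system --no-create-home --shell /usr/sbin/nologin cloudflared
User=cloudflared
Group=cloudflared
# The service token comes from the environment, not the command line, so it does
# not appear in `ps` output or in the journal's ExecStart line. systemd reads this
# file as root before dropping privileges, so keep it root-owned and mode 0600:
#   TUNNEL_SERVICE_TOKEN_ID=<client id from the Zero Trust dashboard>
#   TUNNEL_SERVICE_TOKEN_SECRET=<client secret>
EnvironmentFile=/etc/cloudflared/mariadb-access.env
# --hostname is the public hostname kept on the tunnel (m2) whose origin is tcp://localhost:3306;
# --url is the local listener clients on this machine connect to (3307, as chosen in the thread).
ExecStart=/usr/local/bin/cloudflared access tcp --hostname dbs.example.com --url 127.0.0.1:3307
Restart=on-failure
RestartSec=5s
# The process only needs an outbound HTTPS connection and a loopback listener.
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=yes
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
```

Enable it with `systemctl daemon-reload && systemctl enable --now cloudflared-mariadb`, then connect with `mysql --protocol=TCP -h 127.0.0.1 -P 3307 -u test -p`. Two caveats follow from the thread itself. First, the Access application on the same hostname, with a policy that allows this service token, is what authenticates the client; if the client is started without a valid token while that application is active, the Access layer refuses the connection before it ever reaches MariaDB, so checking the `cloudflared access tcp` output (as Erisa asks) is the right first step. Second, the server-side cloudflared connects to the origin from localhost:3306, so MariaDB sees every tunnelled client as `'test'@'localhost'` (exactly the form in the 1045 error quoted above): the account's grant must match `localhost`/`127.0.0.1`, and MariaDB can no longer distinguish clients by source address, which is another reason to enforce Access on the hostname rather than leaving it open.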