Issue with Cloudflare tunnel for MARIADB
Hello!
I'd like my MariaDB server to use the domain dbs.example.com.
So on the machine it is hosted from, it's proxied for TCP localhost:3306.
Going onto another machine and connecting to it, I get a timeout issue.
Same goes for my desktop. Any ideas?
43 Replies
?tunnel-tcp
Cloudflare Tunnels use Cloudflare's proxy, which only supports proxying HTTP traffic. If you want to use non-HTTP applications over your tunnel, Cloudflare has a few other options:
For a few specific protocols such as SSH, RDP, and SMB, Cloudflare has guides for them here:
https://developers.cloudflare.com/cloudflare-one/applications/non-http/
For arbitrary TCP like Minecraft, MySQL, and any other TCP application, Cloudflare has a guide here: https://developers.cloudflare.com/cloudflare-one/applications/non-http/arbitrary-tcp/
For arbitrary UDP like Minecraft Bedrock, SMTP, and any other UDP application, you will need to use Private Networking with WARP: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/private-net/connect-private-networks/
Please note that for all of these except SSH and VNC, which can be browser-rendered, you will either need to use cloudflared (Cloudflare's tunnel daemon) running in the background on the client machine, or Private Networking with WARP, with WARP installed on the client machine and logged into your Zero Trust team.
So if I'm not mistaken I need to make a direct tunnel on each end
one hosting, one accepting
Yeah, the receiving end needs cloudflared
Fortunately it does
So MariaDB is on m2 and I need the host on m3
it would be like
cloudflared access tcp --hostname mariadb.example.com --url 127.0.0.1:3306
then that machine can access the proxied tcp through the tunnel at 127.0.0.1:3306
if the whole thing needs to run entirely headless you can set up a service token
on the actual Cloudflare dash, do I remove the public hostname?
no
that hostname is the hostname that you put in
--hostname
on the receiving end
I would strongly encourage that you enforce Access on the hostname as well btw, if not already
Sorry, I'm on about the host of the MariaDB server
yes
keep that
then on the other end, use it in the cloudflared command
I'll set it up and then do that
Okay, one second haha, sorry, this is really confusing
It definitely is confusing!
So on the DB host I just keep that there, no issue
now I'm going onto the machine I want to access the database on
and I do this!
yeah
that's it
Would it be an issue to change it to 3307?
or not
Or is it just binding that address to localhost 3307, so it won't cause an issue if I change the port? @Erisa
You can just change the port, it doesn't matter, that's where the return proxy is binding to
whatever port you pick, traffic going to that port will be tunnelled to the other host
I see! Two more questions, sorry
For this it wouldn't be the domain anymore
it would be localhost:3307
yep
And regarding the authorisation
How am I able to do that?
that's MySQL auth, so it's whatever you had configured on the other end
sorry, I meant the Access on the hostname
ah
as it's at a server level
if you mean how do you configure Cloudflare Access: on the Zero Trust dashboard, go to Access and add an application on the same hostname
I understand that, but usually it brings you to a login page
How would that work?
or am I able to set it up to allow access only from m3
the tunnel
And currently, when running the tunnel on the client machine, I'm unable to process commands without stopping the machine for some reason
Either it gives you the login page every time you use the command, or you set up service tokens and feed them to the command https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/
Got it. Then regarding running the tunnel, so it's just running in the background 24/7?
curl -H "CF-Access-Client-Id: <CLIENT_ID>" -H "CF-Access-Client-Secret: <CLIENT_SECRET>" https://app.example.com
That's the command for the service token there, I'd just set the app to tcp://example.example.com
or keep it as https?
for tcp apps you add it to
cloudflared access tcp
with these options:
got it! and running headless?
I don't think there's a native/easy way to run the command as a service in the background, you would have to find a way to do that on your own
so it always has to have that command running? I'm unable to close the shell or execute any commands if that's the case
You can run it in the background, there are several ways to do that on Linux, including tmux, screen, pm2 or creating a systemd service
I wouldn't be able to tell you which would work best, but if you research how to run a command in the background you should find something
No worries let me try it out 🙂
@Erisa Cloudflare Tunnels wouldn't have anything to do with
SQLSTATE[HY000] [1045] Access denied for user 'test'@'localhost' (using password: YES)
would it?
No
SQL auth is configured on the MariaDB server
MariaDB doesn't need to be accessed externally now, as it thinks it's running locally, just on the other machine, right?
So without the application it works and with it, it does not. I have allowed the policy to use the domain and allow on service token, and the correct service token is there. Are there any additional things I need to add, as this is for TCP?
@Erisa
Please try not to ping me so much for the same thing, it's annoying when I'm busy
"it does not" is vague - what doesn't work and in what way? What issue/error are you experiencing?
Sorry. When creating an application as you suggested, I set it up to allow service tokens and selected the token that is for the database. I apply it and restart the machines and they are unable to connect?
What's the output from the
cloudflared access tcp ..
command?
Sorry for the late reply! That's the message I get now that the application is active
Jul 23 16:39:58 ZeanoxM4 cloudflared[822]: 2024-07-23T15:39:58Z ERR failed to connect to origin error="websocket: bad handshake" originURL=https://example.mydomain.dev
Also, when the application is active it completely bricks the 3 servers and makes them incredibly slow