Issue with cloudflare access allowing my tcp service to other machines.

Hello! I successfully set up a cloudflare tunnel that goes from my m2 machine to m3 and m4. However i was told to use cloudflare access tokens in order to make everything more secure. The tunnels have been provided the user and key required however as soon as i deploy the application i seem to be getting issues. Jul 23 16:39:58 ZeanoxM4 cloudflared[822]: 2024-07-23T15:39:58Z ERR failed to connect to origin error="websocket: bad handshake" originURL=https://example.mydomain.dev/ Is there anything i am missing from the application i need to select or change? As well as that when the connection is active it completely bricks every single machine and makes them unusable. Any help would be greatly appriciated!
12 Replies
Chaika
Chaika•5mo ago
e cloudflare access tokens
You mean service tokens? I'm not sure how they would work with that, they require headers on the request to bypass access
failed to connect to origin error="websocket: bad handshake" originURL=https://example.mydomain.dev/
something's blocking the websocket entirely. Either a misconfigured policy to try to enforce tokens or something else on your website (like the waf, etc). Does it work without the policy?
As well as that when the connection is active it completely bricks every single machine and makes them unusable.
What command are you using?
Zeanox
ZeanoxOP•5mo ago
Thats the command that it runs i just restart the service And yeah sorry i do mean the service tokens. And it works completely fine without the policy 🙂
No description
Chaika
Chaika•5mo ago
show me the policy? Is it service auth?
Zeanox
ZeanoxOP•5mo ago
So in app launcher is disabled warp authentication and identity providers are disabled.
No description
No description
Chaika
Chaika•5mo ago
needs to be action: "Service Auth"
Zeanox
ZeanoxOP•5mo ago
Okay no worries and for the 401 responce just leave that off?
Chaika
Chaika•5mo ago
you could turn it on, doesn't matter too much, might make errors from cloudflared better. It's just a way if they don't meet the policy to 401 instead of giving it a login screen
Zeanox
ZeanoxOP•5mo ago
Amazing that has fixed it thank you so much for your help!!
Chaika
Chaika•5mo ago
"Allow" always forces identity / through an identity provider, even if the service auth policy let them through because they had the right headers, still needed to login to google/etc to get an identity. Service Auth lets you skip the identity part
Zeanox
ZeanoxOP•5mo ago
Ahh i understand, im assuming this wont be the case for ssh access? As id like to confirm both
Chaika
Chaika•5mo ago
it's just how policy actions work in general. What do you mean for ssh access?
Zeanox
ZeanoxOP•5mo ago
So next thing id be setting up is allowing certain users ssh access with the use of there warp device and a login However not too sure how it would work using an external terminal such as mobaxterm but we can only find out 🙂
Want results from more Discord servers?
Add your server