Subdomain not loading webserver
I recently switched my domain's DNS nameservers and settings to Cloudflare. It activated around an hour ago. Then my website started working with my regular domain. I added a subdomain record which points to my IP, which currently has a Docker container running. I tested my public IP with the port and sure enough that works. But when I test the subdomain that points to that IP it doesn't. Any ideas?
62 Replies
What's the exact error you get? Proxied or not? Can you share the url that doesn't work?
This site can’t be reached
Cloudflare says it's proxied
yeah i can share it
but first, does it have to do with the port not being 80 or 443?
on my docker container
myip:port worked
but not
subdomain:port
if it's proxied, yes. Cloudflare only supports specific ports through its proxy: https://developers.cloudflare.com/fundamentals/reference/network-ports/
and those specific ports have to match specific protocols
ok so I have to set up a reverse proxy no matter what. like specifying the port in the domain name won't do anything?
well specifying the port in the domain name when it's not supported won't do anything, like driving into a brick wall
you have other options though
lol
1. Disabling Proxy, you'd lose CF's ddos protection/waf/etc, if you want/need them, but then can do any protocol/port you want
2. If you can configure https/encryption on it (CF offers free 15 year certs that work just like normal ones under SSL/TLS -> Origin Server), you can use an Origin Rule to override the destination port, so that visitors would just type in your domain name (and default to https/443) and CF would connect to a different port invisibly
3. Use a normal port/reverse proxy like you said
4. Cloudflare Tunnels are another option, a piece of software that runs on your origin server and connects outbound to Cloudflare securely, and acts as a sort of magical reverse proxy, don't need to worry about encryption or anything like that with it, you can just tell it "point x subdomain to 127.0.0.1:9880" and requests go through the network, into the tunnel, and locally into that service
(those are 4 separate options, not steps, in case not clear lol)
that's really interesting. so yeah I just tested disabling the proxy, and that did in fact work, but I re-enabled it because I think I might use one of your other methods. I'm interested in 2 and 4 that you outlined. my origin server is a docker container btw so I'm not sure how I would do number 4
you could run the connector (cloudflared) on your host os and then just connect to the port your docker container exposes
ah i see
the connector cloudflared does have a docker container too and you can use docker networking to have cloudflared connect directly to the container, but docker networking is not something I know much about other than some people do it lol
lol i understand
well, that's interesting. though I think I might try option 2 since it seems simple for now, since I'm still testing my webserver, and it provides security.
so do i just set up the certificate in the origin server place?
if the container is your origin server, you'd set it up on it yea
so i add the certificate. do i have to touch my origin server at all?
Can have one issued under SSL/TLS -> Origin Server in the CF dash under your website, and can issue it just for that subdomain or wildcard, then treat it just like a normal certificate. Just make sure your SSL/TLS -> Overview Encryption mode is Full (Strict) and then after you get it set up on your origin (can connect directly to ensure it serves the origin cert), under Rules -> Origin Rules you make a simple rule matching your hostname (hostname equals mycoolsubdomain.example.com) and overwrite dest. port to your custom one
you need to modify your origin server to use https on that port and serve the certificate
oh. I'm not sure how I'd do that 😅 I'm using a pre-existing docker image
I'll look it up one sec
you mentioned using a reverse proxy before, if you're more familiar with that it's not a bad idea, I do the same for all my stuff, just stick nginx in front and do all the cert/etc stuff on there reverse proxying to the actual applications within
oh u have the certs on ur reverse proxy? well I was going to set up Traefik, a containerized reverse proxy, but I'm not very familiar with it. as of right now I'm not deploying the server, I'm just trying to configure it and such
> oh u have the certs on ur reverse proxy?
yes, except I do nginx on the host
so nginx is on the same computer as your other webservers?
I'm doing that as well for this
yeah maybe I will just use a reverse proxy
even if I have an app in a container, I just nginx on the host itself instead of containerizing it, just my preference
is nginx a pain to setup?
and also how do you run nginx like within what environment. on like terminal?
it can be.. interesting. it's very widely used though, errors aren't too confusing and there's lots of tutorials out there as well as helpful builders https://www.digitalocean.com/community/tools/nginx
just on debian 12, server so ssh only, no graphical yea, not sure if there is some sort of graphical ui for nginx but I've never even looked
do you use tmux or smth of the sort
so that you can close your terminal and let the server keep running
systemd services
it'll install itself as one if you install it normally
ah i see
thats interesting
ye I'm on Windows
so everything with servers is just that much less seamless
running docker on windows too, or just admining from windows?
running
unfortunately I have no Linux devices at my disposal
ah ok well that makes some options harder lol
anyway I don't use the computer I'm on right now too often besides gaming and such
yeah 😭
that's why I'm sticking with docker
since it's just known to be very easily deployable so I can basically follow any guide
probably a smart choice, and easiest would probably be to see if you can make whatever app you're trying to deploy use https/the certs, or maybe a tunnel? You can run cloudflared/the connector on Windows but I have no idea how networking between it running on your host and connecting to the container would work, hopefully it'd be just as simple as connecting locally
oh I didn't think I had to deploy the certs on the container if I were using a reverse proxy
if you were using a reverse proxy you wouldn't, could just set up on the proxy
kk got it. sorry for my ignorance, but what is a tunnel and what does the cloudflared connector thing do?
on this page I see smth similar https://www.reddit.com/r/Traefik/comments/13fjlsk/recommended_setup_for_traefik_using_cloudflare/
Traefik is a reverse proxy so idk why Cloudflare tunnels are useful / what they are
if you know ngrok, the easiest explanation is that. Otherwise the idea is basically you run a piece of software on your end (cloudflared) and it connects to the closest CF locations and establishes long-lived connections. Then you set up public hostnames, "this subdomain goes down my tunnel and connects to this service locally", and the request goes Visitor -> Cloudflare -> Tunnel (running locally) -> service. The connection in between Cloudflare and the local tunnel is encrypted, so if you set it up to just connect to services, fully secure without setting up certificates. Additionally, because the connection is outbound to Cloudflare, your IP changing doesn't matter, or firewall/NAT/any other restrictions
I've used ngrok but I had no idea what I was doing 😭 I used it for allowing ppl in other locations to join my singleplayer Minecraft world when I was much younger.
anyway, so the tunnel is the encrypted transportation of data from Cloudflare to the service without having to set up certs between Cloudflare and the service?
> anyway, so the tunnel is the encrypted transportation of data from Cloudflare to the service without having to set up certs between Cloudflare and the service?
with the benefit of not needing to open firewalls/worry about IP changes/etc, essentially, a magical reverse proxy
ah I see. so that essentially removes the need for a reverse proxy. would u suggest that as a way to go instead of Traefik or nginx?
it can be way easier yea, can setup each hostname to go to a specific service (mycoolsubdomain.example.com -> 127.0.0.1:9480, mycoolsubdomain2.example.com -> 127.0.0.1:9580)
hmm
nginx/Traefik have a few more advanced options and of course a tunnel = you're always going to be using CF, but a tunnel is a good option for a simple reverse proxy, gets the job done
are there any sources out there so that I don't have to badger you, cause I feel bad about my onslaught of questions 😭
cause I have zero clue how to do smth like that
Cloudflare Docs: Create a remotely-managed tunnel (dashboard) · Cloudflare Zero Trus... (Follow this step-by-step guide to get your first tunnel up and running using Zero Trust.)
it's semi-popular too, can find a decent amount of material/videos out there (although you have to be a bit careful, CF has changed the dash a decent bit over the last year, moving tunnels from Access sub menu to "Networks", etc)
got it. well thank you so much, I think I'll check that out!
yeah I think I'm going to do this, Traefik was so convoluted
it's also like meant for Linux
oh wait can I not have a DNS record for that subdomain and a tunnel at the same time?
lastly for when you get back, do I have to have my public IP and port forwarded so that the Cloudflare tunnel can connect to my IP?
for a single subdomain you would need to only have one, yea, doesn't make sense to split traffic between a tunnel and a non-tunnel (mostly)
that's the nice thing about tunnels that I mentioned, they're an outbound connection just like you connecting outbound to Discord. You don't need to open ports/port forward, mess with firewalls, or care about static ips/your ip changing, etc
Oh. Then what do I put into the spot in the tunnel where it asks for like how I connect to it
Cause right now I put my public ip:port
What's the right thing to put bc rn this required me to port forward I think
for your public hostname service you mean?
Yeah. It says public host name and I put my comics.blahblag.com
Then it asks for service and I put http://ip:port
if the tunnel's running on the host of your Windows computer, try navigating to http://127.0.0.1:port in your browser and see if that works. If so that's what you want to set as the service
Oh I thought the tunnel was sort of like a proxy to hand the requests from the Cloudflare proxy to my host. But, how does the tunnel have access to my localhost?
Oh wait
It is because of cloudflared
right, cloudflared is running on your host, and the service connections originate from it (within your network)
Ah I see
Yep it worked!
Thank you so much for ur help 🙂
One more thing: what are pros and cons of this over proxy
(Im using the free tier btw)
I mean it's still going through the normal proxy/cdn, just has a different way of connecting to the origin
There's lots of pros, not worrying about your IP changing, firewalls, having to poke holes in your firewall/port forwarding, good integration with CF Access if you want to secure things, generally easier setup, etc
I think the biggest cons are just being reliant on another service fully, and that tunnels don't handle huge uploads/downloads well, they can handle a ton of individual requests though, and you can always add more connectors/services if you wanted to scale, or throw CF's Load Balancing on top, etc
Ah I see. That’s interesting.
I appreciate ur advice it’s very useful.
Btw, I also see my website that I set up with the tunnel is secure. Cloudflare encrypts that connection as well as visitor to Cloudflare?
Then my question after is can I set cloudflare to full or is it still flexible.
always full (strict)
yes, visitor -> encrypted -> cf -> encrypted -> cloudflared -> unencrypted (local net) -> service
Ok. And since I set up the tunnel I don’t have to add anything on my end?
Done
Looks good
@Chaika quick question. I just set up Google SMTP for my custom domain and it works great. I'm curious though, do I still need to use Cloudflare for routing emails?
for receiving and forwarding? yea
what's the difference between receiving and forwarding? isn't it just that it forwards the email to my other email so that I receive it?