Howdy! Is there any type of logging
Howdy! Is there any type of logging viewable for hyperdrive private database tunnels? I have a postgresql server that is connectable directly via ssh port forwarding, via the tunnel established for hyperdrive `cloudflared access tcp`, and of course on the machine itself. However, running the recommended test code (`const sql = postgres(env.XXXX.connectionString);`) results in a connection timeout with no further info provided. Thanks!
12 Replies
Hi! Yep, the tunnel team has built out quite good logging facilities: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/monitor-tunnels/logs/
If that doesn't work, next step would be to see if what you're passing in for the hostname/ID/secret is correct. Those can be easy to mess up. Double checking that you've set up the Access Application and attached the Service Token policy to it correctly too, etc. There's a few points to wire up here.
Thank you! I have the tunnel logs and they are great. I've tested the tunnel back and forth and it's all good and showing logs accordingly. The issue is troubleshooting why hyperdrive isn't connecting to the tunnel.
I've read and re-read the docs to make sure I haven't missed anything, but I'm obviously missing something and trying to identify the root cause preventing hyperdrive from connecting through to the tunnel.
One of the things we're working on rolling out is verifying connectivity at the time you make the config, to give a bit stronger signal earlier in the process if something isn't talking all the way through.
Have you taken a look at the logs for your Access application, to see if the connection attempts are reaching it?
https://developers.cloudflare.com/cloudflare-one/insights/logs/audit-logs/
(cc @thomasgauvin, in case there's some Docs or QoL additions that come out of this.)
I'm seeing the application accessed under the main Analytics page, but there are no corresponding logs in Logs -> Access
No worries! I was going to try and start from scratch to see if I missed a step, but if you were working on that initial connection test and Doc/QoL additions, I'm ok to wait for those too. If there are any other items I should check, let me know!
That'll be a fast follow on the initial release. Hoping to get there in the next week or two.
I will say that ultimately it probably is going to tell you what you already know, which is that there's a missing bit of wiring somewhere. We have Hyperdrive over tunnels running in production already and they're humming along, so it's not an outage or anything. Have you been able to connect via cloudflared or websocat or something to your host? I wonder if when making the hyperdrive you passed in the hostname with https or something like that. Another one we've bumped into is databases that aren't configured to support SSL. That's required and will fail out without it. Check that, maybe?
Excellent re: follow-up releases. Yes, I was able to connect through the tunnel via `cloudflared access tcp` at the same hostname used for the `wrangler hyperdrive create....` command, and logs indicated all was good with regards to the tunnel itself. I also used the same token generated for hyperdrive.
On the SSL/TLS part, I indeed configured the backend to use SSL/TLS with a self-signed cert. (Or, would you recommend using CF's origin CA and generating a client cert/key from the Origin cert feature?) More documentation on best practices on that part would be helpful.
(But, if there was a cert issue, I would have expected to see an entry in the postgresql logs, which I did not see, so my rough guess was a connectivity issue between hyperdrive and the tunnel itself.)
We only support standard certs right now. Custom certs are on the roadmap, but won't work yet I'm afraid
I'd say your intuition is right, if you're not seeing tunnel logs then it's not reaching the tunnel. Though I'll note that it doesn't log connections or much of anything unless you're logging in debug level
Duly noted! I'll double check the cert type and confirm debug mode on the server. (I was viewing the tunnel logs on the cloudflare side, but will also set debug logs on the server side to confirm I'm not missing anything.)
If there is any other info I can send over via DM that would be helpful, let me know! And there isn't any urgency on my end other than checking out this new functionality for some use cases. Glad to see progress on this and excited to check out the future releases!
Much appreciated! We (obviously) have a pretty strong interest in issues with the onboarding flow here, so I'll DM you with some follow-ups when I'm back in office Monday. In the meantime if you wouldn't mind posting or sending your hyperdrive ID, that'll be the first thing we need to dig for on our end.
Thanks for giving this a look!
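The SSL requirement and the "standard certs" limitation raised in the thread can be checked from the operator's side with a PostgreSQL SSLRequest probe. This is an added example, not part of the thread and not Cloudflare's code. It assumes a local port is already forwarded to the database (for instance by `cloudflared access tcp`), and it assumes "standard cert" means a certificate that verifies against the system trust store; `cert_name` is a hypothetical parameter for the name on the database certificate.

```python
import socket
import ssl
import struct
from typing import Optional

# PostgreSQL SSLRequest message: Int32 length (8), then Int32 code 80877103.
SSL_REQUEST = struct.pack("!II", 8, 80877103)


def interpret_ssl_reply(reply: bytes) -> str:
    """Map the server's one-byte answer to SSLRequest onto a diagnosis."""
    if reply == b"S":
        return "ssl-supported"
    if reply == b"N":
        return "ssl-refused"  # server runs without SSL
    if reply == b"":
        return "closed"  # peer hung up before answering
    return "unexpected"  # e.g. b"E" (error) or not a PostgreSQL listener


def probe_postgres_ssl(host: str, port: int, cert_name: Optional[str] = None,
                       timeout: float = 5.0) -> str:
    """Send SSLRequest; if cert_name is given, also verify the certificate
    against the system trust store (assumption: a self-signed cert fails here)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(SSL_REQUEST)
            result = interpret_ssl_reply(sock.recv(1))
            if result != "ssl-supported" or cert_name is None:
                return result
            ctx = ssl.create_default_context()
            try:
                with ctx.wrap_socket(sock, server_hostname=cert_name):
                    return "ssl-cert-verified"
            except ssl.SSLCertVerificationError:
                return "ssl-cert-untrusted"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"


if __name__ == "__main__":
    # Assumed setup: a local forward to the database is listening on this port.
    print(probe_postgres_ssl("127.0.0.1", 5432))
```

A result of `ssl-refused` or `ssl-cert-untrusted` points at the database's TLS configuration, while `timeout` or `unreachable` points at the path to it.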