Created by Arthur Fiorette on 6/27/2023 in #general-help
Include public domain to service behind Zero Trust when connected to WARP client.
Context: I have a tunnel called zt-gate which has a public hostname of ssh.mydomain.com -> ssh://10.0.0.30:22 and a private hostname with 10.0.0.30/32 CIDR. I created an SSH self-hosted application that I can access normally through SSH browser rendering. In my WARP client settings, I've selected Gateway with WARP, and my split tunnels configuration is Include IPs and domains with 10.0.0.30/32 CIDR and ssh.mydomain.com. I'm asking about an SSH service, but keep in mind that I have other non-web/http services set up in the same way.
If I use the command cloudflared access ssh --hostname ssh.mydomain.com --url localhost:1234 and log in normally, I can SSH into localhost:1234 normally. If I enable Zero Trust in my Windows WARP client, I can normally SSH into the same server using the 10.0.0.30:22 address. But, although I've configured a public hostname ssh.mydomain.com, I still cannot make any connections using the domain, only from IP addresses. There's a doc page on how to do SSH (not all use cases for me, just a non-web example) (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/use-cases/ssh/#connect-to-ssh-server-with-warp-to-tunnel) which only shows examples connecting using IP addresses. I thought that by using Include IPs and domains and including my desired domain, I could access these services using my public hostname. Is it possible? If not, how can I create domains for non-http services I only want to access when connected to my WARP client/cloudflared CLI? This curl shows that it is not getting redirected to my local IP. At least I thought it should after my Include IPs and domains configuration.
curl -v ssh.mydomain.com
* Trying 172.67.182.134:80...
* TCP_NODELAY set
* Connected to ssh.mydomain.com (172.67.182.134) port 80 (#0)
> GET / HTTP/1.1
> Host: ssh.mydomain.com
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Date: Tue, 27 Jun 2023 01:05:46 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: max-age=3600
< Expires: Tue, 27 Jun 2023 02:05:46 GMT
< Location: https://ssh.mydomain.com/
< Report-To: {"endpoints":[{"url":"redacted"}],"group":"cf-nel","max_age":604800}
< NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< Server: cloudflare
< CF-RAY: redacted
< alt-svc: h3=":443"; ma=86400
< Cf-Team: redacted
<
* Connection #0 to host ssh.mydomain.com left intact
Sorry if I blurred too much information, just trying not to leak sensitive information 🙂
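The curl trace in the post shows ssh.mydomain.com resolving to 172.67.182.134, a public address answered by Cloudflare (Server: cloudflare), rather than to the private origin 10.0.0.30 behind the tunnel. The script below is an added example, not code from the thread or from Cloudflare: it classifies what the local resolver (whatever WARP or the system has configured) hands back for a hostname and, when the private origin is reachable, reads the SSH identification string to confirm the TCP path actually ends at an SSH server. The hostname and addresses in the sample data are those from the post; the function names are this example's own, and the sample answer list is constructed from the curl output.

```python
"""Check whether a Zero Trust hostname resolves to the private origin or to a
public edge address, and whether the resolved target speaks SSH.

Added example; not part of the original thread. The addresses below come
from the post (ssh.mydomain.com, 10.0.0.30, 172.67.182.134).
"""
from __future__ import annotations

import ipaddress
import socket
import sys
from typing import List, Optional

# Constructed from the curl output in the post: the resolver returned a
# public Cloudflare address for the hostname, not the private origin.
SAMPLE_ANSWERS_FROM_POST = ["172.67.182.134"]
PRIVATE_ORIGIN_FROM_POST = "10.0.0.30"


def classify_address(addr: str) -> str:
    """Return 'private', 'loopback' or 'public' for a textual IP address."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:  # RFC 1918 / ULA ranges, e.g. 10.0.0.30
        return "private"
    return "public"


def resolve(hostname: str) -> List[str]:
    """Every A/AAAA answer the local resolver returns for the hostname."""
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def diagnose(expected_private: str, answers: List[str]) -> str:
    """Compare resolver answers with the private origin the tunnel should reach.

    'private-route': the hostname already points at the private origin.
    'public-edge':   every answer is public, so connections hit the edge,
                     which is what the post's curl trace shows.
    'mixed':         anything else (no answers, or a blend of kinds).
    """
    if expected_private in answers:
        return "private-route"
    kinds = {classify_address(a) for a in answers}
    if answers and kinds == {"public"}:
        return "public-edge"
    return "mixed"


def ssh_banner(host: str, port: int = 22, timeout: float = 3.0) -> Optional[str]:
    """Open a TCP connection and read the server identification line.

    An SSH server speaks first ("SSH-2.0-..."); anything else, or no answer
    at all, means the path does not terminate at an SSH daemon.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = sock.recv(255)
    except OSError:
        return None
    line = data.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    return line if line.startswith("SSH-") else None


if __name__ == "__main__":
    # Usage: python check_route.py [hostname] [private-origin]
    host = sys.argv[1] if len(sys.argv) > 1 else "ssh.mydomain.com"
    origin = sys.argv[2] if len(sys.argv) > 2 else PRIVATE_ORIGIN_FROM_POST
    answers = resolve(host)
    verdict = diagnose(origin, answers)
    print(f"{host} -> {answers or 'no answer'} : {verdict}")
    if verdict == "private-route":
        print("SSH banner from origin:", ssh_banner(origin))
    # The post's own data, evaluated offline:
    print("post sample:", diagnose(PRIVATE_ORIGIN_FROM_POST, SAMPLE_ANSWERS_FROM_POST))
```

Run it from a machine with the WARP client connected and compare the verdict with one from a machine that is not: a 'public-edge' result on both means the hostname is being resolved publicly regardless of the split-tunnel Include entry, which is the situation the curl output in the post illustrates.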