cloudflare tunnel (https routing)+ npm + https application (all of them in docker)

[hmntsharma]

Hello,

Has anyone had success with cloudflare zero trust tunnel (docker) with public hostname routing https to npm (docker) to another application (docker).

I can get the HTTP working but not https

If I bypass npm and configure the https routing on cloudflare directly for the application, it works but npm can only proxy HTTP.

I have tried let's encrypt and cloudflare origin certs both, in fact, in installed iproute2 and tcpdump to capture traffic on the npm docker
and I see the traffic but the webpage does not open.

Please share if anyone ever tried this setup and got it working.

Thanks,
Hemant

[JonhyOliveira]

Hey @hmntsharma, I'm a bit confused by your setup. Can you specify what's happening and what you expect to happen?

Here's an example, based on your post: "While on a Cloudflare Zero Trust tunnel I'm connecting to https://example.com (running NPM) and I get an invalid certificate"

Just a note: if your apps are running isolated in the docker network (they don't receive requests from a public net, such as the internet) it's less complex and error-prone to use http to communicate with NPM and have NPM deal with https.

[hmntsharma]

Hi @JonhyOliveira

I have a domain, say hmntsharma.com, DNS handled by Cloudflare.

On my RPi4, I connect the Cloudflare zero trust tunnel using docker.
The public hostname on the Cloudflare tunnel is pointing to the RPi host IP and the NPM Public HTTP Port to reach AdguardHome, using CNAME, adguard.hmntsharma.com.

I have got npm (docker, exposing public HTTP, HTTPS, and the Webadmin port to the host) and AdguardHome(docker not exposing any ports to the host) running on the same Pi and the same docker bridge.

On the npm, I have two sets of certs: one is via Let's Encrypt using Cloudflare DNS challenge, and the other is manually uploaded to it, which is created on the Cloudflare origin certs.

I have configured the proxy hosts on the npm to point to the HTTPS port of the AdguardHome IP:Port, using the certs.

To reach adguard.hmntsharma.com online, the request goes to cloudflare and cloudlfare presents its universal cert to the visitor, cloudflare then makes the connection to the RPi server, which in this case is the NPM proxy and the webpage opens. This works!

As soon as I change the cloudflare public hostname from HTTP to HTTPs and the public HTTPS port of the NPM (with no TLSverify option on Cloudflare), it does not work.

If I bypass NPM, expose the adguardhome ports to the host and then configure cloudflare to point to the RPi host IP and adguardhome exposed HTTPS port (with no TLSverify option on Cloudflare), it also works.

In short.

Visitor ---HTTPS(cloudflare universal cert)----> Cloudflare ---Cloudflare tunnel using HTTP---> NPM ---HTTPS----> AdguardHome. | **This works **

But

Visitor ---HTTPS(cloudflare universal cert)----> Cloudflare ---Cloudflare tunnel using HTTPS---> NPM ---HTTPS----> AdguardHome. | This does not

I installed tcpdump on the npm docker container and I can see the traffic hitting the container but not sure why the page does not open.

Kindly let me know if you need more information on this.

[JonhyOliveira]

Here are the main things I'd look into:

• How did you create the Adguard SSL certificate you use to connect "directly" to Adguard via HTTPS?
• How does it differ from the one used by NPM?
• What happens if you serve the Adguard certificate through NPM?

I'm not too familiar with how Zero Trust works, but if it can handle HTTPS to your Adguard instance I don't understand why it wouldn't be able to do it for a proxied version of it with a valid cert.

[hmntsharma]

• The SSL certificate is from cloudflare for the domain, npm gets it from let's encrypt, I have tried both, no joy.
• I have even tried HTTP from NPM to AdguardHome, no joy.

Following capture when adguardhome is on HTTP(80) AND Cloudflare is routing to NPM public HTTP port(80)
proxy configured for adguard HTTP, port 80

Works: from docker gateway IP 172.18.18.1 --> NPM(80) & NPM --> adguard (80)

17:56:58.390910 IP 172.18.18.1.35756 > nginx-rpm.80: Flags [P.], seq 2739667202:2739668106, ack 2381109003, win 249, options [nop,nop,TS val 1452206177 ecr 2300148830], length 904: HTTP: GET /control/status HTTP/1.1
17:56:58.391170 IP nginx-rpm.37290 > adguard.inpinity.80: Flags [S], seq 625557371, win 32120, options [mss 1460,sackOK,TS val 459115368 ecr 0,nop,wscale 7], length 0
17:56:58.391271 IP adguard.inpinity.80 > nginx-rpm.37290: Flags [S.], seq 1527378638, ack 625557372, win 31856, options [mss 1460,sackOK,TS val 3038354893 ecr 459115368,nop,wscale 7], length 0
17:56:58.391304 IP nginx-rpm.37290 > adguard.inpinity.80: Flags [.], ack 1, win 251, options [nop,nop,TS val 459115368 ecr 3038354893], length 0
17:56:58.391394 IP nginx-rpm.37290 > adguard.inpinity.80: Flags [P.], seq 1:967, ack 1, win 251, options [nop,nop,TS val 459115368 ecr 3038354893], length 966: HTTP: GET /control/status HTTP/1.1
17:56:58.391427 IP adguard.inpinity.80 > nginx-rpm.37290: Flags [.], ack 967, win 249, options [nop,nop,TS val 3038354893 ecr 459115368], length 0
17:56:58.392409 IP adguard.inpinity.80 > nginx-rpm.37290: Flags [P.], seq 1:457, ack 967, win 249, options [nop,nop,TS val 3038354894 ecr 459115368], length 456: HTTP: HTTP/1.1 200 OK
17:56:58.392447 IP nginx-rpm.37290 > adguard.inpinity.80: Flags [.], ack 457, win 249, options [nop,nop,TS val 459115369 ecr 3038354894], length 0
17:56:58.392555 IP nginx-rpm.37290 > adguard.inpinity.80: Flags [F.], seq 967, ack 457, win 249, options [nop,nop,TS val 459115369 ecr 3038354894], length 0
17:56:58.392628 IP nginx-rpm.80 > 172.18.18.1.35756: Flags [P.], seq 1:509, ack 904, win 249, options [nop,nop,TS val 2300160066 ecr 1452206177], length 508: HTTP: HTTP/1.1 200 OK
17:56:58.392663 IP 172.18.18.1.35756 > nginx-rpm.80: Flags [.], ack 509, win 249, options [nop,nop,TS val 1452206178 ecr 2300160066], length 0
17:56:58.392701 IP adguard.inpinity.80 > nginx-rpm.37290: Flags [F.], seq 457, ack 968, win 249, options [nop,nop,TS val 3038354894 ecr 459115369], length 0
17:56:58.392725 IP nginx-rpm.37290 > adguard.inpinity.80: Flags [.], ack 458, win 249, options [nop,nop,TS val 459115369 ecr 3038354894], length 0

Following capture when adguardhome is on HTTP(80) AND Cloudflare is routing to NPM public HTTPS port (443)
proxy configured for adguard HTTP, port 80

Does not work: from docker gateway IP 172.18.18.1 --> NPM(443) & nothing further

18:02:59.971625 IP 172.18.18.1.45620 > nginx-rpm.443: Flags [S], seq 3362133159, win 32120, options [mss 1460,sackOK,TS val 1452567757 ecr 0,nop,wscale 7], length 0
18:02:59.971704 IP nginx-rpm.443 > 172.18.18.1.45620: Flags [S.], seq 3175231649, ack 3362133160, win 31856, options [mss 1460,sackOK,TS val 2300521645 ecr 1452567757,nop,wscale 7], length 0
18:02:59.971868 IP 172.18.18.1.45620 > nginx-rpm.443: Flags [.], ack 1, win 251, options [nop,nop,TS val 1452567758 ecr 2300521645], length 0
18:02:59.972919 IP 172.18.18.1.45620 > nginx-rpm.443: Flags [P.], seq 1:234, ack 1, win 251, options [nop,nop,TS val 1452567759 ecr 2300521645], length 233
18:02:59.972958 IP nginx-rpm.443 > 172.18.18.1.45620: Flags [.], ack 234, win 249, options [nop,nop,TS val 2300521647 ecr 1452567759], length 0
18:02:59.973604 IP nginx-rpm.443 > 172.18.18.1.45620: Flags [P.], seq 1:8, ack 234, win 249, options [nop,nop,TS val 2300521647 ecr 1452567759], length 7
18:02:59.973702 IP 172.18.18.1.45620 > nginx-rpm.443: Flags [.], ack 8, win 251, options [nop,nop,TS val 1452567759 ecr 2300521647], length 0
18:02:59.973879 IP nginx-rpm.443 > 172.18.18.1.45620: Flags [F.], seq 8, ack 234, win 249, options [nop,nop,TS val 2300521648 ecr 1452567759], length 0
18:02:59.974269 IP 172.18.18.1.45620 > nginx-rpm.443: Flags [F.], seq 234, ack 9, win 251, options [nop,nop,TS val 1452567760 ecr 2300521648], length 0
18:02:59.974306 IP nginx-rpm.443 > 172.18.18.1.45620: Flags [.], ack 235, win 249, options [nop,nop,TS val 2300521648 ecr 1452567760], length 0
18:03:00.177454 IP 172.18.18.1.45634 > nginx-rpm.443: Flags [S], seq 349777533, win 32120, options [mss 1460,sackOK,TS val 1452567963 ecr 0,nop,wscale 7], length 0
18:03:00.177520 IP nginx-rpm.443 > 172.18.18.1.45634: Flags [S.], seq 1890797440, ack 349777534, win 31856, options [mss 1460,sackOK,TS val 2300521851 ecr 1452567963,nop,wscale 7], length 0
18:03:00.177597 IP 172.18.18.1.45634 > nginx-rpm.443: Flags [.], ack 1, win 251, options [nop,nop,TS val 1452567963 ecr 2300521851], length 0
18:03:00.178811 IP 172.18.18.1.45634 > nginx-rpm.443: Flags [P.], seq 1:234, ack 1, win 251, options [nop,nop,TS val 1452567965 ecr 2300521851], length 233
18:03:00.178847 IP nginx-rpm.443 > 172.18.18.1.45634: Flags [.], ack 234, win 249, options [nop,nop,TS val 2300521853 ecr 1452567965], length 0
18:03:00.179457 IP nginx-rpm.443 > 172.18.18.1.45634: Flags [P.], seq 1:8, ack 234, win 249, options [nop,nop,TS val 2300521853 ecr 1452567965], length 7

[JonhyOliveira]

Do your NPM logs help you in any way? If NPM is responding back then there should be some kind of log somewhere of what happened. If you're using the default docker compose you should have a data/logs/ directory with the access and error logs.

[hmntsharma]

The last few weeks were busy, but I got back to it tonight and here is what I have found.

The NPM does not respond at the application level on port 443. The files proxy-host-1_access.log & proxy-host-1_error.log do not record anything when proxying for 443.

But, it does receive the traffic as captured below.

[root@docker-nginx-rpm:/data/logs]# tcpdump -i eth0 -n "port 443"
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
20:56:54.556971 IP 172.18.18.1.32842 > 172.18.18.240.443: Flags [S], seq 1462395421, win 32120, options [mss 1460,sackOK,TS val 3191002343 ecr 0,nop,wscale 7], length 0
20:56:54.557046 IP 172.18.18.240.443 > 172.18.18.1.32842: Flags [S.], seq 3279842107, ack 1462395422, win 31856, options [mss 1460,sackOK,TS val 4038956231 ecr 3191002343,nop,wscale 7], length 0
20:56:54.557129 IP 172.18.18.1.32842 > 172.18.18.240.443: Flags [.], ack 1, win 251, options [nop,nop,TS val 3191002343 ecr 4038956231], length 0
20:56:54.560519 IP 172.18.18.1.32842 > 172.18.18.240.443: Flags [P.], seq 1:234, ack 1, win 251, options [nop,nop,TS val 3191002346 ecr 4038956231], length 233
20:56:54.560631 IP 172.18.18.240.443 > 172.18.18.1.32842: Flags [.], ack 234, win 249, options [nop,nop,TS val 4038956234 ecr 3191002346], length 0
20:56:54.562007 IP 172.18.18.240.443 > 172.18.18.1.32842: Flags [P.], seq 1:8, ack 234, win 249, options [nop,nop,TS val 4038956236 ecr 3191002346], length 7
20:56:54.562234 IP 172.18.18.1.32842 > 172.18.18.240.443: Flags [.], ack 8, win 251, options [nop,nop,TS val 3191002348 ecr 4038956236], length 0
20:56:54.562634 IP 172.18.18.240.443 > 172.18.18.1.32842: Flags [F.], seq 8, ack 234, win 249, options [nop,nop,TS val 4038956236 ecr 3191002348], length 0
20:56:54.564279 IP 172.18.18.1.32842 > 172.18.18.240.443: Flags [F.], seq 234, ack 9, win 251, options [nop,nop,TS val 3191002350 ecr 4038956236], length 0
20:56:54.564379 IP 172.18.18.240.443 > 172.18.18.1.32842: Flags [.], ack 235, win 249, options [nop,nop,TS val 4038956238 ecr 3191002350], length 0
20:56:55.070913 IP 172.18.18.1.32846 > 172.18.18.240.443: Flags [S], seq 3917729349, win 32120, options [mss 1460,sackOK,TS val 3191002856 ecr 0,nop,wscale 7], length 0
20:56:55.071085 IP 172.18.18.240.443 > 172.18.18.1.32846: Flags [S.], seq 3472428548, ack 3917729350, win 31856, options [mss 1460,sackOK,TS val 4038956745 ecr 3191002856,nop,wscale 7], length 0
20:56:55.071255 IP 172.18.18.1.32846 > 172.18.18.240.443: Flags [.], ack 1, win 251, options [nop,nop,TS val 3191002857 ecr 4038956745], length 0
20:56:55.073943 IP 172.18.18.1.32846 > 172.18.18.240.443: Flags [P.], seq 1:234, ack 1, win 251, options [nop,nop,TS val 3191002860 ecr 4038956745], length 233
20:56:55.074011 IP 172.18.18.240.443 > 172.18.18.1.32846: Flags [.], ack 234, win 249, options [nop,nop,TS val 4038956748 ecr 3191002860], length 0
20:56:55.075171 IP 172.18.18.240.443 > 172.18.18.1.32846: Flags [P.], seq 1:8, ack 234, win 249, options [nop,nop,TS val 4038956749 ecr 3191002860], length 7
20:56:55.075318 IP 172.18.18.1.32846 > 172.18.18.240.443: Flags [.], ack 8, win 251, options [nop,nop,TS val 3191002861 ecr 4038956749], length 0
20:56:55.075551 IP 172.18.18.240.443 > 172.18.18.1.32846: Flags [F.], seq 8, ack 234, win 249, options [nop,nop,TS val 4038956749 ecr 3191002861], length 0
20:56:55.076571 IP 172.18.18.1.32846 > 172.18.18.240.443: Flags [F.], seq 234, ack 9, win 251, options [nop,nop,TS val 3191002862 ecr 4038956749], length 0
20:56:55.076635 IP 172.18.18.240.443 > 172.18.18.1.32846: Flags [.], ack 235, win 249, options [nop,nop,TS val 4038956750 ecr 3191002862], length 0



^C
20 packets captured
20 packets received by filter
0 packets dropped by kernel
[root@docker-nginx-rpm:/data/logs]#

Another service on port 80 works just fine. It routes to https service.

[root@docker-nginx-rpm:/data/logs]# tcpdump -i eth0 -n "port 80"
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
20:57:26.224837 IP 172.18.18.1.60288 > 172.18.18.240.80: Flags [S], seq 3556527471, win 32120, options [mss 1460,sackOK,TS val 3191034011 ecr 0,nop,wscale 7], length 0
20:57:26.224873 IP 172.18.18.240.80 > 172.18.18.1.60288: Flags [S.], seq 2596184687, ack 3556527472, win 31856, options [mss 1460,sackOK,TS val 4038987899 ecr 3191034011,nop,wscale 7], length 0
20:57:26.224908 IP 172.18.18.1.60288 > 172.18.18.240.80: Flags [.], ack 1, win 251, options [nop,nop,TS val 3191034011 ecr 4038987899], length 0
20:57:26.225392 IP 172.18.18.1.60288 > 172.18.18.240.80: Flags [P.], seq 1:1128, ack 1, win 251, options [nop,nop,TS val 3191034011 ecr 4038987899], length 1127: HTTP: GET / HTTP/1.1
20:57:26.225415 IP 172.18.18.240.80 > 172.18.18.1.60288: Flags [.], ack 1128, win 249, options [nop,nop,TS val 4038987899 ecr 3191034011], length 0
20:57:26.234741 IP 172.18.18.240.80 > 172.18.18.1.60288: Flags [P.], seq 1:3623, ack 1128, win 249, options [nop,nop,TS val 4038987908 ecr 3191034011], length 3622: HTTP: HTTP/1.1 200 OK
20:57:26.234788 IP 172.18.18.1.60288 > 172.18.18.240.80: Flags [.], ack 3623, win 249, options [nop,nop,TS val 3191034021 ecr 4038987908], length 0
20:57:26.234992 IP 172.18.18.240.80 > 172.18.18.1.60288: Flags [P.], seq 3623:7712, ack 1128, win 249, options [nop,nop,TS val 4038987909 ecr 3191034021], length 4089: HTTP
20:57:26.235023 IP 172.18.18.1.60288 > 172.18.18.240.80: Flags [.], ack 7712, win 249, options [nop,nop,TS val 3191034021 ecr 4038987909], length 0
20:57:26.235123 IP 172.18.18.240.80 > 172.18.18.1.60288: Flags [P.], seq 7712:9274, ack 1128, win 249, options [nop,nop,TS val 4038987909 ecr 3191034021], length 1562: HTTP
20:57:26.235148 IP 172.18.18.1.60288 > 172.18.18.240.80: Flags [.], ack 9274, win 249, options [nop,nop,TS val 3191034021 ecr 4038987909], length 0
20:57:26.235501 IP 172.18.18.240.80 > 172.18.18.1.60288: Flags [P.], seq 9274:9279, ack 1128, win 249, options [nop,nop,TS val 4038987909 ecr 3191034021], length 5: HTTP
20:57:26.235545 IP 172.18.18.1.60288 > 172.18.18.240.80: Flags [.], ack 9279, win 249, options [nop,nop,TS val 3191034021 ecr 4038987909], length 0
20:57:28.768172 IP 172.18.18.1.60288 > 172.18.18.240.80: Flags [P.], seq 1128:2255, ack 9279, win 249, options [nop,nop,TS val 3191036554 ecr 4038987909], length 1127: HTTP: GET / HTTP/1.1
20:57:28.789347 IP 172.18.18.240.80 > 172.18.18.1.60288: Flags [P.], seq 9279:12901, ack 2255, win 249, options [nop,nop,TS val 4038990463 ecr 3191036554], length 3622: HTTP: HTTP/1.1 200 OK
20:57:28.789444 IP 172.18.18.1.60288 > 172.18.18.240.80: Flags [.], ack 12901, win 249, options [nop,nop,TS val 3191036575 ecr 4038990463], length 0
20:57:28.789994 IP 172.18.18.240.80 > 172.18.18.1.60288: Flags [P.], seq 12901:16990, ack 2255, win 249, options [nop,nop,TS val 4038990464 ecr 3191036575], length 4089: HTTP
20:57:28.790065 IP 172.18.18.1.60288 > 172.18.18.240.80: Flags [.], ack 16990, win 249, options [nop,nop,TS val 3191036576 ecr 4038990464], length 0
20:57:28.790235 IP 172.18.18.240.80 > 172.18.18.1.60288: Flags [P.], seq 16990:18552, ack 2255, win 249, options [nop,nop,TS val 4038990464 ecr 3191036576], length 1562: HTTP

<..snippe..>

Cloudlfare sends the request for both it seems, HTTP and HTTPS but NPM does not respond for HTTPS the same way as it does for HTTP.

[antwal]

@hmntsharma I have the exact same problem for over a year now and I can't solve it with NPM; I also tried downgrading to version 2.9.x that someone said worked but it doesn't, on NPM only connections without SSL with Cloudflare Tunnel work

[antwal]

@hmntsharma I solved the problem with the latest version

I made these changes and tried with Authelia and it works.

Surely there will be other changes to make, but now it doesn't give any errors and WebAuthn also works correctly

Generate a Self-Signed Certificate using OpenSSL

localhost.conf

[req]
default_bits       = 2048
default_keyfile    = localhost.key
distinguished_name = req_distinguished_name
req_extensions     = req_ext
x509_extensions    = v3_ca

[req_distinguished_name]
countryName                 = Country Name (2 letter code)
countryName_default         = US
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName                = Locality Name (eg, city)
localityName_default        = Rochester
organizationName            = Organization Name (eg, company)
organizationName_default    = localhost
organizationalUnitName      = organizationalunit
organizationalUnitName_default = Development
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_default          = localhost
commonName_max              = 64

[req_ext]
subjectAltName = @alt_names

[v3_ca]
subjectAltName = @alt_names

[alt_names]
DNS.1   = localhost
DNS.2   = 127.0.0.1

Create the Certificate using OpenSSL

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf

New default.conf

# "You are not configured" page, which is the default if another default doesn't exist
server {
	listen 80;
	#listen [::]:80;

	set $forward_scheme "http";
	set $server "127.0.0.1";
	set $port "80";

	server_name localhost-nginx-proxy-manager;
	access_log /data/logs/fallback_access.log standard;
	error_log /data/logs/fallback_error.log warn;
	include conf.d/include/assets.conf;
	include conf.d/include/block-exploits.conf;
	include conf.d/include/letsencrypt-acme-challenge.conf;

	location / {
		index index.html;
		root /var/www/html;
	}
}

# First 443 Host, which is the default if another default doesn't exist
server {
	listen 443 ssl http2;
	#listen [::]:443 ssl;

	set $forward_scheme "https";
	set $server "127.0.0.1";
	set $port "443";

	server_name localhost;
	access_log /data/logs/fallback_access.log standard;
	error_log /dev/null crit;

        ssl_certificate /etc/ssl/certs/localhost.crt;
        ssl_certificate_key /etc/ssl/private/localhost.key;
        
	ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers   on;

        location / {
		index index.html index.htm;
		root /var/www/html;
        }
}

Docker Compose (add this, on NPM)

- /<your-path>/default.conf:/etc/nginx/conf.d/default.conf
- /<your-path>/localhost.crt:/etc/ssl/certs/localhost.crt
- /<your-path>/localhost.key:/etc/ssl/private/localhost.key

Cloudflare Tunnel (config.yml)

tunnel: <my id>
credentials-file: /home/nonroot/.cloudflared/<my id>.json

loglevel: info

originRequest: # Top-level configuration
  connectTimeout: 30s

# Forward to NPM Proxy
ingress:
  - hostname: "*.domain.ext"
    service: https://npm
    originRequest:
      noTLSVerify: true
  - service: http_status:404

NPM Proxy Setup

Cloudflare Setup

NPM Proxy Advanced (for host protected from authelia)

[hmntsharma]

That's good to know. I will give it a try soon in a few days.