#Monitor tunnels from outside

Hi! I'm using cloudflare tunnels to run my homelab but I want to monitor from outside (in case my conection goes off or rasp dies) I have tried tools like https://www.openstatus.dev but they not reach the page for example jonathan.com.ar

Is there a way to monitor my different aplications running there from outside?

For HTTP apps/Public Hostnames, you can monitor them the same as you'd monitor any web server. It looks like you probably got hit by the fact you have Under Attack Mode on/are challenging every request, so the monitoring service was just seeing 403s?

The managed challenge is the one you say? thats at WAF

Under Attack is not enabled

What do you see under Security -> Events causing challenges?

The right side is openstatus

when you expand the managed challenge, which rule is doing it?

You mean this?

If you don't mean to be challenging every visitor coming to your site we could try to fix the rule causing it, or you could whitelist openstatus's IPs or give it a special header to bypass the challenges

What is the ssl rule matching on?

We could whitelist openstatus or remove the challenge, i'm okay with both I think

Well challenging everyone isn't exactly the best user experience lol, but it's up to you. The intent of that rule was to challenge everyone?
I tried searching for openstatus's IP List but couldn't find it, you would have to find it. Most monitoring solutions list all of their IPs so you can easily whitelist them (or go the header route)

No the was no intent at first I was just trying randoms things from WAF, this is outisde of the thread itself but what would you suggest me to challenge? only bots?

If you're talking about the bot fields you wouldn't want to challenge them, those are verified bots/ "the good ones"

The "known bots" are the good ones then? omg I was blocking them

withouth the challenge the connecton is okay with openstatus

yes those include google search index bot and such lol

As for this question though, it really depends on your situation.
There are certain community rules lists like https://gist.github.com/Le0Developer/4c68f9a878a4cc2db88755ae06191dbc if you want to preemptively try to block common "unwanted" requests like non-friendly bots which scan

CF has built in automatic DDoS protection and such but it only really kicks in at a pretty high requests per second, its heavily sampled. Need to be getting hit pretty hard for it to start helping out, but it is there

imo until you have a problem (or if you know you will have issues, like running sites which attract attacks) I would just stick with the default stuff

Okay! I think this will work (now I check this gist) but I also learned something new today so I'll give this a success hahah.

offtopic: what a disaster myself 2-3 months running with known bots on block action hahaha thanks!

There is some common rules which aren't a bad idea like blocking ports other then 80/443 (custom expression: not cf.edge.server_port in {80 443}). If you don't use those ports, CF has a few alt. ones open

also blocking wordpress/php stuff (ends_with(http.request.uri.path, ".php")) or (http.request.uri.path contains "wp-") if you don't use it. That one is included in the gist as well

Yeah this one I've noticed that bots attack usually php stuff

mostly that's just getting rid of bs requests which wouldn't ever be legit. If you don't do it, not like you'd get hacked, but it would be requests wasting (your servers) cpu

Yes i'm my case my server is pretty limited in resources so i'm just trying to prevent wasting that

The port one is more important with tunnels since they respond on all CF ports/don't care about port ex: https://jonathan.com.ar:8443/

This one you mean? I'm going to try it now!

(also just worth mentioning Cloudflare Pages is an option, self-hosting is fun and if you want to self-host your own website just because it's cool I understand, but your site looks like it could be fully static, you could throw it on Cloudflare Pages for free and Pages has unlimited static requests)

Yes thats totally valid, right now is inside my own infra just for the luls of using it / learning hahah, it would even be better I don't have 99.9% uptime on my house

This is a rule but which kind of rule?

URI path?

Custom Expression not via the builder, sorry I should have explained that, same for the ones via the gist

You can click Edit Expression in a Custom Rule

Now yesss

then you get a freeform text space to type your own out. It's based on wireshark filter language.
Some fields and operations, and items are not available in the Visual Editor, only the custom expression editor

Okie! I think is now for me time to play and find out whats the best for my case, but i'll will already implement this one that are "common" from the community (the ones you mentioned before are already deployed, thanks!)