# SSL Nginx CF Tunnel

33 messages · Page 1 of 1 (latest)

neon mason
#

Anyone know how I can route my tunnel to a HTTPS server via Nginx Proxy Manager?
If I tunnel to port 80, this works, but obviously traffic is decrypted Cloudflare -> Server; if I tunnel to 443 (which is open), I get bad gateway

Thanks

strong oar
# neon mason Anyone know how I can route my tunnel to a HTTPS server via Nginx Proxy Manager?...

If I tunnel to port 80, this works, but obvious traffic is decrypted Cloudflare -> Server
In most cases that's fine. The setup is really like this:
User -> Encrypted -> CF -> Encrypted -> cloudflared (running on server) -> Unencrypted -> localhost (if your origin service is localhost).
So if your origin service is on the same server as the one running cloudflared, it's not going over the network unencrypted.
if I tunnel to 443 (which is open), I get bad gateway
To troubleshoot that issue, I would need more logs.
You can run journalctl -u cloudflared -f --lines=100 if you're running it as a service to get some logs out of it.
I would also try curl https://localhost:443 -k -vvv -o /dev/null on the machine running cloudflared to see if it can reach it

neon mason
#

Second command

*   Trying 127.0.0.1:443...
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS header, Unknown (21):
{ [5 bytes data]
* TLSv1.3 (IN), TLS alert, unrecognized name (624):
{ [2 bytes data]
* error:0A000458:SSL routines::tlsv1 unrecognized name
* Closing connection 0
curl: (35) error:0A000458:SSL routines::tlsv1 unrecognized name
#

Thanks for your help

neon mason
#

not sure how to override the header, I'm sorry; I'm really not that experienced with nginx, which is why I'm using NPM for convenience

#

oh it's the command one sec

#

@strong oar looks like a yes

strong oar
#

In your public hostname settings, under TLS -> Origin Server Name try putting "manage.exitium.uk", and under HTTP Settings put that in the HTTP Host Header as well.
This would mean you'd have to do this in the future for other subdomains / not use a single wildcard public hostname though

#

...or you could just use http instead of https; it's not like using https for localhost -> localhost gains you anything

neon mason
#

So it worked with manage.exitium.uk as the origin

strong oar
#

your web server wants to see manage.exitium.uk before it serves any certificate

#

as that's what you configured it to do

neon mason
#

Is there a way I can allow the wildcard so I can just have one public hostname setup in CF tunnel?

Domain *.exitium.uk -> SSL Origin *.exitium.uk -> https://localhost:443

Thanks for all your help again

strong oar
#

you could maybe configure npm that way, the issue is on its end rather than cloudflared's / the tunnel's

#

why not just use http though? You're just wasting cpu cycles using https. Cloudflared running locally, on the same machine as your web server (since it's localhost), is fine to do a plaintext http connection since it's the same machine

neon mason
#

Probably overthinking things, but I run a Safing.io Community Node on that same server, so I thought it best to not decrypt traffic, given that unregulated traffic flows through the same interface?

strong oar
#

I mean in general if you're running untrusted software on your machine you can have issues, in the sense that it could infect / take over your device, but I don't see any reason to be concerned about that messing with your traffic, as long as it can't fetch localhost / connect as well and bypass the tunnel

#

I would be careful though: does your current provider allow running tor exit nodes or spn exit nodes? Those types of services invite tons of spam. It only takes one abuser to use your node to attack someone or visit explicit material, and most vps providers don't think twice about nuking your node / ending the relationship.
That would be my bigger concern about running such a service alongside other stuff I care about.

neon mason
#

I am isolating where possible, so the spn node is running dockerised, but I had to bind it to the host network as it needs access to the host interface (it's not designed for docker)
Other internal things are dockerised on their own isolated networks.

I run tailscale and cloudflare tunnel as daemons for development / public access to those containers

strong oar
#

well even if they do most require you to tell them about it first so they know what to do when the hundreds of abuse complaints come piling in

#

of course I'm taking that knowledge from tor exits, but if spn is anything close you'll end with the same result

neon mason
#

Alright I'll take a look, thanks for your help again

neon mason
#

Looks like they do allow it; I can't find anything in the terms and conditions against it, and there's a ton of people running tor exit nodes on my provider. It doesn't say anywhere about informing them either, that I can see

strong oar
#

hmm, might be fine then. Either way though, in terms of security, cloudflared -> http over localhost is going over the loopback interface, not the internet-facing one