#i need help with cloudflare tunnels

so i self host a service for my mc java server stuff that's called minetrax but it does not whant to work with my cloud flare tunnels like i set the tunnels settings properly and its active (minetrax) but when i try to access the subdomain that i set for it it does not got to minetrax. i even tried accessing the same service from playit.gg and that worked and even conventional port forwarding worked to so why does cloudflare tunnels not work?

To use non-http protocols through Cloudflare tunnels the client has to install software to connect, either cloudflared or WARP w/ Private Networking, eitherway can't simply connect to the public hostname/make it publicily accessible

?tunnel-tcp

Cloudflare Tunnels use Cloudflare's proxy, which only supports proxying HTTP Traffic. If you want to use non-http applications over your tunnel, Cloudflare has a few other options:

For a few specific protocols such as SSH, RDP, and SMB, Cloudflare has guides for them here:
https://developers.cloudflare.com/cloudflare-one/applications/non-http/

For Arbitrary TCP like Minecraft, MySQL, and any other tcp application, Cloudflare has a guide here: https://developers.cloudflare.com/cloudflare-one/applications/non-http/arbitrary-tcp/

For Arbitrary UDP like Minecraft Bedrock, SMTP, and any other udp application, you will need to use Private Networking with WARP: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/private-net/connect-private-networks/

Please note for all of these except SSH and VNC which can be browser-rendered, you will either need to use cloudflared (Cloudflare's tunnel daemon) on the client machine running in the background or Private Networking with WARP, and have WARP installed on the client machine logged into your Zero Trust Team.

yes i know i have cloudflared in a docker running and i have lots of things running through cloud flare tunnels

here is proof that it works:
https://panel.astrellemc.net that goes to my minecraft panel that is running through cloud flare tunnels

right, those are all http services

When you mention playit.gg and port forwarding, I thought you were talking about proxying minecraft itself

that link is https to cloudflare tunnels and i can accses all of my other subdomains that i have running through cloudflare tunnels

no i have a port open for my minecraft server

so "minetrax" is just an http application you're trying to access through your tunnel?

yes or it can be https but yes

what's the error you get right now when trying to access it through a public hostname, and what's your configuration?

there's supposed to be a DNS record created for you when you add a public hostname but I don't see one for www, can you try deleting and recreating the public hostname? Could also copy the dns record from the panel subdomain (assuming same tunnel), but recreating would be easier

ok i deleted it and remade it

If you go into your website in Cloudflare in the normal dashboard, and then DNS -> Records, do you see a record for www at all?

ok so www does not whant to make a dns record at all but if i make another tunnel the same config but differant subdomain then it works

see https://webbb.astrellemc.net/

you mean another public hostname, not another tunnel, right?

correct

just copy the cname target (from webbb or panel, assuming same tunnel) and manually make the DNS record after you make the public hostname then, and see if that works

ok

those records aren't anything special, just need to get the traffic down into the tunnel

so what do i do to get www to work?

well you got one step done

i dont see that

now the tunnel itself is saying it can't reach http://192.168.1.41:25574

you're more then likely just hitting dns cache

how do i fix that

clear dns cache locally and switch your dns resolver to one who updates more quickly then your ISP default (assuming you're using the default), or wait it out (should be a max of an hour or so)

doesn't change the new error though, can the host the tunnel is running on reach http://192.168.1.41:25574? is the web server that is supposed to be there running/responding to requests?

ok now i see that

yes it can yes if i do http://192.168.1.41:25574 localy

like curl http://192.168.1.41:25574 from the same hostthe tunnel is running on?

If that does work, the next thing to check is the tunnel logs journalctl -u cloudflared -f --lines=100 (if on linux/using a systemd os) and see why it thinks it can't connect

no like i can accses the minetrax web from another device useing that on the same network

i think its somthing wrong with cloudflare it self because when i made the webb subdomain it auto made a cmne but when i did the same info but www it did not make one at all

the cname isn't the issue anymore, we're past that

hmm I would make sure accessible via the actual device running the tunnel/cloudflared

ok

either by trying to curl the endpoint from that machine or by checking logs and seeing why it thinks it can't connect, either would be helpful

i got this:

from curl? that looks.. ok? Anything from cloudflared logs?

cloudflared | 2024-05-09T01:19:56Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 127.0.0.1:5658: connect: connection refused" connIndex=3 event=1 ingressRule=6 originService=http://127.0.0.1:5658
cloudflared | 2024-05-09T01:19:56Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 127.0.0.1:5658: connect: connection refused" connIndex=3 dest=https://www.astrellemc.net/ event=0 ip=198.41.200.23 type=http

127.0.0.1:5658

the one you said above was port 25574

yes

what's the www public hostname configured service?

well something is being crossed somewhere lol

how many tunnels do you have? Just that one, with a few public hostnames?

a few

omg

its because i have another www public host name (so i have some how 2 of them)

omg it works now

hmm yea makes sense, was going to ask to make sure you're using the right tunnel. Was it on the same tunnel, or a different one?

oh also while we are at it i also need to figure out my problem with me or my friends getting rate limited when going to my dynmap website that also runs through public hostname

is the rate limit cloudflare branded/a cloudflare error page?

https://mapdyn.astrellemc.net/

try moving the map then it gives you a error red box then refresh the page and you will see it

strange it is not doing it now

I saw a red message and refreshed and now I see this:

yes because i refreshed my test server

oh ok

its back up now

when it did happen, did it look like this?

yep thats the one

If you go Security -> WAF -> Rate Limiting Rules, do you have anything setup?

do you see an old rate limiting section at that page at all? would be right below if you had any old ones

nope

Under the same Security tab there is Security -> Events, see if you can find any rate limiting events and the service causing it (would have to have happened recently tho)

that would cause the same style of error page but a visibily different error, iirc its the one about browser signature. If you're sure it said "You are being rate limited / 1015", it wouldn't be that

something like this

yes it was the 1015 that i was getting before

i am not getting it now though on my end

1015 is Rate limiting, 1010 is Browser Signature/Integrity

Browser Intregity Check is pretty useless anyway, if you think it could be it at all you can turn it off under Security -> Settings, or just wait until it happens again and check Security -> Events

ok