Can't connect to my HA remotely by using a cloudflare tunnel (novice to the bone user)

Hello all.
I'm going to try to explain my situation, but as mentioned in the title, most of the time I have no idea what I'm doing. All this Linux, Docker and Home Assistant stuff is new to me.

I have an ISP modem that is connected to my UniFi USG router. The IP range between those two is 192.168.0.0/24, where my USG has the IP address 192.168.0.177.
I have created a network 192.168.1.0/24 on my USG to connect my home devices.
On this network I have a Beelink mini PC with the static IP address 192.168.1.10.
I installed Ubuntu Server on it and used the Home Automation Guy install guide to install Docker, Home Assistant (Docker) and Portainer on it. So far so good; all of this is working fine.

As you can see, I also installed cloudflared-tunnel in Docker. I can see that the tunnel is active and I can ping my domain from my Linux server.

But when I try to connect I get the 502 Bad Gateway error page from Cloudflare.
This is the error I find in the Home Assistant log:

2023-03-16 16:46:10.428 ERROR (MainThread) [aiohttp.server] Error handling request
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/aiohttp/web_protocol.py", line 332, in data_received
    messages, upgraded, tail = self._request_parser.feed_data(data)
  File "aiohttp/_http_parser.pyx", line 551, in aiohttp._http_parser.HttpParser.feed_data
aiohttp.http_exceptions.BadStatusLine: 400, message="Bad status line 'Invalid method encountered'"

This is the log of my Cloudflare tunnel:
2023-03-16T16:46:10Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: first record does not look like a TLS handshake" cfRay=7a8e78830d4f2e02-BRU ingressRule=0 originService=https://192.168.1.10:8123
2023-03-16T16:46:10Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: first record does not look like a TLS handshake" connIndex=3 dest=http://(my domain, removed)/favicon.ico ip=(removed) type=http

I tried to find some help online on Google and even ChatGPT, but I have been going around in circles for the last 3 days.

This is my HA config; everything commented out with # is what I tried, but without success.

#cloudflare test 2
#homeassistant:
#  external_url: https://(removed)

#cloudflare test
#http:
#  use_x_forwarded_for: true
#  trusted_proxies:
#    - 192.168.0.0/24
#    - 192.168.1.0/24
#    - 172.18.0.0/24

# Add container user interfaces to the navigation menu
panel_iframe:
  portainer:
    title: "Portainer"
    url: "http://192.168.1.10:9000/#/containers"
    icon: mdi:docker
    require_admin: true

# Loads default set of integrations. Do not remove.
default_config:

# Load frontend themes from the themes folder
frontend:
  themes: !include_dir_merge_named themes

# Text to speech
tts:
  - platform: google_translate

automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml

I even added my netplan config file:

network:
  ethernets:
    enp2s0:
      addresses:
      - 192.168.1.10/24
      nameservers:
        addresses:
        - 8.8.8.8
        - 8.8.4.4
        search: []
      routes:
      - to: default
        via: 192.168.1.1
  version: 2

This is my docker-compose config:

version: '3.0'

services:
  portainer:
    container_name: portainer
    image: portainer/portainer-ce
    restart: always
    ports:
      - "9000:9000/tcp"
    environment:
      - TZ=Europe/London
    volumes:
      # Docker socket: gives Portainer full control over the Docker daemon
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/portainer:/data
  homeassistant:
    container_name: homeassistant
    image: "ghcr.io/home-assistant/home-assistant:stable"
    volumes:
      - /opt/homeassistant/config:/config
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    privileged: true      # full access to host devices (USB/Bluetooth sticks)
    network_mode: host    # HA listens on the host's own IP (192.168.1.10:8123)
  tunnel:
    container_name: cloudflared-tunnel
    image: cloudflare/cloudflared
    restart: unless-stopped
    command: tunnel run
    # no network_mode here: this container sits on the compose bridge network,
    # so it reaches HA through the host IP, not through localhost
    environment:
      - TUNNEL_TOKEN=<token removed for security; the real one is correct>

I tried to add the Cloudflare integration in HA (Docker), as most guides talk about an add-on (which I can't use because I'm not on HA OS). I created an API token with Zone:Zone:Read and Zone:DNS:Edit; I can choose my domain, but no record, as there is no A record created, only a CNAME.

I really have no idea what to do anymore. I have read so many forums, but can't find anything related to my issue. I hope some of you have an idea what I'm missing…
My apologies for my bad spelling/language and noobism. Thanks in advance.
(Sorry for the messy layout; I had taken screenshots of everything, but as a new user I can only add 1 image.)
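Before guessing at TLS settings it is worth checking what the origin actually speaks on port 8123, because the two log excerpts above fit together: cloudflared opened a TLS connection to https://192.168.1.10:8123 and sent a ClientHello, Home Assistant's aiohttp (plain HTTP) tried to read that as an HTTP request line ("Invalid method encountered") and answered with a plaintext 400, and cloudflared's Go TLS client then rejected that reply as "first record does not look like a TLS handshake". The script below is an added example, not code from the thread, Home Assistant or cloudflared: it probes an origin and reports which scheme the ingress `service` should use. The 192.168.1.10:8123 address in the `__main__` block is the one from the post; `demo_plaintext_origin()` uses a constructed local stand-in so the check also runs offline.

```python
"""Probe whether a Cloudflare Tunnel origin speaks TLS or plaintext HTTP.

Added example for this thread; not code from Home Assistant, cloudflared or
the poster. The 192.168.1.10:8123 origin in the __main__ block is the one the
post describes; demo_plaintext_origin() uses a local stand-in instead so the
check runs offline.
"""
import socket
import ssl
import threading

TLS_RECORD_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                    0x16: "handshake", 0x17: "application_data"}
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def classify_first_record(data: bytes) -> str:
    """Name the protocol behind the first bytes seen on a connection.

    A TLS record starts with a content-type byte (0x14..0x17) followed by the
    major version byte 0x03; HTTP/1.x starts with an ASCII request line (client
    side) or "HTTP/" (server side). Go's crypto/tls, which cloudflared uses,
    applies the same kind of check to the server's first bytes before it
    reports "first record does not look like a TLS handshake".
    """
    if len(data) >= 2 and data[0] in TLS_RECORD_TYPES and data[1] == 0x03:
        return "tls:" + TLS_RECORD_TYPES[data[0]]
    if data.startswith(b"HTTP/"):
        return "http:response"
    if data.startswith(HTTP_METHODS):
        return "http:request"
    return "unknown"


def probe_tls(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if the origin completes a TLS handshake (certificate NOT verified).

    Verification is off on purpose: the only question is whether the port
    speaks TLS at all, which is what an https:// ingress service requires.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        # A plaintext origin answers the ClientHello with "HTTP/1.1 400 ...",
        # which OpenSSL rejects (WRONG_VERSION_NUMBER) and Go's crypto/tls
        # reports as "first record does not look like a TLS handshake".
        return False


def probe_http(host: str, port: int, timeout: float = 3.0) -> str:
    """Send a minimal HTTP/1.0 request and classify the first reply bytes."""
    request = b"GET / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            return classify_first_record(sock.recv(64))
        except socket.timeout:
            return "unknown"


def origin_scheme(host: str, port: int) -> str:
    """Scheme to put in the cloudflared ingress 'service' URL for this origin."""
    if probe_tls(host, port):
        return "https"
    if probe_http(host, port) == "http:response":
        return "http"
    return "unknown"


def _plaintext_responder(server: socket.socket, connections: int) -> None:
    """Constructed stand-in for an HTTP-only origin such as HA on 8123: whatever
    arrives (an HTTP request or a TLS ClientHello) gets a plaintext 400 back,
    which is also what HA's aiohttp did in the log above."""
    for _ in range(connections):
        conn, _ = server.accept()
        with conn:
            conn.settimeout(2.0)
            try:
                conn.recv(65536)
            except socket.timeout:
                pass
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
    server.close()


def demo_plaintext_origin() -> str:
    """Offline check: probe a local HTTP-only stand-in (expected result: 'http')."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(2)
    port = server.getsockname()[1]
    threading.Thread(target=_plaintext_responder, args=(server, 2), daemon=True).start()
    return origin_scheme("127.0.0.1", port)


if __name__ == "__main__":
    # The post's origin; assumed reachable from wherever this is run.
    print("192.168.1.10:8123 speaks:", origin_scheme("192.168.1.10", 8123))
```

Against a Home Assistant with no `ssl_certificate` in its `http:` section the result is `http`, and the ingress service has to be `http://192.168.1.10:8123`; the "No TLS Verify" option only relaxes certificate checking on a connection that is already TLS, so it cannot help here. Browsers still get HTTPS, terminated at Cloudflare's edge; the plaintext hop is only between the cloudflared container and HA on the LAN.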

Have you disabled cert verification in the TLS settings (where you define the hostname in the Cloudflare tunnel config)?

I did not. I will check this as soon as I can to see if that fixes the problem. In the meantime I will try to find out how to work with SSL/TLS :slight_smile: Thanks for the quick reply.

Just an update for people with the same issue:
Disabling TLS does not seem to be the solution; I keep getting the same error.
I added an iptables rule on my Linux box to forward traffic from my Cloudflare container to my Home Assistant:

sudo iptables -A FORWARD -i docker0 -s 172.18.0.2 -d 192.168.1.10/32 -p tcp --dport 8123 -j ACCEPT

I also added the following to my HA config:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.18.0.2

When I use http as the service, I can now connect remotely.
Going to do some reading now on how to set up SSL/TLS with Let's Encrypt in Docker :smiley:


You may want to check my post here, where I finally got HA and Vaultwarden (Bitwarden) password manager both working locally and remotely using HTTPS (SSL/TLS) via Cloudflare Tunnels and the Caddy 2 proxy server.

Hello all. I'm going to try to explain my situation.
I have an ISP modem that is connected to my UniFi USG router. The IP range between those two is 192.168.1.0/24.

I have created a network 192.168.10.0/24 on my router to connect my home smart devices. On this network I have a mini PC with the IP address 192.168.1.119. I installed a Proxmox hypervisor and inside I have one VM with Windows, one VM with Home Assistant OS and one VM with Ubuntu Server with Docker, where I have Portainer and cloudflared-tunnel. The tunnel is active, I can ping my domain and create custom domains for Portainer and Proxmox, and it is working perfectly for proxmox.mydomain.com and portainer.mydomain.com.

But when I try to access ha.mydomain.com I get the 502 Bad Gateway error page from Cloudflare.
I tried to find some help online on Google, and I have already enabled the Disable TLS check.
This is my HA config; everything with # is what I tried, but without success.

This is the log, but I don't know where the error is.

http:
  ip_ban_enabled: true
  login_attempts_threshold: 3
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.10.0/24
    - 172.17.0.0/24
    - 192.169.1.0/24
    - 192.168.10.119
default_config:
I really have no idea what to do anymore. I have read so many forums, but can't find anything related to my issue. I hope some of you have an idea what I'm missing…
Here is the log on the computer:
2024-11-03T00:49:08Z INF Starting tunnel tunnelID=da15e6b1-3499-4cb9-87e1-17c5a3364341
2024-11-03T00:49:08Z INF Version 2024.10.1 (Checksum b32e729d43adb66d22abf6539e287b436b1c312742c2488514ef6ea0a2d37adf)
2024-11-03T00:49:08Z INF GOOS: linux, GOVersion: go1.22.2-devel-cf, GoArch: amd64
2024-11-03T00:49:08Z INF Settings: map[no-autoupdate:true token:*****]
2024-11-03T00:49:08Z INF Generated Connector ID: f7eb72d4-6845-4233-b38d-99b27c630213
2024-11-03T00:49:08Z INF Initial protocol quic
2024-11-03T00:49:08Z INF ICMP proxy will use 172.17.0.2 as source for IPv4
2024-11-03T00:49:08Z INF ICMP proxy will use ::1 in zone lo as source for IPv6
2024-11-03T00:49:08Z INF Starting metrics server on 127.0.0.1:43029/metrics
2024/11/03 00:49:08 failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See UDP Buffer Sizes · quic-go/quic-go Wiki · GitHub for details.
2024-11-03T00:49:08Z INF Registered tunnel connection connIndex=0 connection=d96d77cf-a6f8-44dc-97f9-198502bff64c event=0 ip=198.41.192.7 location=mia01 protocol=quic
2024-11-03T00:49:09Z INF Registered tunnel connection connIndex=1 connection=ab437fff-96d0-4d6e-a44c-36bae7f0c7b4 event=0 ip=198.41.200.43 location=mia05 protocol=quic
2024-11-03T00:49:09Z INF Registered tunnel connection connIndex=2 connection=ef652bfd-9a55-468c-82d6-6eaad2d9e254 event=0 ip=198.41.192.57 location=mia01 protocol=quic
2024-11-03T00:49:11Z INF Registered tunnel connection connIndex=3 connection=af2809ac-15a4-4a5a-bc16-90a75b591b38 event=0 ip=198.41.200.193 location=mia05 protocol=quic
2024-11-03T00:49:13Z INF Updated to new configuration config="{"ingress":[{"hostname":"sawgrassproxmox.mydomain.com","originRequest":{"noTLSVerify":true},"service":"https://192.168.10.120:8006"},{"hostname":"sawgrass-ha.mydomain.com","originRequest":{"noTLSVerify":true},"service":"https://192.168.10.119:8123"},{"service":"http_status:404"}],"warp-routing":{"enabled":false}}" version=13
2024-11-03T00:54:12Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: first record does not look like a TLS handshake" connIndex=1 event=1 ingressRule=1 originService=https://192.168.10.119:8123
2024-11-03T00:54:12Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: first record does not look like a TLS handshake" connIndex=1 dest=https://sawgrass-ha.mydomain.com/ event=0 ip=198.41.200.43 type=http
2024-11-03T01:25:13Z INF Updated to new configuration config="{"ingress":[{"hostname":"sawgrassproxmox.mydomain.com","originRequest":{"noTLSVerify":true},"service":"https://192.168.10.120:8006"},{"hostname":"sawgrass-ha.mydomain.com","originRequest":{"noTLSVerify":true},"service":"https://192.168.10.119:8123"},{"hostname":"sawgrass-portiner.mydomain.com","originRequest":{"noTLSVerify":true},"service":"https://192.168.10.122:9443"},{"service":"http_status:404"}],"warp-routing":{"enabled":false}}" version=14
2024-11-03T01:31:34Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: first record does not look like a TLS handshake" connIndex=0 event=1 ingressRule=1 originService=https://192.168.10.119:8123
2024-11-03T01:31:34Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: first record does not look like a TLS handshake" connIndex=0 dest=https://sawgrass-ha.mydomain.com/ event=0 ip=198.41.192.7 type=http
2024-11-03T01:35:06Z INF Updated to new configuration config="{"ingress":[{"hostname":"sawgrassproxmox.mydomain.com","originRequest":{"noTLSVerify":true},"service":"https://192.168.10.120:8006"},{"hostname":"sawgrassha.mydomain.com","originRequest":{"noTLSVerify":true},"service":"https://192.168.10.119:8123"},{"hostname":"sawgrass-portiner.mydomain.com","originRequest":{"noTLSVerify":true},"service":"https://192.168.10.122:9443"},{"service":"http_status:404"}],"warp-routing":{"enabled":false}}" version=15
2024-11-03T01:35:12Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: first record does not look like a TLS handshake" connIndex=2 event=1 ingressRule=1 originService=https://192.168.10.119:8123
2024-11-03T01:35:12Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: first record does not look like a TLS handshake" connIndex=2 dest=https://sawgrassha.mydomain.com/ event=0 ip=198.41.192.57 type=http
2024-11-03T01:43:15Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: first record does not look like a TLS handshake" connIndex=3 event=1 ingressRule=1 originService=https://192.168.10.119:8123
2024-11-03T01:43:15Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: first record does not look like a TLS handshake" connIndex=3 dest=https://sawgrassha.mydomain.com/ event=0 ip=198.41.200.193 type=http
2024-11-03T02:50:29Z INF Updated to new configuration config="{"ingress":[{"hostname":"sawgrassproxmox.mydomain.com","originRequest":{"noTLSVerify":true},"service":"https://192.168.10.120:8006"},{"hostname":"sawgrass-portiner.mydomain.com","originRequest":{"noTLSVerify":true},"service":"https://192.168.10.122:9443"},{"service":"http_status:404"}],"warp-routing":{"enabled":false}}" version=16
2024-11-03T06:53:29Z INF Updated to new configuration config="{"ingress":[{"hostname":"sawgrassproxmox.mydomain.com","originRequest":{"noTLSVerify":true},"service":"https://192.168.10.120:8006"},{"hostname":"sawgrass-portiner.mydomain.com","originRequest":{"noTLSVerify":true},"service":"https://192.168.10.122:9443"},{"hostname":"hasawgrass.mydomain.com","originRequest":{"noTLSVerify":true},"service":"https://192.168.10.119:8123"},{"service":"http_status:404"}],"warp-routing":{"enabled":false}}" version=17
2024-11-03T06:54:23Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: first record does not look like a TLS handshake" connIndex=3 event=1 ingressRule=2 originService=https://192.168.10.119:8123
2024-11-03T06:54:23Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: first record does not look like a TLS handshake" connIndex=3 dest=https://hasawgrass.mydomain.com/favicon.ico event=0 ip=198.41.200.193 type=http
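Both the original post and this last one end up with the same two mismatches. First, every ingress rule for Home Assistant uses `https://...:8123` although neither `http:` section configures `ssl_certificate`, so HA only speaks plain HTTP there and `noTLSVerify` changes nothing. Second, `trusted_proxies` either misses the address cloudflared actually connects from (the "ICMP proxy will use 172.17.0.2 as source" line reveals the container's address) or is wide enough to include hosts that are not the proxy; with `use_x_forwarded_for: true` any host in a trusted range can set `X-Forwarded-For` and choose the client IP that `ip_ban_enabled` and `login_attempts_threshold` act on. The check below is an added example, not code from the thread, Home Assistant or cloudflared: it pulls the connector address and the ingress JSON out of cloudflared's own log and compares them with an `http:` section. The log text and the two `http:` dicts are constructed from values in the posts above, and `ha_serves_tls` is an assumption the caller has to supply.

```python
"""Consistency check: cloudflared ingress rules vs. Home Assistant's http: section.

Added example for this thread; not code from Home Assistant or cloudflared.
The log text and the http: dicts below are constructed from values in the
posts above; ha_serves_tls is an assumption the caller supplies (True only
when HA's http: section configures ssl_certificate/ssl_key).
"""
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Constructed sample modelled on cloudflared's startup log as shown in the
# post above (hostnames are the posts' own placeholders).
SAMPLE_LOG = (
    '2024-11-03T00:49:08Z INF ICMP proxy will use 172.17.0.2 as source for IPv4\n'
    '2024-11-03T00:49:13Z INF Updated to new configuration config="{"ingress":['
    '{"hostname":"proxmox.mydomain.com","originRequest":{"noTLSVerify":true},'
    '"service":"https://192.168.10.120:8006"},'
    '{"hostname":"ha.mydomain.com","originRequest":{"noTLSVerify":true},'
    '"service":"https://192.168.10.119:8123"},'
    '{"service":"http_status:404"}],"warp-routing":{"enabled":false}}" version=13\n'
)

# http: sections as posted: the OP's working one and the last post's broad one.
HA_HTTP_NARROW = {"use_x_forwarded_for": True, "trusted_proxies": ["172.18.0.2"]}
HA_HTTP_BROAD = {
    "use_x_forwarded_for": True, "ip_ban_enabled": True, "login_attempts_threshold": 3,
    "trusted_proxies": ["192.168.10.0/24", "172.17.0.0/24", "192.169.1.0/24", "192.168.10.119"],
}

_SOURCE_RE = re.compile(r"ICMP proxy will use (?P<ip>[\d.]+) as source for IPv4")
_CONFIG_RE = re.compile(r'config="(?P<json>\{.*\})" version=\d+')


def parse_cloudflared_log(text: str):
    """Return (connector_ipv4, ingress_rules) from cloudflared's log output.

    The IPv4 the ICMP proxy binds to is the container address HA will see as
    the proxy. Ingress rules come from the last "Updated to new configuration"
    line; real logs escape the inner quotes as \\" and both forms are accepted.
    """
    connector_ip, rules = None, []
    for line in text.splitlines():
        m = _SOURCE_RE.search(line)
        if m:
            connector_ip = m.group("ip")
        m = _CONFIG_RE.search(line)
        if m:
            rules = json.loads(m.group("json").replace('\\"', '"'))["ingress"]
    return connector_ip, rules


def check_ingress(rules, ha_origin, ha_serves_tls: bool):
    """Flag rules pointing at HA whose URL scheme disagrees with what HA speaks."""
    findings = []
    wanted = "https" if ha_serves_tls else "http"
    for rule in rules:
        url = urlsplit(rule.get("service", ""))
        if url.scheme not in ("http", "https") or (url.hostname, url.port) != ha_origin:
            continue  # catch-all such as http_status:404, or a different origin
        host = rule.get("hostname", "?")
        if url.scheme != wanted:
            findings.append(("SCHEME_MISMATCH",
                             f"{host}: service is {url.scheme}:// but HA speaks {wanted}"))
        elif url.scheme == "http" and rule.get("originRequest", {}).get("noTLSVerify"):
            findings.append(("NOTLSVERIFY_NOOP",
                             f"{host}: noTLSVerify does nothing for an http:// origin"))
    return findings


def check_trusted_proxies(ha_http: dict, connector_ip: str):
    """Compare trusted_proxies with the address cloudflared connects from.

    HA only honours X-Forwarded-For from trusted_proxies and answers 400 when
    an untrusted peer sends it; every host inside a trusted range can forge
    the header, which defeats ip_ban_enabled / login_attempts_threshold.
    """
    findings = []
    if not ha_http.get("use_x_forwarded_for"):
        return [("NO_XFF", "use_x_forwarded_for is off; all remote users appear as the connector")]
    addr = ipaddress.ip_address(connector_ip)
    nets = [ipaddress.ip_network(n, strict=False) for n in ha_http.get("trusted_proxies", [])]
    if not any(addr in n for n in nets):
        findings.append(("PROXY_NOT_TRUSTED", f"{connector_ip} is not in trusted_proxies"))
    for net in nets:
        if addr not in net:
            findings.append(("TRUSTS_NON_PROXY",
                             f"{net} does not contain the connector; any host in it may forge X-Forwarded-For"))
    return findings


if __name__ == "__main__":
    connector, ingress = parse_cloudflared_log(SAMPLE_LOG)
    for finding in check_ingress(ingress, ("192.168.10.119", 8123), ha_serves_tls=False):
        print(*finding)
    for finding in check_trusted_proxies(HA_HTTP_BROAD, connector):
        print(*finding)
```

Feed it the real output of `docker logs cloudflared-tunnel` and the `http:` section from configuration.yaml. Keep in mind that the connector's bridge address can change when the container is recreated, which is what the OP's single-address entry depends on; pinning it with a fixed `ipv4_address` on the compose network, or running cloudflared with `network_mode: host` so the ingress becomes `http://127.0.0.1:8123` and `trusted_proxies` just `127.0.0.1`, removes that moving part.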