Can't connect to my HA remotely by using a cloudflare tunnel (novice to the bone user)

Hello all.
I'm going to try explaining my situation. But as mentioned in the title, most of the time I have no idea what I'm doing. All this Linux, Docker and Home Assistant stuff is new to me.

I have an ISP modem that is connected to my UniFi USG router. The IP range between those two is 192.168.0.0/24, where my USG has the IP address 192.168.0.177.
I have created a network 192.168.1.0/24 on my UniFi USG to connect my home devices.
On this network I have a Beelink mini PC on a static IP address 192.168.1.10.
I installed Ubuntu Server on it and used the Home Automation Guy install guide to install Docker, Home Assistant (Docker) and Portainer on it. So far so good, all this is working fine.

As you can see, I also installed cloudflared-tunnel on Docker. I can see that the tunnel is active and I can ping my domain from my Linux server.

But when I try to connect I get the 502 Bad Gateway error page from Cloudflare.
This is the error I find in the Home Assistant log:

2023-03-16 16:46:10.428 ERROR (MainThread) [aiohttp.server] Error handling request
Traceback (most recent call last):
File "/usr/local/lib/python3.10/site-packages/aiohttp/web_protocol.py", line 332, in data_received
messages, upgraded, tail = self._request_parser.feed_data(data)
File "aiohttp/_http_parser.pyx", line 551, in aiohttp._http_parser.HttpParser.feed_data
aiohttp.http_exceptions.BadStatusLine: 400, message="Bad status line 'Invalid method encountered'"

This is the log of my Cloudflare tunnel:
2023-03-16T16:46:10Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: first record does not look like a TLS handshake" cfRay=7a8e78830d4f2e02-BRU ingressRule=0 originService=https://192.168.1.10:8123
2023-03-16T16:46:10Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: tls: first record does not look like a TLS handshake" connIndex=3 dest=http://(my domain is filled in here but I removed it)/favicon.ico ip=(removed this also) type=http

I tried to find some help online on Google and even ChatGPT, but I have been going around in circles for the last 3 days.

This is my HA config; all the lines starting with # are what I tried, but without success.

#cloudflare test 2
#homeassistant:
 #  external_url: https://(removed)

#cloudflare test
#http:
#  use_x_forwarded_for: true
#  trusted_proxies:
#    - 192.168.0.0/24
#    - 192.168.1.0/24
#    - 172.18.0.0/24
# Add container user interfaces to the navigation menu
panel_iframe:
  portainer:
    title: "Portainer"
    url: "http://192.168.1.10:9000/#/containers"
    icon: mdi:docker
    require_admin: true
# Loads default set of integrations. Do not remove.
default_config:

# Load frontend themes from the themes folder
frontend:
  themes: !include_dir_merge_named themes

# Text to speech
tts:
  - platform: google_translate

automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml

I even added my netplan config file:

network:
  ethernets:
    enp2s0:
      addresses:
      - 192.168.1.10/24
      nameservers:
        addresses:
        - 8.8.8.8
        - 8.8.4.4
        search: []
      routes:
      - to: default
        via: 192.168.1.1
  version: 2

This is my docker-compose config:

version: '3.0'

services:
  portainer:
    container_name: portainer
    image: portainer/portainer-ce
    restart: always
    ports:
      - "9000:9000/tcp"
    environment:
      - TZ=Europe/London
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/portainer:/data
  homeassistant:
    container_name: homeassistant
    image: "ghcr.io/home-assistant/home-assistant:stable"
    volumes:
      - /opt/homeassistant/config:/config
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    privileged: true
    network_mode: host
  tunnel:
    container_name: cloudflared-tunnel
    image: cloudflare/cloudflared
    restart: unless-stopped
    command: tunnel run
    environment:
      - TUNNEL_TOKEN=token is correct but removed it for security

I tried to add the Cloudflare integration in HA (Docker), as most guides talk about an add-on (which I can't use because this is not HA OS). I created an API token with Zone:Zone:Read and Zone:DNS:Edit; I can choose my domain, but no record, as there is no A record created, only a CNAME.

I really have no idea what to do anymore. I have read so many forums, but can't find anything that is related to my issue. I hope some of you have an idea what I'm missing...
My apologies for my bad spelling/language and noobism. Thanks in advance.
(Sorry for the messy layout, I had taken screenshots of everything, but as a new user I can only add 1 image.)
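The two errors quoted in this post are the two ends of one scheme mismatch, re-created here offline as an added example (Python, not from any poster in the thread): cloudflared opens with a TLS ClientHello because its origin service is https://, Home Assistant answers as a plain-HTTP server, and each side logs the other's bytes as garbage. The byte strings and the `classify`/`diagnose` helpers are constructed for illustration.

```python
# Added example, not from any poster in this thread. Offline re-creation of why
# the two log lines quoted above appear together: cloudflared was told the
# origin is https://192.168.1.10:8123, so it opens with a TLS ClientHello, while
# Home Assistant listens for plain HTTP and its aiohttp parser reads the first
# ClientHello byte (0x16) as an invalid HTTP method. All byte strings below are
# constructed sample data.

TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}
HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"OPTIONS", b"PATCH", b"CONNECT", b"TRACE"}


def classify(first_bytes: bytes) -> str:
    """Label the opening bytes of a TCP stream as a TLS record, HTTP request,
    HTTP response, or unknown. A TLS record header is one content-type byte
    followed by the 2-byte version 0x03 0x00..0x04 (SSL 3.0 through TLS 1.3)."""
    if (len(first_bytes) >= 5 and first_bytes[0] in TLS_CONTENT_TYPES
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04):
        return "tls:" + TLS_CONTENT_TYPES[first_bytes[0]]
    start_line = first_bytes.split(b"\r\n", 1)[0]
    if start_line.startswith(b"HTTP/"):
        return "http-response"
    if start_line.split(b" ", 1)[0] in HTTP_METHODS:
        return "http-request"
    return "unknown"


ORIGIN_IS_HTTP = "origin speaks plain HTTP: point the tunnel at http://, not https://"
ORIGIN_IS_TLS = "origin speaks TLS: point the tunnel at https://, not http://"
OK = "schemes match"


def diagnose(sent_by_proxy: bytes, returned_by_origin: bytes) -> str:
    """Compare what the proxy (cloudflared) sent with what the origin
    (Home Assistant) sent back and name the scheme mismatch, if any."""
    sent, got = classify(sent_by_proxy), classify(returned_by_origin)
    if sent == "tls:handshake" and got == "http-response":
        return ORIGIN_IS_HTTP  # this thread's case: 502 plus 'Invalid method encountered'
    if sent == "http-request" and got == "tls:alert":
        return ORIGIN_IS_TLS
    if sent.startswith("tls:") and got.startswith("tls:"):
        return OK
    if sent == "http-request" and got == "http-response":
        return OK
    return "unknown: proxy sent %s, origin returned %s" % (sent, got)


# Constructed samples: a TLS 1.2 ClientHello record header and an HTTP 400
# reply of the kind aiohttp sends back when it cannot parse the request line.
CLIENT_HELLO = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32
HA_400_REPLY = b"HTTP/1.0 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n"

if __name__ == "__main__":
    print(diagnose(CLIENT_HELLO, HA_400_REPLY))
```

Running it prints the http:// advice, which is exactly the change the later update in this thread reports as the fix.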

Have you disabled cert verification in the TLS settings (where you define the hostname in the Cloudflare tunnel config)?

I did not, I will check this as soon as I can to see if that fixes the problem. Will try in the meantime to see how to work with SSL/TLS :slight_smile: Thanks for the quick reply.

Just an update for people with the same issue:
Disabling TLS does not seem to be the solution; I keep getting the same error.
I added an iptables rule on my Linux box to forward traffic from my Cloudflare container to my Home Assistant.

sudo iptables -A FORWARD -i docker0 -s 172.18.0.2 -d 192.168.1.10/32 -p tcp --dport 8123 -j ACCEPT

I also added the following to my HA config:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.18.0.2

When I use http as the service I can now connect remotely.
Going to do some reading now on how to set up my SSL/TLS with Let's Encrypt in Docker :smiley:


You may want to check my post here where I finally got HA and the Vaultwarden (Bitwarden) password manager both working locally and remotely using HTTPS SSL/TLS via Cloudflared Tunnels and the Caddy 2 proxy server.