New Add-On: Cloudflared

@brenner-tobias thank you for making this addon it’s pretty great and the documentation is excellent. I had Cloudflare already set up, just dropping in the addon and turning it on took 15 seconds and everything was working right out of the box.

Quick question, do I need to do something special to get subfolders to work?

For example: server.example.com/plex

I have all of the subfolders set up in the NPM addon and they all used to work before I enabled the addon. Now I get 404 Not Found for all the subfolder locations.

Here is my Cloudflared config:

additional_hosts:
  - hostname: router.example.com
    service: http://172.16.3.1:8000
  - hostname: server.example.com
    service: http://172.16.3.161
    disableChunkedEncoding: true
  - hostname: requests.example.com
    service: http://172.16.3.161:5055
    disableChunkedEncoding: true
external_hostname: hq.example.com
tunnel_name: homeassistant
tunnel_token: ""
nginx_proxy_manager: true
log_level: notice

…I was hoping that maybe if I already have NPM installed there is a way to pass the traffic to it so it can just handle the routing

Same problem with addon edge

Hello! This is the second day I cannot figure out how to install remote access through this addon.
I got the domain name sample.tk
I registered on the Cloudflare website.
Added a domain name to the site.
Set DNS in Freenom settings
Added repository https://github.com/brenner-tobias/ha-addon
Installed the addon in HA
Registered in its settings the address sample.tk
I run … but there is nothing in the logs.
Judging by the changed description at the beginning of this thread on the forum, now there is no link in the logs.
So what’s next? There is no external access. What are the next steps?
Thanks in advance for your help.

Judging by the changed description at the beginning of this thread on the forum, now there is no link in the logs.

Regarding the above, I think you are referring to the strike-through part. I think you misread that, since it's only referring to auto-opening the link not being possible; however, it should still be in the logs.

So you start the add-on and there are no logs at all?

You have to click refresh in the logs view. It will literally pause giving you the url. Make sure log level is set to debug as well.

Trying it rn! Thanks

edit: it works!

Hello
I have been using this addon since last month and so far it is great for my double NAT setup, as my ISP does not support port forwarding.
But for the last 2 days I keep dropping the connection; sometimes it works and most of the time it does not.
This is my configuration file:

additional_hosts:
  - hostname: plex.xxxxxxx.xx
    service: http://192.168.0.111:32400
  - hostname: radarr.xxxxxxx.xx
    service: http://192.168.0.111:7878
  - hostname: qbit.xxxxxxx.xx
    service: http://192.168.0.111:8080
  - hostname: sonarr.xxxxxxx.xx
    service: http://192.168.0.111:8989
external_hostname: xxxxxxx.xx
tunnel_name: homeassistant1
tunnel_token: ""

This is the log

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service init-banner: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started
-----------------------------------------------------------
 Add-on: Cloudflared
 Use a Cloudflared tunnel (formerly Argo Tunnel) to remotely connect to Home Assistant without opening any ports
-----------------------------------------------------------
 Add-on version: 2.0.16
 You are running the latest version of this add-on.
 System: Ubuntu 22.04.1 LTS  (amd64 / qemux86-64)
 Home Assistant Core: 2022.9.0
 Home Assistant Supervisor: 2022.08.6

 System setup not officially supported by Home-Assistant.
 Errors with this add-on may occur.
 We don't offer support with unsupported setups.

-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub or forums.
-----------------------------------------------------------
s6-rc: info: service init-banner successfully started
s6-rc: info: service init-log-level: starting
s6-rc: info: service init-log-level successfully started
s6-rc: info: service init-cloudflared-config: starting
[08:41:13] INFO: Checking Add-on config...
[08:41:14] INFO: Checking for existing certificate...
[08:41:14] INFO: Existing certificate found
[08:41:14] INFO: Checking for existing tunnel...
[08:41:14] INFO: Existing tunnel with ID b04b949f-3f85-4e12-xxx-xxxxxx found
[08:41:14] INFO: Checking if existing tunnel matches name given in config
[08:41:16] INFO: Existing Cloudflare tunnnel name matches config, proceeding with existing tunnel file
[08:41:16] INFO: Creating config file...
[08:41:18] INFO: Validating config file...
Validating rules from /tmp/config.json
OK
[08:41:18] INFO: Creating new DNS entry xxxxxxx.xx...
2022-09-09T03:11:19Z INF xxxxxxx.xx is already configured to route to your tunnel tunnelID=b04b949f-3f85-4e12-xxx-xxxxxx
[08:41:19] INFO: Creating new DNS entry plex.xxxxxxx.xx...
2022-09-09T03:11:21Z INF plex.xxxxxxx.xx is already configured to route to your tunnel tunnelID=b04b949f-3f85-4e12-xxx-xxxxxx
[08:41:21] INFO: Creating new DNS entry radarr.xxxxxxx.xx...
2022-09-09T03:11:22Z INF radarr.xxxxxxx.xx is already configured to route to your tunnel tunnelID=b04b949f-3f85-4e12-xxx-xxxxxx
[08:41:22] INFO: Creating new DNS entry qbit.xxxxxxx.xx...
2022-09-09T03:11:23Z INF qbit.xxxxxxx.xx is already configured to route to your tunnel tunnelID=b04b949f-3f85-4e12-xxx-xxxxxx
[08:41:23] INFO: Creating new DNS entry sonarr.xxxxxxx.xx...
2022-09-09T03:11:25Z INF sonarr.xxxxxxx.xx is already configured to route to your tunnel tunnelID=b04b949f-3f85-4e12-xxx-xxxxxx
[08:41:25] INFO: Finished setting-up the Cloudflare tunnel
s6-rc: info: service init-cloudflared-config successfully started
s6-rc: info: service cloudflared: starting
s6-rc: info: service cloudflared successfully started
s6-rc: info: service legacy-services: starting
s6-rc: info: service legacy-services successfully started
[08:41:25] INFO: Connecting Cloudflared Tunnel...
2022-09-09T03:11:26Z INF Starting tunnel tunnelID=b04b949f-3f85-4e12-a505-bd2812a9f0a1
2022-09-09T03:11:26Z INF Version 2022.9.0
2022-09-09T03:11:26Z INF GOOS: linux, GOVersion: go1.18.5, GoArch: amd64
2022-09-09T03:11:26Z INF Settings: map[config:/tmp/config.json cred-file:/data/tunnel.json credentials-file:/data/tunnel.json loglevel:info metrics:0.0.0.0:36500 no-autoupdate:true origincert:/data/cert.pem]
2022-09-09T03:11:26Z INF Generated Connector ID: 7426a58b-1be8-446f-910e-f0dd3ece56f3
2022-09-09T03:11:26Z INF Initial protocol quic
2022-09-09T03:11:26Z INF Starting metrics server on [::]:36500/metrics
2022/09/09 08:41:26 failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details.
2022-09-09T03:11:27Z INF Connection dcf17ea8-b8ca-486e-ae8c-e2ea208babee registered connIndex=0 ip=198.41.200.193 location=DEL
2022-09-09T03:11:27Z INF Connection d970b20a-156e-4f7f-9bf5-f198f497bcc5 registered connIndex=1 ip=198.41.192.57 location=BOM
2022-09-09T03:11:29Z INF Connection 90c8201c-d865-45c5-b36e-8ae42afdb567 registered connIndex=2 ip=198.41.200.23 location=DEL
2022-09-09T03:11:30Z INF Connection 7c6c8764-5def-4db7-8ffb-21b378090bb2 registered connIndex=3 ip=198.41.192.47 location=BOM
2022-09-09T03:12:02Z ERR  error="Incoming request ended abruptly: context canceled" cfRay=747cbd652cc8b2a9-MAA ingressRule=0 originService=http://homeassistant:8123
2022-09-09T03:12:02Z ERR Request failed error="Incoming request ended abruptly: context canceled" connIndex=2 dest=https://xxxxxxx.xx/manifest.json ip=198.41.200.23 type=http
2022-09-09T03:13:52Z ERR  error="Incoming request ended abruptly: context canceled" cfRay=747cbfa5bc33a919-MAA ingressRule=0 originService=http://homeassistant:8123
2022-09-09T03:13:52Z ERR  error="Incoming request ended abruptly: context canceled" cfRay=747cbd673f2079e7-HYD ingressRule=0 originService=http://homeassistant:8123
2022-09-09T03:13:52Z ERR Request failed error="Incoming request ended abruptly: context canceled" connIndex=2 dest=https://xxxxxxx.xx/auth/authorize?response_type=code&redirect_uri=https%3A%2F%2Fxxxxxxx.xx%2F%3Fauth_callback%3D1&client_id=https%3A%2F%2Fxxxxxxx.xx%2F&state=eyJoYXNzVXJsIjoiaHR0cHM6Ly9teWhvbWVhc3Npc3RhbnQuZ3EiLCJjbGllbnRJZCI6Imh0dHBzOi8vbXlob21lYXNzaXN0YW50LmdxLyJ9 ip=198.41.200.23 type=http
2022-09-09T03:13:52Z ERR  error="Incoming request ended abruptly: context canceled" cfRay=747cbdc3599a79f4-HYD ingressRule=4 originService=http://192.168.0.111:8989
2022-09-09T03:13:52Z ERR Request failed error="Incoming request ended abruptly: context canceled" connIndex=2 dest=https://xxxxxxx.xx/auth/authorize?response_type=code&redirect_uri=https%3A%2F%2Fxxxxxxx.xx%2F%3Fauth_callback%3D1&client_id=https%3A%2F%2Fxxxxxxx.xx%2F&state=eyJoYXNzVXJsIjoiaHR0cHM6Ly9teWhvbWVhc3Npc3RhbnQuZ3EiLCJjbGllbnRJZCI6Imh0dHBzOi8vbXlob21lYXNzaXN0YW50LmdxLyJ9 ip=198.41.200.23 type=http
2022-09-09T03:13:52Z ERR Request failed error="Incoming request ended abruptly: context canceled" connIndex=2 dest=http://sonarr.xxxxxxx.xx/login?returnUrl=/ ip=198.41.200.23 type=http
2022-09-09T03:15:43Z ERR Failed to handle QUIC stream error=EOF connIndex=2 ip=198.41.200.23

Most of the time I get "A timeout occurred", error code 524.

Does it have anything to do with increasing the buffer size?
Because I was getting that error previously but it worked fine until now.

Exact thing has happened to me as well. Same base os as well.

Sorry the add-on stopped working. Looking at the logs, everything looks fine on the add-on / HA side (though you are running it in a “not supported environment”), so this feels like an issue with Cloudflared itself. We updated to 2022.9.0 three days ago, so maybe that is causing some problems. I suggest you try using the add-on version v2.0.15 and also raise this with Cloudflared.
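One way to triage a log like the one posted above, as an added example (not from the thread or the add-on): it counts ERR lines per edge connection and per origin service, which shows whether failures cluster on one backend or span several. The sample lines are constructed in the posted format; `example.invalid` hostnames and the cfRay values are placeholders.

```python
import re
from collections import Counter

# Constructed sample, shortened from the log format posted above.
SAMPLE_LOG = '''\
2022/09/09 08:41:26 failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB).
2022-09-09T03:11:27Z INF Connection c0 registered connIndex=0 ip=198.41.200.193 location=DEL
2022-09-09T03:11:27Z INF Connection c1 registered connIndex=1 ip=198.41.192.57 location=BOM
2022-09-09T03:11:29Z INF Connection c2 registered connIndex=2 ip=198.41.200.23 location=DEL
2022-09-09T03:12:02Z ERR  error="Incoming request ended abruptly: context canceled" cfRay=RAY1-MAA ingressRule=0 originService=http://homeassistant:8123
2022-09-09T03:12:02Z ERR Request failed error="Incoming request ended abruptly: context canceled" connIndex=2 dest=https://example.invalid/auth/authorize?response_type=code&state=abc ip=198.41.200.23 type=http
2022-09-09T03:13:52Z ERR  error="Incoming request ended abruptly: context canceled" cfRay=RAY2-HYD ingressRule=4 originService=http://192.168.0.111:8989
2022-09-09T03:13:52Z ERR Request failed error="Incoming request ended abruptly: context canceled" connIndex=2 dest=http://sonarr.example.invalid/login?returnUrl=/ ip=198.41.200.23 type=http
2022-09-09T03:15:43Z ERR Failed to handle QUIC stream error=EOF connIndex=2 ip=198.41.200.23
'''

LINE = re.compile(r'^(\S+Z) (DBG|INF|WRN|ERR)\s(.*)$')
# key=value pairs; values are either double-quoted or run to the next space
FIELD = re.compile(r'(?:^|\s)(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Return (timestamp, level, fields) for a structured cloudflared line, else None."""
    m = LINE.match(line)
    if not m:
        return None  # e.g. the quic-go buffer warning, which uses another format
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group(3))}
    return m.group(1), m.group(2), fields

def summarize(log_text):
    """Count ERR lines per edge connection and per origin service."""
    edges, by_conn, by_origin = {}, Counter(), Counter()
    for parsed in filter(None, map(parse_line, log_text.splitlines())):
        _, level, f = parsed
        if level == "INF" and "location" in f and "connIndex" in f:
            edges[f["connIndex"]] = (f["ip"], f["location"])
        elif level == "ERR":
            if "connIndex" in f:
                by_conn[f["connIndex"]] += 1
            if "originService" in f:
                by_origin[f["originService"]] += 1
    return {"edges": edges, "errors_by_conn": dict(by_conn),
            "errors_by_origin": dict(by_origin)}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Errors spread over several origin services but concentrated on one connIndex point at the path between cloudflared and that edge connection rather than at a single backend.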

Thanks for the suggestion. I tried the lower version on my server and the same thing is happening. It seems to me it is an ISP issue; I tried everything but nothing has worked so far. After a cloudflared restart it works for a few minutes and after that starts losing the connection.
On IPv6 I can forward ports and access HA, but that is not possible on IPv4. I noticed that cloudflared started supporting IPv6 from version 2022.7.1. I tested it on my server using --edge-ip-version 6 but was not able to connect. I have not played with it much but I think I can get it working with IPv6.

So finally I installed Tailscale on a VPS and then used my Tailscale IP to tunnel via cloudflared. The problem I am facing is that I can access my other hostnames but am not able to access homeassistant. I keep getting a white screen on the webpage even though - service: http_404 is enabled. I have added my Tailscale IP to trusted_proxies but it is still not connecting. What could be the issue?

Great add-on, thanks a lot for your work! I’ve been using cloudflared for some time running on a separate VM but this add-on allows me to streamline my systems and run it on HA.
I have a doubt about end-to-end encryption when using the tunnel which may seem stupid but reading through Cloudflare’s documentation I’m not sure if I got it right. I have a couple of applications, most served on https and one served on http. When connecting to the http one through the tunnel my browser dutifully informs me that it is not encrypted but according to the Cloudflare documentation one could infer that the traffic is encrypted end2end. I can and will secure said application but just out of curiosity wanted to confirm this point. Any clarification welcome.

Hello Tobias,

Can you please confirm or contradict that the add-on is not working with the newest Home Assistant?
I ask because I have been trying to make it work for several hours with no success.

Looking forward to hearing from you.
Thank you in advance!

Works fine with HA 2022.9.4.

Thank you, I finally made it work without knowing why. Sometimes it might just need an extra moment :wink:

Is anybody combining this with mTLS? Unless I’m misunderstanding, cloudflared enables the secure connection between Cloudflare and your local network (ie. Home Assistant) but it still allows anybody to access the tunnel using the public hostname, right?

Yes anyone can access the tunnel if they know your domain name. However in Cloudflare you can turn on Zero Trust which will put an authentication in place like GitHub or Google. User basically has to authenticate with a selected service and then you select who is allowed to get through

Hi, I need to expose both port 443 and 80 but I’m unsure how to do that. I tried adding two hostname fields:

- hostname: subdomain.example.com
  service: https://1.1.1.1
- hostname: subdomain.example.com
  service: http://1.1.1.1

I also tried adding port 443 on http and vice versa:

- hostname: subdomain.example.com
  service: http://1.1.1.1:443
- hostname: subdomain.example.com
  service: https://1.1.1.1:80

Any help would be appreciated!

It really depends on the use-case that you want to solve here, so let me give you my thoughts:

  1. My understanding is that everything you route into your Cloudflare Tunnel is always reachable via https for end users. Meaning: the connection from the client to the Cloudflare reverse proxy is always https.
  2. The connection from the proxy to your service can be done in many different ways (see documentation here). So this means you can route to an http site.

Now if you need to offer your site via http to the public using the Cloudflare proxy (which it looks like to me), I do not think this is working (plus I suggest to overthink why this is needed in the first place). If you only need to reach a service, that is internally available via http, that can be easily done.

Since this is a Cloudflare issue, I suggest to have a look at their documentation and raise the questions with them.
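A check for the two `additional_hosts` attempts in the question above, as an added example (not code from the add-on or from Cloudflare). cloudflared evaluates ingress rules top to bottom and uses the first match, so a second entry for the same hostname is never reached; the example assumes the add-on writes `additional_hosts` as ingress rules in the listed order, and `lint_hosts` is a hypothetical helper name.

```python
from urllib.parse import urlsplit

# The two attempts from the question, written as Python data (constructed from the post).
ATTEMPT_1 = [
    {"hostname": "subdomain.example.com", "service": "https://1.1.1.1"},
    {"hostname": "subdomain.example.com", "service": "http://1.1.1.1"},
]
ATTEMPT_2 = [
    {"hostname": "subdomain.example.com", "service": "http://1.1.1.1:443"},
    {"hostname": "subdomain.example.com", "service": "https://1.1.1.1:80"},
]

DEFAULT_PORT = {"http": 80, "https": 443}

def lint_hosts(hosts):
    """Return (index, code, message) findings for a list of additional_hosts entries."""
    findings, first_seen = [], {}
    for i, entry in enumerate(hosts):
        name = entry["hostname"].lower()
        url = urlsplit(entry["service"])
        # First match wins: a repeated hostname can never route to its own service.
        if name in first_seen:
            findings.append((i, "shadowed",
                             f"{name} is already matched by entry {first_seen[name]}"))
        else:
            first_seen[name] = i
        # An explicit port that is the default of the *other* scheme is usually a mix-up:
        # plain HTTP sent to a TLS listener, or a TLS handshake sent to a plain listener.
        if url.scheme in DEFAULT_PORT and url.port is not None:
            other = "https" if url.scheme == "http" else "http"
            if url.port == DEFAULT_PORT[other]:
                findings.append((i, "scheme-port",
                                 f"{url.scheme} origin on port {url.port}, "
                                 f"the default port for {other}"))
    return findings

if __name__ == "__main__":
    for label, hosts in (("attempt 1", ATTEMPT_1), ("attempt 2", ATTEMPT_2)):
        for index, code, message in lint_hosts(hosts):
            print(f"{label}: entry {index}: {code}: {message}")
```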

Got a link to instructions for this? Not finding it in the Zero Trust dashboard.
