New Add-On: Cloudflared

Hi, I need to expose both port 443 and 80 but I’m unsure how to do that. I tried adding two hostname fields:

- hostname: subdomain.example.com
  service: https://1.1.1.1
- hostname: subdomain.example.com
  service: http://1.1.1.1

I also tried adding port 443 on http and vice versa:

- hostname: subdomain.example.com
  service: http://1.1.1.1:443
- hostname: subdomain.example.com
  service: https://1.1.1.1:80

Any help would be appreciated!

It really depends on the use-case that you want to solve here, so let me give you my thoughts:

  1. My understanding is that everything you route into your Cloudflare Tunnel is always reachable via https from an end-user. Meaning: the connection from the client to the Cloudflare reverse proxy is always https.
  2. The connection from the proxy to your service can be done in many different ways (see documentation here). So this means you can route to an http site.

Now if you need to offer your site via http to the public using the Cloudflare proxy (which is what it looks like to me), I do not think this works (plus I suggest reconsidering why this is needed in the first place). If you only need to reach a service that is internally available via http, that can be easily done.

Since this is a Cloudflare issue, I suggest having a look at their documentation and raising the questions with them.

Got a link to instructions for this? Not finding it in the Zero Trust dashboard.


Zero Trust can be located under “Access” on the left side. Then click add application; you can set it up for each subdomain or domain as you want. The concept is simple: you add the AUTH provider that you want, then once you authorize, the AUTH provider sends back to Zero Trust the username that got authenticated, and you tell Zero Trust which usernames are allowed in.

For example, my Home Assistant is located here: hq.skynetsource.com. I have 2 auth methods for my authorized guests to choose from; you are welcome to try to log in and get denied to see how it works.


@brenner-tobias are there any plans to have subfolders working for domains? Basically being able to define subfolders like server.skynetsource.com/plex and then have that offloaded to Nginx Proxy Manager to handle the actual routing.

Yes I considered that previously and will look into it again.

Love you forever!

After discussing, we decided against implementing the path variable in the add-on as an add-on option. The reason is that the add-on keeps getting more complicated and we want to avoid that. Also, there are already many possibilities for you to achieve what you want to do:

  1. Use the Catch-All rule to forward everything that is not part of your additional_hosts to some reverse proxy. You can also use the nginx_proxy_manager flag to set this automatically to the NPM add-on running in HA as well.
  2. You can use a tunnel which is managed from the Cloudflare Dashboard (see explanation here). In order to do that, you simply have to set the tunnel_token in the add-on options.
  3. You can use a custom config.yml with the add-on. This will override all add-on options and give you the possibility to define anything you can with Cloudflared. See explanation here.

So hopefully with one of these options you can solve your problem. Kindly let me know if you have any questions or problems with the above.

I tried option 1, and I do have a catch-all set up, but it looked like the Cloudflared add-on stripped away all subfolder info and just passed a subdomain to NPM. Do you by any chance have an example of how to set this up with a subfolder?

My current NPM add-on in HA is set up to work with subfolders, so using a catch-all rule like you are describing should automatically make it all work.

My understanding of the whole process is as follows (maybe I missed something?):

  1. cloudflare catches the initial request of say server.example.com/plex and passes it to the tunnel (it doesn’t care that there is a subfolder as it only looks at the domain)
  2. Your add-on takes it in and pushes it further to NPM (if I have that installed, or does the job of NPM)
  3. At this point NPM should see that it’s a subfolder request and route it based on how I set it up within it.

I think what you are describing in 2 and 3 is setting up the subfolder routes through Cloudflared itself, which I agree is probably beyond what this add-on should do. I just think the passing off to NPM is maybe not working right? Or did I miss something?

What you are describing is exactly how it should work. I expected Cloudflare Tunnel to simply use the catch_all_route and forward everything. It seems like it is not doing that, which is strange.
Having said that, this is not something that we define in the add-on; we are merely running Cloudflared as it is within the HA add-on ecosystem.
So unfortunately all I can say to help you is to raise this with Cloudflared itself in order to get it sorted out; hopefully they can help you there. Kindly let me know if there is anything add-on specific that comes out of that.


Gotcha, thank you! Not sure I know how to submit the bug report since I didn’t see catch_all_route in the official plugin. It’s ok though, I already went back to just using Cloudflare without the tunnel. Thanks again for your help.

You can have a look here, where the Ingress is explained, including the catch-all rule as last rule of the ingress block.

Welp got good news, got it all figured out. If you want to have NPM handle the routing you have to set up those routes to go directly to NPM like this:

- hostname: server.skynetsource.com
  service: https://172.16.3.2  #<-- your NPM IP, notice https
- hostname: router.skynetsource.com
  service: https://172.16.3.2  #<-- your NPM IP, notice https
- hostname: example.skynetsource.com
  service: http://172.16.3.161:455   #<-- some other local route, not through NPM

This will make the subfolders work if you have them set up in NPM. Maybe this could be added to the docs of the add-on, since setting up catch-all doesn’t actually push it to NPM.

I think the reason is that a catch-all route is not set up under the DNS in Cloudflare, only the used hostnames are. So Cloudflare itself will not be doing any catching.

Glad it is working for you, though this should also work with the catch-all rule.
Regarding your point: you are completely right. If you use the catch-all rule, you have to manually add all DNS entries in Cloudflare DNS and also in NPM; that’s why I added the following in the documentation for this rule:

In order to route hostnames through the tunnel, you have to create individual CNAME records in Cloudflare for all of them, pointing to your external_hostname or directly to the tunnel URL that you can get from the CNAME entry of external_hostname.

So if you are doing that in the Cloudflare Dashboard, it should work as well; of course your solution is fine too.
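To make the ingress behaviour discussed above concrete, here is an added example (my own code, not the add-on's or cloudflared's) that re-implements the matching described in this thread in Python: rules are tried top to bottom, the first match wins, the last rule must be the catch-all, and the request path is handed to the origin unchanged, which is why NPM still sees /plex. The rules are the config posted above plus a constructed wildcard/path rule (the 8080 service and /api path are assumptions) and a catch-all to the NPM IP; note that a hostname only ever reaches these rules if a CNAME in Cloudflare DNS actually points it at the tunnel.

```python
import re
from urllib.parse import urlsplit

# Constructed ingress list: the three rules posted above, one hypothetical
# wildcard+path rule, and a final catch-all (no hostname, no path) to NPM.
INGRESS = [
    {"hostname": "server.skynetsource.com", "service": "https://172.16.3.2"},
    {"hostname": "router.skynetsource.com", "service": "https://172.16.3.2"},
    {"hostname": "example.skynetsource.com", "service": "http://172.16.3.161:455"},
    # hypothetical: route /api/... on any subdomain to a separate backend
    {"hostname": "*.skynetsource.com", "path": r"^/api/", "service": "http://172.16.3.2:8080"},
    {"service": "https://172.16.3.2"},  # catch-all, must be last
]


def hostname_matches(pattern, host):
    """Exact hostname match, or a leading '*.' wildcard matching any subdomain."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # ".skynetsource.com"
    return pattern == host


def has_catch_all(rules):
    """cloudflared rejects a config whose last rule still carries a hostname or path."""
    last = rules[-1]
    return "hostname" not in last and "path" not in last


def route(rules, url):
    """Return (origin service, forwarded path) for a public URL, or None."""
    if not has_catch_all(rules):
        raise ValueError("last ingress rule must be a catch-all (no hostname/path)")
    parts = urlsplit(url)
    host, path = parts.hostname, parts.path or "/"
    for rule in rules:
        if "hostname" in rule and not hostname_matches(rule["hostname"], host):
            continue
        if "path" in rule and not re.search(rule["path"], path):
            continue
        # The path is forwarded untouched, so a reverse proxy behind the tunnel
        # (NPM here) can still route on /plex; only the hostname picked the rule.
        return rule["service"], path
    return None


if __name__ == "__main__":
    for u in ("https://server.skynetsource.com/plex",
              "https://other.skynetsource.com/api/v1",
              "https://other.skynetsource.com/anything"):
        print(u, "->", route(INGRESS, u))
```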

Hi, I am new to home assistant and this add-on looks very exciting!

I tried to set up the tunnel following the Everything Smart Home guide video; however, once the tunnel is created and authorized through Cloudflare, I am getting an error in the logs. It seems to have to do with IPv6 assignment, though to be honest I don’t have a clue what it means.

When I pull up my domain, I get a “this site can’t be reached” error.

Any help is appreciated,
Thanks

EDIT
Not sure what changed, but about a day later I pulled up the domain and it had started working. I am still getting the error in the logs but no longer have any issue.


Thanks for the explanation! I don’t completely understand why I need both protocols, because I am trying to set up a prebuilt service. My best guess is that it needs http to get a Let’s Encrypt certificate. Although maybe that’s not necessary, since Cloudflare already does that and I could just decline automatic certificate generation.

Thanks again!

Great that it is working now. You can ignore the IPv6 errors; these are not relevant and will be addressed in the next release of the Cloudflare tunnel itself (see here).

Thanks, still not sure though where the http requirement is coming from.
Regarding a certificate: you do not need a Let’s Encrypt certificate. Cloudflare takes care of that (client facing) and the tunnel itself is encrypted as well. So there is no need for further certificates in the default scenario.

FWIW, I installed the Cloudflare Origin certificate/key on HA so that everything to the server is HTTPS/encrypted - from the VPN or LAN.

Note that this required the No-TLS-Verify option with Cloudflared. This is easy to set if you use Cloudflare managed tunnel UI - it is under Public Hostname / Additional application settings / TLS.

Love the add-on; I prefer it to installing the service on a Pi. Much easier to manage and update.