Problems getting Cloudflared working

I’ve installed the Cloudflared integration on my HAOS 2024.12.2 VM, and authorised the tunnel in my Cloudflare account. If I try to access https://mydomain I get “400 Bad request”, and don’t see anything in the Cloudflared log. I’m guessing that this is because I have port 443 (and 80) on my router forwarded to another machine, which hosts my web server.

If I forward port 443 to port 443 on my HAOS machine I still get “400 Bad request”, and still don’t see anything in the Cloudflared log when I try to access that URL. Same if I forward port 443 to port 8123 on the HAOS machine.

I do get these intermittent errors in the Cloudflared log (although not when I am attempting to access the URL):

2024-12-13T18:56:13Z WRN Failed to serve tunnel connection error="timeout: no recent network activity" connIndex=1 event=0 ip=198.41.192.107
2024-12-13T18:56:13Z WRN Serve tunnel error error="timeout: no recent network activity" connIndex=1 event=0 ip=198.41.192.107
2024-12-13T18:56:13Z INF Retrying connection in up to 1s connIndex=1 event=0 ip=198.41.192.107
2024-12-13T18:56:14Z WRN Failed to serve tunnel connection error="failed to accept QUIC stream: timeout: no recent network activity" connIndex=3 event=0 ip=198.41.192.7
2024-12-13T18:56:14Z WRN Serve tunnel error error="failed to accept QUIC stream: timeout: no recent network activity" connIndex=3 event=0 ip=198.41.192.7
2024-12-13T18:56:14Z INF Retrying connection in up to 1s connIndex=3 event=0 ip=198.41.192.7
2024-12-13T18:56:14Z WRN Connection terminated error="timeout: no recent network activity" connIndex=1
2024-12-13T18:56:15Z WRN Connection terminated error="failed to accept QUIC stream: timeout: no recent network activity" connIndex=3
2024-12-13T18:56:17Z WRN Failed to serve tunnel connection error="timeout: no recent network activity" connIndex=2 event=0 ip=198.41.200.13
2024-12-13T18:56:17Z WRN Serve tunnel error error="timeout: no recent network activity" connIndex=2 event=0 ip=198.41.200.13
2024-12-13T18:56:17Z INF Retrying connection in up to 1s connIndex=2 event=0 ip=198.41.200.13
2024-12-13T18:56:19Z WRN Connection terminated error="timeout: no recent network activity" connIndex=2

I also get these errors occasionally in the client web browser when I retry accessing the URL:

Error 1033 Cloudflare tunnel error
Error 1033 Argo tunnel error

These will revert to “400 Bad request” errors if I refresh the browser a few times.

I know very little about Cloudflare or reverse proxies. The documentation states that “no ports need to be opened”, but if an incoming https request arrives at my router, will it not be directed to whichever machine port 443 is forwarded to? If this happens NOT to be my HA host (which is the case here), or indeed if port 443 is not forwarded anywhere, I don’t understand how incoming requests will reach my HA server.

Can anyone clarify what exactly I need to do re. port forwarding, and hazard a guess at why I’m getting these errors?

Using cloudflared, you do not need to forward any ports. The cloudflared daemon opens a request to CloudFlare and keeps that tunnel open. When an external client requests your domain, CloudFlare routes that request over the tunnel that the cloudflared daemon opened from inside your network.

The whole point of cloudflared is so you don’t have to forward ports after properly configuring your tunnels.

Can you show how you have the tunnel configured? Basically it should be set up so that any request to HTTPS://your.domain.tld is routed to http://<internal IP of Hass like 192.168.2.50>:<Hass frontend port>


This is how I’ve configured the add-on - is this what you mean? (I’ve obviously replaced my domain name for the purpose of the screenshot)

And here is my configuration.yaml:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

I don’t use the add-on, I just run cloudflared myself. This is what is shown in CloudFlare zero trust access dashboard for my Hass tunnel

You’ll need to read the docs of the cloudflared add on to see how they expect things to be configured.

I did read the docs and followed the process. The tunnel is shown as “active” in my Cloudflare web account. When I start the add-on in HA the Cloudflared log looks OK:

 Add-on version: 5.2.3
 You are running the latest version of this add-on.
 System: Home Assistant OS 14.0  (amd64 / qemux86-64)
 Home Assistant Core: 2024.12.2
 Home Assistant Supervisor: 2024.11.4
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
[19:22:43] INFO: Checking add-on config...
[19:22:43] INFO: Checking for existing certificate...
[19:22:43] INFO: Existing certificate found
[19:22:43] INFO: Checking for existing tunnel...
[19:22:43] INFO: Existing tunnel with ID 6a580a13-46d1-4359-9ecf-4408cf014b27 found
[19:22:43] INFO: Checking if existing tunnel matches name given in config
[19:22:43] INFO: Existing Cloudflare Tunnel name matches config, proceeding with existing tunnel file
[19:22:43] INFO: Creating config file...
[19:22:43] INFO: Validating config file...
Validating rules from /tmp/config.json
OK
[19:22:44] INFO: Creating DNS entry mydomain.co.uk...
2024-12-13T19:22:45Z INF mydomain.co.uk is already configured to route to your tunnel tunnelID=6a580a13-46d1-4359-9ecf-4408cf014b27
[19:22:45] INFO: Finished setting up the Cloudflare Tunnel
[19:22:45] INFO: Connecting Cloudflare Tunnel...
2024-12-13T19:22:45Z INF Starting tunnel tunnelID=6a580a13-46d1-4359-9ecf-4408cf014b27
2024-12-13T19:22:45Z INF Version 2024.12.1 (Checksum b868cfffc393dd9f1c5ae79812353c2ff73cfa95da4c3dcb0ec98ce55d13943d)
2024-12-13T19:22:45Z INF GOOS: linux, GOVersion: go1.22.5, GoArch: amd64
2024-12-13T19:22:45Z INF Settings: map[config:/tmp/config.json cred-file:/data/tunnel.json credentials-file:/data/tunnel.json metrics:0.0.0.0:36500 no-autoupdate:true origincert:/data/cert.pem]
2024-12-13T19:22:45Z INF Generated Connector ID: 74228ec4-9a80-462b-ad34-8048dceac5be
2024-12-13T19:22:45Z INF Initial protocol quic
2024-12-13T19:22:45Z INF ICMP proxy will use 172.30.33.3 as source for IPv4
2024-12-13T19:22:45Z INF ICMP proxy will use ::1 in zone lo as source for IPv6
2024-12-13T19:22:45Z INF Starting metrics server on [::]:36500/metrics
2024-12-13T19:22:46Z INF Registered tunnel connection connIndex=0 connection=f14efd27-3985-48ee-a2b7-28700cc10b09 event=0 ip=198.41.192.107 location=lhr09 protocol=quic
2024-12-13T19:22:46Z INF Registered tunnel connection connIndex=1 connection=e3fe0c1d-ff0c-46ae-9487-b00166ff9316 event=0 ip=198.41.200.33 location=lhr14 protocol=quic
2024-12-13T19:22:47Z INF Registered tunnel connection connIndex=2 connection=cefd613d-1945-4e62-b6fa-0640824619db event=0 ip=198.41.192.47 location=lhr10 protocol=quic
2024-12-13T19:22:48Z INF Registered tunnel connection connIndex=3 connection=e51e352c-8b3d-4a25-9491-0ed02d45655a event=0 ip=198.41.200.193 location=lhr14 protocol=quic

But I just can’t connect
???

I’ll take a look at the docs quick.

Is your Hass frontend using the default port? 8123? Or anything special about your Hass setup?

The docs say when configuring for the local tunnel setup it will “automatically” set up the route. I assume that the add-on is smart enough to get the Hass IP and frontend port itself, but you never know.

I would recommend setting cloudflared up yourself, not using the add-on (like a local cloudflared binary or local docker container). That way you can debug things properly instead of trying to debug the add-on and any underlying issues.

These are my settings in the Cloudflare add-on that works without any ports opened in the router, ignore the additional hosts though:

external_hostname: yyyyyyyyyy.com
additional_hosts:
  - hostname: xxxxxxx.yyyyyyyyyy.com
    service: http://192.168.1.97:0000
  - hostname: zzzzzzz.yyyyyyyyyy.com
    service: http://192.168.1.97:0000
tunnel_name: homeassistant

Yes my HA uses the standard port 8123. I can’t think of anything special about it - it runs as a HAOS VM on a Proxmox host.
Calle, I’m not familiar with the YAML config from your settings - I only have access to the add-on UI. The only entry I made was the hostname (i.e. mydomain.co.uk). I didn’t specify additional hosts or any other options.
Do I need to specify additional hosts/services and if so, do you know
(a) how these should be entered in the UI
(b) what I should specify for the service - e.g. is it the IP address of my HAOS machine and port 0000
(c) where do I specify the tunnel name?
I have no idea how to set up Cloudflared without the add-on. Is this something that can be done from the console of the HAOS host?

Use the three dots in the upper right corner to switch between configuration mode, i.e. UI or YAML. My additional services are other add-ons hosted in HA that I want to reach through Cloudflare, therefore you can ignore them. One thing I really can recommend is that you read the official WIKI found here: Home · brenner-tobias/addon-cloudflared Wiki · GitHub

Thanks for confirming. I think I may have stumbled on the solution. Following someone else’s experience from a thread elsewhere, I tried adding my LAN IP range (192.168.1.0/24) to the list of trusted proxies in configuration.yaml. I am now able to connect to my HA host on https://mydomain.co.uk.
I don’t know if this has anything to do with the fact that my HAOS is running on a Proxmox host (this was also the other user’s setup).
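A simplified model of the reverse-proxy trust check behind that fix, added here as an example (it is not Home Assistant's or the add-on's code): a forwarded header is only honoured when the TCP peer is in trusted_proxies, otherwise the request is rejected with 400. It assumes the peer address HA saw in this setup falls in 192.168.1.0/24, and all addresses below are constructed samples.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Decision:
    status: int       # 200 = accepted, 400 = rejected by the proxy check
    client_ip: str    # address the app attributes the request to
    reason: str


def resolve_client(peer_ip, xff_header, trusted_proxies, use_x_forwarded_for=True):
    """Decide whether to trust X-Forwarded-For from this peer and which hop is the client."""
    peer = ipaddress.ip_address(peer_ip)
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    peer_trusted = any(peer in net for net in trusted)
    if not xff_header:
        return Decision(200, str(peer), "no forwarded header; peer is the client")
    if not use_x_forwarded_for or not peer_trusted:
        # Forwarded header from an address not listed as a proxy: reject.
        return Decision(400, str(peer), f"X-Forwarded-For from untrusted peer {peer}")
    hops = [ipaddress.ip_address(h.strip()) for h in xff_header.split(",")]
    # Walk from the hop nearest to us outward; the first hop that is not a
    # trusted proxy is the real client.
    for hop in reversed(hops):
        if not any(hop in net for net in trusted):
            return Decision(200, str(hop), "client taken from X-Forwarded-For")
    return Decision(200, str(peer), "all hops trusted; falling back to peer")


# Constructed sample values (not from the thread).
ADDON_ONLY = ["172.30.33.0/24"]                          # the original configuration.yaml
ADDON_AND_LAN = ["172.30.33.0/24", "192.168.1.0/24"]     # the fix described above
ADDON_AND_HOST = ["172.30.33.0/24", "192.168.1.50/32"]   # narrower alternative (assumed host)
PEER = "192.168.1.50"        # assumed address HA sees the tunnel traffic from
VISITOR = "203.0.113.7"      # public visitor address carried in X-Forwarded-For


def demo():
    before = resolve_client(PEER, VISITOR, ADDON_ONLY)        # 400 before the fix
    after = resolve_client(PEER, VISITOR, ADDON_AND_LAN)      # accepted after the fix
    # Caveat: trusting the whole LAN lets any LAN host claim an arbitrary
    # client address, which defeats per-IP login throttling and bans.
    forged = resolve_client("192.168.1.99", "10.0.0.1", ADDON_AND_LAN)
    narrowed = resolve_client("192.168.1.99", "10.0.0.1", ADDON_AND_HOST)
    return before, after, forged, narrowed
```

If the cloudflared peer address is stable, listing it as a /32 instead of the whole LAN keeps the fix while limiting who can set X-Forwarded-For.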

Oof, forgot about the trusted proxies stuff. I did also have to add the LXC IP of the cloudflared host to my trusted proxies addresses before it would work and I promptly forgot that was a needed step.

It may be beneficial to open a pull request in the add-on repo with this mentioned in the wiki or install docs somewhere so others don’t get stuck on this issue.

Fwiw, I also use Proxmox and it’s definitely not an issue with it being an LXC or VM

TBH I wouldn’t have a clue how to go about a pull request but I will definitely add it as a suggestion in the discussions area!

So now that I have Cloudflared up and running I’m getting a lot of “connection lost” errors (which can take several minutes to rectify themselves), as well as frequent “Argo tunnel errors” from Cloudflare. Is this to be expected with Cloudflared?

Having decided to abandon my Cloudflared experiment, I am now unable to free my domain from the Cloudflare tunnel. I have uninstalled the Cloudflared add-on, removed the http: section from my configuration.yaml, and deleted the tunnel in the Zero Trust area of my Cloudflare account, but requests to my domain are still resulting in “Error 1033 Argo Tunnel error”.

Can anyone advise on how I can free my domain from the Cloudflare tunnel?

It seems that my A record was removed from/by Cloudflare when I created the tunnel. I have now reinstated it and can access my domain again.