proxmox/docs/04-configuration/CLOUDFLARE_TUNNEL_QUICK_SETUP.md
Cloudflare Tunnel Quick Setup Guide

Last Updated: 2025-12-21
Status: Step-by-Step Setup


Current Status

cloudflared installed on VMID 102 (version 2025.11.1)
Nginx configured on RPC containers (2501, 2502) with SSL on port 443
⚠️ cloudflared currently running as DoH proxy (needs to be reconfigured as tunnel)


Step-by-Step Setup

Step 1: Get Your Tunnel Token

  1. Go to Cloudflare Dashboard:

  2. Create or Select Tunnel:

    • Go to Zero Trust → Networks → Tunnels
    • If you already created a tunnel, click on it
    • If not, click Create a tunnel → Select Cloudflared → Name it (e.g., rpc-tunnel)
  3. Copy the Token:

    • You'll see installation instructions
    • Copy the token (starts with eyJhIjoi...)
    • Treat it as a credential: it embeds the tunnel secret, and anyone holding it can run a connector that receives traffic for these hostnames. Keep it in a root-only file or a secrets manager, never in chat, tickets or the repo; you'll need it in Step 2

Step 2: Install Tunnel Service

Option A: Use the Automated Script (Recommended)

cd /home/intlc/projects/proxmox
./scripts/setup-cloudflare-tunnel-rpc.sh <YOUR_TUNNEL_TOKEN>

Replace <YOUR_TUNNEL_TOKEN> with the token you copied from Step 1. A token typed as a literal argument is recorded in your shell history and is briefly visible in the process list on the Proxmox host and in the container; prefer supplying it from a mode-600 file via command substitution, and remove the history entry if you did paste it.

Option B: Manual Installation

# Install tunnel service with your token (same history/process-list caveat as Option A)
ssh root@192.168.11.10 "pct exec 102 -- cloudflared service install <YOUR_TUNNEL_TOKEN>"

# Enable and start the service (on systemd, service install already does both; repeating is harmless)
ssh root@192.168.11.10 "pct exec 102 -- systemctl enable cloudflared"
ssh root@192.168.11.10 "pct exec 102 -- systemctl start cloudflared"

# Check status
ssh root@192.168.11.10 "pct exec 102 -- systemctl status cloudflared"

If the DoH proxy noted under Current Status was set up as the cloudflared systemd service, service install refuses to overwrite an existing unit: stop it and run cloudflared service uninstall on VMID 102 first, then install with the token.
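The token from Step 1 is base64-encoded JSON carrying the account ID, the tunnel ID and the tunnel secret. The shell example below is added here and is not one of the project's scripts: it decodes a token to recover the tunnel ID (the value Step 4 needs for the CNAME target) without ever printing the secret, checks the token has the expected shape before you hand it to service install, and shows how to load it from a root-only file instead of typing it on a command line. The token it decodes is constructed for the example with placeholder IDs; tunnel_id_from_token, token_looks_valid and the ~/.config/cf path are this example's own names.

```shell
#!/bin/sh
# Added example, not from the original guide. A Cloudflare tunnel token is
# base64(JSON) of the form {"a":"<account id>","t":"<tunnel id>","s":"<secret>"},
# which is why every real token begins with "eyJhIjoi" (base64 of '{"a":"').
# Only "t" is needed for the <tunnel-id>.cfargotunnel.com CNAME; "s" is the
# credential that lets anyone run a connector for this tunnel, so never echo it.

# Print the tunnel ID from a token; return 1 if the input does not decode
# to the expected shape. Nothing else from the token is written to stdout.
tunnel_id_from_token() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    id=$(printf '%s' "$decoded" | sed -n 's/.*"t":"\([^"]*\)".*/\1/p')
    [ -n "$id" ] || return 1
    printf '%s\n' "$id"
}

# Sanity check before installing: the token must carry the "eyJhIjoi" prefix
# the guide mentions and the tunnel ID inside it must be a UUID.
token_looks_valid() {
    case "$1" in eyJhIjoi*) ;; *) return 1 ;; esac
    id=$(tunnel_id_from_token "$1") || return 1
    printf '%s' "$id" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Constructed token for the demo (placeholder account ID, tunnel ID and secret).
DEMO_JSON='{"a":"0123456789abcdef0123456789abcdef","t":"11111111-2222-3333-4444-555555555555","s":"cGxhY2Vob2xkZXItc2VjcmV0"}'
DEMO_TOKEN=$(printf '%s' "$DEMO_JSON" | base64 | tr -d '\n')

# Recommended handling on the admin workstation: keep the token in a
# mode-600 file and load it into a variable, so it never lands in shell
# history the way a literal argument to the setup script would:
#   umask 077; cat > ~/.config/cf/rpc-tunnel.token    # paste, then Ctrl-D
#   TOKEN=$(cat ~/.config/cf/rpc-tunnel.token)
#   token_looks_valid "$TOKEN" && ./scripts/setup-cloudflare-tunnel-rpc.sh "$TOKEN"
if token_looks_valid "$DEMO_TOKEN"; then
    id=$(tunnel_id_from_token "$DEMO_TOKEN")
    echo "tunnel id: $id"
    echo "CNAME target for Step 4: $id.cfargotunnel.com"
fi
```

Only the tunnel ID is ever printed; the decoded JSON stays in a shell variable and is never passed to a logging command, which is the property you want when this runs from a setup script whose output may be captured.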

Step 3: Configure Tunnel Routes in Cloudflare Dashboard

After the tunnel service is running, configure the routes:

  1. Go to Tunnel Configuration:

    • Zero Trust → Networks → Tunnels → Your Tunnel → Configure
  2. Add Public Hostnames:

    For each endpoint, click "Add a public hostname". Type is the protocol
    cloudflared speaks to the origin and URL is host:port without a scheme;
    Nginx listens with TLS on 443, so the type is HTTPS, not HTTP:

    Subdomain      Domain     Type    URL
    rpc-http-pub   d-bis.org  HTTPS   192.168.11.251:443
    rpc-ws-pub     d-bis.org  HTTPS   192.168.11.251:443
    rpc-http-prv   d-bis.org  HTTPS   192.168.11.252:443
    rpc-ws-prv     d-bis.org  HTTPS   192.168.11.252:443

    Because Nginx on 2501/2502 still presents a self-signed certificate (see
    Next Steps), cloudflared cannot verify the origin and every request
    returns 502 until you either enable Additional application settings →
    TLS → No TLS Verify on each hostname or install a trusted certificate.
    If Nginx picks its server block by name, also set Origin Server Name in
    the same section, since cloudflared otherwise connects with only the IP.

    WebSocket connections are carried over the tunnel without a per-hostname
    toggle; the only switch is the zone-level Network → WebSockets setting,
    so check that it is on.
  3. Save Configuration

    Saving a public hostname also creates the matching proxied CNAME record
    in d-bis.org; Step 4 shows what to expect and what must be removed first.


Step 4: Update DNS Records

  1. Go to Cloudflare DNS:

    • Navigate to your domain: d-bis.org
    • Go to DNS → Records
  2. Delete Existing A Records (if any):

    • rpc-http-pub → A → 192.168.11.251
    • rpc-ws-pub → A → 192.168.11.251
    • rpc-http-prv → A → 192.168.11.252
    • rpc-ws-prv → A → 192.168.11.252

    Do this before adding the public hostnames in Step 3 where possible: the
    dashboard creates the CNAME itself and fails when an A record with the
    same name already exists. These records also published RFC 1918 origin
    addresses in public DNS, which is useless to clients and leaks the
    internal layout, so there is no reason to keep them.
  3. Create CNAME Records:

    If Step 3 did not already create them, create a CNAME record for each endpoint:

    Type: CNAME
    Name: rpc-http-pub (or rpc-ws-pub, rpc-http-prv, rpc-ws-prv)
    Target: <tunnel-id>.cfargotunnel.com
    Proxy: 🟠 Proxied (orange cloud) - IMPORTANT!
    TTL: Auto
    

    Where <tunnel-id> is the tunnel's UUID, shown next to the tunnel name in
    the tunnel dashboard. The record must be proxied: cfargotunnel.com
    targets are only reachable through Cloudflare's edge, so a DNS-only
    (grey cloud) record does not resolve for clients.

    Example (placeholder ID):

    Type: CNAME
    Name: rpc-http-pub
    Target: abc123def456.cfargotunnel.com
    Proxy: 🟠 Proxied
    
  4. Repeat for all 4 endpoints


Step 5: Verify Setup

5.1 Check Tunnel Status

In Cloudflare Dashboard:

  • Zero Trust → Networks → Tunnels
  • Tunnel should show "Healthy" (green status)

Via Command Line:

# Check service status
ssh root@192.168.11.10 "pct exec 102 -- systemctl status cloudflared"

# View logs
ssh root@192.168.11.10 "pct exec 102 -- journalctl -u cloudflared -f"

5.2 Test DNS Resolution

# Test DNS resolution
dig rpc-http-pub.d-bis.org
nslookup rpc-http-pub.d-bis.org

# Should resolve to Cloudflare IPs (if proxied)

5.3 Test Endpoints

# Test HTTP RPC endpoint
curl https://rpc-http-pub.d-bis.org/health

# Test RPC call
curl -X POST https://rpc-http-pub.d-bis.org \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Test WebSocket (use wscat or similar)
wscat -c wss://rpc-ws-pub.d-bis.org
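The three checks in 5.1 to 5.3 can be scripted so they are repeatable after every change. The following shell example is added here and is not part of the project's scripts: its pure helpers classify dig output (a private address means a stale A record or the orange cloud is off, so the origin IP is exposed), parse the JSON-RPC reply for a block number, and verify_hostname runs the live dig/curl calls, including a negative check that an anonymous request to an rpc-*-prv hostname does not get 200 once an Access policy is in place. Hostnames, origin addresses and the /health path are the guide's own; the sample DNS answers and RPC replies are constructed, and the function names are this example's.

```shell
#!/bin/sh
# Added example, not from the original guide. Offline helpers are exercised on
# constructed input; verify_hostname() performs the real network checks.

# 0 if the dotted-quad in $1 is RFC 1918 space (10/8, 172.16/12, 192.168/16).
is_rfc1918() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.*)
            o2=${1#172.}; o2=${o2%%.*}
            [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] ;;
        *) return 1 ;;
    esac
}

# Classify `dig +short` output: "none" (no answer), "private" (an RFC 1918
# address: stale A record or proxy off, i.e. the origin IP is published),
# or "proxied" (only public edge addresses, as expected for a proxied CNAME).
# dig prints the CNAME target before the addresses; non-IP lines are skipped.
classify_answers() {
    [ -n "$1" ] || { echo none; return; }
    for ip in $1; do
        case "$ip" in *[!0-9.]*) continue ;; esac
        if is_rfc1918 "$ip"; then echo private; return; fi
    done
    echo proxied
}

# Extract the hex "result" of a JSON-RPC reply and print it as decimal.
# Returns 1 on an "error" member or a missing/malformed result.
rpc_result_dec() {
    case "$1" in *'"error"'*) return 1 ;; esac
    hex=$(printf '%s' "$1" | sed -n 's/.*"result":"\(0x[0-9a-fA-F]\{1,\}\)".*/\1/p')
    [ -n "$hex" ] || return 1
    echo $(( $hex ))
}

# Live checks (need the tunnel up; not run by the offline demo). Pass
# "private" as $2 for the rpc-*-prv hostnames: an anonymous request there
# must NOT return 200 once a Cloudflare Access policy protects them.
verify_hostname() {
    host=$1; kind=${2:-public}; rc=0
    dns=$(classify_answers "$(dig +short "$host")")
    [ "$dns" = proxied ] || { echo "$host: DNS answer is $dns"; rc=1; }
    status=$(curl -s -o /dev/null -w '%{http_code}' "https://$host/health")
    if [ "$kind" = private ]; then
        [ "$status" != 200 ] || { echo "$host: anonymous request got 200, no Access policy in front"; rc=1; }
        return $rc
    fi
    [ "$status" = 200 ] || { echo "$host: /health returned $status"; rc=1; }
    reply=$(curl -s "https://$host" -H 'Content-Type: application/json' \
        -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}')
    n=$(rpc_result_dec "$reply") || { echo "$host: unexpected RPC reply: $reply"; rc=1; }
    [ "$rc" -eq 0 ] && echo "$host: ok (block $n)"
    return $rc
}

# Constructed sample replies (not captured from the real endpoints).
SAMPLE_OK='{"jsonrpc":"2.0","id":1,"result":"0x1b4"}'
SAMPLE_ERR='{"jsonrpc":"2.0","id":1,"error":{"code":-32601,"message":"Method not found"}}'

# Offline demo on constructed data:
echo "proxied name: $(classify_answers 'x.cfargotunnel.com. 104.21.1.2 172.67.3.4')"
echo "stale A record: $(classify_answers '192.168.11.251')"
echo "block number from sample reply: $(rpc_result_dec "$SAMPLE_OK")"
# Live usage once the tunnel is healthy:
#   verify_hostname rpc-http-pub.d-bis.org
#   verify_hostname rpc-http-prv.d-bis.org private
```

The private-endpoint branch is the one worth keeping in a cron job: a 200 from an unauthenticated client on an rpc-*-prv hostname means the Access policy was removed or never applied, and nothing else in the setup will flag that.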

Troubleshooting

Tunnel Not Connecting

Check logs:

ssh root@192.168.11.10 "pct exec 102 -- journalctl -u cloudflared -n 50 --no-pager"

Common issues:

  • Invalid token → Reinstall with correct token
  • Network connectivity → Check container can reach Cloudflare
  • Service not started → systemctl start cloudflared

DNS Not Resolving

Verify:

  • DNS record type is CNAME (not A)
  • Proxy is enabled (orange cloud)
  • Target is correct: <tunnel-id>.cfargotunnel.com
  • Wait 5 minutes for DNS propagation

Connection Timeout or 502 Bad Gateway

Check:

  • Nginx is running: pct exec 2501 -- systemctl status nginx
  • Port 443 is listening: pct exec 2501 -- ss -tlnp | grep ':443'
  • Test the direct connection from VMID 102, the container cloudflared actually connects from: pct exec 102 -- curl -k https://192.168.11.251/health
  • A 502 together with an x509 or certificate error in the cloudflared journal means the origin's self-signed certificate failed verification: enable No TLS Verify on the public hostname (Step 3) or install a trusted certificate

Quick Reference

Files Created

  • Script: scripts/setup-cloudflare-tunnel-rpc.sh
  • Config: /etc/cloudflared/config.yml (on VMID 102); with a token-based install the public hostnames are managed in the dashboard, not in this file
  • Service: /etc/systemd/system/cloudflared.service (on VMID 102), written by cloudflared service install; it carries or references the tunnel token, so keep it and anything under /etc/cloudflared readable by root only

Key Commands

# Install tunnel
./scripts/setup-cloudflare-tunnel-rpc.sh <TOKEN>

# Check status
ssh root@192.168.11.10 "pct exec 102 -- systemctl status cloudflared"

# View logs
ssh root@192.168.11.10 "pct exec 102 -- journalctl -u cloudflared -f"

# Restart tunnel
ssh root@192.168.11.10 "pct exec 102 -- systemctl restart cloudflared"

# Test endpoint
curl https://rpc-http-pub.d-bis.org/health

Architecture

Internet → Cloudflare DNS → Cloudflare Tunnel → cloudflared (VMID 102) 
  → Nginx (2501/2502:443) → Besu RPC (8545/8546)

Next Steps After Setup

  1. Monitor tunnel health in Cloudflare Dashboard
  2. Set up monitoring/alerts for tunnel status
  3. Replace the self-signed Nginx certificates with Let's Encrypt certificates so No TLS Verify can be switched off again
  4. Configure rate limiting in Cloudflare if needed; a public JSON-RPC endpoint is an easy target for request floods
  5. Put a Cloudflare Access policy on the two rpc-*-prv hostnames: once proxied they resolve for everyone, and without a policy they are exactly as reachable as the -pub endpoints