Hello all, The first thing I setup to self-host was NextCloud, and I followed instructions and built the stack directly on the host computer. It’s hosted on port 80, and I created a Cloudflare tunnel from “cloud.mydomain.com” which points to http://192.168.1.111 and everything works perfectly. I can access the site from wherever, and everything felt great. Now for the thing I really want, an Immich server.
I followed the instructions and set up Immich in a docker container. Everything seems to be working great, I can access it from within my network and backup photos just like I was hoping. Within the same Cloudflare tunnel, I tried to add a new Public Hostname. I want “photos.mydomain.com” to point to the same host but on port 2283. I added the public hostname and pointed it to http://192.168.1.111:2283, but whenever I point a browser there I get the “502 Bad Gateway” error from cloudflare.
I assume this is a Cloudflare configuration issue, but I’m not 100% sure. Do I need to do anyting special with docker if I intend to access it through Cloudflare? I THINK docker is set up correctly because I am able to access the Immich from a different computer on my local network. I thought using Cloudflare made it so that I don’t to worry about setting up a reverse proxy. Is that maybe not true?
Or does Immich need something specific to tell it to accept traffic outside of my network? I remember having to set up NextCloud with “trusted domains” but when that wasn’t correct, I got an error message from NextCloud, not from Cloudflare.
Any help would be appreciated. I’ve poked around a bunch and I’m pretty sure I can’t solve this on my own.
first you should check logs of cloudflare tunnel - most likely it cannot access your docker network. if you are using cloudflare container - it should use same network as a Immich instance.
in short: find the tunnel log and see what is happening there.
The logs just say
2023-12-16T03:32:18Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 192.168.1.111:2283...
Assuming it is the problem of Docker containers not being able to talk to each other, I added the option
--network="bridge"
to the docker command that launches the cloudflare tunnel. Then in the docker-compose file for Immich, I added the linenetwork_mode: bridge
to each service. No dice. I think next I’ll try installing the cloudflare tunnel as a service directly on that computer.Thanks for taking the time to help out, I appreciate it.
Hey! Running the cloudflare tunnel through systemd right on the machine worked wonders! Thanks! Probably not the most secure way, but at least I know I can play with networks at a later date. For now it appears to be up and running. Thanks a bunch!
I would recommend you setup a Reverse Proxy, such as NGINX Proxy Manager, Cloudflare free tier only allow to forward 80 and 443 port. A reverse proxy would listen on port 443 and 80 for all connection and forward request to the right site using the hostname.
Cloudflare Tunnels will let you proxy any port, as long as it’s HTTP(S) or SSH, even on free tier.
Also I believe there’s a thing now for proxying other ports anyway on free tier without tunnels, but I haven’t looked too much into it.
Thanks. I was hoping (but not sure) that cloudflare would act as a proxy by sending the traffic to the port I wanted, and that would sort things out (since it’s all running off of one machine). Still, maybe setting up Nginx is the way to go. I’ll have to put that a little ways down the to do list.
Thanks for reaching out, I appreciate it.
Well, in my setup I use both, Cloudflare point to my proxy manager, so there is a dual proxy in a way. but the users always hit cloudflare first and never my own proxy, so I can use CF security feature as well (blocking other country, ip, known bad actors etc)
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters CF CloudFlare HTTP Hypertext Transfer Protocol, the Web SSH Secure Shell for remote terminal access
[Thread #358 for this sub, first seen 16th Dec 2023, 11:55] [FAQ] [Full list] [Contact] [Source code]
deleted by creator