Hi, I'm a new user of Cloudron. I managed to setup my cloudron behind a cloudflare tunnel.
This his how:
- if using subdomain like cloudron.example.com you need to have Cloudflare Advanced Certificates. free accouts have certificates that cover *.example.com ony
- let's say I want to configure it-tools.cloudron.example.com
- remove A record generated by cloudron
- Create a new public hostname in your tunnel configuration with this mapping:
it-tools.cloudron.example.com => https://localhost + No TLS Verify
I managed to expose 2 apps like this. I can login with my.cloudron.example.com
Next step is to use Cloudron built-in OIDC. Unfortunalty when I visit .well-known/openid-configuration I get a white page with no errors
My access logs from cloudron looks like this:
127.0.0.1 - - [10/Apr/2024:06:16:04 +0000] "GET /.well-known/openid-configuration HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
127.0.0.1 - - [10/Apr/2024:06:16:05 +0000] "GET /favicon.ico HTTP/1.1" 302 138 "https://my.cloudron.example.com/.well-known/openid-configuration" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
127.0.0.1 - - [10/Apr/2024:06:16:05 +0000] "GET / HTTP/1.1" 200 13777 "https://my.cloudron.example.com/.well-known/openid-configuration" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
This is the timeline from Insomnia:
* Preparing request to https://my.cloudron.example.com/.well-known/openid-configuration
* Current time is 2024-04-10T06:18:47.508Z
* Enable automatic URL encoding
* Using default HTTP version
* Enable SSL validation
* Enable cookie sending with jar of 2 cookies
* Found bundle for host my.cloudron.example.com: 0x110035e9640 [can multiplex]
* Re-using existing connection! (#1) with host my.cloudron.example.com
* Connected to my.cloudron.example.com (2606:4700:20::681a:2ad) port 443 (#1)
* Using Stream ID: 3 (easy handle 0x110009b7600)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /.well-known/openid-configuration HTTP/2
> Host: my.cloudron.oniverse.io
> user-agent: insomnia/8.6.0
> accept: */*
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200
< date: Wed, 10 Apr 2024 06:18:47 GMT
< content-type: undefined
< content-length: 0
< content-security-policy: default-src 'none'; frame-src 'self' cloudron.io *.cloudron.io; connect-src wss: https: 'self' *.cloudron.io; script-src https: 'self' 'unsafe-inline' 'unsafe-eval'; img-src * data:; style-src https: 'unsafe-inline'; object-src 'none'; font-src https: 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self';
< referrer-policy: same-origin
< strict-transport-security: max-age=63072000
< x-content-type-options: nosniff
< x-download-options: noopen
< x-permitted-cross-domain-policies: none
< x-powered-by: Express
< x-xss-protection: 1; mode=block
< cf-cache-status: DYNAMIC
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VOAN6vltVfLXyisO8ZCm5FwmkmkJClBH6t1TGsDBGSidA%2Fs4Kiiq43nALP2OOproyD62u5tX9caOoE%2BDKAgspdseByXkWb8zuppE1RGZGcmj2S199Rv2aPVxvhj8qU4iMzLlXHnaOuw4HesbHXQK0RA1zges"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 87209f1eda862161-CDG
< alt-svc: h3=":443"; ma=86400
I tried to set the OIDC in Cloudflare Access but I get this page when I try it:
I'm pretty sure of my client credentials are correct, I only have one.
The access logs:
127.0.0.1 - - [10/Apr/2024:06:22:28 +0000] "GET /api/v1/notifications?page=1&per_page=20 HTTP/1.1" 304 0 "https://my.cloudron.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
127.0.0.1 - - [10/Apr/2024:06:22:48 +0000] "GET /openid/auth?client_id=cid-fb36343b92c1bd5c9098893116845eb9&domain=cid-fb36343b92c1bd5c9098893116845eb9&redirect_uri=https%3A%2F%2Fexample.cloudflareaccess.com%2Fcdn-cgi%2Faccess%2Fcallback&response_type=code&state=ea1d75aeff7af5413b92df9f70d2c94c6c4bc887ee88324e4b1292d130ffb036.JTdCJTIyaWF0JTIyJTNBMTcxMjczMDE2OSUyQyUyMmF1dGhEb21haW4lMjIlM0ElMjJuZXdwYXJhZGlnbXN0dWRpby5jbG91ZGZsYXJlYWNjZXNzLmNvbSUyMiUyQyUyMmhvc3RuYW1lJTIyJTNBJTIybmV3cGFyYWRpZ21zdHVkaW8uY2xvdWRmbGFyZWFjY2Vzcy5jb20lMjIlMkMlMjJyZWRpcmVjdFVSTCUyMiUzQSUyMiUyRiUyMiUyQyUyMmF1ZCUyMiUzQSUyMiUyMiUyQyUyMmlkcElkJTIyJTNBJTIyYmJlOTJlYmMtNzJmMC00NWUzLWFjMTUtNzcxMzk5Y2E4Nzg2JTIyJTJDJTIyaXNFbnRTZXR1cCUyMiUzQWZhbHNlJTJDJTIyaXNJRFBUZXN0JTIyJTNBdHJ1ZSUyQyUyMmlzU2FtZVNpdGVOb25lQ29tcGF0aWJsZSUyMiUzQXRydWUlMkMlMjJub25jZSUyMiUzQSUyMm41dWs4dklxa05CZnBIMlA1JTIyJTdE&scope=openid+email+profile HTTP/1.1" 303 113 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
127.0.0.1 - - [10/Apr/2024:06:22:48 +0000] "GET /openid/interaction/4APmG06oy-tbtBhV9J4y5 HTTP/1.1" 200 1202 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
127.0.0.1 - - [10/Apr/2024:06:22:48 +0000] "POST /openid/interaction/4APmG06oy-tbtBhV9J4y5/confirm HTTP/1.1" 303 0 "https://my.cloudron.example.com/openid/interaction/4APmG06oy-tbtBhV9J4y5" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
127.0.0.1 - - [10/Apr/2024:06:22:49 +0000] "GET /openid/auth/4APmG06oy-tbtBhV9J4y5 HTTP/1.1" 303 1603 "https://my.cloudron.example.com/openid/interaction/4APmG06oy-tbtBhV9J4y5" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
If anyone could help me with this, I will be grateful.
Cloudron => Cloudflare Launcher => AWS