Cloudflare Error 1033 when trying to setup Argo Tunnel

Discussion in 'Web Development & Web Performance' started by BamaStangGuy, Feb 19, 2021.

  1. BamaStangGuy

    BamaStangGuy Premium Member Premium Member

    657
    189
    43
    May 25, 2014
    Ratings:
    +265
    Local Time:
    10:14 AM
    I followed the manual guide here and everything went great until I tried to load the site.

    https://blog.centminmod.com/2021/02/09/2250/how-to-setup-cloudflare-argo-tunnel-on-centos-7/

    I am trying to set this up for bamapolitics.com so I set the hostname as www.bamapolitics.com

    I noticed you had a separate subdomain tun.domain.com in your tutorial. Did I mess up by setting mine up as www.domain.com?

    I only want the tunnel to work for that domain.
     
  2. eva2000

    eva2000 Administrator Staff Member

    46,468
    10,554
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,386
    Local Time:
    1:14 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    What issues are you having? Edit: oh, 1033 error in the title of the thread!

    For apex domains I set up the tunnel to work for both the www and non-www versions of the domain. The ServerManager.guide WordPress blog is using Argo Tunnel with such a config.
     
  3. eva2000

    Error 1033 Troubleshooting Cloudflare 1XXX errors

     
  4. eva2000

    FYI CF Argo Tunnel had some issues from Argo Tunnel Availability Issues

     
  5. BamaStangGuy

    Does this require a different setup process from your tutorial?
     
  6. eva2000

    No, same process: just set up the non-www domain.com DNS CNAME to tunnelid.cfargotunnel.com, set up the www CNAME to domain.com, and ensure both www and non-www are listed in the config.yml config file.

    from https://blog.centminmod.com/2021/02...#step-3-creating-cloudflared-yaml-config-file

    Code (Text):
    tunnel: your_tunnelid
    credentials-file: /root/.cloudflared/your_tunnelid.json
    origincert: /root/.cloudflared/cert-tun.domain.com.pem
    protocol: http2
    originRequest:
      connectTimeout: 30s
    
    metrics: localhost:5432
    #tag: cmm=blog
    pidfile: /var/run/cmm-test-argo.pid
    autoupdate-freq: 24h
    loglevel: info
    logfile: /var/log/cloudflared.log
    
    ingress:
      - hostname: tun.domain.com
        service: https://localhost:443
        originRequest:
          connectTimeout: 10s
          noTLSVerify: true
      - hostname: hostname.domain.com
        service: https://localhost:443
        originRequest:
          connectTimeout: 10s
          noTLSVerify: true
      - hostname: host.example.com
        service: https://localhost:443
        originRequest:
          connectTimeout: 10s
          noTLSVerify: true
      - service: http_status:404
    

    so would be like
    Code (Text):
    tunnel: your_tunnelid
    credentials-file: /root/.cloudflared/your_tunnelid.json
    origincert: /root/.cloudflared/cert-tun.domain.com.pem
    protocol: http2
    originRequest:
      connectTimeout: 30s
    
    metrics: localhost:5432
    #tag: cmm=blog
    pidfile: /var/run/cmm-test-argo.pid
    autoupdate-freq: 24h
    loglevel: info
    logfile: /var/log/cloudflared.log
    
    ingress:
      - hostname: tun.domain.com
        service: https://localhost:443
        originRequest:
          connectTimeout: 10s
          noTLSVerify: true
      - hostname: domain.com
        service: https://localhost:443
        originRequest:
          connectTimeout: 10s
          noTLSVerify: true
      - hostname: www.domain.com
        service: https://localhost:443
        originRequest:
          connectTimeout: 10s
          noTLSVerify: true
      - service: http_status:404
    
     
  7. BamaStangGuy

    Now I am getting this: https://tun.bamapolitics.com/

    Code:
    #x# HTTPS-DEFAULT
     server {
     
       server_name tun.bamapolitics.com;
       return 302 https://tun.bamapolitics.com$request_uri;
       root /home/nginx/domains/tun.bamapolitics.com/public;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    
    server {
      listen 443 ssl http2 reuseport;
      server_name tun.bamapolitics.com;
    
      include /usr/local/nginx/conf/ssl/tun.bamapolitics.com/tun.bamapolitics.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/tun.bamapolitics.com/origin.crt;
      ssl_verify_client on;
     
     
     
      # mozilla recommended
      ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/tun.bamapolitics.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/tun.bamapolitics.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/tun.bamapolitics.com/autoprotect-tun.bamapolitics.com.conf;
      root /home/nginx/domains/tun.bamapolitics.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Wordpress Permalinks example
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      }
    
      include /usr/local/nginx/conf/php.conf;
     
      include /usr/local/nginx/conf/pre-staticfiles-local-tun.bamapolitics.com.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
     
  8. eva2000

    Bad request 400? Argo Tunnel is incompatible with Cloudflare Authenticated Origin Pull, as they both do the same thing: prevent visitor access that bypasses the Cloudflare proxy and tries HTTP access via the server's real IP, just done in different ways. So comment out
    Code (Text):
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/tun.bamapolitics.com/origin.crt;
      ssl_verify_client on;
    

    I should update my blog article at https://blog.centminmod.com/2021/02/09/2250/how-to-setup-cloudflare-argo-tunnel-on-centos-7/ with that note, seeing as it's more likely Centmin Mod users may have manually enabled Cloudflare Authenticated Origin Pulls.

    edit: updated at Cloudflare Authenticated Origin Pull Incompatibility
     
  9. BamaStangGuy

    That was it. It is working now but Bama Politics redirects to the main website. Why is that?
     
  10. eva2000

    The config.yml config hostnames need to correspond to the Centmin Mod Nginx vhost server_names you set up. So if you don't have a tun.domain.com on your Centmin Mod Nginx, it will go to the main hostname's default HTML page. If you don't have a site on tun.domain.com, just remove its entries from config.yml and restart Argo Tunnel's cloudflared service.
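
Added example, not part of the thread and not Centmin Mod or Cloudflare code: a small audit of the two mismatches diagnosed above, namely ingress hostnames with no matching Nginx server_name, and tunnel-fronted vhosts that still have `ssl_verify_client on` from Authenticated Origin Pull. The sample config.yml and vhost text are constructed placeholders; the regex parsing assumes flat vhost files like the one posted in this thread.

```python
import re

# Constructed sample inputs modelled on the thread (placeholder names, not real files).
CONFIG_YML = """\
ingress:
  - hostname: tun.domain.com
    service: https://localhost:443
  - hostname: domain.com
    service: https://localhost:443
  - hostname: www.domain.com
    service: https://localhost:443
  - service: http_status:404
"""

NGINX_CONF = """\
server {
  listen 443 ssl http2;
  server_name domain.com www.domain.com;
  ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt;
  ssl_verify_client on;
}
"""

def ingress_hostnames(yml):
    """Hostnames listed under ingress: in a cloudflared config.yml."""
    return re.findall(r"^\s*-\s*hostname:\s*(\S+)", yml, re.M)

def nginx_vhosts(conf):
    """Map each server_name to whether its server block has ssl_verify_client on."""
    vhosts = {}
    # Split on 'server {' openers; assumes no nested server blocks.
    for block in re.split(r"^\s*server\s*\{", conf, flags=re.M)[1:]:
        block = re.sub(r"#.*", "", block)  # ignore commented-out directives
        names = re.search(r"\bserver_name\s+([^;]+);", block)
        aop = bool(re.search(r"\bssl_verify_client\s+on\s*;", block))
        for name in names.group(1).split() if names else []:
            vhosts[name] = vhosts.get(name, False) or aop
    return vhosts

def audit(yml, conf):
    """Return (hostnames with no vhost, hostnames whose vhost still enforces AOP)."""
    vhosts, hosts = nginx_vhosts(conf), ingress_hostnames(yml)
    missing = [h for h in hosts if h not in vhosts]   # served by the default vhost
    aop = [h for h in hosts if vhosts.get(h)]         # tunnel requests rejected
    return missing, aop

if __name__ == "__main__":
    print(audit(CONFIG_YML, NGINX_CONF))
```

On a real server, read the contents of config.yml and the vhost files into strings and pass them to `audit()`.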