Incus + cloudflared (cli, manual tunnels)

Hi, has anyone succeeded in exposing the incus daemon/API through cloudflared?

/etc/cloudflared/config.yml

tunnel: <redacted>
credentials-file: /etc/cloudflared/<redacted>.json

ingress:
  - hostname: incus.example.xyz
    service: unix:/var/lib/incus/unix.socket
  - service: http_status:404

This seems to work, but only partially. For example, the command incus ls works without issues, but incus start ct responds with Error: Failed to fetch https://incus.example.xyz:443/1.0/events: 502 Bad Gateway, although the operation still seems to actually go through, so in this case the container would be started.

Sounds like some issue with the proxy and websocket handling.
Maybe there’s some configuration you need to do to correctly handle websocket?

So the way I got it working for me was by forcing the cloudflared daemon to use the quic protocol instead of http2. Also, I haven’t tested this but it doesn’t hurt to enable Websockets under Websites → <domain> → Network:

protocol: quic
tunnel: <redacted>
credentials-file: /etc/cloudflared/<redacted>.json

ingress:
  - hostname: incus.example.xyz
    service: unix:/var/lib/incus/unix.socket
  - service: http_status:404

OR
cloudflared tunnel --protocol quic run
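
An added example, not part of the thread or anyone's posted config: Incus treats every request that arrives on its local unix socket as fully trusted, so the ingress rule above gives admin access to whoever can reach the hostname. The variant below keeps the thread's quic setting and has cloudflared validate a Cloudflare Access JWT before proxying. It assumes an Access application already exists for incus.example.xyz; the team name and AUD tag are placeholders.

```yaml
# /etc/cloudflared/config.yml (added example; placeholders marked)
protocol: quic                  # per the thread: quic instead of http2
tunnel: <redacted>
credentials-file: /etc/cloudflared/<redacted>.json

ingress:
  - hostname: incus.example.xyz
    service: unix:/var/lib/incus/unix.socket
    originRequest:
      access:
        # Drop any request that lacks a valid Cf-Access-Jwt-Assertion header
        required: true
        # Placeholder: your Zero Trust team name
        teamName: <your-team-name>
        audTag:
          # Placeholder: AUD tag of the Access application for this hostname
          - <access-application-aud-tag>
  - service: http_status:404
```

With `required: true`, clients that cannot present an Access token are rejected at cloudflared and never reach the socket.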