Export docker container through cloudflared


I have a NAS where I am running various web apps in docker containers through docker-compose. I want some of these web apps to be accessible through the internet, not only when I am connected to my home network.

The problem I'm currently facing is that while cloudflare is able to expose the default web apps (default NAS management 192.168.1.135:80 can be mapped to subdomain.domain.com, for instance), it is unable to expose any docker container I try to run (192.168.1.135:4444 cannot be mapped to subdomain2.domain.com), and I receive a 502 bad gateway error with every app I have tried so far.

The configuration shouldn't be the issue, and it's definitely not the NoTLSVerify flag because the apps run on HTTP and I have configured it that way, so I am out of options to know what is going on and how to solve it.


0
Hamperfait On BEST ANSWER

Turns out the problem is due to how docker works with networks, not with how Cloudflare accesses them. I first had to create a network that connected both containers, since adding cloudflare to my docker-compose file didn't work for some reason.

  1. Create a docker network:
       docker network create tunnel
  2. Run docker without specifying the network:
       docker run -d --name cloudflare cloudflare/cloudflared:latest tunnel --no-autoupdate run --token
  3. Add the docker to the network:
       docker network connect tunnel cloudflare
  4. Run the container (note the container should have, as you specified, the network name identical to the one you created earlier, but cloudflare should not be in your docker-compose file):
       docker-compose up
  5. In the cloudflare tunnel config, you will have to specify the docker internal address of your container (as @lu4t suggested). You can identify the address with:
       docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' container
3
lu4t On

Looks like the apps you're running on your NAS are proxied through the docker runtime. Consequently, the IP:port you need to add to the cloudflare tunnel config is the one that is reachable from the Host (not the IP of the host itself).

If the host is 192.168.1.135, you need to know the IP (internal to the docker network) of the app that you want to access from the outside, typically in the 172.0.0.1/24 range.

Example: If the containers running the apps you want to access are running on 172.0.0.2:4444 for app1 and 172.0.0.3:5555 for app2, the cloudflare config would look like this:

tunnel: the_ID_of_the_tunnel
credentials-file: /root/.cloudflared/the_ID_of_the_tunnel.json

ingress:
  - hostname: yourapp1.example.com
    service: http://172.0.0.2:4444
  - hostname: yourapp2.example.com
    service: http://172.0.0.3:5555
  - service: http_status:404

See more details and a video here: How to redirect subdomain to port (docker)
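
The IP lookup from the accepted answer and the ingress block from this answer can be tied together. The script below is an added example, not part of either answer: it reads `docker inspect` JSON, emits ingress rules only for containers attached to the shared network, and reports the ones cloudflared has no address for. The network name `tunnel` comes from the accepted answer; the container names, IP addresses and the third hostname are constructed for illustration.

```python
import json

# Constructed sample of `docker inspect app1 app2 app3` output, trimmed to the
# fields used here; container names and addresses are made up for illustration.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/app1", "NetworkSettings": {"Networks": {
        "tunnel": {"IPAddress": "172.18.0.2"}}}},
    {"Name": "/app2", "NetworkSettings": {"Networks": {
        "tunnel": {"IPAddress": "172.18.0.3"},
        "bridge": {"IPAddress": "172.17.0.4"}}}},
    {"Name": "/app3", "NetworkSettings": {"Networks": {
        "bridge": {"IPAddress": "172.17.0.5"}}}},
])

def addresses_on_network(inspect_json, network):
    """Map container name -> IP on `network`, or None if it is not attached."""
    result = {}
    for c in json.loads(inspect_json):
        nets = c["NetworkSettings"]["Networks"] or {}
        ip = nets.get(network, {}).get("IPAddress") or None
        result[c["Name"].lstrip("/")] = ip
    return result

def build_ingress(inspect_json, network, routes):
    """routes: {hostname: (container, port)}. Returns (yaml_text, unreachable)."""
    ips = addresses_on_network(inspect_json, network)
    lines, unreachable = ["ingress:"], []
    for hostname, (container, port) in routes.items():
        ip = ips.get(container)
        if ip is None:
            # No address on the shared network: cloudflared cannot reach it there.
            unreachable.append(container)
            continue
        lines.append(f"  - hostname: {hostname}")
        lines.append(f"    service: http://{ip}:{port}")
    # Catch-all rule, as in the config above: unmatched hostnames get a 404.
    lines.append("  - service: http_status:404")
    return "\n".join(lines) + "\n", unreachable

if __name__ == "__main__":
    routes = {"yourapp1.example.com": ("app1", 4444),
              "yourapp2.example.com": ("app2", 5555),
              "yourapp3.example.com": ("app3", 6666)}
    text, missing = build_ingress(SAMPLE_INSPECT, "tunnel", routes)
    print(text)
    print("not attached to 'tunnel':", missing)
```

On a real host, replace `SAMPLE_INSPECT` with the output of `docker inspect` for the containers you want to publish.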

0
virtualdj On

When using docker-compose on a QNAP NAS be aware that by default it creates a new network that is not bound to your NIC but to a virtual one (that you can see in the Network & Virtual switch panel on the web UI).

So, if you're mapping the 4444 port, that port is not listening on your NAS IP address! To ensure it is, add this line to the docker-compose.yaml file:

services:
  your-service:
    network_mode: "bridge"