jk's blog

13 Jul 2022

Multiple Argo Tunnels in High Availability

Using Argo Tunnels to protect multiple origins, and running them across multiple termination points.

Overview

We’re looking to create a private, egress-only link between your web servers and Cloudflare. Users will still be able to access the service, but traffic will only be routed through Cloudflare. Once the tunnel is set up, you can go ahead and remove all public ingress from your origin servers - all they’ll need is egress out to Cloudflare.

A real-world example could involve protecting fragile on-premises resources. For example, you might have web servers in your on-prem environment that aren’t as secure as you’d want them to be - maybe the software or OS isn’t supported anymore - but they’ve still got users relying on them.

To prove the concept, we’re going to create a high availability (HA) link across two termination points. We’re going to point this link to two origin servers.

Prerequisites

  • Two web servers listening on port 80/443

  • cloudflared installed on two other servers

  • Your cloudflared servers are able to connect to your web servers

Setting up your first tunnel

  1. On one of your cloudflared servers, create an Argo Tunnel:

    cloudflared tunnel create tunnel-1

  2. Create .cloudflared/config.yaml with the following details:

    • Tunnel ID

    • Credentials file

    • The details of one of your origins

It should look something like this:

tunnel: 08e2f098-3240-234a-07ab-987324cab03a
credentials-file: /home/username/.cloudflared/08e2f098-3240-234a-07ab-987324cab03a.json

ingress:
  - hostname: tunnel-1.example.com
    service: http://10.0.0.8:80
    originRequest:
      noTLSVerify: true
  - service: http_status:404

  3. Create a DNS record pointing to your tunnel. In this example we would have a CNAME of tunnel-1.example.com pointing at 08e2f098-3240-234a-07ab-987324cab03a.cfargotunnel.com

  4. Run your tunnel with: cloudflared tunnel run tunnel-1

  5. Point your browser at tunnel-1.example.com and your first origin should be displayed.

Running as a service

Run the following command to install cloudflared as a service:

sudo cloudflared service install

Copy over your ~/.cloudflared/config.yaml to /etc/cloudflared/ and then run these commands to start the service and ensure it starts on boot.

sudo systemctl start cloudflared
sudo systemctl enable cloudflared

Configuring High Availability (HA)

Move to your second cloudflared server.

Copy across the following files:

  • Your credentials file (.cloudflared/08e2f098-3240-234a-07ab-987324cab03a.json in this example)

  • Your certificate file (.cloudflared/cert.pem)

  • Your config file (.cloudflared/config.yaml)

Run your tunnel with: cloudflared tunnel run tunnel-1

There’s no need to configure DNS - your CNAME is already pointing at this tunnel, so it’ll automatically route across both servers.

Once you’ve confirmed that everything’s working, you can configure cloudflared to run as a service.

Configuring a second origin

Head back to your first cloudflared server and edit your config.yaml file. Remember that if you configured it to run as a service the file now exists in /etc/cloudflared.

Add another hostname, pointing at your second web server. It should look something like this:

tunnel: 08e2f098-3240-234a-07ab-987324cab03a
credentials-file: /home/username/.cloudflared/08e2f098-3240-234a-07ab-987324cab03a.json

ingress:
  - hostname: tunnel-1.example.com
    service: http://10.0.0.8:80
    originRequest:
      noTLSVerify: true
  - hostname: tunnel-2.example.com
    service: http://10.0.0.9:80
    originRequest:
      noTLSVerify: true
  - service: http_status:404

And restart your cloudflared service by running: sudo systemctl restart cloudflared

Create a second DNS record pointing to this tunnel. In this example we would have a CNAME of tunnel-2.example.com pointing at 08e2f098-3240-234a-07ab-987324cab03a.cfargotunnel.com

If you point your browser at tunnel-2.example.com your second origin should be displayed.

Go to your second cloudflared server, make the same change to its config.yaml file, and restart the service there too.
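As an added example (not from the original post or from cloudflared itself), here is a small Python checker for the ingress sections above: it reproduces the top-to-bottom, first-match ordering cloudflared applies to ingress rules, using the page's two-hostname config transcribed into a dict so it runs offline, and it reports what a reviewer should look at, in particular that noTLSVerify only matters for https:// origins, so on the http:// origins shown it does nothing. The wildcard handling is a simplification of cloudflared's matcher and is an assumption of this example.

```python
# Ingress rules transcribed from the config.yaml above (constructed sample:
# the hostnames and origin IPs are the page's example values).
INGRESS = [
    {"hostname": "tunnel-1.example.com", "service": "http://10.0.0.8:80",
     "originRequest": {"noTLSVerify": True}},
    {"hostname": "tunnel-2.example.com", "service": "http://10.0.0.9:80",
     "originRequest": {"noTLSVerify": True}},
    {"service": "http_status:404"},
]


def match_ingress(rules, hostname):
    """Return the service the first matching rule sends `hostname` to.

    Rules are tried top to bottom, as cloudflared does; a rule with no
    hostname is a catch-all.  A leading '*.' is treated here as matching
    any depth of subdomain (assumed simplification of cloudflared's matcher).
    """
    host = hostname.lower().rstrip(".")
    for rule in rules:
        pattern = rule.get("hostname")
        if pattern is None:
            return rule["service"]
        pattern = pattern.lower()
        if pattern.startswith("*.") and host.endswith(pattern[1:]):
            return rule["service"]
        if host == pattern:
            return rule["service"]
    return None  # no catch-all: cloudflared rejects such a config


def lint_ingress(rules):
    """Return review findings for a list of ingress rules."""
    findings = []
    if not rules or "hostname" in rules[-1]:
        findings.append("last rule must be a catch-all with no hostname")
    for i, rule in enumerate(rules):
        svc = rule["service"]
        no_tls = rule.get("originRequest", {}).get("noTLSVerify", False)
        if no_tls and svc.startswith("https://"):
            findings.append(f"rule {i}: noTLSVerify disables origin "
                            f"certificate checks for {svc}")
        elif no_tls:
            findings.append(f"rule {i}: noTLSVerify has no effect on "
                            f"plaintext origin {svc}")
        if svc.startswith("http://"):
            findings.append(f"rule {i}: cloudflared reaches {svc} "
                            f"over unencrypted HTTP")
    return findings
```

Run lint_ingress(INGRESS) after each config change, and match_ingress(INGRESS, "tunnel-2.example.com") to confirm a new hostname lands on the origin you expect rather than the http_status:404 catch-all.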

Conclusion

That’s it! We’re done! You can go ahead and remove all the internet ingress from your two origins, and feel safe in the knowledge that Cloudflare is protecting your resources.