cloudflare / cloudflared

Cloudflare Tunnel client (formerly Argo Tunnel)
https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide
Apache License 2.0

📝 #1198

Closed FStefanni closed 6 months ago

FStefanni commented 6 months ago

Available Documentation

https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/get-started/

Suggested Documentation

Requisites for running cloudflared successfully with all its features. These include, but are not limited to:

Additional context

I am trying to create a tunnel from a NixOS instance, and it works fine (rendering of an http page, ssh via console, etc.) except for the SSH rendered via browser. The command I use is:

cloudflared tunnel --loglevel debug --no-autoupdate run --token=mysupertoken

If I try to use the same command and token from Debian, everything works. So what I suppose is that there is a difference in the NixOS configuration (maybe about sshd) that creates the issue, but since no documentation about the setup is truly available, I am unable to understand what the issue truly is.

Just to let you know the error, this is what the browser console prints:

aaa@11223344556677889900abcdef
POST https://ssh.mydomain.it/cert_sign [HTTP/3 400 Bad Request 223ms]
[libssh2] 0.247000 Failure Event: -5 - Unable to exchange encryption keys JZ4D45Y6.js:1:3543
Uncaught (in promise) Error: [FATAL] ../../src/ssh/session.cc(230): libssh2_session_handshake(session_, 0 ) rc=-5

And this is the error that cloudflared prints:

2024-03-06T10:44:48Z DBG downstream->upstream copy: stream 5 canceled by local with error code 0 connIndex=0 destAddr=ssh://localhost:22 event=1 ingressRule=1 originService=ssh://localhost:22

Regards

jcsf commented 6 months ago

We don't support NixOS distribution. Therefore, we can't exactly tell what is missing. Feel free to propose a list of requirements if you are able to get it working.

uceumice commented 4 months ago

I am having the same issue whenever trying to access my machine via a browser-rendered ssh terminal. The whole set of logs is pretty much the same as the above.

Whenever I try to access my ssh application in the browser, I am greeted with the following view (screenshot omitted).

The error arises after a successful request to /cert_sign has been made. The /cert_sign returns a shining 200 with the certificate in its response (screenshots omitted).

Uncaught (in promise) Error: [FATAL] ../../src/ssh/session.cc(230): libssh2_session_handshake(session_, 0 ) rc=-5
    a https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:1
    poll https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:65
    initialize https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:65
    onopen https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:65
    Co https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:65
    create https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:65
    createTransport https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:65
    componentDidMount https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:65
    Kp https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:8
    Kp https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:8
    Kp https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:8
    an https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:8
    bd https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:1
    H0 https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:27
    <anonymous> https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:65
    <anonymous> https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:65
JZ4D45Y6.js:1:3263
    onopen https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:65
    AsyncFunctionThrow self-hosted:856
    (Async: async)
    Co https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:65
    create https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:65
    AsyncFunctionNext self-hosted:852
    (Async: async)
    createTransport https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:65
    componentDidMount https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:65
    Kp https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:8
    some self-hosted:137
    Kp https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:8
    some self-hosted:137
    Kp https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:8
    an https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:8
    bd https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:1
    H0 https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:27
    <anonymous> https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:65
    <anonymous> https://ssh-beidou-sus.ueuie.dev/JZ4D45Y6.js:65

The communication that took place via the websocket connection:

-> SSH-2.0-libssh2_1.9.0_DEV <- SSH-2.0-OpenSSH_9.6 -> forth.txt <- back.txt

The tunnel connection is trying to communicate with sshd, but eventually fails and reports mismatched MACs.

Mai 07 20:19:18 beidou sshd[5155]: Unable to negotiate with ::1 port 49422: no matching MAC found. Their offer: hmac-sha2-256,hmac-sha2-512 [preauth]

Logs printed by cloudflared are similar to those above.

2024-03-06T10:44:48Z DBG downstream->upstream copy: stream 5 canceled by local with error code 0 connIndex=0 destAddr=ssh://localhost:22 event=1 ingressRule=1 originService=ssh://localhost:22

And just as with @FStefanni's issue, it works fine (rendering of an http page, ssh via console, etc.) except for the SSH rendered via browser. I am leaving this more detailed log of this particular issue here, as it is quite notorious to debug and having more keywords to grip to is certainly useful.

As to the cause of the issue, I will investigate how cloudflare's access ssh proxy and cloudflare's communication with the browser-rendered terminal differ. Maybe libssh and openssh cause the problem.

I would greatly appreciate help from someone in the cloudflare community who may already have had to deal with a similar or the exact same issue themselves.

Regards

P.S.: There is a related community issue regarding Support old ssh kex and ciphers in web render.
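
As an added illustration (not from this thread's authors or from cloudflared), the following Python reproduces the algorithm-negotiation rule behind the sshd line quoted above: the sample log line is copied from the thread, while the server-side MAC list is an assumed ETM-only policy standing in for the host's real sshd_config `MACs` setting. The same parser also handles the other `no matching ... found` messages sshd emits (cipher, key exchange method, host key type).

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Sample input: the sshd log line posted in the thread above.
SSHD_LOG = (
    "Mai 07 20:19:18 beidou sshd[5155]: Unable to negotiate with ::1 port 49422: "
    "no matching MAC found. Their offer: hmac-sha2-256,hmac-sha2-512 [preauth]"
)

# Assumed server MAC list for illustration (ETM-only); the real value is
# whatever the host's sshd_config "MACs" line (or the distro default) contains.
SERVER_MACS = [
    "hmac-sha2-512-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com",
    "umac-128-etm@openssh.com",
]

# sshd format: "no matching <kind> found. Their offer: <comma-separated list>"
_OFFER_RE = re.compile(
    r"no matching (?P<kind>[\w ]+?) found\. Their offer: (?P<offer>[\w@.,-]+)"
)


class NegotiationFailure(NamedTuple):
    kind: str                 # algorithm class that failed, e.g. "MAC"
    client_offer: List[str]   # client's list, in its preference order
    server_list: List[str]    # server's configured list
    chosen: Optional[str]     # what negotiation would pick; None means no overlap


def parse_offer(log_line: str) -> Optional[Tuple[str, List[str]]]:
    """Extract the algorithm class and the client's offer from an sshd line."""
    m = _OFFER_RE.search(log_line)
    if not m:
        return None
    return m.group("kind"), m.group("offer").split(",")


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 section 7.1: the first client-preferred algorithm the server also lists."""
    server_set = set(server)
    return next((alg for alg in client if alg in server_set), None)


def diagnose(log_line: str, server_list: List[str]) -> Optional[NegotiationFailure]:
    """Explain an 'Unable to negotiate' line against a known server algorithm list."""
    parsed = parse_offer(log_line)
    if parsed is None:
        return None
    kind, offer = parsed
    return NegotiationFailure(kind, offer, server_list, negotiate(offer, server_list))
```

Running `diagnose(SSHD_LOG, SERVER_MACS)` yields `chosen=None`, i.e. the two lists share no algorithm, which is exactly the condition under which sshd logs "no matching MAC found"; re-running `negotiate` with a server list that also contains one of the offered MACs returns that MAC.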

joegoldin commented 1 month ago

Also experiencing this same issue on NixOS... :(