Swag and Zero Trust through CloudFlare

Let me start by saying I’m not an IT pro, more an enthusiast. I want to set up an environment as described in this article with Swag and Zero Trust through CloudFlare tunnels to start messing around with an upgrade for my homelab.

After the better part of two weeks of fumbling, looking through forums and Google, here’s where I ended up.

Pwndrop I managed to get running rather quickly. I swapped the CF variables with mine, fired up the container, and the tunnel was made with the container accessible. I missed the part about the supersecretpath that has to be added to the URL, so at first I didn’t understand what was happening with the redirect, but the blame for that is on me.

Swag, on the other hand, is another story. As with pwndrop I swapped the CF variables, fired up both swag and overseerr, and nothing… No tunnel appeared, and hence no access to overseerr. After looking in the logs (under /var/log/letsencrypt/letsencrypt.log in the swag container) I noticed CF errors:

The error from Cloudflare was: 0 confused info - both key and token defined.

Some further Googling and searching here led me to believe I should add my own CF API token to config/dns-conf/cloudflare.ini, which I did. To my surprise, now I did get a tunnel created in the CF dashboard! Unfortunately, overseerr still isn’t accessible; I get a 502 “Bad gateway” error.

I’ve once again gone through the logs, this time without getting any wiser. Nothing seems to indicate a fault in swag. So I’m stuck, with two questions:

  1. Why wasn’t it necessary to edit a file within the pwndrop container, but it was necessary to edit cloudflare.ini in swag to get a tunnel up and running? Isn’t that what the environment variables in the docker compose are for?
  2. How do I get unstuck? Any pointers on how to further investigate what is going wrong?

Any help is much appreciated!

OK, so I got it working, but I feel like an idiot now…

What I did:

  • In your CF dashboard you can check the logs from your tunnel (on your Tunnels dashboard, click your tunnel and a side window appears on the right. In that window, click on the connector ID, which takes you to a detail page where you can start the logging).
  • Alternatively (in my case this gave the same info), you can check the Docker logs for errors.

Both pointed out that the connection was refused somewhere and it was unable to reach the destination. More importantly, the final clue was also in the Docker logs:

Cannot connect to the docker daemon, is it running?

Which seemed odd to me, as I knew it was running. Then it hit me. My compose file also contains other containers, so I picked which ones to start. I forgot to start the dockerproxy container…

Once that was up and running, overseerr suddenly became accessible!

Now onwards onto the authentication part!
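The three symptoms worked through in this thread (the "both key and token defined" error from the DNS plugin, the "Cannot connect to the docker daemon" line, and the refused connection) can be triaged with a small shell helper. This is an added example, not code from the original post or from the SWAG or Cloudflare projects; it assumes container names swag, overseerr and dockerproxy as in the post and runs here on constructed sample input rather than on a live Docker host.

```shell
#!/bin/sh
# Added triage helper for the SWAG + Cloudflare tunnel setup in the thread.
# It works on text: the output of `docker ps --format '{{.Names}}'` and the
# relevant log lines. The sample input at the bottom is constructed to mirror
# the symptoms described in the post; on a real host, feed it the real output.

# Print each required container name (whitespace-separated list in $1) that
# does not appear in the running-container list ($2, one name per line).
missing_containers() {
  required="$1"; running="$2"
  for name in $required; do
    if ! printf '%s\n' "$running" | grep -qx "$name"; then
      printf '%s\n' "$name"
    fi
  done
}

# Map the log signatures seen in the thread to a short cause/fix hint.
# $1 = one log line; prints a hint, or nothing if the line is not recognised.
explain_log_line() {
  case "$1" in
    *"both key and token defined"*)
      echo "cloudflare.ini: configure either the API token or the key/email pair, not both" ;;
    *"Cannot connect to the docker daemon"*)
      echo "the dockerproxy container is not running or not reachable from swag" ;;
    *"connection refused"*|*"Connection refused"*)
      echo "the tunnel reached swag but the upstream service (e.g. overseerr) is not up" ;;
    *) ;;
  esac
}

# Read log lines from stdin and print one hint per recognised line.
triage_log() {
  while IFS= read -r line; do
    explain_log_line "$line"
  done
}

# --- constructed sample input (dockerproxy deliberately left out) ---
REQUIRED="swag overseerr dockerproxy"
RUNNING="$(printf 'swag\noverseerr\n')"

missing_containers "$REQUIRED" "$RUNNING"   # prints: dockerproxy
printf '%s\n' \
  'The error from Cloudflare was: 0 confused info - both key and token defined.' \
  'Cannot connect to the docker daemon, is it running?' | triage_log
```

On a live host, replace the constructed values with `RUNNING="$(docker ps --format '{{.Names}}')"` and pipe `docker logs swag` into `triage_log`.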