I've seen & run into multiple issues with using Cloudflare to attempt to proxy public connections to foundry servers both for myself and a bunch of members in the community. This guide should help show you how I managed to get around all the dreaded 502, 523, 504, and slew of other Cloudflare error codes when trying to route through their proxy services with an Apache2 or Nginx service running on your host machine.
Note: You will no longer need the reverse Apache2 or Nginx server installed or running after this is set up! Cloudflare will act as your reverse proxy.
If you've tried something like this in the past and were furious because it wasn't working, I feel your pain. It took me 8 days (~6 hours each day) to figure this method out after countless other methods. Ultimately, the reason Cloudflare will fail if you use it with Apache2/Nginx running as your proxy on your Linux machine is that Cloudflare doesn't like redirects (if you're connecting via HTTP and have a redirect to HTTPS) and (getting hand-wavy “these are not the droids you're looking for” right now to save space) doesn't like having their HTTP/HTTPS traffic "being weird" – like it does with Foundry. I know. I wasted a week trying and testing all the configurations setups for both Apache2 and Nginx to literally no avail until I realized that. I knew then that I had to set up a “tunnel” from the Cloudflare proxy server to my origin server (where Foundry is hosted on my local network).
At the end of this you will have:
Before getting started, you need to have at least a few things:
sudo
permissionsFor this example, I will be using a secondary computer running Ubuntu 20.04 on my local network with properly configured port forwarding and firewall rules enabled.
The logical flow from start to finish is to generate your Cloudflare certificates; your private key, CSR, and Origin Server cert. After we have all those, we'll assign these to be used for your FoundryVTT server (sorry if you went through the entire process of getting your other self-signed certs or other certs, but we need to use Cloudflare's certs for this to work). Then, we'll set up a tunnel from the Cloudflare Proxy server to your Origin Server and test connectivity.
1. To get started, log into your Cloudflare account and begin linking your domain through Cloudflare.
2. Head to the DNS section and begin switching your domain's nameservers to Cloudflare's nameservers (there is a guide on how to do that, here).
Note: Wait at least 15 minutes before continuing. Sometimes you may have to wait up to 24 hours before the DNS settings are successfully changed. You will be notified when the nameservers are properly navigated to Cloudflare. Continue AFTER these have successfully been changed.
3. Head to the SSL/TLS section
a. Under the SSL/TLS group there will be another section called “Origin Server". Click the name and then “Create Certificate” on the page that will be displayed.
b. Choose “Generate private key and CSR with Cloudflare" and select “RSA-2048”. Ensure your root domain and first subdomain-as-wildcard are listed, e.g. "*.yourdomain.com" and "yourdomain.com".
c. Chose your expiration (in years). This is up to you, but unless you plan on keeping this running for a very long time, I may suggest keeping your certs with a pretty short expiration. I keep my set to annual (1-year expiration) for overall security.
Note: Do NOT share these keys with ANYONE. Once you leave that page, you will not be able to see your keys again so don't refresh or close the page.
Another Note: Here's the bottom line, if you're unfamiliar with why this is important, anyone that has a copy of your private key can decrypt your HTTPS traffic. That means any passwords that are passed to your server will be able to be read in plain text, thwarting the entire reason for using SSL/TLS and leaving your server open to further attacks from outside entities.
c. On your Linux host terminal, create a hidden directory & certificate files.
$ sudo mkdir /etc/.cloudflare-certs
$ sudo touch /etc/.cloudflare-certs/yourdomain.com.key
$ sudo touch /etc/.cloudflare-certs/yourdomain.com.pem
d. Now, we're going to add the key text into those files:
1. Enter $ sudo vim /etc/.cloudflare-certs/yourdomain.com.key
2. Press the “i” key on your keyboard to enter “insert” mode.
3. Copy the entire private key shown on the Cloudflare website ( Ctrl + Shift + Insert
is your friend – press them all at the same time).
4. Press esc
and then type :wq
.
5. Repeat the same process you just did with your Origin Certificate: $ sudo vim /etc/.cloudflare-certs/yourdomain.com.pem
.
6. If you need the other versions for other operating systems, copy them here. Just make sure you ensure they're safe and properly encrypted "at-rest" – not in use.
Note: PKCS#7 for Apache Tomcat & Windows, DER as a replacement for PEM.
e. Now, change the permission settings for these files by doing the following (for security reasons).
### Set the permissions to the .cloudflare-certs directory, private key, and origin certificate
$ sudo chmod 600 /etc/.cloudflare-certs
$ sudo chmod 600 /etc/.cloudflare-certs/yourdomain.com.key
$ sudo chmod 644 /etc/.cloudflare-certs/yourdomain.com.pem
f. Now, if you've used other self-signed certificates or certificates from Let's Encrypt we're going to swap out those for these Cloudflare certs. You may also disable the proxy setup for this type of installation.
1. Change the two lines sslCert
and sslKey
to your Origin Certificate and Private Key.
{
...
"sslCert": "/etc/.cloudflare-certs/yourdomain.com.pem"
"sslKey": "/etc/.cloudflare-certs/yourdomain.com.key"
...
"proxySSL": null,
"proxyPort": null,
...
}
1. Add the cloudflared
repository to your package manager.
$ echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/ focal main' |
sudo tee /etc/apt/sources.list.d/cloudflare-main.list
$ sudo curl https://pkg.cloudflare.com/cloudflare-main.gpg -o /usr/share/keyrings/cloudflare-main.gpg
1. a. For installation on Raspberry Pi OS
$ curl -L https://pkg.cloudflare.com/cloudflare-main.gpg |
sudo tee /usr/share/keyrings/cloudflare-archive-keyring.gpg >/dev/null
Followed by
$ echo "deb [signed-by=/usr/share/keyrings/cloudflare-archive-keyring.gpg]
https://pkg.cloudflare.com/cloudflared $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflared.list
Credit to PiMyLifeUp
2. Install the cloudflared
service.
$ sudo apt-get update
$ sudo apt-get install cloudflared -y
3. Navigate & log into the Cloudflare Zero Trust dashboard, here.
a. Under the “Access” tab, click on “Tunnel”.
b. Click on “Create Tunnel” at the top & continue through the generator.
1. Name the tunnel whatever you'd like; I named mine “FoundryVTT”.
2. On the Installer Screen, press the Debian environment build and chose whichever architecture your host is running.
3. Now copy and paste the string of characters listed in the “If you already have cloudflared installed on your machine” box on the website. It should look something like this:
sudo cloudflared service install <THIS IS A REALLY LONG STRING OF CHARACTERS THAT IS UNIQUE TO THIS TUNNEL YOU JUST CREATED - DON'T SHARE THIS>
4. Once you run this command, a tunnel connector will be established; it may not update on the website.
5. On the final screen, choose the “Public Hostname” option, enter your domain name (this is the same name that is in your Foundry options.conf
file), set the path to *, set the protocol to “HTTPS" and enter “Private IP Address” followed by a colon and port of the FoundryVTT server, (default is 30000). So, for example, it should look like HTTPS://192.168.1.20:30000.
A. If you don't know what your private IP address is, you can run “ifconfig” and the IP address will be printed under your ethernet (usually eth0) or wireless (wlan0) adapter. Whichever one you're connecting to the internet from.
$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.20 netmask 255.255.255.0 broadcast 192.168.1.255
ether XX:XX:XX:XX:XX:XX txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 0 memory 0x00000000-00000000
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
4. Login to the cloudflared
service using the command: sudo cloudflared login
.
a. Your browser should open. If it doesn't, just copy and paste the URL and login again like normal.
b. Assign that login to your created tunnel. This will link certificates and other required information. Without this, you'll have to add another certificate to your PATH, which I don't recommend.
5. Assuming everything went to plan, you should be able to refresh the webpage that has the named tunnel you just created and you should see a status of “Active”. If not, you may have to look up the docs, here and see if something may have gone wrong.
1. Ensure your foundry server is running (with sudo permissions, otherwise it will fail when trying to read your certificate files).
2. Navigate to your foundry server using your webpage URL. If you get a certificate error, you may need to install Cloudflare's Root CA into your trusted certificate repository on your PC. Instructions on how to do that are here.
And that should be it! If you get any errors, please refer to any of the linked documentation from Cloudflare or search Google for your specific error.
Note: This section is still a work in progress – I will be back after getting the motivation and testing to continue working on it - DM Ach