Cloudflare offers (amongst it's rich services) a tunnel daemon that can expose your port to your customers while hiding your CAS server IP and protecting your system. The “cloudflared” daemon is used for this purpose.
This tunnel is useful for exposing the REST API required by:
Lightning’s LNURL,
Onfido,
Morphis,
Operator Extensions.
The tunnel may not currently work with Veriff.
The essential idea is that these CAS services can thus be mapped to a subdomain on your website while utilizing the Cloudflare DNS to hide your server IP.
The DNS entry should be a little obscure to reduce your vulnerability to drive-by attacks.
This is a suitable replacement for an NGINX proxy server.
The tunnel will enjoy the same certification of your website.
You must have a Cloudflare account (free) and their DNS services to use this option.
Create your Cloudflare tunnel
Navigate to: https://one.dash.cloudflare.com/
Create a tunnel.
Enter a name:
Save it:
Select your Operating System (debian) and architecture (64-bit):
Copy the installation command:
Paste it into your SSH window on your CAS system, and
press Enter.
Enter the tunnel endpoints.
All tunnel configuration is performed at this web page (none at the CAS server).
Any Subdomain is fine - but customers may see it - so don’t get crazy or use something that might cause you security issues.
Choose your Domain (it should already be listed in the dropdown box).
Type must be
HTTPS
.The URL for the CAS port is determined by the “Master IP” setting using
batm-manage info
.The URL in this example:
10.3.2.1:7743
The internal port for CAS extensions is
7743
.
Open/expand “Additional application settings” towards the bottom:
Click on “TLS”, and
enable the option “No TLS Verify”. Self-signed certificates cannot be TLS verified.
Finally:
Save it (click “Save tunnel” in the bottom right corner).
The tunnel will now be active and should be “live”, forwarding the REST API from CAS to your subdomain.
Test the tunnel
Using a browser, navigate to this test URL: https://agent86.yourdomain.com/extensions/lnurl
The browser should show this simple line of text: “BATM LNURL REST Service"
Troubleshooting
You may start the Cloudflared daemon in the foreground to watch live activity.
Stop the daemon:
sudo systemctl stop cloudflared
Start it manually:
/usr/bin/cloudflared --no-autoupdate tunnel run --token insert_your_token_here
Look at the logs.
Working directory for the daemon using this article:
/usr/local/etc/cloudflared
The default daemon behavior is to log to the system journal. To view the cloudflared
entries:
sudo journalctl | grep cloudflare
Change the YAML file to modify the defaults, located at: /usr/local/etc/cloudflared/config.yml
For performance reasons, logging is disabled by default, but to turn it on for diagnostic reasons:
Open the config file:
nano /usr/local/etc/cloudflared/config.yml
Add these lines (and save + exit):
logfile: /var/log/cloudflared/cftunnel.log
loglevel: debug
Restart the tunnel:
sudo systemctl restart cloudflared
Watch the logging in real time:
tail -f /var/log/cloudflared/cftunnel.log