View Source

Cloudflare offers (amongst it's rich services) a tunnel daemon that can expose a specified port to your customers while hiding your CAS server IP and protecting your system. The “cloudflared” daemon is used for this purpose.

This tunnel is useful for exposing the REST API (port 7743) required by:

Veriff,
Lightning’s LNURL (use with NGINX),
Onfido,
Morphis,
Operator Extensions.

The essential idea is that these CAS services can thus be mapped to a subdomain on your website while utilizing the Cloudflare DNS to hide your server IP.

This is a suitable replacement for an NGINX proxy server.
The tunnel will enjoy the same certification as your website.
Configuration is much simpler (no firewalls or proxy server manipulation required).

You must have a Cloudflare account (free) and their DNS services (paid) to use this option.

Create your Cloudflare tunnel

Navigate to: https://one.dash.cloudflare.com/

Create a tunnel.

General Bytes Knowledge Base > Cloudflare Zero Trust for REST API > image-20230717-191541.png

Enter a name:

Save it:

General Bytes Knowledge Base > Cloudflare Zero Trust for REST API > image-20230717-192142.png

Select your Environment:

General Bytes Knowledge Base > Cloudflare Zero Trust for REST API > image-20230717-192357.png

OS: Debian,
Architecture: 64-bit

Copy the installation command:

General Bytes Knowledge Base > Cloudflare Zero Trust for REST API > image-20230717-192941.png

Paste it into a SSH window on your CAS system, and
press Enter.

General Bytes Knowledge Base > Cloudflare Zero Trust for REST API > image-20230717-193454.png

Enter the tunnel endpoints.

All tunnel configuration is performed at this web page (no further changes at the CAS server).

Veriff requires the Subdomain to be RFC 952 compliant (only letters, digits, and hyphens).
Choose your Domain (it should already be listed in the dropdown box).
Type must be HTTPS.
The URL for the CAS port is determined by the “Master IP” setting using batm-manage info.
- The URL in this example (and most cases): 10.3.2.1:7743
- The internal port for CAS extensions is always: 7743.

Open/expand “Additional application settings” towards the bottom:

Click on “TLS”, and
enable the option “No TLS Verify”. Self-signed certificates cannot be TLS verified.

General Bytes Knowledge Base > Cloudflare Zero Trust for REST API > image-20230718-174217.png

Finally:

Save it (click “Save tunnel” in the bottom right corner).

General Bytes Knowledge Base > Cloudflare Zero Trust for REST API > image-20230718-174825.png

The tunnel will now be active and should be “live”, forwarding the REST API from CAS to your subdomain.

Test the tunnel

Using a browser, navigate to this test URL: https://cas-rest-api.yourcasdomain.com/extensions/lnurl

Replace cas-rest-api.yourcasdomain.com with your actual domain.

The browser should display this simple line of text: “BATM LNURL REST Service"

Use with NGINX

When the subdomain is exposed to the public, it should be protected by restricting the path of the URL. This is easily accomplished by implementing the NGINX reverse proxy. The cloudflared tunnel is then pointed towards the exposed internal port provided by NGINX.

This is recommended for endpoints like LNURL or PDF Wallets, where a link is sent to the customer. The public links should not include the /serverapi/ path, or any path that has room for manipulation. The NGINX server block can intercept and imply the path for a given subdomain, strengthening your security.

Example NGINX server block:

server {
    listen       8701 ssl;
    server_name wallets;

    ssl_certificate /etc/letsencrypt/live/yourcasdomain.com/fullchain.pem;    # must be current for LE method
    ssl_certificate_key /etc/letsencrypt/live/yourcasdomain.com/privkey.pem;  # must be current for LE method

    access_log /var/log/nginx/wallets_access.log;
    error_log /var/log/nginx/wallets_error.log;

    location / {
        proxy_pass https://10.3.2.1:7743/api/v1/crypto-wallets/;
    }
}

Exposes internal port https://127.0.0.1:8701 to the cloudflared tunnel, which
enables your pdf_wallet setting to point to the subdomain set by the cloudflared tunnel,
for example: https://wallets.yourcasdomain.com
NOTE: PDF wallets (when implemented this way) must not be proxied by Cloudflare. This just applies to PDF wallets, due to the way they are implemented (read once).

This configuration will protect CAS and simplify the links sent to your customers.

Troubleshooting

You may start the Cloudflared daemon in the foreground to watch live activity.

Stop the daemon: sudo systemctl stop cloudflared
Start it manually:

/usr/bin/cloudflared --no-autoupdate tunnel run --token insert_your_token_here

Look at the logs.

Cloudflare documentation regarding logs.
Working directory for the daemon using this article: /usr/local/etc/cloudflared

The default daemon behavior is to log to the system journal. To view the cloudflared entries:

sudo journalctl | grep cloudflare

Change the YAML file to modify the defaults, located at: /usr/local/etc/cloudflared/config.yml

For performance reasons, logging is disabled by default, but to turn it on for diagnostic reasons:

Open the config file: nano /usr/local/etc/cloudflared/config.yml
Add these lines (and save + exit):
1. logfile: /var/log/cloudflared/cftunnel.log
2. loglevel: debug
Restart the tunnel:
1. sudo systemctl restart cloudflared
Watch the logging in real time:
1. tail -f /var/log/cloudflared/cftunnel.log