Cloudflare tunnel & oCIS?

Hi there!
I am currently trying to get away from Dropbox and looking for an alternative without much overhead (looking at you, Nextcloud). oCIS seems perfect and syncs to the desktop, which is needed by my family.
A simple install via docker-compose works fine on the local network; however, when I try to open it to the outside with the help of Cloudflare’s tunnel (which I use for the rest of my docker setup), it breaks:

TLS handshake error from <docker host's ip>:60862: remote error: tls: bad certificate

could not initialize oidcAuth provider | service=proxy error=502 Bad Gateway: 502 Bad Gateway Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared

I tried to use a rather minimal docker-compose setup, maybe one of you sees immediately where I went wrong?

version: "3.7"
services:
  ocis:
    image: owncloud/ocis:latest@sha256:c6b137cf781c57d3fd4cc74099dd67316f885e26b8509c688322ba774119a023
    container_name: owncloud
    environment:
      OCIS_INSECURE: "true"
      OCIS_URL: "https://public_url"
      PROXY_TLS: "false"
      OCIS_LOG_LEVEL: debug
    volumes:
      - /opt/owncloud/ocis-config/ocis.yaml:/etc/ocis/ocis.yaml
      - /opt/owncloud/ocis-data:/var/lib/ocis
    ports:
      - 9200:9200
    restart: always # or on-failure / unless-stopped
    logging:
      driver: local
1 Like

Very interesting product (cloudflared).

I’ve had trouble before getting ocis to run with SSL offloading.

I got it working by creating a backend server SSL certificate in the Cloudflare interface. You can, with just a few clicks, create a 15-year certificate validated by Cloudflare.

I put the certificate files into the ocis-config folder and mounted them straight into / inside the container.
And then added some env variables for ocis to pick those up:

version: "3.7"
services:
  ocis:
    image: owncloud/ocis:latest@sha256:c6b137cf781c57d3fd4cc74099dd67316f885e26b8509c688322ba774119a023
    container_name: owncloud
    environment:
      OCIS_INSECURE: "true"
      OCIS_URL: "https://ocis.domain.tld"
      OCIS_LOG_LEVEL: debug
      PROXY_TRANSPORT_TLS_KEY: "/ocis.domain.tld.key"
      PROXY_TRANSPORT_TLS_CERT: "/ocis.domain.tld.crt"
    volumes:
      - /opt/owncloud/ocis-config/ocis.yaml:/etc/ocis/ocis.yaml
      - /opt/owncloud/ocis-config/ocis.domain.tld.key:/ocis.domain.tld.key
      - /opt/owncloud/ocis-config/ocis.domain.tld.crt:/ocis.domain.tld.crt
      - /opt/owncloud/ocis-data:/var/lib/ocis
    ports:
      - 9200:9200
    restart: always # or on-failure / unless-stopped
    logging:
      driver: local

But then I still had trouble:

2023-03-30T12:03:04Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: certificate is valid for ocis.domain.tld, not localhost" connIndex=1 dest=https://ocis.domain.tld/themes/owncloud/theme.json ip=198.41.200.113 type=http
2023-03-30T12:03:05Z ERR  error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: certificate is valid for ocis.domain.tld, not localhost" cfRay=<someRayID>-FRA originService=https://localhost:9200

So I adjusted the cloudflared config.yaml like so:

tunnel: <tunnelID>
credentials-file: /home/erik/.cloudflared/<tunnelID>.json
originRequest: 
  noTLSVerify: true

ingress:
  - service: https://localhost:9200

And then it started working. Perhaps that’s a workaround that could work for you?

3 Likes
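The noTLSVerify setting in the config above makes cloudflared stop checking the origin certificate altogether, so it would also connect happily to an origin presenting any certificate at all. As an added example (not from this thread or the oCIS project), the same cloudflared config.yaml with verification kept on: it assumes cloudflared's originServerName ingress option and reuses the <tunnelID>, credentials path and ocis.domain.tld placeholders from the post.

```yaml
# Added example, not from the thread: keep origin TLS verification on.
# <tunnelID>, the credentials path and ocis.domain.tld are the
# placeholders from the post above.
tunnel: <tunnelID>
credentials-file: /home/erik/.cloudflared/<tunnelID>.json

ingress:
  - hostname: ocis.domain.tld
    service: https://localhost:9200
    originRequest:
      # cloudflared dials localhost:9200, so by default it validates the
      # origin certificate against the name "localhost", which is exactly
      # the "certificate is valid for ocis.domain.tld, not localhost"
      # error seen in the logs. originServerName sets the SNI and the
      # expected name to the one the Cloudflare origin certificate carries,
      # so verification succeeds without noTLSVerify.
      originServerName: ocis.domain.tld
      # Only needed if the origin certificate is NOT from the Cloudflare
      # Origin CA (cloudflared trusts that CA already); path is a placeholder:
      # caPool: /etc/cloudflared/my-origin-ca.pem
  # cloudflared requires a catch-all rule without a hostname as the last entry.
  - service: http_status:404
```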

Thanks, the suggestion with the manual certificates worked, even without the last config adjustment.
🙂

3 Likes

Hello, thanks for your work, it helped me a lot. I added Authelia for OIDC via Cloudflare. That works perfectly for access to oCIS via browser but is KO for the desktop client and iOS… Do you have any ideas? Have a good day, Fred