mirror of
https://github.com/ksyasuda/dotfiles.git
synced 2026-03-21 18:11:27 -07:00
update skills
This commit is contained in:
168
.agents/skills/cloudflare-deploy/references/tunnel/networking.md
Normal file
168
.agents/skills/cloudflare-deploy/references/tunnel/networking.md
Normal file
@@ -0,0 +1,168 @@
|
||||
# Tunnel Networking
|
||||
|
||||
## Connectivity Requirements
|
||||
|
||||
### Outbound Ports
|
||||
|
||||
Cloudflared requires outbound access on:
|
||||
|
||||
| Port | Protocol | Purpose | Required |
|
||||
|------|----------|---------|----------|
|
||||
| 7844 | TCP/UDP | Primary tunnel protocol (QUIC) | Yes |
|
||||
| 443 | TCP | Fallback (HTTP/2) | Yes |
|
||||
|
||||
**Network path:**
|
||||
```
|
||||
cloudflared → edge.argotunnel.com:7844 (preferred)
|
||||
cloudflared → region.argotunnel.com:443 (fallback)
|
||||
```
|
||||
|
||||
### Firewall Rules
|
||||
|
||||
#### Minimal (Production)
|
||||
```bash
|
||||
# Outbound only
|
||||
ALLOW tcp/udp 7844 to *.argotunnel.com
|
||||
ALLOW tcp 443 to *.argotunnel.com
|
||||
```
|
||||
|
||||
#### Full (Recommended)
|
||||
```bash
|
||||
# Tunnel connectivity
|
||||
ALLOW tcp/udp 7844 to *.argotunnel.com
|
||||
ALLOW tcp 443 to *.argotunnel.com
|
||||
|
||||
# API access (for token-based tunnels)
|
||||
ALLOW tcp 443 to api.cloudflare.com
|
||||
|
||||
# Updates (optional)
|
||||
ALLOW tcp 443 to github.com
|
||||
ALLOW tcp 443 to objects.githubusercontent.com
|
||||
```
|
||||
|
||||
### IP Ranges
|
||||
|
||||
Cloudflare Anycast IPs (tunnel endpoints):
|
||||
```
|
||||
# IPv4
|
||||
198.41.192.0/24
|
||||
198.41.200.0/24
|
||||
|
||||
# IPv6
|
||||
2606:4700::/32
|
||||
```
|
||||
|
||||
**Note:** Use DNS resolution for `*.argotunnel.com` rather than hardcoding IPs. Cloudflare may add edge locations.
|
||||
|
||||
## Pre-Flight Check
|
||||
|
||||
Test connectivity before deploying:
|
||||
|
||||
```bash
|
||||
# Test DNS resolution
|
||||
dig edge.argotunnel.com +short
|
||||
|
||||
# Test port 7844 (QUIC/UDP)
|
||||
nc -zvu edge.argotunnel.com 7844
|
||||
|
||||
# Test port 443 (HTTP/2 fallback)
|
||||
nc -zv edge.argotunnel.com 443
|
||||
|
||||
# Test with cloudflared
|
||||
cloudflared tunnel --loglevel debug run my-tunnel
|
||||
# Look for "Registered tunnel connection"
|
||||
```
|
||||
|
||||
### Common Connectivity Errors
|
||||
|
||||
| Error | Cause | Solution |
|
||||
|-------|-------|----------|
|
||||
| "no such host" | DNS blocked | Allow port 53 UDP/TCP |
|
||||
| "context deadline exceeded" | Port 7844 blocked | Allow UDP/TCP 7844 |
|
||||
| "TLS handshake timeout" | Port 443 blocked | Allow TCP 443, disable SSL inspection |
|
||||
|
||||
## Protocol Selection
|
||||
|
||||
Cloudflared automatically selects protocol:
|
||||
|
||||
| Protocol | Port | Priority | Use Case |
|
||||
|----------|------|----------|----------|
|
||||
| QUIC | 7844 UDP | 1st (preferred) | Low latency, best performance |
|
||||
| HTTP/2 | 443 TCP | 2nd (fallback) | QUIC blocked by firewall |
|
||||
|
||||
**Force HTTP/2 fallback:**
|
||||
```bash
|
||||
cloudflared tunnel --protocol http2 run my-tunnel
|
||||
```
|
||||
|
||||
**Verify active protocol:**
|
||||
```bash
|
||||
cloudflared tunnel info my-tunnel
|
||||
# Shows "connections" with protocol type
|
||||
```
|
||||
|
||||
## Private Network Routing
|
||||
|
||||
### WARP Client Requirements
|
||||
|
||||
Users accessing private IPs via WARP need:
|
||||
|
||||
```bash
|
||||
# Outbound (WARP client)
|
||||
ALLOW udp 500,4500 to 162.159.*.* (IPsec)
|
||||
ALLOW udp 2408 to 162.159.*.* (WireGuard)
|
||||
ALLOW tcp 443 to *.cloudflareclient.com
|
||||
```
|
||||
|
||||
### Split Tunnel Configuration
|
||||
|
||||
Route only private networks through tunnel:
|
||||
|
||||
```yaml
|
||||
# warp-routing config
|
||||
warp-routing:
|
||||
enabled: true
|
||||
```
|
||||
|
||||
```bash
|
||||
# Add specific routes
|
||||
cloudflared tunnel route ip add 10.0.0.0/8 my-tunnel
|
||||
cloudflared tunnel route ip add 172.16.0.0/12 my-tunnel
|
||||
cloudflared tunnel route ip add 192.168.0.0/16 my-tunnel
|
||||
```
|
||||
|
||||
WARP users can access these IPs without VPN.
|
||||
|
||||
## Network Diagnostics
|
||||
|
||||
### Connection Diagnostics
|
||||
|
||||
```bash
|
||||
# Check edge selection and connection health
|
||||
cloudflared tunnel info my-tunnel --output json | jq '.connections[]'
|
||||
|
||||
# Enable metrics endpoint
|
||||
cloudflared tunnel --metrics localhost:9090 run my-tunnel
|
||||
curl localhost:9090/metrics | grep cloudflared_tunnel
|
||||
|
||||
# Test latency
|
||||
curl -w "time_total: %{time_total}\n" -o /dev/null https://myapp.example.com
|
||||
```
|
||||
|
||||
## Corporate Network Considerations
|
||||
|
||||
Cloudflared honors proxy environment variables (`HTTP_PROXY`, `HTTPS_PROXY`, `NO_PROXY`).
|
||||
|
||||
If corporate proxy intercepts TLS, add corporate root CA to system trust store.
|
||||
|
||||
## Bandwidth and Rate Limits
|
||||
|
||||
| Limit | Value | Notes |
|
||||
|-------|-------|-------|
|
||||
| Request size | 100 MB | Single HTTP request |
|
||||
| Upload speed | No hard limit | Governed by network/plan |
|
||||
| Concurrent connections | 1000 per tunnel | Across all replicas |
|
||||
| Requests per second | No limit | Subject to DDoS detection |
|
||||
|
||||
**Large file transfers:**
|
||||
Use R2 or Workers with chunked uploads instead of streaming through tunnel.
|
||||
Reference in New Issue
Block a user