Monitor tunnels from outside

Hi! I'm using Cloudflare Tunnels to run my homelab, but I want to monitor it from outside (in case my connection goes down or the rasp dies). I have tried tools like https://www.openstatus.dev but they can't reach the page, for example jonathan.com.ar. Is there a way to monitor my different applications running there from outside?
28 Replies
Chaika (6mo ago)
For HTTP apps/Public Hostnames, you can monitor them the same as you'd monitor any web server. It looks like you probably got hit by the fact you have Under Attack Mode on / are challenging every request, so the monitoring service was just seeing 403s?
jd (6mo ago)
The managed challenge is the one you mean? That's at WAF. Under Attack is not enabled.
Chaika (6mo ago)
What do you see under Security -> Events causing challenges?
jd (6mo ago)
The right side is openstatus.
Chaika (6mo ago)
When you expand the managed challenge, which rule is doing it?
jd (6mo ago)
You mean this?
Chaika (6mo ago)
If you don't mean to be challenging every visitor coming to your site, we could try to fix the rule causing it, or you could whitelist openstatus's IPs or give it a special header to bypass the challenges. What is the SSL rule matching on?
jd (6mo ago)
We could whitelist openstatus or remove the challenge; I'm okay with both, I think.
Chaika (6mo ago)
Well, challenging everyone isn't exactly the best user experience lol, but it's up to you. Was the intent of that rule to challenge everyone? I tried searching for openstatus's IP list but couldn't find it; you would have to find it. Most monitoring solutions list all of their IPs so you can easily whitelist them (or go the header route).
jd (6mo ago)
No, there was no intent at first; I was just trying random things from WAF. This is outside of the thread itself, but what would you suggest I challenge? Only bots?
Chaika (6mo ago)
If you're talking about the bot fields, you wouldn't want to challenge them; those are verified bots, "the good ones".
jd (6mo ago)
The "known bots" are the good ones then? omg, I was blocking them lul. The challenge: the connection is okay with openstatus.
Chaika (6mo ago)
Yes, those include Google's search index bot and such lol.
Chaika (6mo ago)
As for this question though, it really depends on your situation. There are certain community rule lists like https://gist.github.com/Le0Developer/4c68f9a878a4cc2db88755ae06191dbc if you want to preemptively try to block common "unwanted" requests like non-friendly bots which scan
Chaika (6mo ago)
CF has built-in automatic DDoS protection and such, but it only really kicks in at a pretty high requests-per-second rate; it's heavily sampled. You need to be getting hit pretty hard for it to start helping out, but it is there. IMO, until you have a problem (or if you know you will have issues, like running sites which attract attacks) I would just stick with the default stuff.
jd (6mo ago)
Okay! I think this will work (now I'll check this gist), but I also learned something new today, so I'll call this a success hahah. Off topic: what a disaster, myself 2-3 months running with known bots on the block action hahaha. Thanks!
Chaika (6mo ago)
There are some common rules which aren't a bad idea, like blocking ports other than 80/443 (custom expression: not cf.edge.server_port in {80 443}) if you don't use those ports; CF has a few alt. ones open. Also blocking WordPress/PHP stuff (ends_with(http.request.uri.path, ".php")) or (http.request.uri.path contains "wp-") if you don't use it. That one is included in the gist as well.
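As an added example (not code from this thread, from Cloudflare, or from openstatus), here is a small Python model of the two custom expressions Chaika lists above together with the header-based bypass for the monitor mentioned earlier in the thread, plus a classifier for what the external monitor sees when the managed challenge fires. The header name, token value and all sample requests and responses are constructed assumptions; the cf-mitigated response header and the HTTP 530 status for a disconnected tunnel are Cloudflare behaviour that the thread itself does not mention.

```python
"""Added example, not code from the thread or from Cloudflare.

Models the two custom-rule expressions from the thread plus a header-based
Skip rule for an external monitor, and classifies what that monitor sees
when a managed challenge fires. All requests and responses below are
constructed samples; nothing touches the network.
"""
from dataclasses import dataclass, field

ALLOWED_EDGE_PORTS = {80, 443}
# Hypothetical header the monitor sends so a Skip rule lets it through.
MONITOR_BYPASS_HEADER = "x-monitor-token"
MONITOR_BYPASS_VALUE = "constructed-placeholder-token"


@dataclass
class Request:
    path: str                      # http.request.uri.path
    edge_port: int                 # cf.edge.server_port
    headers: dict = field(default_factory=dict)


def rule_block_alt_ports(req: Request) -> bool:
    """Mirrors: not cf.edge.server_port in {80 443}.
    Tunnels answer on every port Cloudflare proxies, so this closes
    e.g. :8443 for a site that only means to serve 80/443."""
    return req.edge_port not in ALLOWED_EDGE_PORTS


def rule_block_php_wp(req: Request) -> bool:
    """Mirrors: ends_with(http.request.uri.path, ".php")
               or http.request.uri.path contains "wp-".
    Both operators are case-sensitive, and the substring match on "wp-"
    also catches legitimate paths that merely contain it."""
    return req.path.endswith(".php") or "wp-" in req.path


def rule_skip_challenge_for_monitor(req: Request) -> bool:
    """A Skip rule so the monitor is never challenged (the header route
    mentioned in the thread); the alternative is allowlisting its IPs."""
    return req.headers.get(MONITOR_BYPASS_HEADER) == MONITOR_BYPASS_VALUE


def decide(req: Request) -> str:
    """Custom rules run in order and Block terminates, so the cheap blocks
    go first, then the monitor skip, then the catch-all challenge the
    thread started with."""
    if rule_block_alt_ports(req):
        return "block:alt-port"
    if rule_block_php_wp(req):
        return "block:php-wp"
    if rule_skip_challenge_for_monitor(req):
        return "allow:monitor"
    return "managed_challenge"


def classify_monitor_response(status: int, headers: dict) -> str:
    """What an external monitor should conclude from one probe.
    Cloudflare adds cf-mitigated: challenge to challenge responses and
    returns 530 (origin error family, e.g. tunnel not connected) when
    the tunnel is down; both are Cloudflare behaviour, not from the thread."""
    if headers.get("cf-mitigated") == "challenge":
        return "challenged"    # stopped by the WAF, origin never reached
    if status == 530:
        return "tunnel_down"   # the "rasp died" case the monitor exists for
    if 200 <= status < 400:
        return "up"
    return "down"


def run_samples() -> dict:
    """Evaluate constructed requests; returns a label -> decision mapping."""
    samples = [
        ("alt-port", Request("/", 8443)),
        ("wp-login", Request("/wp-login.php", 443)),
        ("wp-false-positive", Request("/blog/new-wp-features", 443)),
        ("uppercase-php", Request("/INDEX.PHP", 443)),   # case-sensitive, not caught
        ("monitor", Request("/", 443, {MONITOR_BYPASS_HEADER: MONITOR_BYPASS_VALUE})),
        ("visitor", Request("/", 443)),
    ]
    return {label: decide(req) for label, req in samples}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:20} -> {verdict}")
    print(classify_monitor_response(403, {"cf-mitigated": "challenge"}))
```

The "wp-false-positive" and "uppercase-php" samples are the two caveats worth knowing before copying the gist's rules: a plain substring match on "wp-" blocks any path containing it, and ends_with is case-sensitive, so uppercase probes fall through to whatever rule comes next. On the monitoring side, a 403 carrying cf-mitigated: challenge means the WAF stopped the probe and says nothing about whether the tunnel or the Pi is alive, which is the situation the thread opened with.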
jd (6mo ago)
Yeah, this one I've noticed: bots usually attack PHP stuff.
Chaika (6mo ago)
Mostly that's just getting rid of BS requests which wouldn't ever be legit. If you don't do it, it's not like you'd get hacked, but it would be requests wasting (your server's) CPU.
jd (6mo ago)
Yes, in my case my server is pretty limited in resources, so I'm just trying to prevent wasting that.
Chaika (6mo ago)
The port one is more important with tunnels since they respond on all CF ports / don't care about the port, e.g. https://jonathan.com.ar:8443/
jd (6mo ago)
This one you mean? I'm going to try it now!
Chaika (6mo ago)
(Also just worth mentioning that Cloudflare Pages is an option. Self-hosting is fun, and if you want to self-host your own website just because it's cool I understand, but your site looks like it could be fully static; you could throw it on Cloudflare Pages for free, and Pages has unlimited static requests.)
jd (6mo ago)
Yes, that's totally valid; right now it's inside my own infra just for the luls of using it / learning hahah. It would even be better, I don't have 99.9% uptime on my house, kek. It is a rule, but which kind of rule? URI path?
Chaika (6mo ago)
Custom Expression, not via the builder; sorry, I should have explained that. Same for the ones via the gist. You can click Edit Expression in a Custom Rule
jd (6mo ago)
Now yesss
Chaika (6mo ago)
then you get a freeform text space to type your own out. It's based on the Wireshark filter language. Some fields, operations, and items are not available in the Visual Editor, only in the custom expression editor.
jd (6mo ago)
Okie! I think it's now time for me to play and find out what's best for my case, but I'll already implement the ones that are "common" from the community (the ones you mentioned before are already deployed, thanks!), and openstatus is working ok, so the original question from the thread is already solved. Thanks for your time ❤️