Expose to clearnet using Cloudflare Argo Tunnel (btcpayserver#667)

* added env variable for Cloudflare tunnel and docker fragment

* Persist cloudfare tunnel token

* Use cross platform docker image

* Rename fragment

* Add docs

* Additional docs

* Update doc

* Update doc

* Update doc

Co-authored-by: nicolas.dorier <[email protected]>

README.md

@@ -98,7 +98,7 @@ Check out this video if you're interested in learning more about setting up [BTC
 * `BTCPAY_ADDITIONAL_HOSTS`: Optional, specify additional domains to your BTCPayServer with https support if enabled. (eg. example2.com,example3.com)
 * `REVERSEPROXY_HTTP_PORT`: The public port the reverse proxy binds to for HTTP traffic (default: 80)
 * `REVERSEPROXY_HTTPS_PORT`: The public port the reverse proxy binds to for HTTPS traffic (default: 443)
-* `REVERSEPROXY_DEFAULT_HOST`: Optional, if using a reverse proxy nginx, specify which website should be presented if the server is accessed by its IP.
+* `REVERSEPROXY_DEFAULT_HOST`: Optional, if using a reverse proxy nginx, specify which website should be presented if the server is accessed by its IP or by an unrecognized domain name.
 * `NOREVERSEPROXY_HTTP_PORT`: Optional, if not using a reverse proxy, specify which port should be opened for HTTP traffic. (default: 80)
 * `NBITCOIN_NETWORK`: The type of network to use (eg. `mainnet`, `testnet`, or `regtest`. Default: `mainnet`)
 * `LIGHTNING_ALIAS`: An alias for your lightning network node, if used
@@ -127,6 +127,8 @@ Additionally, there are specific environment variables for some addons:
 * If Bitcoin Wallet Tracker is activated with [opt-add-bwt](docker-compose-generator/docker-fragments/opt-add-bwt.yml),  you can use `BWT_XPUB`/`BWT_XPUB_*` (to set your XPUB/YPUB/ZPUB), `BWT_DESCRIPTOR`/`BWT_DESCRIPTOR_*` (for script descriptors), `BWT_RESCAN_SINCE` (set to the wallet creation date in YYYY-MM-DD to speed up the rescan), `BWT_BITCOIND_WALLET` and `BWT_GAP_LIMIT`.
 * `LND_WTCLIENT_SWEEP_FEE`: If LND watchtower is activated with [opt-lnd-wtclient](docker-compose-generator/docker-fragments/opt-lnd-wtclient.yml), you can use `LND_WTCLIENT_SWEEP_FEE` to change the sweep fee used in constructing the justice transaction (default is 10 sat/byte)
 * `FIREFLY_HOST`: If fireflyiii is activated with [opt-add-fireflyiii](docker-compose-generator/docker-fragments/opt-add-fireflyiii.yml), the hostname of your fireflyiii website (eg. `firefly.example.com`)
+* `CLOUDFLARE_TUNNEL_TOKEN`: Used to expose your instance to clearnet with a Cloudflare Argo Tunnel (if cloudflare tunnel is activated with [opt-add-cloudflare](docker-compose-generator/docker-fragments/opt-add-cloudflare.yml), for setup instructions [see documentation](docs/cloudflare-tunnel.md))
+
 # Tooling
 
 A wide variety of useful scripts are available once BTCPay is installed:
@@ -189,6 +191,7 @@ Available `BTCPAYGEN_ADDITIONAL_FRAGMENTS` currently are:
 * [opt-add-joinmarket](docker-compose-generator/docker-fragments/opt-add-joinmarket.yml) ([See the documentation](docs/joinmarket.md))
 * [opt-add-helipad](docker-compose-generator/docker-fragments/opt-add-helipad.yml) for [Podcastindex.org Helipad](https://github.com/Podcastindex-org/helipad). Requires LND.
 * [opt-add-nostr-relay](docker-compose-generator/docker-fragments/opt-add-nostr-relay.yml) for [Nostr Relay](https://github.com/kukks/Nnostr).
+* [opt-add-cloudflare](docker-compose-generator/docker-fragments/opt-add-cloudflare.yml) to expose your local server on clearnet painlessly ([see documentation](docs/cloudflare-tunnel.md)).
 
 You can also create your own [custom fragments](#how-can-i-customize-the-generated-docker-compose-file).
 
@@ -350,6 +353,7 @@ We are trying to update our dependencies to run on `arm32v7` and `x64` boards. H
 | nginx | 1.16.0 | [✔️](https://raw.githubusercontent.com/nginxinc/docker-nginx/1.16.0/stable/stretch/Dockerfile) | [✔️](https://raw.githubusercontent.com/nginxinc/docker-nginx/1.16.0/stable/stretch/Dockerfile) | [✔️](https://raw.githubusercontent.com/nginxinc/docker-nginx/1.16.0/stable/stretch/Dockerfile) | [Github](https://github.com/nginxinc/docker-nginx) - [DockerHub](https://hub.docker.com/_/nginx) |
 | btcpayserver/docker-gen | 0.7.8 | [✔️](https://raw.githubusercontent.com/btcpayserver/docker-gen/v0.7.8/linuxamd64.Dockerfile) | [✔️](https://raw.githubusercontent.com/btcpayserver/docker-gen/v0.7.8/linuxarm32v7.Dockerfile) | [✔️](https://raw.githubusercontent.com/btcpayserver/docker-gen/v0.7.8/linuxarm64v8.Dockerfile) | [Github](https://github.com/btcpayserver/docker-gen) - [DockerHub](https://hub.docker.com/r/btcpayserver/docker-gen) |
 | btcpayserver/btctransmuter | 0.0.59 | [✔️](https://raw.githubusercontent.com/btcpayserver/btctransmuter/v0.0.59/Dockerfiles/amd64.Dockerfile) | [✔️](https://raw.githubusercontent.com/btcpayserver/btctransmuter/v0.0.59/Dockerfiles/arm32v7.Dockerfile) | [✔️](https://raw.githubusercontent.com/btcpayserver/btctransmuter/v0.0.59/Dockerfiles/arm64v8.Dockerfile) | [Github](https://github.com/btcpayserver/btctransmuter) - [DockerHub](https://hub.docker.com/r/btcpayserver/btctransmuter) |
+| btcpayserver/cloudflared | 2022.6.3 | [✔️](https://raw.githubusercontent.com/btcpayserver/dockerfile-deps/Cloudflared/2022.6.3/Cloudflared/2022.6.3/linuxamd64.Dockerfile) | [✔️](https://raw.githubusercontent.com/btcpayserver/dockerfile-deps/Cloudflared/2022.6.3/Cloudflared/2022.6.3/linuxarm32v7.Dockerfile) | [✔️](https://raw.githubusercontent.com/btcpayserver/dockerfile-deps/Cloudflared/2022.6.3/Cloudflared/2022.6.3/linuxarm64v8.Dockerfile) | [Github](https://github.com/btcpayserver/dockerfile-deps) - [DockerHub](https://hub.docker.com/r/btcpayserver/cloudflared) |
 | btcpayserver/btcpayserver-configurator | 0.0.21 | [✔️](https://raw.githubusercontent.com/btcpayserver/btcpayserver-configurator/v0.0.21/Dockerfiles/amd64.Dockerfile) | [✔️](https://raw.githubusercontent.com/btcpayserver/btcpayserver-configurator/v0.0.21/Dockerfiles/arm32v7.Dockerfile) | [✔️](https://raw.githubusercontent.com/btcpayserver/btcpayserver-configurator/v0.0.21/Dockerfiles/arm64v8.Dockerfile) | [Github](https://github.com/btcpayserver/btcpayserver-configurator) - [DockerHub](https://hub.docker.com/r/btcpayserver/btcpayserver-configurator) |
 | btcpayserver/eps | 0.2.2 | [✔️](https://raw.githubusercontent.com/btcpayserver/dockerfile-deps/EPS/0.2.2/EPS/0.2.2/linuxamd64.Dockerfile) | [✔️](https://raw.githubusercontent.com/btcpayserver/dockerfile-deps/EPS/0.2.2/EPS/0.2.2/linuxarm32v7.Dockerfile) | [✔️](https://raw.githubusercontent.com/btcpayserver/dockerfile-deps/EPS/0.2.2/EPS/0.2.2/linuxarm64v8.Dockerfile) | [Github](https://github.com/btcpayserver/dockerfile-deps) - [DockerHub](https://hub.docker.com/r/btcpayserver/eps) |
 | btcpayserver/joinmarket | 0.9.5 | [✔️](https://raw.githubusercontent.com/btcpayserver/dockerfile-deps/JoinMarket/0.9.5/JoinMarket/0.9.5/linuxamd64.Dockerfile) | [✔️](https://raw.githubusercontent.com/btcpayserver/dockerfile-deps/JoinMarket/0.9.5/JoinMarket/0.9.5/linuxarm32v7.Dockerfile) | [✔️](https://raw.githubusercontent.com/btcpayserver/dockerfile-deps/JoinMarket/0.9.5/JoinMarket/0.9.5/linuxarm64v8.Dockerfile) | [Github](https://github.com/btcpayserver/dockerfile-deps) - [DockerHub](https://hub.docker.com/r/btcpayserver/joinmarket) |

btcpay-setup.sh

@@ -109,6 +109,7 @@ Add-on specific variables:
     TOR_RELAY_EMAIL: If tor relay is activated with opt-add-tor-relay, the email for Tor to contact you regarding your relay
     CHATWOOT_HOST: If chatwoot is activated with opt-add-chatwoot, the hostname of your chatwoot website (eg. store.example.com)
     FIREFLY_HOST: If fireflyiii is activated with opt-add-fireflyiii, the hostname of your libre patron website (eg. firefly.example.com)
+    CLOUDFLARE_TUNNEL_TOKEN: Used to expose your instance to clearnet with a Cloudflare Argo Tunnel
 END
 }
 START=""
@@ -204,6 +205,7 @@ fi
 : "${REVERSEPROXY_HTTPS_PORT:=443}"
 : "${BTCPAY_ENABLE_SSH:=false}"
 : "${PIHOLE_SERVERIP:=}"
+: "${CLOUDFLARE_TUNNEL_TOKEN:=}"
 
 OLD_BTCPAY_DOCKER_COMPOSE="$BTCPAY_DOCKER_COMPOSE"
 ORIGINAL_DIRECTORY="$(pwd)"

contrib/DockerFileBuildHelper/Program.cs

@@ -246,6 +246,14 @@ private DockerInfo GetDockerInfo(Image image)
                     dockerInfo.GitRef = $"EPS/{image.Tag}";
                     dockerInfo.SupportedByUs = true;
                     break;
+                case "cloudflared":
+                    dockerInfo.DockerFilePath = $"Cloudflared/{NoRevision(image.Tag)}/linuxamd64.Dockerfile";
+                    dockerInfo.DockerFilePathARM32v7 = $"Cloudflared/{NoRevision(image.Tag)}/linuxarm32v7.Dockerfile";
+                    dockerInfo.DockerFilePathARM64v8 = $"Cloudflared/{NoRevision(image.Tag)}/linuxarm64v8.Dockerfile";
+                    dockerInfo.GitLink = "https://github.com/btcpayserver/dockerfile-deps";
+                    dockerInfo.GitRef = $"Cloudflared/{image.Tag}";
+                    dockerInfo.SupportedByUs = true;
+                    break;
                 case "joinmarket":
                     dockerInfo.DockerFilePath = $"JoinMarket/{NoRevision(image.Tag)}/linuxamd64.Dockerfile";
                     dockerInfo.DockerFilePathARM32v7 = $"JoinMarket/{NoRevision(image.Tag)}/linuxarm32v7.Dockerfile";

contrib/build-all-images.sh

@@ -663,6 +663,22 @@ docker build -f "$DOCKERFILE" -t "redis:5.0.2-alpine" .
 cd - && cd ..
 
 
+# Build cloudflared
+# https://raw.githubusercontent.com/btcpayserver/dockerfile-deps/Cloudflared/2022.6.3/Cloudflared/2022.6.3/linuxamd64.Dockerfile
+DOCKERFILE="Cloudflared/2022.6.3/linuxamd64.Dockerfile"
+# https://raw.githubusercontent.com/btcpayserver/dockerfile-deps/Cloudflared/2022.6.3/Cloudflared/2022.6.3/linuxarm32v7.Dockerfile
+[[ "$(uname -m)" == "armv7l" ]] && DOCKERFILE="Cloudflared/2022.6.3/linuxarm32v7.Dockerfile"
+# https://raw.githubusercontent.com/btcpayserver/dockerfile-deps/Cloudflared/2022.6.3/Cloudflared/2022.6.3/linuxarm64v8.Dockerfile
+[[ "$(uname -m)" == "aarch64" ]] && DOCKERFILE="Cloudflared/2022.6.3/linuxarm64v8.Dockerfile"
+echo "Building btcpayserver/cloudflared:2022.6.3"
+git clone https://github.com/btcpayserver/dockerfile-deps cloudflared
+cd cloudflared
+git checkout Cloudflared/2022.6.3
+cd "$(dirname $DOCKERFILE)"
+docker build -f "$DOCKERFILE" -t "btcpayserver/cloudflared:2022.6.3" .
+cd - && cd ..
+
+
 # Build btcpayserver-configurator
 # https://raw.githubusercontent.com/btcpayserver/btcpayserver-configurator/v0.0.21/Dockerfiles/amd64.Dockerfile
 DOCKERFILE="Dockerfiles/amd64.Dockerfile"
@@ -717,7 +733,7 @@ DOCKERFILE="Dockerfile"
 echo "Building fireflyiii/core:latest"
 git clone https://dev.azure.com/Firefly-III/_git/MainImage core
 cd core
-git checkout
+git checkout 
 cd "$(dirname $DOCKERFILE)"
 docker build -f "$DOCKERFILE" -t "fireflyiii/core:latest" .
 cd - && cd ..
@@ -1135,3 +1151,5 @@ git checkout master
 cd "$(dirname $DOCKERFILE)"
 docker build -f "$DOCKERFILE" -t "romanornr/docker-viacoin:0.15.2" .
 cd - && cd ..
+
+

docker-compose-generator/docker-fragments/opt-add-cloudflared.yml

@@ -0,0 +1,9 @@
+version: "3"
+
+services:
+  cloudflared:
+    container_name: 'cloudflared-tunnel'
+    image: btcpayserver/cloudflared:2022.6.3
+    network_mode: host
+    command: 'tunnel --no-autoupdate run --token ${CLOUDFLARE_TUNNEL_TOKEN}'
+    restart: 'on-failure'

docs/cloudflare-tunnel.md

@@ -0,0 +1,67 @@
+# Cloudflare tunnel support
+
+Your server is on a local network, and you want to expose it on the internet (clearnet)?
+
+While there is many solutions at your disposal, this one is by far the less costly and easiest.
+
+Traditionally, the solution to this problem is either:
+* Configure correctly your firewall and your internet router (NAT) to accept incoming traffic
+* Use Tor
+* Setup a SSH reverse tunnel to a public VPS
+
+The challenge with the first solution si that there is no unified way to do it. Every local network have their own way to do.
+On top of it, it may not even work: internet server providers may block incoming traffic, or they might use dynamic IPs, meaning you need to setup a [dyndns service](https://docs.btcpayserver.org/Deployment/DynamicDNS/) to update the DNS record automatically when the IP change.
+
+The challenges with the second solution are that Tor has very high latency, so your server will feel sluggish and unreliable and you would need a Tor enabled browser to access it. (such as Brave or Tor Browser)
+
+The third solution is technically challenging and isn't free, as you need to pay for a VPS.
+
+Cloudflare tunnel offer an alternative to those solutions without the downsides.
+With cloudflare tunnel, you will enjoy low latency access to your server, on clearnet and WITHOUT the need to configure your firewall, internet router, dynamic dns and on any internet service provider. For free.
+
+You still need to configure the tunnel correctly, and this documentation will guide you through it.
+
+## How to use?
+
+First we are going to create the tunnel on Cloudflare.
+
+1. You need to [create an account on Cloudflare](https://cloudflare.com/).
+2. Enable Cloudflare for your domain name. For namecheap, [follow this tutorial](https://www.namecheap.com/support/knowledgebase/article.aspx/9607/2210/how-to-set-up-dns-records-for-your-domain-in-cloudflare-account/).
+3. After the DNS changes are propagated, go to [Zero Trust](https://dash.teams.cloudflare.com/) option on the left menu, go to `access`, then click `tunnels`.
+4. Click `create tunnel` button, give it a name
+5. In `Choose your environment`, click on docker and copy your token, you will need it later (the string after `--token`, as shown in the following screenshot)
+![](./img/Cloudflare-Tunnel-Token.png)
+6. Click on the `Next` button
+7. Enter your subdomain, select your domain in the list. Then in `Service` select `HTTP` and enter `localhost`.
+8. In your the SSH session of your server, add cloudflare tunnel by running the following script. (replace `<YOUR_TOKEN_HERE>` by what you copied in step `5.`, and also replace `<YOUR_DOMAIN_HERE>` with the domain you entered in steps `7.`)
+```bash
+BTCPAY_HOST="<YOUR_DOMAIN_HERE>"
+[[ "$REVERSEPROXY_DEFAULT_HOST" ]] && REVERSEPROXY_DEFAULT_HOST="$BTCPAY_HOST"
+CLOUDFLARE_TUNNEL_TOKEN="<YOUR_TOKEN_HERE>"
+BTCPAYGEN_ADDITIONAL_FRAGMENTS="$BTCPAYGEN_ADDITIONAL_FRAGMENTS;opt-add-cloudflared"
+BTCPAYGEN_EXCLUDE_FRAGMENTS="$BTCPAYGEN_EXCLUDE_FRAGMENTS;nginx-https"
+. btcpay-setup.sh -i
+```
+
+Now you should be able to access your server from internet! (If you get an nginx error 503, check below)
+
+## Recommended additional step
+
+In [cloudflare dashboard](https://dash.cloudflare.com), navigate to your websites, go to `Edge Certificates` and check `Always Use HTTPS`. This will make sure that any request to your website use HTTPS.
+![](./img/Cloudflare-Always-Https.png)
+
+## Known error
+
+### Error 503
+
+An error 503 means that the tunnel is working and cloudflare correctly set up, the HTTP request is reaching your server, but the server's reverse proxy doesn't know which downstream container should receive the request.
+
+This command will instruct to forward any requests from your domain to your BTCPay Server container. It also instructs to forward any HTTP requests with an unrecognized domain name to your BTCPay Server container.
+
+```bash
+BTCPAY_HOST="<YOUR_DOMAIN_HERE>"
+REVERSEPROXY_DEFAULT_HOST="<YOUR_DOMAIN_HERE>"
+. btcpay-setup.sh -i
+```
+
+`REVERSEPROXY_DEFAULT_HOST` will make sure that you can still access your server from the local network with an ip or a local domain name.

helpers.sh

@@ -113,7 +113,8 @@ FIREFLY_HOST=$FIREFLY_HOST
 LIT_PASSWD=$LIT_PASSWD
 TALLYCOIN_APIKEY=$TALLYCOIN_APIKEY
 TALLYCOIN_PASSWD=$TALLYCOIN_PASSWD
-TALLYCOIN_PASSWD_CLEARTEXT=$TALLYCOIN_PASSWD_CLEARTEXT" > $BTCPAY_ENV_FILE
+TALLYCOIN_PASSWD_CLEARTEXT=$TALLYCOIN_PASSWD_CLEARTEXT
+CLOUDFLARE_TUNNEL_TOKEN=$CLOUDFLARE_TUNNEL_TOKEN" > $BTCPAY_ENV_FILE
 
 env | grep ^BWT_ >> $BTCPAY_ENV_FILE || true
 }