Tunnel

Tunnel Setup 

The Tunnel feature of Tines provides a secure way to access your systems running on private networks from the Tines cloud environment. Tunnel is deployed as a container service. Tunnel is available on paid pricing plans.

To enable the Tunnel feature, contact Tines support. Once enabled, visit https://<tenant-domain>/admin/tunnel to obtain the information needed for deploying the container.

Deploying Tunnel 

The Tunnel container can be run with Docker. Here we provide an example configuration using docker compose. You can test your tunnel setup using docker run, but we recommend managing this setup using docker compose or a similar orchestration tool.

docker run \
  --name tines-tunnel \
  --env TINES_TUNNEL_SECRET="secret" \
  tines/tines-tunnel:latest

First, create the docker-compose.yml:

version: '3.9'

services:
  tines_tunnel:
    image: tines/tines-tunnel:latest  # Make sure to use the correct image name and tag
    ports:
      - "9000:9000"  # This maps the container's port 9000 to the host's port 9000
    environment:
      TUNNEL_METRICS_PORT: "9000"
      TINES_TUNNEL_SECRET: "secret"
    deploy:
      mode: replicated
      replicas: 1
    

Next, run the container using the following command:

docker-compose up -d

The Tunnel service will utilize the routing and DNS services of the host it is deployed to.

Using Docker compose secrets:

Tines Tunnel supports the use of Docker secrets to store the Tines Tunnel secret.
First, save the TINES_TUNNEL_SECRET in a file:

echo "your tunnel secret" > tines_tunnel_secret.txt 

Then, set up your docker-compose.yml like so:

version: "3.9"

services:
  tines_tunnel:
    image: tines/tines-tunnel:latest # Make sure to use the correct image name and tag
    ports:
      - "9000:9000"  # This maps the container's port 9000 to the host's port 9000
    secrets:
      - TINES_TUNNEL_SECRET
    environment:
      TUNNEL_METRICS_PORT: "9000"
    deploy:
      mode: replicated
      replicas: 1

secrets:
  TINES_TUNNEL_SECRET:
    file: "./tines_tunnel_secret.txt"
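
A pre-deployment check for the two compose files above, added here as an example (it is not Tines or Docker tooling): it writes the secret file with owner-only permissions and flags a tunnel secret stored inline, a port published without a bind address, and a secret file that other users can access. The function names and finding labels are hypothetical.

```shell
# Added example; function names and finding labels are hypothetical.
# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Write the secret from stdin to $1, owner-only, so the value never appears
# in shell history or in a process argument list.
write_secret_file() { ( umask 077 && cat > "$1" ) && chmod 600 "$1"; }

# audit_tunnel_compose COMPOSE_FILE [SECRET_FILE]
# Prints one finding per line and returns the number of findings.
audit_tunnel_compose() {
  n=0
  # "TINES_TUNNEL_SECRET: value" or "- TINES_TUNNEL_SECRET=value" in the file.
  if grep -Eq '^[[:space:]]*(-[[:space:]]*)?TINES_TUNNEL_SECRET[[:space:]]*[:=][[:space:]]*[^[:space:]]' "$1"; then
    echo "INLINE_SECRET: tunnel secret is stored in $1"; n=$((n + 1))
  fi
  # A "host:container" mapping with no bind address listens on every host interface.
  if grep -Eq '^[[:space:]]*-[[:space:]]*"?[0-9]+:[0-9]+([^0-9:.]|$)' "$1"; then
    echo "PUBLISHED_PORT: port is published on all host interfaces"; n=$((n + 1))
  fi
  # Any permission bit set for "other" users on the secret file is a finding.
  if [ -n "${2:-}" ] && [ -f "$2" ]; then
    case "$(file_mode "$2")" in
      *0) ;;
      *) echo "SECRET_FILE_MODE: $2 is accessible to other users"; n=$((n + 1)) ;;
    esac
  fi
  return "$n"
}

# Constructed sample: the inline-secret compose file from this page.
demo() {
  d=$(mktemp -d)
  cat > "$d/docker-compose.yml" <<'EOF'
services:
  tines_tunnel:
    image: tines/tines-tunnel:latest
    ports:
      - "9000:9000"
    environment:
      TUNNEL_METRICS_PORT: "9000"
      TINES_TUNNEL_SECRET: "secret"
EOF
  rc=0; audit_tunnel_compose "$d/docker-compose.yml" || rc=$?
  rm -rf "$d"; return "$rc"
}
demo || echo "findings: $?"
```

If the container runs as a non-root user, give that user read access to the secret file through group ownership rather than making the file world-readable.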

Configuration for High Availability:

In addition to the health check configuration via docker compose, you can configure a second instance of tines-tunnel on another server with the same secret & docker-compose. The steps for this are the same as above.

If you want to distribute traffic between the separate server tunnels, you can set up a load balancer (e.g., Nginx, HAProxy) in front of these servers.

Using Tunnel 

HTTP requests can be sent through the Tunnel by using the "Use tunnel" parameter in the configuration of an HTTP Request Action.

Connectivity Requirements 

Tunnel uses Cloudflare Tunnels and requires connectivity to Cloudflare to function properly.

Figure: Diagram of Tines Tunnel (Docker container), giving an overview of how the tunnel interacts with your network.

No inbound connectivity to the container is required by Tines from the internet or elsewhere. The container will attempt to form a connection with the services below from its deployment location.

For more information, see Cloudflare's documentation here.

Tunnel Proxy and Firewall Rules 

If the outbound traffic from your system is controlled through a proxy, you can set the TUNNEL_PROXY_ADDRESS and TUNNEL_PROXY_PORT environment variables in the tunnel container so that the tunnel configuration traffic passes through your proxy. However, not all traffic can pass through the proxy. cloudflared, which runs inside the Tines tunnel image, connects to Cloudflare's global network on port 7844, so your firewall must allow outbound TCP connections on port 7844 to the IPs mentioned by Cloudflare here.

Health statuses 

This section lists commonly encountered health statuses for Tunnel and any remediations. These health statuses indicate the health of the connection between the container and Cloudflare Edge. They do not indicate the health of the container itself.

Healthy 

The tunnel is active and serving traffic through four connections to the Cloudflare global network.

Degraded 

One or more tunnel containers are active and serving traffic, but at least one individual connection has failed. Further degradation in tunnel availability could risk the tunnel going down and failing to serve traffic.

We recommend restarting the tunnel container to resolve the issue. If the status continues to be in a degraded state after restart, please reach out to support with the debug logs. You can find the instructions on how to turn on debug logs for your tunnel container by visiting /admin/tunnel in your Tines tenant.

Inactive 

This usually happens when tunnels have been created, but have never been run. It should clear away after your first run.

Down 

One or more tunnel containers cannot serve traffic because they have no connections to the Cloudflare global network. Please ensure that the tunnel container is up and running.

Tunnel Permissions 

Tenant owners or users with the TUNNEL_MANAGE tenant permission can restrict which team(s) can use a tunnel from the link https://<tenant-domain>/admin/tunnel. The default for all existing and new tunnels is that any team can access them until an admin chooses otherwise.

To configure team access, select the tunnel from the list after navigating to /admin/tunnel.

Select the teams which you would like to have access to the tunnel and click save.

Tunnel setup recommendations 

We recommend using 1 vCPU and 1 GB of RAM on your private system.
