[Bug]: Terminal won't connect for server behind cloudflare tunnel - v4.0.0-beta.360 #4096

Open
Schmedu opened this issue Oct 31, 2024 · 4 comments
Labels
🐛 Bug Reported issues that need to be reproduced by the team. 🔍 Triage Issues that need assessment and prioritization.

Comments

Schmedu commented Oct 31, 2024

Error Message and Logs

I have two servers running, one behind a Cloudflare tunnel. The latter won't connect via the in-browser terminal.

Terminal window pops up for <1 second and shows error message: "command line line 0: invalid quotes" and then disappears. Here is a screenshot of the error message:
Image

Steps to Reproduce

  1. add server
  2. setup cloudflare tunnel
  3. set up firewall that blocks SSH port
  4. install any service / app
  5. go to 'Terminal'
  6. connect to cloudflare tunnel server or a container within that server

Example Repository URL

No response

Coolify Version

v4.0.0-beta.360

Are you using Coolify Cloud?

Yes (Coolify Cloud)

Operating System and Version (self-hosted)

Ubuntu 24.04.1 LTS

Additional Information

I can only access the 'coolify-proxy' container within that server via the in-browser terminal, nothing else.

@Schmedu Schmedu added 🐛 Bug Reported issues that need to be reproduced by the team. 🔍 Triage Issues that need assessment and prioritization. labels Oct 31, 2024
Schmedu commented Nov 1, 2024

This is related to #3656

SerjoA commented Nov 1, 2024

I actually stumbled upon the same issue, but when I switched to Safari instead of Chrome, the terminal worked for me.
This issue happened to me with previous Laravel applications which used web sockets; as soon as I switched browsers it worked.

Schmedu commented Nov 1, 2024

@SerjoA that does not work for me

zenigma99 commented Nov 1, 2024

I encountered the same issue. I tried with different browsers and got this error in the console:

Cloudflare tunnel WebSocket connection to wss://coolify.example.com/terminal/ws failed: cannot parse response.

I've mitigated it temporarily by switching to Tailscale, but I had to recompile the default Caddy proxy to work with Cloudflare DNS; otherwise I couldn't get HTTPS on my domains with Tailscale. By default, the proxy used by Coolify requires an A record to issue a certificate.

With Tailscale, I needed to use a CNAME record instead. Unfortunately, Coolify doesn't issue a certificate when using a CNAME record.

To resolve this, I've compiled a custom Caddy image with Cloudflare DNS support and changed the default proxy to work with Cloudflare DNS. This allows me to use Tailscale, and now the terminal works fine.

Here's the Dockerfile I used to build the custom Caddy proxy:

```dockerfile
ARG CADDY_VERSION=2.8.4

# Use the Caddy builder image to build the custom binary
FROM caddy:${CADDY_VERSION}-builder AS builder

# Build Caddy with the specified plugins
RUN xcaddy build \
    --with github.com/lucaslorentz/caddy-docker-proxy/v2 \
    --with github.com/caddy-dns/cloudflare

# Use the Caddy base image for the final version
FROM caddy:${CADDY_VERSION}-alpine

# Copy the custom Caddy binary from the builder
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

# Execution command
CMD ["caddy", "docker-proxy"]
```

After creating the custom Caddy image, I made the following additional changes to fully implement the solution:

Changed the default proxy image:
I replaced the default Caddy proxy image used by Coolify with the custom one.

Created a new dynamic Caddy configuration file:
I added a new dynamic Caddy file with the following content:

      (cloudflare) {
          tls {
              dns cloudflare gAO-YOUR_CLOUDFLARE_API_KEY_HERE
              resolvers 8.8.8.8
          }
      }

Then, for each application or deployment that needs to use this setup, I added the following label to the Docker Compose file:

      labels:
        - caddy_0.import=cloudflare

This label tells Caddy to import and use the 'cloudflare' snippet we defined earlier.

With these changes in place, everything works automatically. Caddy now uses Cloudflare DNS for SSL certificate issuance, which is compatible with the CNAME records required by Tailscale. This setup resolves the initial WebSocket connection issues and allows for seamless integration of Tailscale with Coolify.

By using this Cloudflare DNS-based solution for certificate validation, you can close all incoming ports in your firewall, including 80 and 443, eliminating the need for direct server access for the Caddy challenge and significantly enhancing your server's security while still obtaining valid SSL certificates.

Lastly, it's crucial to remember that you will need to enable the Caddy labels feature in Coolify's proxy settings. In the Coolify dashboard, navigate to the proxy settings and make sure to tick the box that allows Caddy to use labels.
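
The `(cloudflare)` snippet in the comment above places the Cloudflare credential directly in the dynamic Caddy file. As an added example (not part of the original comment or of Coolify), this check scans Caddyfile text for `dns <provider>` directives whose credential is a literal value rather than a Caddy environment placeholder. The `CF_API_TOKEN` variable name, the `api_token` block form and the sample text are assumptions constructed for illustration.

```python
import re

# {env.NAME} is resolved at runtime; {$NAME} is substituted at parse time.
# {$NAME:default} counts as inline because the default value lives in the file.
ENV_REF = re.compile(r"^\{(env\.|\$)[A-Za-z_][A-Za-z0-9_]*\}$")

def find_inline_dns_credentials(caddyfile_text):
    """Return (line_number, provider) for each literal DNS provider credential."""
    findings = []
    provider_block = None  # provider name while inside "dns <provider> { ... }"
    for number, raw in enumerate(caddyfile_text.splitlines(), start=1):
        tokens = re.sub(r"(^|\s)#.*$", "", raw).split()  # drop comments
        if not tokens:
            continue
        if provider_block is not None:
            if tokens[0] == "}":
                provider_block = None
            elif any(not ENV_REF.match(t) for t in tokens[1:]):
                findings.append((number, provider_block))
            continue
        if tokens[0] == "dns" and len(tokens) >= 2:
            provider, args = tokens[1], tokens[2:]
            if args and args[-1] == "{":
                provider_block, args = provider, args[:-1]
            if any(not ENV_REF.match(a) for a in args):
                findings.append((number, provider))
    return findings

# Constructed sample (made-up token value): the snippet shape from the comment
# with an inline value, next to a block form that reads CF_API_TOKEN (assumed name).
SAMPLE = """\
(cloudflare) {
    tls {
        dns cloudflare EXAMPLE-TOKEN-NOT-REAL
        resolvers 8.8.8.8
    }
}
(cloudflare_env) {
    tls {
        dns cloudflare {
            api_token {env.CF_API_TOKEN}
        }
    }
}
"""

if __name__ == "__main__":
    for number, provider in find_inline_dns_credentials(SAMPLE):
        print(f"line {number}: literal credential for dns provider '{provider}'")
```

With an environment placeholder, the token is supplied to the proxy container's environment instead of being stored in the dynamic configuration file.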
