How to set up a Syncthing relay server behind a CDN?

I have built a syncthing discovery server and a relay server for personal use. I want to hide the IP of the server, and after testing I found that the discovery server works well behind the CDN (Syncthing Discovery Server — Syncthing v1 documentation), but the relay server does not. The official documentation does not suggest any way to achieve this, and even if I build the relay server in the same way as the discovery server (nginx reverse proxy, using port 443 externally), it is still not accessible via the domain name. The server starts with the “-debug” parameter, but there is no output, and the client log shows “failed: remote error: tls: handshake failure”. So I guess the client may only connect to the CDN server, but not to the source server at all. Is this because the protocol is private? Is it true that the relay server is not accessible via the domain name when using a CDN? If I must use the relay server behind the CDN, what should be done? Thanks!

While the discovery server uses HTTPS, the relay server does not. That means any HTTPS (reverse) proxy will not work with a relay server. A TCP proxy could probably work though. TLS should also be terminated at the relay server, not at the proxy.

Okay. I tried all day yesterday and basically guessed the general reason.

According to what you said, it really can’t be realized. Thank you :slight_smile:

Well this really depends on what you’re trying to do exactly. Since you mentioned an nginx reverse proxy - nginx can do TCP proxying (via the stream module). I’ve never tried operating a relay server in this way, but if done right I don’t see why it wouldn’t work.
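Added example (not part of the thread, nor Syncthing project code): what an nginx stream-module TCP passthrough in front of a Syncthing relay could look like. It assumes strelaysrv is listening on 127.0.0.1:22067, that the public listener is port 443, and that nginx was built with ngx_stream_core_module. No "ssl" keyword appears on the listener, so the relay's own TLS is carried through untouched and terminated at strelaysrv, which is the property the reply above calls for.

```nginx
# Added example, not from the original thread or the Syncthing project.
# Assumed: strelaysrv listens on 127.0.0.1:22067; nginx has the stream module.
# This block sits at the top level of nginx.conf, next to (not inside) http { }.
stream {
    upstream syncthing_relay {
        server 127.0.0.1:22067;
    }

    server {
        listen 443;                 # plain TCP listener: no "ssl", so TLS is not terminated here
        proxy_pass syncthing_relay;
        proxy_connect_timeout 10s;
        proxy_timeout 1h;           # relay sessions are long-lived; do not idle them out early
    }
}
```

With this in place the relay is reachable as relay://mydomain.com:443/?id=... only if mydomain.com resolves straight to the host running nginx, or if whatever sits in front forwards raw TCP. If an http { } server on the same box also listens on 443, the two listeners must be bound to different addresses. Because the relay announces its own address, strelaysrv's -ext-address flag is the place to advertise the :443 endpoint instead of the internal 22067 listener.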

Well, what I want to achieve is to build Relay servers behind the CDN and access them through the domain name, like this relay://mydomain.com:443/?id=abc… .

Although the official documentation has this presentation (Relaying — Syncthing v1 documentation), I guess the reason it can be done in this way is that it doesn’t use a CDN.

Just as I asked, after using CDN, with the relay option enabled on the client side and setting only my relay server in Sync Protocol Listen Addresses, the server logs have no connection records, while the client logs show errors. I guess if I remove the CDN and resolve the domain directly to the source server, nginx should work fine. But I want to use CDN, so I don’t know how to do it.

“the CDN” is really vague - it’s just a general term for a certain type of network topology. It may well be possible to put a relay server behind something like that (for example, if the CDN proxy can do raw TCP proxying without terminating TLS) or maybe not - this all depends on its capabilities. This is not something that is generally impossible, but highly depends on network features. If all your CDN can do is HTTP(S), then it will likely never work.

Well, the CDN I’m using is Cloudflare (free plan), I’m using it for the first time (and Syncthing for the first time too) and I’m not sure if it can do TCP proxy. :disappointed_relieved:

Putting discovery behind a CDN is a bit silly, as there is no C (from CDN) in the discovery server, so caching makes no sense. Also discovery server needs to see the IP addresses of the devices reporting itself, which the CDN probably hides, hence I am surprised it even works in a sensible way. Not sure why you are trying to do this.

You cannot use Cloudflare for relays (bearing in mind I last used Cloudflare a few years ago, and their product offering might have changed).


Cloudflare does have a feature that just proxies on the TCP level. They call it Cloudflare Spectrum and it’s an enterprise only feature - not designed for the average customer.

For the discovery server Audrius is right, the discovery server needs the real client’s IP address (and port). Cloudflare probably exposes at least the IP in some HTTP header that you can use.
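Added example (not from the thread or the Syncthing project) of the header mapping the reply above hints at: an nginx HTTP reverse proxy in front of the discovery server that copies the client address the CDN reports into the header the discovery server reads. It assumes stdiscosrv runs in its -http mode on 127.0.0.1:8443 and takes the client address from X-Forwarded-For, and that Cloudflare delivers the original client IP in its CF-Connecting-IP request header; the domain and certificate paths are placeholders.

```nginx
# Added example, not from the original thread or the Syncthing project.
# Assumed: stdiscosrv -http on 127.0.0.1:8443 reading X-Forwarded-For;
# the CDN sets CF-Connecting-IP to the device's real address.
http {
    server {
        listen 443 ssl;
        server_name discovery.example.com;                   # placeholder domain
        ssl_certificate     /etc/nginx/tls/fullchain.pem;    # placeholder path
        ssl_certificate_key /etc/nginx/tls/privkey.pem;      # placeholder path

        location / {
            proxy_pass http://127.0.0.1:8443/;
            # Without this the discovery server would record the CDN edge's
            # address as the device's, and other devices would dial the CDN.
            proxy_set_header X-Forwarded-For $http_cf_connecting_ip;
        }
    }
}
```

This recovers only the IP. The client's source port and any client certificate the discovery server expects to see are still those of the CDN edge, not of the device, so whether announcements end up usable has to be checked against what the discovery server actually requires in -http mode; that check is left to the reader.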
