Contents
- Preface
- Demand Analysis
- Solution
- Deploying the "wudihome" tunnel connector using Docker
- Regularly detect the accessibility of the home data center
- How can I enable Tencent Cloud's WordPress to use the access method configured in the "wudihome" tunnel?
- Automatically enable the connector when a home data center is detected to be offline
- Advanced Requirements (New)
- Afterword
Preface
In the previous article, I used Cloudflare Tunnel to implement "load balancing," "active-active" and "automatic redundancy" functions for a multi-node WordPress site. However, this approach is not suitable for me because my requirement is that when my home data center is functioning normally, all access traffic should go through the main WordPress site in the home data center, and only when the home data center experiences a power outage or network failure should it automatically go through the WordPress site in the disaster recovery center (Tencent Cloud server).
Demand Analysis
Currently I have two different tunnels:

As the names suggest, "tencentcloud" connects to the Tencent Cloud server and has several separate domain names (duplicate domain names cannot exist in different tunnels), while "wudihome" connects to my home data center, and "blog.tangwudi.com" is in this tunnel. So there is already a tunnel running on the Tencent Cloud server, and the first problem to solve is how to run both the "tencentcloud" tunnel and the "wudihome" tunnel on the Tencent Cloud server.
In another article (see: Cloudflare tutorial series for home data centers (Part 9) Introduction to common Zero Trust functions and multi-scenario usage tutorials), I mentioned that only one connector of the same tunnel can run in the same location, but connectors from different tunnels can run side by side. In other words, the Tencent Cloud server can run two tunnel connectors simultaneously. The only thing to note is that they must be deployed in different ways. For example, I deployed "tencentcloud" as a service, so "wudihome" must be deployed in a different way. Here, I used Docker.
The difficulty lies in the fact that, under normal circumstances, requests to access the blog only go through the connector of the "wudihome" tunnel to the home data center. Only when the home data center has a problem will it automatically switch to the connector to Tencent Cloud. In other words, under normal circumstances, the connector of the "wudihome" tunnel on the Tencent Cloud server is closed. Otherwise, access requests would also go through the Tencent Cloud server to access the WordPress site, which conflicts with my needs.
Solution
Deploying the "wudihome" tunnel connector using Docker
To fully realize my needs, I first need to deploy the connector in Docker mode on the Tencent Cloud server. The command is similar to the following:
docker run --name cloudflare -d --restart=always \
  cloudflare/cloudflared:latest tunnel run --token xxxxxxxxxx  # replace the token with your own
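Then use the command docker stop cloudflare to disconnect this connector; when you need it again, just run docker start cloudflare to enable it. Because the container was created with --restart=always, Docker starts it again when the Docker daemon restarts (for example, after a reboot), even if it was stopped manually.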
Regularly detect the accessibility of the home data center
Then I need a way to quickly detect whether the home network is normal. At this time, I have to rely on Tailscale: directly use the Tailscale address of the WordPress main site (macmini) as the detection target (assuming it is 100.100.100.100).
Note: Why not ping the WAN port's public IPv4 address directly? Actually, it is possible, but because the telecom's public IPv4 addresses are dynamic, they change every few days. When the address changes, it is hard to say how long detection via the WAN port's dynamic domain name will take to catch up (because of DNS caching). Tailscale's fixed private IP quickly adjusts to changes of the public IP to maintain reachability, so it will definitely recover faster than pinging the WAN port's public IP.
Then, I just need to write a script and run it on a schedule (for example, every 3 minutes), so I can detect within 3 minutes when my home data center is disconnected from the Internet.
How can I enable Tencent Cloud's WordPress to use the access method configured in the "wudihome" tunnel?
This question is also very important. In the article (Cloudflare tutorial series for home data centers (Part 9) Introduction to common Zero Trust functions and multi-scenario usage tutorials), I mentioned that configuring "active-active," "mutual redundancy," and "load balancing" features for multiple sites in a single-tunnel, multi-connector environment requires correctly configuring the mapping between domain names and applications. Generally, the connector needs to be deployed directly on the same host as the WordPress site, as this ensures that every site is accessed in the same way, via http://localhost:80.
However, my situation is different now because my home data center topology is quite unique. In the public hostname configuration, my "blog.tangwudi.com" points to port 50080 of my WAF:

Tencent Cloud definitely cannot have this IP, so what can I do? It is actually very easy to do, just use the loopback address. Just add a loopback interface on the Tencent Cloud server, and then configure the IP address to be the same as the IP of my home data center waf (then the Tencent Cloud server will think that 192.168.1.1 is also its own address, and will accept the request packet with the target address as this address, otherwise it will be directly discarded). Just run the following command:
ifconfig lo:1 192.168.1.1/32 up # Assume that 192.168.1.1 is my waf address
When it is not needed, just run the following command:
ifconfig lo:1 down
Here I want to complain about Alibaba Cloud Debian 12. By default, nmcli is used. The /etc/network/interfaces file that I am most used to is gone. I originally wanted to add a loopback interface once and for all, but I couldn’t figure out how to do it after studying it for a long time. You know, what I hate most is spending a lot of time studying how to add interfaces and how to change IP addresses, which are operations that do not require any technical skills. I remember that some previous version of Ubuntu also suddenly cancelled this, which made me very uncomfortable, and then I switched to Debian~~.
Now that we have an IP, what should we do with port 50080? It is also simple. Just create a website blog.tangwudi.com:50080 and then use a reverse proxy to point it to http://localhost:80. That's it. I'm being lazy here and just use the pagoda panel to do it:

Add a reverse proxy:

Automatically enable the connector when a home data center is detected to be offline
Now there is only one step left: how to automatically start the connector and add the loopback address when the home data center is detected to be disconnected from the Internet. This is achieved with a shell script:
#!/bin/bash
# Define the target IP address
TARGET_IP="100.100.100.100"
# Define the Cloudflare process name
CLOUDFLARE_PROCESS_NAME="cloudflare"
# Define the log file path
LOG_FILE="/root/log/runcloudflare.log"

# Perform a ping test
if ping -c 1 "$TARGET_IP" &> /dev/null; then
    # If the ping is successful, count the number of processes containing the keyword "cloudflare"
    PROCESS_COUNT=$(pgrep -f "$CLOUDFLARE_PROCESS_NAME" | wc -l)
    if [ "$PROCESS_COUNT" -eq 1 ]; then
        # If the number of processes equals 1, stop the cloudflare container and close the network interface
        docker stop "$CLOUDFLARE_PROCESS_NAME"
        ifconfig lo:1 down
        echo "$(date) - Stopped cloudflare container" >> "$LOG_FILE"
    fi
else
    # If the ping fails, count the number of processes containing the keyword "cloudflare"
    PROCESS_COUNT=$(pgrep -f "$CLOUDFLARE_PROCESS_NAME" | wc -l)
    if [ "$PROCESS_COUNT" -lt 1 ]; then
        # If the number of processes is less than 1, start the cloudflare container and enable the network interface
        docker start "$CLOUDFLARE_PROCESS_NAME"
        ifconfig lo:1 192.168.1.1/32 up
        echo "$(date) - Started cloudflare container" >> "$LOG_FILE"
    fi
fi
The logic is simple: if the ping is successful and Cloudflared is running, it means the home data center was down before but is now up again, so disable the connector for the "wudihome" tunnel and disable the loopback interface; if the ping fails, it means the home data center is currently down, so enable the connector and enable the loopback interface.
In order to clarify the format and ideas of this script, I also spent a day studying the basics of bash shell.
Finally, just set this script to run every 3 minutes. Whether to use cron or other methods depends on your habits. Because I have the pagoda panel, I am lazy again:


Advanced Requirements (New)
Because I conducted the experiment on a newly built server on Alibaba Cloud, which wasn't running any tunnels, the script from the previous section worked directly. However, it wasn't suitable when I switched to the Tencent Cloud server, which already had the "tencentcloud" tunnel running. Therefore, I needed to further check the number of processes named "cloudflared". If it was 2 (or greater than 1), it meant that both tunnels were running (indicating the main site had gone down, causing a failover). Otherwise, if it was 1, it was normal. So, the script was modified as follows:
#!/bin/bash
# Define the target IP address
TARGET_IP="100.100.100.100"
# Define the Cloudflare process name
CLOUDFLARE_PROCESS_NAME="cloudflare"
# Define the log file path
LOG_FILE="/root/log/runcloudflare.log"

# Perform a ping test
if ping -c 10 "$TARGET_IP" &> /dev/null; then
    # If the ping is successful, count the number of processes containing the keyword "cloudflare"
    PROCESS_COUNT=$(pgrep -f "$CLOUDFLARE_PROCESS_NAME" | wc -l)
    if [ "$PROCESS_COUNT" -gt 1 ]; then
        # If the number of processes is greater than 1, stop the cloudflare container and close the network interface
        docker stop "$CLOUDFLARE_PROCESS_NAME"
        ifconfig lo:1 down
        echo "$(date) - Stopped cloudflare container" >> "$LOG_FILE"
    fi
else
    # If the ping fails, count the number of processes containing the keyword "cloudflare"
    PROCESS_COUNT=$(pgrep -f "$CLOUDFLARE_PROCESS_NAME" | wc -l)
    if [ "$PROCESS_COUNT" -eq 1 ]; then
        # If the number of processes equals 1, start the cloudflare container and enable the network interface
        docker start "$CLOUDFLARE_PROCESS_NAME"
        ifconfig lo:1 192.168.1.1/32 up
        echo "$(date) - Started cloudflare container" >> "$LOG_FILE"
    fi
fi
In fact, if more tunnels are running on the same host, you can adapt the above script directly. You just need to consider how many processes are normal and how many are abnormal. However, this rests on the premise that the other tunnel processes are running normally. If some of them are disconnected, the above judgment logic will have problems.
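A variant of the check that does not depend on that premise, as an added example rather than the author's script: it asks Docker whether the "cloudflare" container itself is running instead of counting process names, and fails over only after consecutive failed checks. STATE_FILE, FAIL_THRESHOLD and the --run argument are assumptions introduced here; the addresses, container name and log path are the article's.

```bash
#!/bin/bash
# Added example, not the author's script. STATE_FILE, FAIL_THRESHOLD and the
# --run argument are assumptions; the other values are the article's own.
TARGET_IP="100.100.100.100"      # Tailscale address of the main site
CONTAINER="cloudflare"           # name passed to `docker run --name`
WAF_IP="192.168.1.1/32"          # loopback alias that mirrors the home WAF
LOG_FILE="/root/log/runcloudflare.log"
STATE_FILE="/run/wudihome-failover.fails"   # consecutive failed checks
FAIL_THRESHOLD=2                 # failed checks required before failover

# Pure decision logic. $1 = ping result (ok|fail), $2 = container running
# (true|false), $3 = failed checks before this one. Prints start|stop|none.
decide_action() {
    local ping_result="$1" running="$2" fails="$3"
    if [ "$ping_result" = "ok" ]; then
        if [ "$running" = "true" ]; then echo stop; else echo none; fi
    elif [ "$running" = "false" ] && [ $((fails + 1)) -ge "$FAIL_THRESHOLD" ]; then
        echo start
    else
        echo none
    fi
}

# Ask Docker about this one container instead of counting process names,
# so other tunnels on the host (or a crashed one) cannot skew the result.
container_running() {
    local state
    state=$(docker inspect -f '{{.State.Running}}' "$CONTAINER" 2>/dev/null)
    if [ "$state" = "true" ]; then echo true; else echo false; fi
}

main() {
    local ping_result=fail fails running action
    ping -c 3 -W 2 "$TARGET_IP" &>/dev/null && ping_result=ok
    fails=$(cat "$STATE_FILE" 2>/dev/null || echo 0)
    running=$(container_running)
    action=$(decide_action "$ping_result" "$running" "$fails")
    if [ "$ping_result" = "ok" ]; then fails=0; else fails=$((fails + 1)); fi
    echo "$fails" > "$STATE_FILE"
    case "$action" in
        start) ifconfig lo:1 "$WAF_IP" up && docker start "$CONTAINER" >/dev/null &&
               echo "$(date) - Started $CONTAINER container" >> "$LOG_FILE" ;;
        stop)  docker stop "$CONTAINER" >/dev/null; ifconfig lo:1 down
               echo "$(date) - Stopped $CONTAINER container" >> "$LOG_FILE" ;;
    esac
}

# Cron entry runs the script with --run; without it only the functions load.
if [ "${1:-}" = "--run" ]; then main; fi
```

With a 3-minute schedule and FAIL_THRESHOLD=2, failover happens on the second consecutive failed check, which trades detection time for protection against a single lost probe.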
Afterword
Because this is relatively simple, I will not provide the verification process. Anyway, just temporarily disconnect tailscale on the macmini, and then observe whether the scheduled script on Tencent Cloud can start the cloudflare container and correctly enable the lo:1 interface and set the IP; then restore tailscale on the macmini, and observe whether the scheduled script on Tencent Cloud can disable the cloudflare container and disable lo:1.
Note: The solution in this article and the idea of "using Cloudflare tunnel to build a multi-active redundant site for traffic load balancing of dynamic blogs" are actually two different solutions (see the multi-scenario descriptions in the article: Cloudflare tutorial series for home data centers (Part 9) Introduction to common Zero Trust functions and multi-scenario usage tutorials), corresponding to "local data center + same-city disaster recovery data center" and "local + same-city dual-active data center," respectively. Both of these solutions are based on the Home Data Center Series WordPress Multi-node "semi-automatic" and "nearly" real-time synchronization solution.
I have always wanted to write this series, but I didn’t have enough knowledge before. Now I have finally completed it, and it can be regarded as a wish come true. However, I guess not many people will be interested in these three articles.