Using YaCy with Cloudflare Tunnel

I am having difficulty configuring YaCy to participate in the greater pool. My ISP blocks all useful inbound ports, and for privacy reasons, I use a public VPN at the router level for outbound traffic to prevent them from tracking and selling my information. To work around this, I have set up Cloudflare Tunnel to route traffic inbound from my domain (protobit.io) to my services running in HashiCorp Nomad. This has been working well for everything else I’ve stood up thus far, but YaCy is not able to participate in the peer-to-peer pool. I’m pretty sure something in YaCy itself is missing some relevant configuration, but I cannot find the place to set it.

Here is the outbound network path:

YaCy -> Podman container -> Nomad bridge network -> Host network -> router -> VPN

Inbound path:

Cloudflare DNS -> Cloudflare Tunnel (in Nomad) -> router DNS -> Traefik (in Nomad) -> YaCy SSL port.

Theoretically, with YaCy peer traffic all going over HTTP(S), it should work as well as the other services with this config. I have done my best to configure YaCy to announce to the world my public DNS name and port/protocol, but it seems to have ignored some of this config.

Due to the forum preventing new users from doing helpful things like posting multiple screenshots, configs, or even links, I have a public share with all that here: [yacy - Nextcloud]

03 - Server Access Settings.png shows the only place I could find in the settings / docs where you can specify the public hostname and port. 02 - System Status.png makes it look as though the public hostname is only partially applied due to Host: []:80 and the Public Address not showing https:// or port 443. I tried to set the port to 443 on the Basic Configuration page, but pressing Save just resets it back to 80. I was not able to find anywhere else to set the hostname/address so that the field on the system status screen would show the public hostname.

The rest of my configs are in the share, and the instance is publicly reachable at https://yacy.protobit.io, so you can see that general connectivity via the tunnel is working.

The only thing I can think of that might be odd in this config is that I’m having Cloudflare Tunnel force all clients to come in via HTTPS, which then is plain HTTP to Traefik within my network. However, I have Traefik connecting to YaCy’s HTTPS port, ignoring the self-signed cert, in an effort to make the application believe that all traffic is HTTPS. Using HTTPS between cloudflared and Traefik would be problematic, as there would not be a way for me to get valid certs without considerable expense or pain with Let's Encrypt. Apart from this, I don’t really see how this is significantly different from having YaCy behind any other reverse proxy where the outside ports and hostname don’t match internal, which I believe is a supported config.

I’m hoping that there’s some config I’ve overlooked to announce to the other instances that they can reach mine via the tunnel with the public DNS over HTTPS, but I’m at a complete loss as to where that might be. None of the entries in System Administration -> Advanced Config seemed to apply beyond what I’ve already done. Would any of the fine folks in here be willing to lend a hand in helping get the config fixed?

A second search through Github shows what could be the same issue experienced by a few others: Incoming YaCy connection doesn't follow HTTPS redirection correctly. · Issue #684 · yacy/yacy_search_server · GitHub
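For reference, here is what the Traefik-to-YaCy hop described above looks like as a Traefik v2 dynamic configuration (file provider). This is an added illustration, not the poster's own config from the share; the container hostname `yacy`, the backend port 8443 and the certificate path are assumptions.

```yaml
# Traefik v2 dynamic configuration (file provider). Added example, not the
# poster's config. Assumptions: YaCy is reachable inside the Nomad bridge
# network as https://yacy:8443 (8443 assumed to be YaCy's HTTPS port), and the
# entry point named "web" is the plain-HTTP listener that cloudflared targets.
http:
  routers:
    yacy:
      rule: "Host(`yacy.protobit.io`)"
      entryPoints:
        - web
      service: yacy

  services:
    yacy:
      loadBalancer:
        # Bind the relaxed TLS handling to this one backend only, so no other
        # service proxied by the same Traefik inherits it.
        serversTransport: yacy-backend
        servers:
          - url: "https://yacy:8443"

  serversTransports:
    yacy-backend:
      # Option A (what the post describes): skip verification of YaCy's
      # self-signed certificate. Scoped to this transport, not set globally.
      insecureSkipVerify: true
      # Option B (preferable): trust exactly YaCy's own certificate instead of
      # disabling verification. Export the cert, list it here (placeholder
      # path), remove insecureSkipVerify, and make sure the name Traefik
      # connects to matches the certificate (or set serverName accordingly).
      # rootCAs:
      #   - /etc/traefik/certs/yacy-selfsigned.crt
```

Either option leaves the cloudflared-to-Traefik leg as plain HTTP exactly as in the post; the configuration only changes how Traefik verifies the YaCy backend.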

I tried ChatGPT; here is the result.

It sounds like YaCy is not properly announcing the correct public address and port due to some internal limitations with its configuration settings. Given your setup with Cloudflare Tunnel, Nomad, and Traefik, there are a few key areas to check and configure to make sure your instance is properly discoverable by the YaCy peer-to-peer network.

Steps to Fix YaCy Public Address Announcement

1. Manually Set the Public Address in yacy.conf

Since YaCy does not seem to properly apply the public hostname and port from the UI, you may need to manually configure it in the config file.

  • Edit the DATA/SETTINGS/yacy.conf file (inside your Podman container or mapped volume)
  • Look for these settings (or add them if they don’t exist):

    serverPort=443
    serverProtocol=https
    serverHost=yacy.protobit.io
    publicAddress=https://yacy.protobit.io:443

  • Restart YaCy after making changes:

    systemctl restart yacy

2. Force Peer-to-Peer Communication Over HTTPS

YaCy normally communicates with other peers over HTTP, but since Cloudflare Tunnel is enforcing HTTPS, make sure the following setting is enabled in yacy.conf:

    peerPingResponse=true
    useSSL=true

  • This forces YaCy to announce and interact with peers using HTTPS.

3. Check if YaCy is Listening on the Correct Port

Run:

    netstat -tulnp | grep 443

This ensures that YaCy is actually listening on port 443 inside the container.

If it’s still showing port 80, you might need to set it manually using:

    serverPortOverride=443

4. Allow Cloudflare Tunnel to Forward WebSockets

YaCy uses WebSockets for some P2P communication. Ensure that Cloudflare Tunnel isn’t blocking WebSocket connections by setting --warp-routing enable in the cloudflared config.

5. Ensure Peers Can See Your Instance

  • Check https://yacy.protobit.io/Status.html
  • If it still shows Host: []:80, then the manual config changes didn’t apply.
  • Try adding serverHost to yacy.conf, as mentioned above.

Testing If It’s Working

After making changes, test by:

  1. Restarting YaCy.
  2. Visiting https://yacy.protobit.io/Status.html and checking if the public address is correct.
  3. Trying to fetch peers by running:
https://yacy.protobit.io/Network.xml

If peers still don’t recognize your instance, they might be rejecting it due to the port mismatch or misconfigured announcements.


Final Thoughts

Your setup is complex, but manually setting the public address in yacy.conf should resolve most issues. Let me know if you need further troubleshooting!

@roamn

This did not succeed. Entering the following values in yacy.conf while YaCy is shut down, then starting it, does not persist them, and it re-enters the previously described state:

peerPingResponse=true
publicAddress=https://yacy.protobit.io:443
serverHost=yacy.protobit.io
serverPort=443
serverPortOverride=443
serverProtocol=https
useSSL=true

Entering those one at a time into System Administration -> Advanced Properties also does not persist after a restart, and YaCy returns to its previous unable-to-peer state.

Those configuration options have either been removed, must be set by some other mechanism, or, most likely, were entirely hallucinated by ChatGPT. This serves as a useful reminder that LLMs are inherently untrustworthy.

Anyone else have an idea?

The real config settings are described here

I think using a different port is not implemented :cry:

I have a similar issue. I’m putting YaCy behind Nginx (no Cloudflare).

I have configured http://yacy.example.org to redirect to https://yacy.example.org.

I’ve set, in System Administration => Server Access Settings:

staticIP=yacy.example.org
publicPort=443

There is no access to port 8090.

But if I look at the Status page, I still see the wrong port, 8090.

And if I look at https://yacy.example.org/p2p/seeds.json, I see the wrong port again.

Basically I want only HTTPS access on port 443 with domain yacy.example.org and nothing else.