Architecture Question: Tunnel Reverse Proxy

I don’t currently use Cloudflare but I am looking to implement a particular architecture (if possible):

Say I want to host web content with a web server that can only handle unencrypted HTTP 1.0 / 1.1 traffic. Say I also want to leverage Cloudflare and I want all traffic to and from the origin web server to be encrypted (no ‘flexible’ SSL setup). Is it possible for Cloudflare to tunnel this traffic to the origin server and automatically handle the decryption (inside, say cloudflared), then reverse-proxy this unencrypted data to a local (on the same server) web server? Basically this offloads the web server having to handle SSL.

I’m aware that I could use a third-party reverse-proxy to do this, but I was wondering if Cloudflare supports something like this ‘natively’.

Cloudflare does!

This is the most direct link.

Some docs, I went deep into the Tunnel section, but the whole section is interesting.

https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/

Thanks for the response.

I read through some of that documentation and I do not see a section that describes Cloudflare Tunnel being able to take in SSL traffic, decrypt it, then forward it. Did I miss it?

Just to be clear, I want:

Site Visitor (SSL) → Cloudflare (SSL) → Origin w/ cloudflared (SSL) which then decrypts SSL to HTTP → HTTP-only Web Server

I’m not fully sure there is a specific section… but I can tell you it works exactly like that.

You can even have SSL on the origin directly as well, with a valid (or, if you set the config that way, an invalid certificate).

Nice! I’ll check it out and try to post back here my results in the next week or so.

Bumping this to give myself a little more time. I’m still planning on following up.

I bumped the time for you :slight_smile:

I wanted to follow up now that I’ve had a chance to play around with it a bit.

TLDR: It does work the way matteo described, but it requires some configuration.

The docs are pretty good, but I followed this YT video which did a good job: Cloudflare Tunnel Setup Guide - Self-Hosting for EVERYONE - YouTube

  • Instead of pointing to a subdomain, I pointed to the domain itself
  • I configured SSL in the Cloudflare dashboard to be flexible, which means traffic is encrypted between clients and Cloudflare, but not to the origin. However, as I’m tunneling the traffic from Cloudflare to the origin, it is in fact encrypted, but it wouldn’t have been if I wasn’t using a tunnel.
  • My tunnel config file is simple and can be seen below. Note, this specifies to forward http traffic, as the traffic coming out of the tunnel is HTTP, not HTTPS (even though clients are connecting over HTTPS to Cloudflare).
tunnel: <tunnel id>
credentials-file: /home/ubuntu/.cloudflared/<tunnel id>.json

ingress:
  - hostname: <host name>.com
    service: http://localhost:8089
  - service: http_status:404

That’s all it took. I’m marking this as the answer so the info is prominent, but thanks matteo for the guidance!

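To make the ingress semantics behind the config above concrete (and the earlier remark that the origin may present a valid or, if configured that way, an invalid certificate), here is an added example that is not from this thread or from Cloudflare: a small Python dry-run and linter for a cloudflared `ingress:` block. It applies the rule ordering cloudflared documents (rules tried top to bottom, first match wins, last rule must be a hostname-less catch-all) and flags the `originRequest.noTLSVerify` setting that turns off certificate checks to an HTTPS origin. The sample configs are constructed and embedded as the dicts PyYAML would return for `config.yml`, so the script runs with the standard library only; the hostname `example.com` stands in for the placeholder in the post.

```python
"""Dry-run and lint a cloudflared `ingress:` block.

Added example, not code from the thread or from Cloudflare: it models the
rule-ordering semantics cloudflared applies (rules tried top to bottom, first
match wins, last rule must be a hostname-less catch-all) and flags the origin
settings discussed in the thread. Sample configs are constructed and embedded
as the dicts PyYAML would return for config.yml, so nothing needs installing.
"""
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed: the config posted in the thread, with the hostname placeholder
# filled in with example.com.
FORUM_CONFIG = {
    "tunnel": "<tunnel id>",
    "credentials-file": "/home/ubuntu/.cloudflared/<tunnel id>.json",
    "ingress": [
        {"hostname": "example.com", "service": "http://localhost:8089"},
        {"service": "http_status:404"},
    ],
}

# Constructed: an origin that terminates TLS itself but with certificate
# verification switched off, plus a rule mistakenly placed after the catch-all.
WEAK_CONFIG = {
    "ingress": [
        {
            "hostname": "app.example.com",
            "service": "https://localhost:8443",
            "originRequest": {"noTLSVerify": True},
        },
        {"service": "http_status:404"},
        {"hostname": "late.example.com", "service": "http://localhost:9000"},
    ],
}

# Service schemes this example recognises (the ones the cloudflared docs list).
KNOWN_SCHEMES = {"http", "https", "unix", "tcp", "ssh", "rdp", "smb",
                 "http_status", "hello_world", "bastion"}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def _host_matches(pattern, host):
    # No hostname key means the rule is a catch-all; '*' wildcards are allowed.
    if pattern is None:
        return True
    return fnmatchcase(host.lower(), pattern.lower())


def match_ingress(rules, host, path="/"):
    """Return the service a request for host/path is routed to, or None."""
    for rule in rules:
        if not _host_matches(rule.get("hostname"), host):
            continue
        path_re = rule.get("path")  # cloudflared treats `path` as a regex
        if path_re and not re.search(path_re, path):
            continue
        return rule["service"]
    return None


def lint_ingress(rules):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    if not rules:
        return ["ingress is empty; cloudflared rejects a config without a catch-all"]
    if "hostname" in rules[-1] or "path" in rules[-1]:
        findings.append("last rule must be a catch-all with no hostname/path")
    for i, rule in enumerate(rules):
        svc = rule.get("service", "")
        scheme = svc.split(":", 1)[0].lower()
        if scheme not in KNOWN_SCHEMES:
            findings.append(f"rule {i}: unknown service scheme in {svc!r}")
        is_catch_all = "hostname" not in rule and "path" not in rule
        if is_catch_all and i != len(rules) - 1:
            findings.append(f"rule {i}: catch-all shadows {len(rules) - i - 1} later rule(s)")
        origin = rule.get("originRequest", {})
        if scheme == "https" and origin.get("noTLSVerify"):
            findings.append(
                f"rule {i}: noTLSVerify disables certificate checks for {svc}; "
                "use a certificate cloudflared trusts (optionally with originServerName)")
        if scheme == "http" and urlsplit(svc).hostname not in LOOPBACK:
            findings.append(
                f"rule {i}: plaintext HTTP to non-loopback origin {svc}; "
                "the tunnel only protects traffic up to the host running cloudflared")
    return findings


if __name__ == "__main__":
    for name, cfg in (("forum", FORUM_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, lint_ingress(cfg["ingress"]) or "clean")
    print(match_ingress(FORUM_CONFIG["ingress"], "example.com"))
```

The forum config lints clean: the only plaintext hop is `http://localhost:8089` on the same host as cloudflared, which is exactly the architecture the original question asked for. For a real config file, `cloudflared tunnel ingress validate` and `cloudflared tunnel ingress rule https://example.com/` do the same validation and dry-run against the actual rule engine.
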
A couple of notes.

Tunnels now can be configured via the web GUI instead of using all the files as you did. Docs aren’t yet up-to-date as far as I know. It’s way easier to manage.

There is no need there, the Tunnel software handles the SSL on that side. That setting actually changes nothing here. The http service is handled locally, so no problems as well. Switch back to Full (Strict) which issues.

Thanks for the clarifications.

I’m not sure what you mean by this. Is there any particular reason to use Full (Strict)?

Usually this is the best practice even though your setup is using the Cloudflare Tunnel and changing the SSL mode doesn’t really affect how the SSL encryption/decryption works within the tunnel. But if you do happen to have a public IP for your website without using the tunnel, then Full (strict) mode will make a difference.
