CF Tunnels - Primary Domain - Security Headers

I’ve been using CF DNS for some years now but thought I’d give tunnels a shot in an effort to tighten up my local network security. After getting cloudflared running via docker compose I ran into a couple of issues and concerns.

  1. I was able to get all my subdomains working correctly with http://<local_ip>:<port>, but I could not get my primary domain to work with http://<local_ip>:80. I was able to load the primary domain within my network, but not from external networks. My subdomains worked from both internal and external networks. Is there something I’m missing with regard to primary domains and Cloudflare Tunnels?
  2. I could not figure out how to get security headers like Content-Security-Policy, Permissions-Policy, etc. I did see the HSTS settings in SSL/TLS > Edge Certificates, but that seems somewhat limiting. Is there any way to go about applying security headers with CF Tunnels?

I’m not sure if this is the correct way to go about it, but I got security headers working with some help from pihole local DNS. I set up each subdomain and the primary domain with local DNS CNAME records in pihole, and then added Cloudflare Tunnels using the HTTPS FQDN.

I also changed my primary domain from a pihole DNS record to a CNAME record, and that seems to have solved the issue with my primary domain not working from external networks. Seems like I shouldn’t need pihole DNS to make this work, so if there are other solutions I would love to hear them.
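Added example, not part of the post above and not Cloudflare's or cloudflared's own code: one way to answer question 2 without routing through pihole is a Cloudflare Worker attached (via a Workers route) to the tunnel's public hostnames. The Worker passes each request through to the origin behind cloudflared and rewrites the response headers on the way back. The header names and values here are hypothetical starting points for a self-hosted app, and the CSP in particular has to be tuned to what the application actually loads. HSTS is deliberately not set here because the dashboard setting the post mentions already covers it.

```javascript
// Added example (not from the original post): a Cloudflare Worker that sets
// security headers on every response the origin behind cloudflared returns.
// Header values are assumptions; adjust the CSP to the app being fronted.

const SECURITY_HEADERS = {
  "Content-Security-Policy":
    "default-src 'self'; img-src 'self' data:; object-src 'none'; " +
    "frame-ancestors 'none'; base-uri 'self'; form-action 'self'",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "Cross-Origin-Opener-Policy": "same-origin",
};
// Strict-Transport-Security is left to the dashboard HSTS setting
// (SSL/TLS > Edge Certificates) mentioned in the post, so it is not set here.

// Origin headers that only advertise the software stack; drop them.
const STRIP_HEADERS = ["server", "x-powered-by"];

// Return a copy of `response` with the security headers applied.
// Responses from fetch() are immutable, so a new Response is built around
// the same body stream instead of mutating the original in place.
function addSecurityHeaders(response) {
  const headers = new Headers(response.headers);
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    headers.set(name, value); // overrides anything the origin sent
  }
  for (const name of STRIP_HEADERS) {
    headers.delete(name);
  }
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers,
  });
}

// Report which expected headers a response lacks. Run this against a fetch
// of the public hostname to confirm the Worker is actually routed in front
// of the tunnel; Headers lookups are case-insensitive.
function missingSecurityHeaders(headers) {
  return Object.keys(SECURITY_HEADERS).filter((name) => !headers.has(name));
}

// Workers entry point (service-worker syntax). Guarded so the same file can
// also be loaded in Node for testing, where there is no global addEventListener.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => {
    // fetch(event.request) goes to the origin the route's hostname points at,
    // i.e. through the tunnel to the local service.
    event.respondWith(
      fetch(event.request).then((originResponse) => addSecurityHeaders(originResponse))
    );
  });
}
```

Because the tunnel terminates TLS at the edge and the origin is reached over plain HTTP on the LAN, setting the headers at the edge covers every hostname behind the tunnel at once; the alternative of setting them on each origin service still works, and the Worker's `headers.set` would simply overwrite them.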