DNS Prohibited IP Only on port 80 behind Cloudflared Docker Tunnel

TL;DR: Everything worked before changing the internal IP address to a different server. I updated the settings on my cloudflared tunnel to reflect the new IP. One service on port 81 works perfectly fine; anything on port 80 on the SAME tunnel and SAME IP gives the Cloudflare DNS 1000 error.

Full Details:

So I have been using cloudflared tunnels for my home network for a few months with no problem at all. This weekend, I decided to move my Docker apps to a different server on the same network (from 10.0.0.242 to 10.0.0.232). I went into the Cloudflared Tunnel settings and updated all of my subdomains to the new IP.

All of my apps have their own subdomain and are running behind Nginx.

Here is what I can’t seem to figure out. Nginx uses 2 ports (81 and 80): one for the admin interface (81) and one to publicly serve the content/apps (80).

I created the first hostname on my tunnel as ‘nginx’ and pointed it to 10.0.0.232.
If I open a browser and go to domain:81 (the admin Interface), it IS working as intended!

I added a 2nd hostname to my tunnel:
changedetection pointing to the same IP (10.0.0.232:80). On my home network, going to the site via the IP (with or without the :80) works perfectly fine!

Now if I go to the domain by name (with or without the :80 added), I get an error page from Cloudflared:


Error 1000 Ray ID: 83f3e81dac15381e • 2024-01-02 15:06:34 UTC
DNS points to prohibited IP
What happened?
You’ve requested a page on a website (‘domain’) that is on the Cloudflare network. Unfortunately, it is resolving to an IP address that is creating a conflict within Cloudflare’s system.

What can I do?
If you are the owner of this website:
you should login to Cloudflare and change the DNS A records for ‘domain’ to resolve to a different IP address.


I looked at the DNS page on Cloudflare as it recommends, and both nginx and changedetection domains are pointing to the same tunnel address.

Just for the heck of it, and not really sure where this thought came from, I decided to delete the changedetection subdomain, and I changed the nginx domain to point to port 80 instead of 81 just to see what happens. After I did that, I now get the same Prohibited IP error. I changed it back to port 81, and the admin interface works again.

I recreated the changedetection domain and pointed it to its real port (10.0.0.232:5000), and that works just fine as well! I change the port back to port 80 (I really want to use it behind nginx), and it stops working and again gives the error above.

So even though the Cloudflare error says it’s pointing to a prohibited IP, it seems the IP is fine, it just doesn’t like port 80? Has anyone had this issue before or know what I should try to fix this? I am stumped.

I am a homelab user, just doing this as a hobby and learning as I go along, so any advice you can “dumb down” would be appreciated!