Enable Cloudflare Tunnel to Direct Traffic to `https://localhost`

Similar to a recently closed issue https://community.cloudflare.com/t/how-to-configure-cloudflare-tunnel-for-https-traffic/391972 on this matter, I am unable to use Cloudflare Tunnel with the noTlsVerify option disabled. (I would like to disable this option.) When I turn the option off, I get an error from the `sudo systemctl status cloudflared` logs that looks like this:

error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: certificate is valid for *.DOMAIN.com, `DOMAIN.com`, not localhost"

The error suggests that the issue is certificate verification (which makes sense given that everything works fine with noTlsVerify enabled). However, on the Cloudflare Dashboard, I’ve only been able to create Origin Server Certificates for DOMAIN.com and *.DOMAIN.com (etc.). Is there a way to get Cloudflare to issue an Origin Server Certificate for localhost that Cloudflare Tunnel trusts?

Are we even expected to use HTTPS when directing traffic to localhost at all? Since the Zero Trust dashboard shows

For example, https://localhost:8001

I just assumed that it would be possible to connect to https://localhost without a problem. But it seems there’s more that I need to do. I just want to be able to direct traffic to https://localhost with noTlsVerify disabled. Any help?

The reason the error is happening is that the HTTPS cert is for *.domain.com and cloudflared is connecting to localhost, which doesn’t match.

The choice is yours in the end. Personally, I use HTTP to localhost because cloudflared handles all the SSL termination.

If you really want this, then you can add an option of `originServerName: domain.com`, as this tells cloudflared to expect to get a certificate that has a different name than the server it is connecting to.
The docs
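A cloudflared `config.yml` showing the two settings side by side, added here as an example (it is not from the thread or from Cloudflare's docs); the tunnel UUID, credentials path and public hostname are placeholders, and the origin cert is assumed to be the Cloudflare Origin CA cert for `DOMAIN.com` / `*.DOMAIN.com` mentioned above:

```yaml
# Added example config.yml (not from the thread). <TUNNEL-UUID> and
# app.DOMAIN.com are placeholders; replace them with your own values.
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

ingress:
  # Weak setting (commented out): noTLSVerify: true makes cloudflared skip
  # certificate verification entirely, so it would accept any certificate
  # the origin presents, not just the one issued for DOMAIN.com.
  # - hostname: app.DOMAIN.com
  #   service: https://localhost:8001
  #   originRequest:
  #     noTLSVerify: true

  # Corrected: keep verification on and tell cloudflared which name to
  # expect in the origin certificate. The cert is valid for DOMAIN.com and
  # *.DOMAIN.com, not localhost, so without originServerName the x509
  # "certificate is valid for ..., not localhost" error above is expected.
  - hostname: app.DOMAIN.com
    service: https://localhost:8001
    originRequest:
      noTLSVerify: false
      originServerName: DOMAIN.com

  # Catch-all rule required at the end of every ingress list.
  - service: http_status:404
```

In the config file the key is spelled `noTLSVerify` (the dashboard labels the same setting "No TLS Verify"); `cloudflared tunnel ingress validate` checks the file before you restart the service.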

Okay awesome! That’s all super helpful! Thanks a ton! Setting originServerName did in fact work. (I think I’ll stick to https for the web app right now because I’m too lazy to undo all the work I did setting it up with https. xD )

Does this mean that I don’t need Authenticated Origin Pulls anymore? All inbound traffic is blocked off by the firewall. And if all communication is coming through Cloudflare Tunnel then I don’t really need Cloudflare to present a client certificate, do I?

Yeah, if you are using cloudflared then I wouldn’t worry about authenticated origin pulls because you know the connections have to come through cloudflared.

Perfect! Thanks!

@nick.chomey In case this answer helps you at all, just giving you a ping. Thanks for opening that question, it was just what I was looking for on Google. lol.

