How to configure CloudFlare Tunnel for HTTPS traffic?

I used the Zero Trust GUI to create a tunnel with my Ubuntu 20.04 VPS server for a particular domain name that is registered with Cloudflare. I have tried all sorts of things in the Service field for HTTPS, to no avail.

HTTPS://443, 127.0.0.1:443, domain.com:443, 0.0.0.0:443, serverip:443, and more.

Sometimes I get a blank, black page when I visit the domain, sometimes I get just an error screen.

The OpenLiteSpeed webserver is working fine - other domains that have their DNS with Cloudflare (proxied and not proxied) load.

What should I be putting in this field? Do I need to configure the Additional application settings (TLS, HTTP Settings, Connection) as well?

Thanks!

Something like this works for me

Interesting. Maybe the 443 port part is my problem. I’ll try the various IPs without the port and report back. Thanks!

I seem to have solved this by enabling No TLS Verify in the GUI. It seems to work with these services

localhost:443
0.0.0.0:443
127.0.0.1:443

But, I assume that not using TLS Verify is inferior, so how might I get this to work with it? Do I need to configure the Origin Server Name and Certificate Authority Pool?

Thanks!

It also seems to work without the :443 in the service. So, yeah, it is the TLS Verify that is the issue. I hope to figure out how to use that though…

The port, if it’s 443, is redundant. By default an HTTPS request goes there. The TLS verify is for the origin: if you have a cert not valid for the hostname you are trying to connect from, that will avoid the error.

Thanks!

The TLS verify is for the origin, if you have a cert not valid for the hostname you are trying to connect from, that will avoid the error.
I don’t quite understand what this means though. What can I do to create this cert?

The cert you need to create yourself; it should be valid for the hostname you are connecting from (imagine the service is https://example.com, if the cert is for example-2.com it won’t work). If the certificate is self-signed or valid for another hostname, you enable the no TLS verify setting. Otherwise you don’t, as it’s more secure.
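To make the two settings discussed in this thread concrete, here is an added example of a cloudflared config.yml for a locally-managed tunnel, not taken from any of the posts above. The dashboard-managed tunnel the original poster uses exposes the same options under Additional application settings as "No TLS Verify", "Origin Server Name" and "Certificate Authority Pool"; the YAML keys below (`noTLSVerify`, `originServerName`, `caPool`) are their config-file equivalents. The tunnel UUID, file paths and hostnames are placeholders.

```yaml
# Added example (not from the thread): cloudflared config.yml with the weak
# setting beside the corrected one. Tunnel ID, paths and hostnames are placeholders.
tunnel: 00000000-0000-0000-0000-000000000000          # placeholder tunnel UUID
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # Weak setting: the origin certificate is self-signed or issued for some
  # other name, so verification is switched off. cloudflared still speaks TLS
  # to the local web server but accepts whatever certificate it presents.
  # This is what the "No TLS Verify" toggle in the GUI does.
  - hostname: insecure.example.com
    service: https://localhost:443       # the :443 is optional for https://
    originRequest:
      noTLSVerify: true

  # Corrected setting: verification stays on. originServerName is the name
  # cloudflared sends in SNI and checks against the origin certificate, so
  # the certificate OpenLiteSpeed serves must be valid for exactly that name.
  # caPool points at the CA that issued the origin certificate; it is only
  # needed when that CA is not already trusted by cloudflared (e.g. a private CA).
  - hostname: example.com
    service: https://localhost:443
    originRequest:
      originServerName: example.com
      caPool: /etc/cloudflared/origin-ca.pem   # placeholder path to the CA bundle

  # cloudflared requires a catch-all rule as the last ingress entry.
  - service: http_status:404
```

With the first rule, cloudflared encrypts the hop to the origin but cannot tell a legitimate origin from anything else answering on that port; with the second, the handshake fails unless the certificate matches `originServerName` and chains to a CA in `caPool` (or one cloudflared trusts by default), which is the check the thread's last reply is describing.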