Load Balancer Monitor for Origin at ZeroTrust Tunnels


I’m trying to setup load balancing using Zero Trust tunnels for services hosted at private IP addresses.

Everything works find except Monitor: it sends some GUID value in Host header and Traefik instance can’t match router by Host rule. Yes, I tried to set correct Host header in Configure Request Header(s) - it’s not sent to origin, any other header is sent… I had to perform packet capture and decrypt tls traffic on my service machine to find it out.

ZeroTrust Tunnel, no Public Host Name, Private Network Subnet defined.
Load Balancer Origin configuration:

  • origin address: IP address of Traefik machine
  • Virtual Network: virtual network defined in tunnel configuration
  • host header: no (tried to specify it here - no changes)
    Monitor configuration:

Any ideas what’s going on? Is it a limitation of tunnels or some bug in Monitor?

Hi there, thanks for reaching out to the Cloudflare Community!

With Zero Trust Tunnels as the origin in a Load Balancer, you will need to specifically add a custom Host Header to the Advanced Health Check Settings. If you are specifying an Ingress field on the Tunnel then the Host header will need to match that.

That’s true… and I have done it. Host is specified in Advanced Health Check. But - it is used only for tls-sni and not actual Host http request header:

As you can see Host is tunnel id (or some other id) but not what I have specified.

If I do not specify Host in Advanced Health Check - I get TLS error because tls-sni won’t match certificate on origin, but Http request header remains the same (some id).