Need help with zero trust tunnel setup

What is the name of the domain?

media.example.de

What is the error number?

502

What is the issue you’re encountering

Cloudflare not syncing TLS with nginx-proxy-manager correctly

What steps have you taken to resolve the issue?

I have the following setup:
Cloudflare as DNS for my domain example.de
Created a tunnel media.example.de
Running a Debian host with IP 192.168.2.xx which has Docker installed.
Cloudflare tunnel and npm (nginx-proxy-manager) running in Docker.
This is what I try to achieve: internet → cloudflare-tunnel → npm → application

Cloudflare-tunnel is working
npm is running
Domains both setup with the same name in npm and cloudflare

What I have tried:

  • using cloudflare origin-CA and uploading this to npm
  • generating a Let's Encrypt certificate for npm for the specific subdomain
  • changing SSL Mode from full-strict to full to flexible
  • using ssl from cloudflare to npm to application (with both CA variants)
  • using http from cloudflare to npm and then ssl to application (with both CA variants)

If I switch to full HTTP the connection from the internet works (which is obviously not an option due to the missing encryption).

I am really lost and would appreciate your help. Maybe someone can really guide me to get this setup running from scratch.

What are the steps to reproduce the issue?

see above

Do you have SSL on the origin or not? If not, then you’ve got two options to fix a possible issue with this:

  1. Make sure you’ve enabled the noTLSVerify option for your public hostname on your configured cloudflared tunnel and that your website is bound to port 443 and “working” even with an invalid SSL certificate over HTTPS on your local machine (not the best case)

  2. Generate and install a Cloudflare Origin CA certificate onto your Nginx web server on the local machine → Origin CA certificates · Cloudflare SSL/TLS docs (recommended to solve the errors you’re experiencing and to have end-to-end encryption)

Nevertheless, go here https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/configuration. Select Custom and not Automatic. Reference: Introducing Automatic SSL/TLS: securing and simplifying origin connectivity. Double-check your SSL/TLS setting to make sure it’s set to Full (Strict).

Might be you’re serving and have bound to HTTP only, while HTTPS not working on your origin? :thinking:
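The two options in the reply above, written out as a locally managed cloudflared ingress config for the internet → tunnel → npm → application chain from the original post. This is an added example, not config from the poster, from Cloudflare or from nginx-proxy-manager. It assumes the tunnel is run from a config.yml (a dashboard-managed tunnel exposes the same fields under the public hostname’s TLS settings), that npm listens on 443 on the Debian host 192.168.2.xx named in the post, and that `<TUNNEL-UUID>` and the credentials path are placeholders to fill in:

```yaml
# Added example (not from the original post or from Cloudflare/npm):
# cloudflared config.yml for  internet -> Cloudflare tunnel -> npm -> application.
# Placeholders: <TUNNEL-UUID>, the credentials-file path, and the host IP
# 192.168.2.xx taken from the post (the last octet is not given there).
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

ingress:
  # Option 2 from the reply (recommended): npm serves a Cloudflare Origin CA
  # certificate for media.example.de (uploaded in npm as a custom certificate
  # and attached to the proxy host). cloudflared validates that certificate,
  # so the name it checks must match. Because the service URL is an IP,
  # originServerName supplies the hostname used for SNI and validation;
  # without it the Origin CA cert fails the name check and you get a 502.
  - hostname: media.example.de
    service: https://192.168.2.xx:443
    originRequest:
      originServerName: media.example.de
      # cloudflared forwards the incoming Host header by default, which is
      # what npm matches its proxy host on. Only set httpHostHeader if the
      # proxy host in npm is named differently from the public hostname.
      # httpHostHeader: media.example.de

  # Option 1 from the reply (fallback): npm answers on 443 with a certificate
  # cloudflared cannot validate (self-signed, or a name that does not match).
  # noTLSVerify keeps the cloudflared -> npm hop encrypted but skips
  # validation, so treat it as a debugging step, not the final state.
  # - hostname: media.example.de
  #   service: https://192.168.2.xx:443
  #   originRequest:
  #     noTLSVerify: true

  # Catch-all rule (required as the last entry): anything that matches no
  # hostname gets a 404 instead of being routed to some other local service.
  - service: http_status:404
```

The hop that actually fails with a 502 in this setup is cloudflared → npm, and that hop is governed by the `originRequest` settings, not by the zone’s Flexible/Full/Full (strict) mode, which is why flipping the encryption mode in the dashboard changed nothing for the poster. Before blaming the tunnel, confirm that npm really answers on 443 with the certificate you expect, from the same host the cloudflared container runs on: `openssl s_client -connect 192.168.2.xx:443 -servername media.example.de` should show the Origin CA (or Let’s Encrypt) certificate for media.example.de; if it shows npm’s default self-signed certificate, the proxy host in npm is not bound to that certificate and the tunnel’s validation will keep failing.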