Publish an existing reverse proxy using HTTPS with SNI

I have an existing Traefik reverse proxy configuration for my Docker Swarm that works well. I simply want to put Cloudflare Tunnel between it and the internet so that I don’t have to open a firewall port to publish the Traefik instance to the internet.

No matter the configuration I try from the Zero Trust portal, whether I specify the expected origin name/certificate, the Host header it should send, or anything else, I just get an SSL error in the browser on attempting to connect to the remote URL. This seems to be because (as shown by the Traefik traffic logs) the Cloudflare Tunnel agent is simply connecting to port 443 with no SNI/host header!

Is there any way I can get this to work without having to duplicate my reverse proxy configuration in Cloudflare?

Ah, never mind. It's not cloudflared nor the origin that was having SNI/HTTPS issues - it was that I was trying to publish on a deeper subdomain in my free Cloudflare account, which is only covered by the Universal Certificate, which only provides TLS names for subdomains of the root domain, nothing deeper. (e.g., I can only publish *.domain.tld, not *.sub.domain.tld)

This FAQ post helped me to understand this, but I can’t link to it
/Cloudflare-one/faq/teams-troubleshooting#tunnel-connections-fail-with-ssl-error

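The rule behind the resolution above is the standard wildcard-matching rule for certificate names: a leading `*.` covers exactly one DNS label, so a Universal SSL certificate carrying `domain.tld` and `*.domain.tld` is valid for `traefik.domain.tld` but not for `app.sub.domain.tld`. The following script is an added example, not code from the thread or from Cloudflare: it implements that check offline against a constructed SAN list shaped like a Universal certificate for a hypothetical zone `domain.tld`, and optionally connects to a real hostname with SNI (chain still verified, hostname check disabled) to print the DNS SANs the edge actually serves and whether they cover the name. The hostnames and SAN list are assumptions for illustration.

```python
import socket
import ssl


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name covers hostname.

    Applies the RFC 6125 rule browsers and TLS clients use: a leading
    "*." matches exactly one DNS label, never two or more, so
    "*.domain.tld" covers "app.domain.tld" but not "app.sub.domain.tld".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Same number of labels, and every label after the wildcard identical.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def covered_by(san_names, hostname: str) -> bool:
    """True if any DNS SAN on the certificate covers hostname."""
    return any(wildcard_matches(name, hostname) for name in san_names)


def uncovered_hostnames(san_names, hostnames):
    """Planned public hostnames that would fail the TLS name check."""
    return [h for h in hostnames if not covered_by(san_names, h)]


def fetch_dns_sans(hostname: str, port: int = 443, timeout: float = 5.0):
    """Connect with SNI=hostname and return the leaf certificate's DNS SANs.

    The chain is still verified against the system CA store; only the
    hostname check is disabled so a mismatched certificate is returned
    for inspection instead of raising.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    import sys

    # Constructed SAN list in the shape of a Cloudflare Universal SSL
    # certificate for a hypothetical zone "domain.tld"; not a real cert.
    universal_sans = ["domain.tld", "*.domain.tld"]
    planned = ["traefik.domain.tld", "app.sub.domain.tld", "domain.tld"]
    for host in planned:
        print(f"{host:22s} covered={covered_by(universal_sans, host)}")

    if len(sys.argv) > 1:
        # Live check against a real public hostname given on the command line.
        host = sys.argv[1]
        sans = fetch_dns_sans(host)
        print(f"{host} serves DNS SANs {sans}; covered={covered_by(sans, host)}")
```

Run it with no arguments for the offline demonstration, or with a public hostname to see which names the edge certificate actually carries; a name reported as not covered is exactly the case that produces the SSL error described in the thread, regardless of how the tunnel's origin settings are configured.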