Using tunnels to terminate HTTPS in non-legacy tunnel

Hi, it seems this used to be possible in the “legacy” version of tunnels:

Now it seems tunnels are more “pass-thru” and I would need to terminate SSL myself (or use separate CF DNS).

Is this the case? I’ve attached the old image for reference.

What do you mean by pass-thru? That image is still valid.
The SSL connection is between Cloudflare and the cloudflared application. The cloudflared application would then establish an SSL connection to the service if you have HTTPS set up. It is also possible to have cloudflared use HTTP locally.

4 Likes
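
A cloudflared `config.yml` illustrating the two origin options mentioned in the reply above. This is an added example, not taken from the thread or from Cloudflare's documentation; the tunnel ID, hostnames, ports and file paths are placeholders.

```yaml
# Placeholders: replace the tunnel ID, hostnames, ports and paths with your own.
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

ingress:
  # Origin speaks plain HTTP on loopback. cloudflared connects to it
  # without TLS; the hop from cloudflared to Cloudflare is still carried
  # inside the encrypted tunnel.
  - hostname: app.example.com
    service: http://localhost:8080

  # Origin speaks HTTPS. cloudflared opens a TLS connection to it and
  # validates the certificate it presents.
  - hostname: secure.example.com
    service: https://localhost:8443
    originRequest:
      # Hostname expected on the origin certificate.
      originServerName: secure.internal.example
      # Trust a private CA instead of switching validation off.
      caPool: /etc/cloudflared/origin-ca.pem
      # noTLSVerify: true   # skips origin certificate validation; avoid

  # A catch-all rule is required as the last entry.
  - service: http_status:404
```

`cloudflared tunnel ingress validate` checks the rules in this file before the tunnel is started.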

From what I can tell, the browser client protocol and private service protocol have to match. So, if a private service is using HTTP, so does the browser. Yes, the pipe between the Cloudflare CDN and cloudflared is encrypted, but browser to CDN is not encrypted, unless the private service is terminating TLS itself. That’s what I’m referring to when I say this diagram only applies to “legacy tunnels” and this behavior (TLS termination) is no longer supported. See this diagram:

The protocol HTTP is used on the client-side connection to CF network. CF network → private service is encrypted, because it is a tunnel. Not because it is HTTPS.

Never mind, it seems to be working now. I followed this tutorial:

https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/migrate-legacy-tunnels/

I must have misconfigured something when using the browser GUI; the CLI is much easier.