Can't access web UI through Cloudflare Tunnel only for Chromium Browsers

Hi everyone,

I’ve been struggling for weeks with a persistent issue connecting to my Home Assistant instance through Cloudflare Tunnel only on Chromium browsers. I’ve tried everything I could find on this forum and elsewhere, but the connection still fails when accessing from a Chromium web browser via my public domain.


Problem

When I log in through the public domain (e.g. https://ha.domain.com), Home Assistant throws an authentication error related to /auth/token.
This appears in the logs:

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:136
integration: HTTP
Login attempt or request with invalid authentication from <public IP>.
Requested URL: '/auth/token'.

And in the browser console, I see:

POST https://ha.domain.com/auth/token 400 (Bad Request)

However:

  • The Android Home Assistant app works perfectly with the same public URL.
  • Accessing directly via local IP also works.
  • Only Chromium browser access via Cloudflare fails (it works fine in Firefox).

The weird thing is that it will once in a while work for no reason, and after a cache clearing or a computer restart, it will fail to connect again!

I also have WebSocket errors in the web console even though WebSockets is enabled in the Cloudflare dashboard.


My configuration.yaml file

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24
    - 192.168.1.0/24
    - 192.168.2.0/24
    - 103.21.244.0/22 # Cloudflare IP ranges
    - 103.22.200.0/22
    - 103.31.4.0/22
    - 104.16.0.0/13
    - 104.24.0.0/14
    - 108.162.192.0/18
    - 131.0.72.0/22
    - 141.101.64.0/18
    - 162.158.0.0/15
    - 172.64.0.0/13
    - 173.245.48.0/20
    - 188.114.96.0/20
    - 190.93.240.0/20
    - 197.234.240.0/22
    - 198.41.128.0/17
    - 2400:cb00::/32
    - 2606:4700::/32
    - 2803:f800::/32
    - 2405:b500::/32
    - 2405:8100::/32
    - 2a06:98c0::/29
    - 2c0f:f248::/32

Things I’ve already tried

  • Switch from Cloudflare managed tunnel to HA Cloudflare Tunnel add-on.
  • Disable Cloudflare settings (Bot Fight Mode, Browser Integrity Check, etc).
  • Transform headers through Cloudflare.
  • Make the tunnel point to HTTP instead of HTTPS.
  • Purge cache in Cloudflare and on my browsers.

I’ve tried literally everything I could find — any new lead would be greatly appreciated.

Thanks.

To rule out non-networking issues: Could your HA user by accident have the “Only local access” toggle turned on?

EDIT: also, if you use cloudflared, the trusted proxy should be your local machine where cloudflared runs, not the Cloudflare external servers. I just have this as a leftover from a successful test:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.123

If I recall I lifted this from an error in my logs saying an attempt from here was rejected, which hinted me to this configuration I did not have. But your logs seem to suggest authentication is the problem, not the networking bit. There would likely not be any authentication rejected if networking was not correct to get you that far.

No, my user doesn’t have “Only local access” enabled. I can access via my public domain on Android or Firefox for example.
I know about the trusted proxies, but I tried anyway. My tunnel is configured via the HA Cloudflare add-on, so it is in the 172.30.33.0 IP range.
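
The trusted-proxy point discussed in the replies above, as an added example that is not part of the original thread and is not Home Assistant's own code: a simplified, generic model of how a proxy-aware server chooses the client IP from X-Forwarded-For. The function names and the sample addresses (172.30.33.5, 192.168.1.50, 203.0.113.7, 198.51.100.9) are constructed for illustration.

```python
import ipaddress

def _trusted(addr, nets):
    """True if addr is inside any trusted network (v4/v6 mismatch is False)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def resolve_client(peer, xff, trusted_proxies):
    """Return (client_ip, reason) for a request whose TCP peer is `peer`.

    Generic model (an assumption, not a specific product's logic):
    X-Forwarded-For is believed only when the directly connected peer is a
    trusted proxy; the client is then the right-most hop in the header
    that is not itself a trusted proxy.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    if not xff:
        return peer, "no header"
    if not _trusted(peer, nets):
        return peer, "header ignored: peer not trusted"
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    try:
        for hop in reversed(hops):
            if not _trusted(hop, nets):
                return hop, "from header"
    except ValueError:
        return peer, "header ignored: malformed"
    return (hops[0], "all hops trusted") if hops else (peer, "no header")

# Constructed scenarios: (label, TCP peer, X-Forwarded-For, trusted_proxies)
SCENARIOS = [
    # cloudflared runs locally, so the peer is the add-on subnet address.
    ("tunnel, add-on subnet trusted", "172.30.33.5", "203.0.113.7",
     ["172.30.33.0/24"]),
    # Cloudflare edge ranges never appear as the TCP peer behind a tunnel.
    ("tunnel, only edge range trusted", "172.30.33.5", "203.0.113.7",
     ["104.16.0.0/13"]),
    # Trusting a whole LAN means any LAN host's header is believed.
    ("LAN host, whole /24 trusted", "192.168.1.50", "198.51.100.9",
     ["192.168.1.0/24"]),
    # Trusting only the proxy host keeps other LAN hosts' headers ignored.
    ("LAN host, single proxy trusted", "192.168.1.50", "198.51.100.9",
     ["192.168.1.123"]),
]

if __name__ == "__main__":
    for label, peer, xff, trusted in SCENARIOS:
        print(f"{label:32} -> {resolve_client(peer, xff, trusted)}")
```

In this model, the address that ban and login-attempt logs record depends on the list being exactly the host or subnet where the proxy runs: too narrow and every request appears to come from the proxy, too broad and a forwarded header from any listed host is accepted as the client address.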