CloudFlare Argo

Another thought: if it works when you run the command manually, but not in the add-on, it's possible you are using two different keys.

An additional thing to look at: the add-on uses the config file form of the command, so you can try emulating it to find the problem. Here’s what it looks like in the code:

cloudflared --origincert=${certificate} tunnel --config=/config/cf-argo/config.yml run

I run Home Assistant container on a Debian VM and have it working with Cloudflare Tunnel (used to be Argo). I moved to this a few months back after some of the older non-Cloudflare maintained containers stopped working properly without workarounds.

Here are some basic instructions on how I got it working. There are probably easier ways, but throwing this out there in case it points someone in the right direction. This does not cover setting up Cloudflare Teams / Access rules. It only gets the tunnel working.

Install
On any computer, install cloudflared, login (to get a cert.pem file), and create a tunnel (to get a .json). This only needs to happen once and you can use the login (cert.pem) to manage your tunnels (create/delete). The tunnel file and a config are really the only files you need on your Docker machine.

  • Install
  • Login
  • Create Tunnel

Pay attention to where your .json file lives. You will have to move it to your server. It will look something like this:

12345678-1234-1234-1234-123456789012.json

On your Docker host, make a folder for the Docker container; in my case this is /srv/docker/cftunnel.

Move your tunnel json there and create a config.yml.

Inside /srv/docker/cftunnel:

  • config.yml
  • 12345678-1234-1234-1234-123456789012.json

config.yml

tunnel: 12345678-1234-1234-1234-123456789012
credentials-file: /etc/cloudflared/12345678-1234-1234-1234-123456789012.json

ingress:
  - hostname: "homeassistant.mydomain.com"
    service: http://<machine ip>:8123
  - service: http_status:404

Note: Don't use the Docker container name in place of the local IP. Since the Home Assistant container usually runs in host mode, you have to specify the local machine IP. Also note that Cloudflare tunnel will not route to a host outside of the local machine, so it has to be installed on the same machine as Home Assistant.

docker-compose.yaml entry - I call mine cftunnel

  cftunnel:
    container_name: cftunnel
    hostname: cftunnel
    image: cloudflare/cloudflared
    restart: unless-stopped
    volumes:
      - /srv/docker/cftunnel:/etc/cloudflared
    command: tunnel --config /etc/cloudflared/config.yml run 12345678-1234-1234-1234-123456789012

Start your container with docker-compose up -d. Check log output to make sure it started correctly.
Final step, make a CNAME entry on Cloudflare to point to the tunnel.
There are multiple ways to do this:
LINK

Access your Home Assistant instance from https://homeassistant.mydomain.com

This doesn't make dynamic tunnels like some of the other containers out there, but you do have a lot of flexibility in the config.yml to create additional ingress rules for other services on the same machine if you like (SEE HERE). Anything on a different machine requires a new tunnel (and associated .json file).

I followed your tutorial but I get 400: Bad Request. This seems related to HA when accessed from an external http/https address. Did you have the same problem?

This is the HA log:

A request from a reverse proxy was received from 172.19.0.2, but your HTTP integration is not set-up for reverse proxies

10:03:31 – (ERROR) HTTP

Solved by adding this in configuration.yaml:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.19.0.2
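
The following Python is an added example, not written by any poster in this thread or by the Home Assistant project. It scans log text for the reverse-proxy error quoted above and checks a trusted_proxies list against the addresses it finds; the sample log lines, the function names and the 256-address threshold are assumptions made for illustration.

```python
import ipaddress
import re

# Error text as quoted in the thread; the capture group is the proxy's source address.
PROXY_MSG = re.compile(
    r"A request from a reverse proxy was received from (?P<ip>[0-9a-fA-F.:]+), "
    r"but your HTTP integration is not set-up for reverse proxies"
)

# Constructed sample log lines (timestamps and logger names are illustrative).
SAMPLE_LOG = """\
2000-01-01 10:03:31 ERROR (MainThread) [homeassistant.components.http.forwarded] A request from a reverse proxy was received from 172.19.0.2, but your HTTP integration is not set-up for reverse proxies
2000-01-01 10:03:32 INFO (MainThread) [homeassistant.core] Starting Home Assistant
2000-01-01 10:04:02 ERROR (MainThread) [homeassistant.components.http.forwarded] A request from a reverse proxy was received from 172.19.0.2, but your HTTP integration is not set-up for reverse proxies
"""


def rejected_proxies(log_text):
    """Return the set of proxy source addresses the HTTP integration refused."""
    return {ipaddress.ip_address(m["ip"]) for m in PROXY_MSG.finditer(log_text)}


def audit_trusted_proxies(entries, log_text, max_hosts=256):
    """Check trusted_proxies entries against the proxies seen in the log.

    Returns (missing, too_broad):
      missing   - refused proxy addresses that no entry covers
      too_broad - entries spanning more than max_hosts addresses (assumed
                  threshold); every address in a trusted entry is allowed to
                  supply X-Forwarded-For, so wide ranges widen who can do so
    """
    networks = [ipaddress.ip_network(e, strict=False) for e in entries]
    missing = sorted(
        str(ip)
        for ip in rejected_proxies(log_text)
        if not any(ip in net for net in networks)
    )
    too_broad = [str(net) for net in networks if net.num_addresses > max_hosts]
    return missing, too_broad


if __name__ == "__main__":
    for entries in (["172.19.0.2"], ["172.19.0.0/16"], ["0.0.0.0/0"], []):
        missing, too_broad = audit_trusted_proxies(entries, SAMPLE_LOG)
        print(f"{entries!r}: missing={missing} too_broad={too_broad}")
```

An empty `missing` list with an empty `too_broad` list means the entries cover exactly the proxy that Home Assistant reported and nothing wider.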

@Tony2k sorry didn’t see this, that setting is part of the instructions.

Closing this down now.

GitHub - brenner-tobias/addon-cloudflared: Connect remotely to your Home Assistant instance without opening any ports using Cloudflared. has come a long way and is way better to use:
