CloudFlared and HA Core (no add ons)

I feel like I'm so close and I'm just missing one setting. I'm behind a CGNAT, so I'm trying to get remote access to my HA Core dashboard. I've set up a hostname on Freenom. I've created a Cloudflare Zero Trust account, built the tunnel on Cloudflare, installed cloudflared in Docker, and my tunnel shows as active on the Cloudflare side.

Now when I go to the URL, I get a 400 bad service request. I read that this was because I had to add a proxy to the HA YAML. So I added the proxy and now my message changed to 404: Not Found. So now I'm stuck. Anyone have any other advice?

Adding in my docker compose section for HA and Cloudflared:

services:
  homeassistant:
    container_name: homeassistant
    image: lscr.io/linuxserver/homeassistant:latest
    # host networking: HA listens on the host's own address, which is the
    # 192.168.1.69:8123 origin the tunnel's ingress rule points at, so no
    # port mapping is needed
    network_mode: host
    # ports:
    #   - 8123:8123
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
    labels:
      - com.centurylinklabs.watchtower.enable=true
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ${DOCKERCONFDIR}/homeassistant:/config
    restart: unless-stopped

  tunnel:
    container_name: cloudflared-tunnel
    image: cloudflare/cloudflared
    restart: unless-stopped
    command: tunnel run
    environment:
      # no quotes around the value: in list form compose passes them through
      # as part of the string; take the token from .env like PUID above so it
      # is not committed with the compose file
      - TUNNEL_TOKEN=${TUNNEL_TOKEN}

# the tunnel container joins this pre-existing network (172.19.0.0/16 per the
# cloudflared logs), which is the subnet listed under trusted_proxies in HA
networks:
  default:
    name: homeassistant
    external: true

The lines added to my HA configuration.yaml:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    # subnet of the docker network the cloudflared container sits on (it
    # reports 172.19.0.3 as its address in the logs below); with
    # use_x_forwarded_for enabled, HA answers 400 to any forwarded request
    # arriving from a peer outside this list
    - 172.19.0.0/16

Logs from cloudflared:

2022-12-16T16:41:43Z INF Starting tunnel tunnelID= ******
2022-12-16T16:41:43Z INF Cannot determine default configuration path. No file [config.yml config.yaml] in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared]
2022-12-16T16:41:43Z INF Version 2022.11.1
2022-12-16T16:41:43Z INF GOOS: linux, GOVersion: go1.19.3, GoArch: amd64
2022-12-16T16:41:43Z INF Settings: map[no-autoupdate:true]
2022-12-16T16:41:43Z INF Environmental variables map[TUNNEL_TOKEN:*****]
2022-12-16T16:41:43Z INF Generated Connector ID: *******
2022-12-16T16:41:43Z INF Will be fetching remotely managed configuration from Cloudflare API. Defaulting to protocol: quic
2022-12-16T16:41:43Z INF Initial protocol quic
2022-12-16T16:41:43Z INF ICMP proxy will use 172.19.0.3 as source for IPv4
2022-12-16T16:41:43Z INF ICMP proxy will use :: as source for IPv6
2022-12-16T16:41:43Z WRN The user running cloudflared process has a GID (group ID) that is not within ping_group_range. You might need to add that user to a group within that range, or instead update the range to encompass a group the user is already in by modifying /proc/sys/net/ipv4/ping_group_range. Otherwise cloudflared will not be able to ping this network error="Group ID **** is not between ping group 1 to 0"
2022-12-16T16:41:43Z WRN ICMP proxy feature is disabled error="cannot create ICMPv4 proxy: Group ID **** is not between ping group 1 to 0 nor ICMPv6 proxy: socket: permission denied"
2022-12-16T16:41:43Z INF Starting metrics server on 127.0.0.1:38216/metrics
2022/12/16 16:41:43 failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details.
2022-12-16T16:41:43Z INF Connection ***** registered with protocol: quic connIndex=0 ip=**** location=SEA
2022-12-16T16:41:44Z INF Updated to new configuration config="{\"ingress\":[{\"hostname\":\"mydomainname.tk\",\"path\":\"HA\",\"service\":\"http://192.168.1.69:8123\"},{\"service\":\"http_status:404\"}],\"warp-routing\":{\"enabled\":false}}" version=1
2022-12-16T16:41:44Z INF Connection **** registered with protocol: quic connIndex=1 ip=*** location=LAX
2022-12-16T16:41:44Z INF Connection **** registered with protocol: quic connIndex=2 ip=**** location=SEA
2022-12-16T16:41:45Z INF Connection ****** registered with protocol: quic connIndex=3 ip=***** location=LAX
2022-12-16T16:46:02Z INF Updated to new configuration config="{\"warp-routing\":{\"enabled\":false},\"ingress\":[{\"path\":\"HA\",\"service\":\"http://192.168.1.69:8123\",\"hostname\":\"mydomainname.tk\",\"originRequest\":{}},{\"service\":\"http_status:404\"}]}" version=2

Ultimately, I end up here and I don’t know what else to do:

I had also posted this on Reddit. For anyone who is having the same issue, it ended up being that the mydomain.tk/HA path won't work. I had to change it to ha.mydomain.tk on the Cloudflare side.
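Why the path-based rule that cloudflared logged above ends in 404s, and why 172.19.0.0/16 satisfies Home Assistant's proxy check, as an added example that is not part of the original post, of cloudflared or of Home Assistant: a small Python simulation of cloudflared's documented ingress matching (rules tried in order, first match wins, hostname an exact or `*.` wildcard match, `path` an unanchored regular expression, a rule with neither as the catch-all) run over the requests a browser makes while loading the HA dashboard. The subdomain `ha.mydomainname.tk`, the list of request paths and the two ingress lists are assumptions constructed from the post.

```python
"""Simulate cloudflared ingress matching and Home Assistant's trusted-proxy check.

Added example; not code from the original post, from cloudflared or from
Home Assistant.  Matching semantics modelled here follow cloudflared's
documented ingress rules: rules are tried in order and the first match wins,
"hostname" is an exact match or a "*." wildcard (treated as a suffix match),
"path" is an unanchored regular expression, and a rule with neither is the
required catch-all.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed from the configuration cloudflared logged in the post:
# apex hostname plus a path restriction of "HA".
INGRESS_PATH_RULE: List[Dict[str, str]] = [
    {"hostname": "mydomainname.tk", "path": "HA",
     "service": "http://192.168.1.69:8123"},
    {"service": "http_status:404"},
]

# Constructed to mirror the fix the poster reported: a dedicated subdomain
# (assumed to be ha.mydomainname.tk) and no path restriction.
INGRESS_HOST_RULE: List[Dict[str, str]] = [
    {"hostname": "ha.mydomainname.tk", "service": "http://192.168.1.69:8123"},
    {"service": "http_status:404"},
]

# Constructed sample of what a browser requests when loading the dashboard:
# the page the user typed, the root, the login flow, static assets, the
# websocket the frontend runs on, and a dashboard view.
HA_REQUESTS = [
    "/HA",
    "/",
    "/auth/authorize",
    "/frontend_latest/core.js",
    "/api/websocket",
    "/lovelace/0",
]


def _host_matches(rule_host: Optional[str], hostname: str) -> bool:
    """Hostname part of a rule: absent or "*" matches all, "*.x" is a suffix match."""
    if not rule_host or rule_host == "*":
        return True
    if rule_host.startswith("*."):
        return hostname.endswith(rule_host[1:])
    return rule_host == hostname


def route(ingress: List[Dict[str, str]], hostname: str, path: str) -> str:
    """Return the service the first matching ingress rule sends a request to."""
    for rule in ingress:
        if not _host_matches(rule.get("hostname"), hostname):
            continue
        # "path" is a regex searched anywhere in the request path, not a prefix
        if "path" in rule and not re.search(rule["path"], path):
            continue
        return rule["service"]
    # cloudflared rejects an ingress list without a catch-all, so this is
    # unreachable for a configuration it would have accepted
    raise ValueError("ingress list has no catch-all rule")


def route_all(ingress: List[Dict[str, str]], hostname: str) -> Dict[str, str]:
    """Route every sample request and report where each one ends up."""
    return {path: route(ingress, hostname, path) for path in HA_REQUESTS}


def proxy_trusted(peer_ip: str, trusted_proxies: List[str]) -> bool:
    """Home Assistant honours X-Forwarded-For only from peers in trusted_proxies.

    A forwarded request from any other peer is answered with 400, the first
    error the poster saw before adding the http: block.
    """
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in ipaddress.ip_network(net) for net in trusted_proxies)


if __name__ == "__main__":
    print("path rule, requests to mydomainname.tk:")
    for path, svc in route_all(INGRESS_PATH_RULE, "mydomainname.tk").items():
        print(f"  {path:28} -> {svc}")
    print("host rule, requests to ha.mydomainname.tk:")
    for path, svc in route_all(INGRESS_HOST_RULE, "ha.mydomainname.tk").items():
        print(f"  {path:28} -> {svc}")
    # cloudflared logged 172.19.0.3 as its address on the docker network
    print("172.19.0.3 trusted:", proxy_trusted("172.19.0.3", ["172.19.0.0/16"]))
```

With the path rule only the initial `/HA` request reaches Home Assistant; everything the frontend loads afterwards (`/auth/authorize`, `/frontend_latest/...`, `/api/websocket`) contains no `HA` and falls through to the `http_status:404` catch-all, which is the 404 seen after the proxy fix. A hostname-only rule routes every path on that subdomain to the origin, which is why moving to `ha.mydomain.tk` resolved it.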