CloudFlared and HA Core (no add ons)

I feel like I’m so close and I’m just missing one setting. I’m behind a CGNAT and so I’m trying to get remote access to my HA Core dashboard. I’ve set up a host name on Freenom. I’ve created a Cloudflare Zero Trust account. Built the tunnel on Cloudflare, installed cloudflared on Docker, and my tunnel shows active on the Cloudflare side.

Now when I go to the URL, I get a 400 bad service request. I read that this was because I had to add a proxy to the HA YAML. So I added the proxy and now my message changed to 404: Not Found. So now I’m stuck. Anyone have any other advice?

Adding in my docker compose section for HA and Cloudflared:

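    homeassistant:            # service key assumed; not shown in the post
      container_name: homeassistant
      # image: line not shown in the post
      network_mode: host
      # ports:
      #   - 8123:8123
      environment:
        - PUID=${PUID}
        - PGID=${PGID}
        - TZ=${TZ}
      labels:
        - com.centurylinklabs.watchtower.enable=true
      volumes:
        - /etc/localtime:/etc/localtime:ro
        - ${DOCKERCONFDIR}/homeassistant:/config
      restart: unless-stopped
    cloudflared:              # service key assumed; not shown in the post
      container_name: cloudflared-tunnel
      image: cloudflare/cloudflared
      restart: unless-stopped
      command: tunnel run
      environment:
        - TUNNEL_TOKEN="my actual token here"
      # the parent key of the next line is not shown in the post
      name: homeassistant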

The lines added to my HA configuration yaml

    use_x_forwarded_for: true

Logs from Cloudflared

    2022-12-16T16:41:43Z INF Starting tunnel tunnelID= ******
    2022-12-16T16:41:43Z INF Cannot determine default configuration path. No file [config.yml config.yaml] in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared]
    2022-12-16T16:41:43Z INF Version 2022.11.1
    2022-12-16T16:41:43Z INF GOOS: linux, GOVersion: go1.19.3, GoArch: amd64
    2022-12-16T16:41:43Z INF Settings: map[no-autoupdate:true]
    2022-12-16T16:41:43Z INF Environmental variables map[TUNNEL_TOKEN:*****]
    2022-12-16T16:41:43Z INF Generated Connector ID: *******
    2022-12-16T16:41:43Z INF Will be fetching remotely managed configuration from Cloudflare API. Defaulting to protocol: quic
    2022-12-16T16:41:43Z INF Initial protocol quic
    2022-12-16T16:41:43Z INF ICMP proxy will use as source for IPv4
    2022-12-16T16:41:43Z INF ICMP proxy will use :: as source for IPv6
    2022-12-16T16:41:43Z WRN The user running cloudflared process has a GID (group ID) that is not within ping_group_range. You might need to add that user to a group within that range, or instead update the range to encompass a group the user is already in by modifying /proc/sys/net/ipv4/ping_group_range. Otherwise cloudflared will not be able to ping this network error="Group ID **** is not between ping group 1 to 0"
    2022-12-16T16:41:43Z WRN ICMP proxy feature is disabled error="cannot create ICMPv4 proxy: Group ID **** is not between ping group 1 to 0 nor ICMPv6 proxy: socket: permission denied"
    2022-12-16T16:41:43Z INF Starting metrics server on
    2022/12/16 16:41:43 failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See for details.
    2022-12-16T16:41:43Z INF Connection ***** registered with protocol: quic connIndex=0 ip=**** location=SEA
    2022-12-16T16:41:44Z INF Updated to new configuration config="{\"ingress\":[{\"hostname\":\"\",\"path\":\"HA\",\"service\":\"\"},{\"service\":\"http_status:404\"}],\"warp-routing\":{\"enabled\":false}}" version=1
    2022-12-16T16:41:44Z INF Connection **** registered with protocol: quic connIndex=1 ip=*** location=LAX
    2022-12-16T16:41:44Z INF Connection **** registered with protocol: quic connIndex=2 ip=**** location=SEA
    2022-12-16T16:41:45Z INF Connection ****** registered with protocol: quic connIndex=3 ip=***** location=LAX
    2022-12-16T16:46:02Z INF Updated to new configuration config="{\"warp-routing\":{\"enabled\":false},\"ingress\":[{\"path\":\"HA\",\"service\":\"\",\"hostname\":\"\",\"originRequest\":{}},{\"service\":\"http_status:404\"}]}" version=2

Ultimately, I end up here and I don’t know what else to do:

I had also posted this on Reddit. For anyone that is having the same issue, it ended up being that path won’t work. I had to modify it to be on the CloudFlare side.
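Added example (not part of the original post): a small Python sketch that parses a cloudflared "Updated to new configuration" log line like the one above and evaluates its ingress rules first-match-wins, showing which requests fall through to the `http_status:404` catch-all. The hostname `ha.example.com` and service `http://localhost:8123` are placeholders, since both were blank in the posted log, and Python's `re` stands in for cloudflared's own regular-expression matching of `path`.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the post's "Updated to new configuration" line.
# The hostname and service were blank in the posted log; the values here are
# placeholders (assumptions), not the poster's real settings.
LOG_LINE = (
    '2022-12-16T16:41:44Z INF Updated to new configuration config="'
    r'{\"ingress\":[{\"hostname\":\"ha.example.com\",\"path\":\"HA\",'
    r'\"service\":\"http://localhost:8123\"},{\"service\":\"http_status:404\"}],'
    r'\"warp-routing\":{\"enabled\":false}}'
    '" version=1'
)


def parse_ingress(line):
    """Return the ingress rule list embedded in a cloudflared config-update line."""
    m = re.search(r'config="(.*)" version=\d+', line)
    if not m:
        raise ValueError("line has no config= field")
    # The field is a quoted, backslash-escaped JSON document: decode it as a
    # JSON string first, then parse the resulting text as JSON.
    return json.loads(json.loads('"' + m.group(1) + '"'))["ingress"]


def host_matches(rule_host, host):
    """Empty or '*' matches any host; '*.example.com' matches subdomains."""
    if rule_host in ("", "*"):
        return True
    if rule_host.startswith("*."):
        return host.endswith(rule_host[1:])
    return host == rule_host


def route(ingress, url):
    """Return the service of the first rule that matches url (first match wins)."""
    parts = urlsplit(url)
    for rule in ingress:
        if not host_matches(rule.get("hostname", ""), parts.hostname or ""):
            continue
        path_re = rule.get("path", "")
        # 'path' is a regular expression searched in the request path.
        if path_re and not re.search(path_re, parts.path):
            continue
        return rule["service"]
    return None


RULES = parse_ingress(LOG_LINE)
```

With these rules only URLs whose path contains `HA` reach the origin; every other request, including `/`, is answered by the catch-all 404.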