Issue with Cloudflare Tunnel and Home Assistant: “A request from a reverse proxy…” + “400: Bad Request”

:wrench: Setup

I’m running Home Assistant in a Docker container on my Synology NAS (DSM 7.x). Additionally, I have Cloudflared running in a separate Docker container on the same NAS to expose Home Assistant securely via a Cloudflare Tunnel, without any port forwarding.

Other services like EVCC, Paperless, Grafana, Mosquitto, etc. are also running in Docker and are fully accessible both internally and externally. Even the Synology itself is reachable via HTTPS without issues.

:closed_lock_with_key: Goal

I want to securely access Home Assistant via a custom subdomain (e.g. https://ha.exampledomain.tld) using Cloudflare Tunnel. The tunnel is active, DNS is correctly configured, and the connection technically works — but Home Assistant blocks the request with the following error:

“A request from a reverse proxy was received from 192.168.x.x, but your HTTP integration is not set to use trusted_proxies.”

Additionally, when accessing the subdomain via browser, I get:

“400: Bad Request”

:brain: Error Behavior

  • The error only occurs when accessing Home Assistant via the Cloudflare subdomain
  • Local access via IP or internal hostname works fine
  • The “400 Bad Request” is triggered by Home Assistant when:
    • The request comes from a proxy
    • But the proxy IP is not listed in trusted_proxies
    • Or the required headers (X-Forwarded-For, X-Forwarded-Proto) are missing or malformed

:white_check_mark: Steps Already Taken

  1. Cloudflared is running in host network mode (network_mode: host)
  2. Tunnel is started using a token: cloudflared tunnel run --token ...
  3. In the Cloudflare Zero Trust dashboard:
    • Public hostname: ha.exampledomain.tld
    • Private IP: 192.168.x.x:8123
    • Proxy type: http
    • HTTP Host Header: ha.exampledomain.tld
  4. In Home Assistant’s configuration.yaml:

```yaml
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - 192.168.x.x  # Synology IP
```

  5. Home Assistant has been restarted multiple times
  6. Access via https://ha.exampledomain.tld technically works, but the warning and 400 error persist

:question: Questions

  • Does Cloudflared need additional configuration to properly set X-Forwarded-For?
  • Are there known issues when both Cloudflared and Home Assistant run in host network mode?
  • Would moving Home Assistant to a bridge network help with proxy detection?
  • Is there a way to debug the actual headers Home Assistant receives?

Hello Christian,

Did you restart Home Assistant after editing that http YAML file? That is sometimes missed.
You might want to try 192.168.x.0/24 for the trusted_proxy to get it going, then shrink it to just the Synology box IP once you have it headed your direction.


Thanks for the support. As is often the case, the problem is in front of the computer. I always changed the file correctly and restarted the Docker container, but only the root user had rights to the YAML, and the text editor on Synology never gave me an error message saying that it couldn’t write the file. Anyway, I have now extended the permissions to my users, and the write operation worked. After a restart and the correct settings on my Diskstation, access from the Internet now also works.
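
A simplified model of the trusted-proxy check discussed in this thread, as an added example that is not part of the original posts and is not Home Assistant's own code. The function name and the addresses 192.168.1.10 (NAS), 192.168.1.77 (another LAN host) and 203.0.113.5 (remote client) are constructed stand-ins for the masked values; it shows why an `http:` block that never reached disk yields a 400, and why the /24 used for testing should be narrowed again afterwards.

```python
import ipaddress

def evaluate_request(peer_ip, headers, use_x_forwarded_for, trusted_proxies):
    """Return (status, detail): 200 plus the resolved client IP, or 400 plus a reason."""
    peer = ipaddress.ip_address(peer_ip)
    # Accept single addresses and CIDR ranges, as in the thread's config.
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    xff = headers.get("X-Forwarded-For")

    if xff is None:
        # Direct connection (local access by IP): the peer is the client.
        return 200, str(peer)
    if not use_x_forwarded_for or not trusted:
        # What the server sees when the http block was never saved.
        return 400, f"proxy request from {peer}, but no trusted_proxies configured"
    if not any(peer in net for net in trusted):
        return 400, f"X-Forwarded-For from untrusted proxy {peer}"
    try:
        hops = [ipaddress.ip_address(h.strip()) for h in xff.split(",")]
    except ValueError:
        return 400, "malformed X-Forwarded-For"
    # Walk right to left and skip hops that are trusted proxies themselves;
    # the first untrusted hop is taken as the real client.
    for hop in reversed(hops):
        if not any(hop in net for net in trusted):
            return 200, str(hop)
    return 200, str(hops[0])

if __name__ == "__main__":
    NAS, LAN_HOST = "192.168.1.10", "192.168.1.77"   # constructed addresses
    hdr = {"X-Forwarded-For": "203.0.113.5"}          # constructed header
    narrow = ["127.0.0.1", NAS]
    wide = ["192.168.1.0/24"]
    cases = {
        "config not written": (NAS, hdr, False, []),
        "config saved, NAS only": (NAS, hdr, True, narrow),
        "other LAN host, NAS only": (LAN_HOST, hdr, True, narrow),
        "other LAN host, /24 trusted": (LAN_HOST, hdr, True, wide),
        "local access, no header": (LAN_HOST, {}, True, narrow),
    }
    for name, args in cases.items():
        print(f"{name:30} -> {evaluate_request(*args)}")
```

With the /24 in place, the forwarded header from any host on the LAN is accepted as the client address, which is why narrowing the entry back to the NAS address matters once access works.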