New Add-On: Cloudflared

I have no choice but to install the HA container version on my NAS system, hence it's unable to install add-ons from a repository. Is it possible to do a manual installation? Or is there any other way to implement this Cloudflare tunnel?

Read, just a couple of posts above yours, under this same thread.

Thank you. I’ll give Auth0 a try :blush:

I installed the latest version of Cloudflared (2.0.5) in my HomeAssistant installation, which runs as a VM on a Synology Disk Station. Unfortunately, I always get a 400 error. I switched off the internal firewall of the DSM, but no change. Any idea how to fix it? Thank you.

See Troubleshooting section of the documentation @ brenner-tobias/addon-cloudflared (github.com)

Or provide more information (setup, config, log, etc.) so that people could help.

Thank you very much for your reply. I checked the log and found that the HTTP integration is not set up for reverse proxies. And I found the following thread which solved the problem: HTTP integration is not set-up for reverse proxies? - #4 by mahikeulbody

I added "- 127.0.0.1" and "- ::1" so that it reads:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24
    - 127.0.0.1
    - ::1

and now it works. Thank you.
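The trusted_proxies list above decides which peers Home Assistant will believe when they claim to be forwarding for someone else. The following is an added example, not code from the thread or from Home Assistant, of the decision a reverse-proxy-aware server has to make: walk the X-Forwarded-For chain from the nearest hop, skip hops that are themselves trusted proxies, and refuse (here with the same 400 the post ran into) any forwarded header that arrives from a peer outside the trusted list, because such a header is attacker-controlled. The two trusted lists are the before and after from the post; the peer addresses, headers and function names are my own constructed assumptions.

```python
"""Added example: resolving the real client address behind trusted proxies.

Not Home Assistant's code. The trusted lists come from the post above; the
request samples are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Before the fix in the post: only the add-on network was trusted.
OLD_TRUSTED: List[str] = ["172.30.33.0/24"]
# After the fix: add-on network plus IPv4/IPv6 loopback.
NEW_TRUSTED: List[str] = ["172.30.33.0/24", "127.0.0.1", "::1"]


def is_trusted_proxy(addr: str, trusted: List[str]) -> bool:
    """True if addr falls inside any configured trusted_proxies entry.

    ip_network(..., strict=False) accepts bare hosts such as "127.0.0.1"
    as /32 (or /128) networks, matching how the YAML list is written.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in trusted)


def client_ip_from_chain(peer_addr: str, xff: str, trusted: List[str]) -> Optional[str]:
    """Walk X-Forwarded-For from the right (hop closest to us) to the left.

    The first hop that is not itself a trusted proxy is the client. Returns
    None if any hop is not a valid IP, so the caller can refuse the request
    instead of guessing.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not is_trusted_proxy(hop, trusted):
            return hop
    # Every hop was a trusted proxy: the peer itself is the best answer.
    return peer_addr


def handle_request(peer_addr: str, headers: Dict[str, str], trusted: List[str],
                   use_x_forwarded_for: bool = True) -> Tuple[int, str]:
    """Return (status, client_ip) for a request from peer_addr.

    400 is returned when a forwarded header arrives from an untrusted peer,
    which is the symptom the post describes until loopback was trusted.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    xff = lowered.get("x-forwarded-for")
    if not use_x_forwarded_for or xff is None:
        return 200, peer_addr
    if not is_trusted_proxy(peer_addr, trusted):
        # Header present but the sender is not a proxy we trust: refuse it.
        return 400, peer_addr
    client = client_ip_from_chain(peer_addr, xff, trusted)
    if client is None:
        return 400, peer_addr
    return 200, client


if __name__ == "__main__":
    # Constructed samples: cloudflared on loopback forwarding an internet client.
    fwd = {"X-Forwarded-For": "203.0.113.7"}
    print("old list, peer 127.0.0.1:", handle_request("127.0.0.1", fwd, OLD_TRUSTED))
    print("new list, peer 127.0.0.1:", handle_request("127.0.0.1", fwd, NEW_TRUSTED))
    # Spoof attempt: an internet peer claims to be loopback via the header.
    spoof = {"X-Forwarded-For": "127.0.0.1"}
    print("spoof from 203.0.113.7:", handle_request("203.0.113.7", spoof, NEW_TRUSTED))
```

Running the block shows the post's before/after directly: with OLD_TRUSTED a forwarded request arriving over loopback is refused with 400, with NEW_TRUSTED it resolves to the forwarded client, and a direct internet peer that puts 127.0.0.1 in its own X-Forwarded-For header is refused rather than treated as local.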

I would say so. A few weeks ago my domain started responding very, very slowly and I couldn't work out what was causing it. I debugged all my internal stuff before realising it was an issue at Cloudflare. Only yesterday, after having a support ticket open for 3 weeks, did they confirm they had "throttled by zone". But I never had any email to inform me this was going to happen and there are no instructions on how to remove this restriction.

However, even if I could remove the restriction I think I would get throttled again, as I'm assuming the issue came from displaying my front door cam on my wall tablet, as that was only integrated a few days before all these issues started.

Is there any way to route the CCTV streams (served by Frigate) not through Cloudflare? Does anyone know?


ZeroTier?

I have the add-on installed in HA, and then connect my phone to my ZeroTier network… and it's like I'm at home on the local network.

Hello All,

Outside of the basic setup to get it working (get a domain name, setup the config per the documents, add the proxy to configuration.yaml, authenticate at Cloudflare per the link in the log), the subsequent question becomes:

What are the other things you would do to further secure your setup?

Do I enable Cloudflare Zero Trust also? What are the considerations? What should I do exactly?
Do I use the WAF? What kinds of rules are you guys using? I see someone mentioned geo-IP blocks above, but what else?
Any switches in Cloudflare I should enable or disable?
Anything else I can do with this Cloudflared setup for better security?
Is there already some other thread on this (above and beyond) topic?

I am looking for tips and ideas and best practices.
And thanks in advance.

Figured I could start first:
Personally I am using super long, almost password-like, difficult-to-remember strings for my HA subdomain. So something like:

eb1484a2-f628-4b32-a0b9-8d01df6ad7d7.mydomain.com

Not for everyone, sure, but I hope this fits the purpose of “further secure the setup”.


I have this issue every month with this addon, having to recreate the tunnel. Does anyone know why?


As has been said before, I have a password-like subdomain and domain name.
I have activated Zero Trust policies, enabling Google authentication for accessing the tunnel. You can also implement a geographic access policy in Zero Trust.
To solve the problem of Google authentication with the companion app, I allow access without Google authentication from devices connected through WARP to my Cloudflare Teams zone.
All of this is well documented in the Cloudflare documentation, though it takes a while to configure.


I keep getting this error, does anyone know how to fix it?

[09:38:48] INFO: Checking Add-on config…
[09:38:48] FATAL: ‘external_hostname’ is empty, please enter a valid String

My external hostname is not empty…

I do have the same error. :frowning:

additional_hosts: []
external_hostname: **.******.de
tunnel_name: homeassistant
tunnel_token: ''

Even if I set up a remote tunnel and enter the phrase in the tunnel_token option, the same fatal error blocks the start of this add-on.
Btw, I did a backup yesterday due to a system change. Is this the reason for this error?

I am having the problem with the tunnel again (I am not at home so I cannot read the log, but the tunnel appears as inactive on Cloudflare), and since I am not at home I cannot restart the add-on.
Maybe it would be possible to implement a safeguard so that, in case the add-on cannot connect to the tunnel, it tries to connect again every X minutes.
That way, for example, I could delete the tunnel in Cloudflare and the add-on would connect on the next retry.

The bug that leads to the erroneous log entry FATAL: ‘external_hostname’ is empty, please enter a valid String has been fixed in the latest version (v2.0.6).

The fix can be considered a workaround, as the real problem, however, is that using Ubuntu in combination with a Supervised installation is not officially supported by Home Assistant.

Similar errors may occur again in the future.

Thank you for this addon! Working great! :slight_smile:

However, I would like to block access based on country. Can’t get it to work. I live in Sweden and try to create a gateway network policy rule in cloudflare zero trust blocking everything from Sweden (to verify) but I can still access HA. Anyone got it working that can give some guidance?

The policies are working fine for me. Have you added this via Access - Applications? If so, please share the settings so we can have a look and try to help.

It worked, thanks for fixing it.

Can you explain your config a bit more? When I add a new application like you did with subdomain.domain.com/api and go to the url I get an 404: Not Found error.

The /api path can't be configured in the Cloudflared add-on, nor as the HA external URL, so there must be something else I am missing in my config.