New Add-On: Cloudflared

I am in the same boat; it seems they have temporarily suspended new domains.

As is the way of such things, it is now working without much intervention on my end. I, too, had suspected a networking error. I changed my pfSense firewall settings from Pure NAT to NAT + Proxy. But I had tried that before posting my question.

I was able to get back to the issue this morning. Tried ping from the SSH add-on and was able to ping my Unraid server as well as the port that the particular application uses. Put an alternate host back into the Cloudflared add-on config. Failed to connect; add-on log said unable to reach host. The difference this time was that I was at least getting a gateway error, which to me meant that the tunnel was working but the request was not getting forwarded correctly.

So I changed the host from https to http, and it was able to connect. Next, I removed the alternate host and tried again to connect using Nginx. Got a “too many redirects” error, which I had been seeing yesterday. So I changed the proxy host config in Nginx and turned off “Force SSL”. I am now able to connect through Nginx. Again, I had toggled the Force SSL on/off several times yesterday when trying to resolve.

Thanks for your prompt response and for pointing me in the right direction.


Thank you for programming this add-on. It works very well and the setup is, following your instructions, very easy. And I can sleep easier, knowing that no ports are opened.

I have one question about the NGINX proxy part. Does it add more security if I set this up? Is the traffic from Cloudflare then routed through the nginx proxy before reaching HA?

Thanks for using the add-on. The NPM option is only relevant if you want to use Nginx Proxy Manager as a reverse proxy for additional hosts (e.g. a Diskstation, a web server or your router at home) and prefer the GUI of NPM to set those hosts up. Otherwise, I suggest using the option of defining additional hosts directly in the add-on. Neither of those settings affects the connection to Home Assistant.

If no additional hosts are needed, you can just ignore those settings. There is no gain in security for the connection to HA.

Hello Tobias, I am trying to install your add-on but I am stuck. I went to the Add-on store and added your repository. It is shown under “Add-on Repositorys verwalten” (“Manage add-on repositories”). What is the next step? Where do I find any options to configure it?

Thanks for the clarification.

I suggest reading the docs: Home Assistant Add-ons. But you can only configure an add-on after you have installed it. You don’t have to worry about installing add-ons, because they will not be active until you start them. After you have installed an add-on you can access the info, documentation, configuration and log in the HA add-on panel.

The step I was missing was to delete cookies in order for the add-on to show. No instruction told me about this step, so I guess I was just stupid.

I see. For me a simple reload of the page is sufficient.

I’m very intrigued by this add-on. I didn’t actually realize Cloudflare offered this service, and I would much rather use it than open ports on my network.

That being said my setup is a bit complex. I have a reverse proxy setup but I use Caddy 2 not Nginx Proxy Manager. And I would prefer not to replace it in my setup with the hosts option of this addon for a few reasons:

  1. I have two separate routing trees. One is external and everything is subdomains of my public domain, other is internal and everything is subdomains of a LAN-only domain. I would like to keep them together
  2. I have a pretty complex caddyfile making use of a lot of its features such as access filtering, adding/removing response headers, detailed logging (especially around external access), etc. Things that cloudflared understandably doesn’t support because its purpose is to be the tunnel, not a full featured reverse proxy

So I was wondering if perhaps you could share some details about what a cloudflared config file looks like when generated by this add-on? Like perhaps a sample file or two? I was hoping to iterate locally with cloudflared directly to get something working on my network, since I’m worried it may be a little tricky based on this post on the Caddy forums. Then I can hopefully turn that into a PR for this add-on with Caddy 2 support.

I realize I could install the add-on and toy around with it to see the generated configs, but this step in the documentation made me pretty nervous:

Any existing DNS entries with your desired external hostname and additional hosts will be overridden at Cloudflare.

I put in a lot of time and effort getting my setup working the way I wanted with internal and external access, so I don’t want things blown away.

That’s a fair request. I will think about how to incorporate that in the add-on and track the request in this issue.

@CentralCommand The development of the new option is done. Feel free to check out the add-on GitHub repo or the edge repository where it is already included and let me know what you think and if that solves your problem.
I will release it to the stable repository within the next days.


I just released v0.4.0 to the stable repository with the option to add a catch-all service, e.g. for external reverse proxies.
Let me know if there are any issues with it.

It seems that it bricks all connections… I can’t connect to any subdomains except the one that was created in the beginning.

I read the information on GitHub but don’t know what extra to add to keep it as it was before the update.

EDIT:

I added this line:

additional_hosts: []

Restarted the Cloudflared add-on and now it’s working again.

When using additional_hosts: [] to forward subdomains, will it use Cloudflare’s SSL when I use https:// to go to the page?

EDIT AGAIN: Tried it and it seems to work as well. It also looks like it’s much faster without NPM in between.

That’s great to hear, and sorry that the configuration had to be adapted. The additional_hosts array should have been added a couple of releases ago, so I am not sure why it was not present in your config.

Did you have any ‘additional_hosts’ in your config before updating?

Regarding SSL: You are automatically using SSL for all your subdomains at Cloudflare. So the connection is encrypted from the visitor to Cloudflare and through the tunnel to your HA instance. After that, it depends on which protocol you are using to forward to the next service. You can use https, in which case this connection will also be encrypted, or http, which means that the connection from HA to that service (usually a local connection within your network) will not be encrypted.
The good thing about Cloudflare is that the client in the end does not see any difference, since from their point of view the Cloudflare server is responding to their request and this connection is encrypted end-to-end. Also, since some services do not offer https, this is a pretty nice way of still using https for all internet-facing connections and therefore greatly reducing any security concerns about it.
This is something that every reverse proxy offers; the only difference is that the Cloudflare proxy sits “on the internet” and then gets what it needs to serve the requests through the secure tunnel.
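As an added illustration of the https/http distinction above (example configuration, not taken from the add-on author’s posts or the add-on’s own documentation): a constructed Cloudflared add-on options block with two additional hosts, one forwarded over https and one over http. The option keys `external_hostname`, `additional_hosts`, `hostname` and `service` are assumed to match the add-on’s schema at the time of v0.4.0; all hostnames, IPs and ports are placeholders.

```yaml
# Cloudflared add-on options (Supervisor -> Add-on -> Configuration).
# Constructed example: hostnames, IPs and ports are placeholders, and the
# option keys are assumed to match the add-on's schema for v0.4.x.

external_hostname: ha.example.com   # served by the add-on itself; no additional_hosts entry needed

# 'internal_ha_port' is no longer part of the schema; remove it if an old
# config still carries it (it produced an error in the thread above).

additional_hosts:
  # Encryption per hop for every entry:
  #   visitor  -> Cloudflare edge : TLS (Cloudflare's certificate for example.com)
  #   Cloudflare edge -> cloudflared : TLS inside the tunnel
  #   cloudflared -> origin service  : whatever scheme is written in 'service'
  - hostname: diskstation.example.com
    service: https://192.168.100.10:5001
    # Encrypted on the LAN hop too. The origin must present a certificate
    # cloudflared accepts, otherwise the tunnel answers with a gateway error
    # (the symptom seen earlier in this thread before switching to http).
  - hostname: radarr.example.com
    service: http://192.168.100.20:7878
    # Plaintext only on the LAN hop; the internet-facing leg is still https.

# Each entry maps a whole hostname to one service; there is no
# location/path field in additional_hosts.
```

If an entry is unreachable from the add-on’s network, test it from the SSH add-on first (as was done in this thread) before changing the scheme: a gateway error points at the origin hop, not at the tunnel.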


I have now added all my old NPM hosts to the additional_hosts of Cloudflare. I shut down NPM and did some tests with my mobile phone on the provider network (so I’m not on the internal network).

Found one thing that fixed an error: it was removing the line

internal_ha_port: '8123'

Last question. Some services I used in NPM had a custom location:

location: /
Scheme: http
Forward Hostname / IP: 192.168.100.x
Forward Port: xxx

Is this also possible to add in the additional_hosts part of Cloudflare?

Ok, the ‘internal_ha_port’ option also used to be part of the config but is not needed anymore. I am considering adding a check for it in the config that removes it automatically.

Regarding the location: Unfortunately, this is not (yet) possible with Cloudflared. You can only define the hostname and port of the service, but not an individual location. I raised an issue for that, let’s see.

Nevertheless, when looking into the topic I found that you can define a path for the hostname to listen on. This means that you can not only define specific hostnames (e.g. ha.example.com), but also specific paths under them (e.g. home.example.com/ha and home.example.com/diskstation) and route them to different services. I will look into also offering that in my add-on, see this issue.
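To illustrate both the earlier request for what a cloudflared config file looks like (the Caddy 2 question) and the path-based routing just described, here is an added example of a cloudflared `config.yml` written for this thread. It is not the file the add-on generates and not the add-on author’s code; the tunnel ID, credentials path, hostnames and IPs are placeholders, and the `ingress`, `path`, `originRequest`/`noTLSVerify` keys are cloudflared’s own documented options.

```yaml
# cloudflared config.yml (constructed example, not generated by the add-on).
# Tunnel ID, credentials file and all hosts/IPs are placeholders.
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # Rules are evaluated top to bottom; the first match wins.

  # Whole-hostname rule, as the add-on's additional_hosts entries produce.
  - hostname: ha.example.com
    service: http://homeassistant:8123

  # Path-based routing: one hostname, different backends per path.
  # 'path' is a regular expression matched against the request path.
  # cloudflared does NOT strip the prefix, so the backend must serve
  # under /diskstation itself (or be fronted by a proxy that rewrites it).
  - hostname: home.example.com
    path: ^/diskstation(/|$)
    service: https://192.168.100.10:5001
    originRequest:
      noTLSVerify: true   # only for a self-signed origin certificate; omit otherwise

  # Catch-all: everything not matched above goes to an existing reverse
  # proxy (e.g. Caddy 2), which keeps its own access filtering, headers and
  # logging. It must be the last rule and must carry no hostname/path.
  - service: http://192.168.100.5:80
  # Without an external proxy the usual last rule is:
  # - service: http_status:404
```

Note that the config file only defines where traffic is routed once it reaches the tunnel; the public DNS records are created separately, per hostname, with `cloudflared tunnel route dns <tunnel-name> <hostname>`, which is the step that can overwrite an existing record of the same name. That is the part to handle with care when an existing split-horizon setup is in place.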


I also read something about the use of WebSockets. They will be used automatically when needed.
Radarr, Sonarr and Bazarr normally complain that they can’t start the starterr service to get real-time information, but it seems to be working correctly with Cloudflare.

I’ll keep you informed. It’s much faster without NPM… and you only have to add all the subdomains once and you’re done… Adding a new one is just as quick: restart Cloudflare and you’re done… Even easier, because Cloudflare checks whether the subdomain is in DNS and, if not, adds it. With NPM you must add the subdomain before you can create an SSL certificate and add the domain.


So for the configuration.yaml file, is the trusted proxy left alone or do we put in our HA static IP?
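For reference on the `trusted_proxies` question, an added example (not an answer from the add-on author) of the Home Assistant `http:` block that the question refers to. The keys `use_x_forwarded_for` and `trusted_proxies` are Home Assistant’s documented options; the network `172.30.33.0/24` is assumed to be the Supervisor add-on network the Cloudflared add-on connects from, and should be checked against the add-on’s documentation rather than taken from here.

```yaml
# configuration.yaml (constructed example)
http:
  # Take the real client IP from the X-Forwarded-For header that the
  # proxy in front of HA sets.
  use_x_forwarded_for: true
  # Only proxies listed here may set that header. HA rejects (HTTP 400)
  # proxied requests from any other source, so an entry is needed for
  # the network the add-on reaches HA from, not for HA's own static IP.
  trusted_proxies:
    - 172.30.33.0/24   # assumption: Supervisor add-on network; verify in the add-on docs
```

Listing only the proxy network, and not `0.0.0.0/0`, matters because anything in `trusted_proxies` can spoof the client address HA logs and uses for its login-attempt ban list.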