Caddy Reverse Proxy only works with cloudflare proxy on, but not with DNS only

1. Output of caddy version: v2.4.6 h1:HGkGICFGvyrodcqOOclHKfvJC0qTU7vny/7FhYp9hNw=

2. How I run Caddy:

a. System environment:

OS: Ubuntu Server 22.04.1 LTS
Running on Docker. Managing with Portainer. But also have access to the command line.

b. Command:

caddy run --config /etc/caddy/Caddyfile --adapter caddyfile

c. Service/unit/compose file:


version: "3.7"
    #image: caddy:latest
    image: slothcroissant/caddy-cloudflaredns:latest
    container_name: caddy
    restart: unless-stopped
      - "80:80"
      - "443:443"
      - /home/docker/caddy/Caddyfile:/etc/caddy/Caddyfile
      - /home/docker/caddy/data:/data
      - /home/docker/caddy:/config
      - TLD= domain.tld
      - CLOUDFLARE_API_TOKEN= [snip]
      - DOMAIN=
      - TZ= US/Michigan
      - ACME_AGREE= true

d. My complete Caddy config:

	acme_dns cloudflare [snip]

subdomain.domain.tld {

sub2.domain.tld {

3. The problem I’m having:

I want to use caddy as reverse proxy and cloudflare as DNS only. When I turn proxy in cloudflare on, I am able to connect to my websites, but if I set it to DNS only, it doesn’t work.

4. Error messages and/or full log output:

logs. No errors. Just normal

5. What I already tried:

I’ve tried following a dozen different tutorials. Changing every detail I can. I have no idea why it isn’t working. Online people tend to have the opposite problem as me. It works for them with DNS only but stops working when they turn proxy on.

6. Links to relevant resources:

There’s a very important piece of the puzzle here and that’s the fact you have cloudflared in the mix.

Cloudflare Tunnels work through Cloudflare’s backend infrastructure - there’s some magic that takes the traffic and routes it through to a configured tunnel connector.

While you’re routing a subdomain through a tunnel, you should find that in the Cloudflare dashboard, the DNS record for this is a CNAME with a value of [tunnel-ID] If you turn Cloudflare proxying off for this record, and allow Cloudflare to present it as a regular CNAME, then clients will make DNS lookups to [tunnel-ID] and will find no authoritative answer - no IP address, nothing to connect to. This will naturally break client access (at least, for those who haven’t cached a previous good DNS resolution).

To make use of Cloudflare tunnels, you must leave the Cloudflare proxy on, because that allows Cloudflare to respond to DNS requests for your subdomain with their own edge IP addresses, which allow for clients to connect to them and be routed to your tunnel connector as configured.

If you want to take your subdomain off a Cloudflare tunnel, you should remove the tunnel, delete the CNAME, and replace it with a new CNAME or A record that points directly to your origin server instead of an address.

1 Like

I’m using a tunnel because port forwarding does not work on my router. So, I guess in my case, it’s not possible to use cloudlfare without its proxy. In that case, I think you can close this topic. I’ll have to find another way to open my services to the internet. Thank You for your time. If you have any suggestions, I am open to them.

That’s unfortunate!

Is there any reason you need the tunnels but don’t want the proxy? They’re inseparable; a service can’t really transport your traffic to you without, by definition, reverse-proxying it back through the tunnel.

If the issue is with Cloudflare itself, you could look into other solutions.

In terms of tunneling services, aimed at self-hosted options, I’d recommend looking at this resource: GitHub - anderspitman/awesome-tunneling: List of ngrok alternatives and other ngrok-like tunneling software and services. Focus on self-hosting.

As an alternative to “tunnels”, per se, you could also just use a plain old VPN or global area network, like Wireguard or ZeroTier or Tailscale. Point your domains at a VPS; connect your server via VPN; have Caddy on your VPS reverse-proxy to your services hosted on your server.

(Definitely click that link above; it covers all your options in pretty great detail!)

1 Like

I want to host jellyfin and photoprism. Both of those have video content which is against Cloudflare TOS. So I wanted to reverse proxy it myself so I could still use their DNS. I will look into those options. Thanks!

I’ll throw in my 2 cents as I recently struggled through this and found a solution.

This can easily be solved by leaving your domain ( in the Caddyfile, but the tunnel MUST have the same domain ( in both the Origin Server Name and the HTTP Header options. Redirect can be set to HTTPS://localhost.

SSL in cloudflare should be set to strict.

This works for DNS Validated certs and HTTP certs acquired through port forwarding.

If using a self signed cert you only need to turn off NoTLSVerify in the tunnel and it should work.

If using no cert then just set to HTTP://localhost and it should work.

The key for DNS Validated domains is setting the Origin Server Name and HTTP Header to the domain that caddy is configured with.

When using no cert you just need to set it to HTTP://localhost.

This topic was automatically closed after 30 days. New replies are no longer allowed.