Caddy with Cloudflare Tunnel

This is a basic guide to using Cloudflared Tunnel with Caddy on FreeBSD.


  1. Have a domain registered with Clouflare.
  2. Have a working Caddy instance with valid certs.
  3. A tunnel created at (under Access → Tunnels).

With internal HTTP

Depending on how you configured Caddy, things will change slightly. If you are serving your website over HTTP only, you will only need to set the “Service” option under “Public Hostname Page” to HTTP with the URL localhost (see below image). It should then work.

The Caddyfile should then read:

:80 {
	(site block contents)


With internal HTTPS

If you are using a self-signed, standalone or DNS-validated HTTPS certificate, you will need to change two options within Cloudflare tunnel settings:

  1. Change the “Origin Server Name” to the domain Caddy is expecting.

  2. Change the “HTTP Host Header” to the same domain name.

If you are using a self-signed certificate, you also need to enable the option “No TLS Verify”

When using a self-signed, standalone, or DNS-validated HTTPS certificate, the Caddyfile will be: {
	(site block contents)

Once the tunnel is configured, run:

pkg install cloudflared

Then configure it to run automatically at startup by adding its command to /etc/rc.local:

echo "/usr/local/bin/cloudflared tunnel run --token YOUR-TOKEN >/dev/null 2>/dev/null &" > /etc/rc.local

Then restart your jail/OS etc…
The tunnel should start working and you should be able to access your service externally.

You can alternately use:

cloudflared tunnel run --token <your token>

for a one time run.

Please make sure your DNS is resolving properly as well. For use cases where a DNS-validated certificate is used, you might configure to have DNS resolved internally to a local jail IP, with external access enabled through the tunnel.

Cloudflare has tunnel install instructions for Docker and other things, but not FreeBSD, So only FreeBSD is included here.