Using nginx with forced SSL can lead to endless redirects.
Hi all, I'm struggling with my Cloudflare Tunnel setup on TrueNAS SCALE and need assistance. Here's my setup:

- TrueNAS SCALE: Running NGINX Proxy Manager (NPM) and services.
- NPM: Configured at 192.168.1.100:30020 (admin), 30021 (HTTP), 30022 (HTTPS).
- Services: Jellyfin (192.168.1.100:8096) and TrueNAS GUI (192.168.1.100:80).
- Cloudflare Tunnel: Status Healthy, UDP 7844 open. Tunnel routes to http://192.168.1.100:30021.
- DNS: CNAMEs for domain and wildcard subdomain to <tunnel-id>.cfargotunnel.com, Proxied.
- SSL: Valid Let's Encrypt wildcard certificate in NPM. Also tried making certs for each subdomain and that still had the same issue.
- Cloudflare: SSL/TLS mode Full (strict), Always Use HTTPS and HSTS enabled.

Issues:

- Tunnel Tests Fail: curl -v http://<tunnel-id>.cfargotunnel.com and curl -v https://<tunnel-id>.cfargotunnel.com fail or hang. Direct test (curl -v --resolve <tunnel-id>.cfargotunnel.com:443:192.168.1.100 http://192.168.1.100:30021) returns 404, so NPM is reachable locally.
- Redirect Loop: Enabling Force SSL in NPM causes a 301 loop on the subdomains. Disabling Force SSL allows connections to go through. The root domain is accessible but has no proxy hosts; it's set up to return a 404.
- Tunnel DNS Port: Set to 8053 in cloudflared config, but no DNS server runs on this port. Should this be unset or set to 53?

Tried:

- Verified tunnel routes to http://192.168.1.100:30021.
- Disabled Always Use HTTPS temporarily.
- Using Optimum 6E router (cannot configure NAT loopback/MTU).

Questions:

- Is the 8053 DNS port inside the cloudflared app config causing tunnel failures? Should it be 0 or 53?
- Why do tunnel curl tests fail despite a Healthy status?
- How do I fix the 301 loop with Force SSL to secure my setup?

Please share any advice! I can provide sanitized cloudflared or NPM logs or curl outputs if needed. I'm also pretty new to this network stuff. Thanks!
Some aspects are clear:

Port 8053 in cloudflared isn't required unless you're using a local DNS resolver. Usually you should disable or leave it at the default 53 if you really need DNS. Consider dropping it.

A healthy tunnel status only confirms Cloudflared is linked to Cloudflare, but doesn't ensure your backend NPM is working correctly—so failed cURL attempts are normal if SSL/redirects aren't aligned.

The 301 redirect often occurs when both NPM and Cloudflare enforce SSL. Choose one side: if Cloudflare is set to Full Strict + Always Use HTTPS, turn off Force SSL in NPM and rely on the certificates there.

Start by removing the DNS port configuration, keep SSL enforcement only in Cloudflare, and retest cURL. If the issue persists, provide your NPM proxy host settings (excluding private info).
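An added example, not from either poster: a redirect-chain tracer run against a small model of the setup in this thread (tunnel always forwarding to NPM's plain-HTTP listener), showing why Force SSL answers an HTTPS request with a 301 to the same URL. The hostname jellyfin.example.com, the function names and the model of the edge and of NPM are assumptions made for illustration.

```python
import http.client
from urllib.parse import urlsplit, urljoin

REDIRECTS = (301, 302, 307, 308)

def npm_http_listener(host, path, force_ssl):
    # Model (assumption) of NPM's HTTP listener, port 30021 in the thread:
    # with Force SSL it redirects every plain-HTTP request to https://.
    return (301, f"https://{host}{path}") if force_ssl else (200, None)

def via_tunnel(url, force_ssl):
    # Model (assumption) of the Cloudflare edge plus tunnel.
    p = urlsplit(url)
    path = p.path or "/"
    if p.scheme == "http":
        # "Always Use HTTPS" at the edge upgrades the visitor once.
        return 301, f"https://{p.netloc}{path}"
    # The visitor used HTTPS, but the tunnel route is http://origin,
    # so NPM still sees plain HTTP.
    return npm_http_listener(p.netloc, path, force_ssl)

def live_fetch(url):
    # Real single-hop fetch (no redirect following) for use on your own host.
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=10)
    conn.request("HEAD", p.path or "/")
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")

def trace(url, fetch, max_hops=10):
    """Follow Location headers; return (chain, loop_detected)."""
    seen, chain = set(), []
    while len(chain) < max_hops:
        status, location = fetch(url)
        chain.append((url, status))
        if status not in REDIRECTS or not location:
            return chain, False
        nxt = urljoin(url, location)
        if nxt == url or nxt in seen:
            return chain, True   # redirected back to a URL already visited
        seen.add(url)
        url = nxt
    return chain, True           # hop limit reached: treat as a loop

if __name__ == "__main__":
    start = "http://jellyfin.example.com/"   # constructed hostname
    for force_ssl in (True, False):
        chain, loop = trace(start, lambda u: via_tunnel(u, force_ssl))
        print("Force SSL" if force_ssl else "No Force SSL", chain, "loop:", loop)
```

To check a real host, call trace with live_fetch as the fetch function instead of the model.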