Reference cloudflare tunnel notlsverify
name: Cloudflare tunnel: self-signed HTTPS origins need noTLSVerify description: finn.justinsforge.com and portainer.justinsforge.com ingress entries require noTLSVerify: true because their origins use self-signed certs type: reference
Proxmox web UI (finn.justinsforge.com, origin https://192.168.86.75:8006) and Portainer (portainer.justinsforge.com, origin on the same host) serve HTTPS with self-signed certificates. Cloudflared rejects these by default, producing 502 Bad Gateway.
Fix already applied: noTLSVerify: true added to both ingress entries in the media-server tunnel config. Both now reach origin (returning 302 to Access login).
How to apply: Any future tunnel ingress pointing at a Proxmox node, self-hosted Portainer, or other self-signed HTTPS origin needs noTLSVerify: true. Without it, cloudflared will 502 silently. Check the origin scheme before assuming a new 502 is a routing or firewall problem.
[auto-memory session e0097de0-7e40-40e5-8991-c9d652aef72a, confidence 0.70, mode staged]