🔧 Cloudflare Tunnel: Why It Needs Proxy (And Why It Doesn't)
📋 The Confusion
When setting up Cloudflare Tunnel in China, I encountered a confusing situation:
- ❌ Tunnel wouldn't connect without proxy
- ✅ Once connected, traffic works without proxy
- ❌ Clash proxying Cloudflare traffic broke everything
🎯 Cloudflare Has TWO Parts
Part 1: Cloudflare API (Connection)
What It Does: cloudflared makes an outbound connection to Cloudflare's edge network, authenticates with Cloudflare, and establishes the secure tunnel
Needs Proxy? ✅ YES!
Why: GFW blocks api.cloudflare.com and Cloudflare's edge IPs.
Set the proxy on the cloudflared systemd service (a drop-in override for the unit):

```ini
[Service]
Environment="HTTP_PROXY=http://192.168.51.2:7890"
Environment="HTTPS_PROXY=http://192.168.51.2:7890"
```
Part 2: Cloudflare CDN (Traffic)
What It Does: visitors reach your site through Cloudflare's CDN, and their requests reach your origin over the tunnel that is already established
Needs Proxy? ❌ NO!
Why: Traffic is already routed through the tunnel. No need for proxy!
🐛 The Problem I Faced
Symptoms:
- ✅ Domain works in private browser tab
- ❌ Domain fails in regular tab
- ✅ Works when Clash is disabled
- ❌ 502 errors with Clash enabled
Root Cause: Clash was proxying Cloudflare traffic, creating a routing loop!
✅ The Solution
Add Cloudflare to Clash DIRECT List:
```yaml
rules:
  - DOMAIN,henryjin8s.xyz,DIRECT
  - DOMAIN,www.henryjin8s.xyz,DIRECT
  - DOMAIN-SUFFIX,cloudflare.com,DIRECT
  - DOMAIN-SUFFIX,cloudflare.net,DIRECT
```
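To see exactly which outbound a hostname gets under these rules before restarting Clash, here is a small matcher written as an added example (not code from the original post and not Clash's own implementation). It implements the Clash rule types the config above relies on, DOMAIN (exact match) and DOMAIN-SUFFIX (apex plus every subdomain), plus DOMAIN-KEYWORD and the MATCH catch-all; the function and class names are my own, and the trailing `MATCH,PROXY` line is constructed for the demo to stand in for the rest of a real config.

```python
# Added example (not from the original post, not Clash's own code): a minimal
# matcher for the Clash rule types this post relies on, so you can check which
# outbound a hostname would get before restarting Clash. Function and rule
# names are my own; the fallback "MATCH,PROXY" line is constructed for the demo.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The post's DIRECT rules, plus a constructed catch-all so unmatched hosts go
# through the proxy (which is how the rest of the Clash config would behave).
CLASH_RULES = """\
rules:
  - DOMAIN,henryjin8s.xyz,DIRECT
  - DOMAIN,www.henryjin8s.xyz,DIRECT
  - DOMAIN-SUFFIX,cloudflare.com,DIRECT
  - DOMAIN-SUFFIX,cloudflare.net,DIRECT
  - MATCH,PROXY
"""


@dataclass(frozen=True)
class Rule:
    kind: str    # DOMAIN | DOMAIN-SUFFIX | DOMAIN-KEYWORD | MATCH
    value: str   # pattern to match against the hostname ("" for MATCH)
    target: str  # outbound / proxy group, e.g. DIRECT or PROXY


def parse_rules(text: str) -> List[Rule]:
    """Parse the `rules:` list of a Clash YAML config without needing PyYAML."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.endswith(":"):
            continue                      # blank, comment, or the `rules:` key
        if line.startswith("- "):
            line = line[2:].strip()
        parts = [p.strip() for p in line.split(",")]
        if parts[0] == "MATCH" and len(parts) == 2:
            rules.append(Rule("MATCH", "", parts[1]))
        elif len(parts) == 3:
            rules.append(Rule(parts[0], parts[1].lower(), parts[2]))
        else:
            raise ValueError(f"unrecognised rule line: {raw!r}")
    return rules


def matches(rule: Rule, host: str) -> bool:
    """Clash semantics: DOMAIN is an exact match, DOMAIN-SUFFIX covers the apex
    and every subdomain, DOMAIN-KEYWORD is a substring, MATCH always matches."""
    if rule.kind == "DOMAIN":
        return host == rule.value
    if rule.kind == "DOMAIN-SUFFIX":
        return host == rule.value or host.endswith("." + rule.value)
    if rule.kind == "DOMAIN-KEYWORD":
        return rule.value in host
    if rule.kind == "MATCH":
        return True
    raise ValueError(f"unsupported rule type: {rule.kind}")


def route(rules: List[Rule], host: str) -> Tuple[Optional[str], Optional[Rule]]:
    """Return (outbound, rule) for the first matching rule, evaluated top to bottom."""
    host = host.lower().rstrip(".")       # normalise case and a trailing dot
    for rule in rules:
        if matches(rule, host):
            return rule.target, rule
    return None, None


def find_proxied(rules: List[Rule], must_be_direct: List[str]) -> List[str]:
    """Audit helper: hosts that should bypass the proxy but would not."""
    return [h for h in must_be_direct if route(rules, h)[0] != "DIRECT"]


if __name__ == "__main__":
    rs = parse_rules(CLASH_RULES)
    for host in ["henryjin8s.xyz", "www.henryjin8s.xyz", "blog.henryjin8s.xyz",
                 "api.cloudflare.com", "notcloudflare.com"]:
        outbound, rule = route(rs, host)
        print(f"{host:24} -> {outbound:7} via {rule.kind},{rule.value or '*'}")
    # A new subdomain of the site is still proxied, because DOMAIN is an exact
    # match: add it explicitly, or use one DOMAIN-SUFFIX rule for the site.
    print("still proxied:", find_proxied(rs, ["blog.henryjin8s.xyz"]))
```

Clash evaluates rules top to bottom and stops at the first match, so the DIRECT entries have to sit above any broader rule that would send the same hosts to the proxy. The matcher also shows why the post lists both `henryjin8s.xyz` and `www.henryjin8s.xyz`: DOMAIN is exact, so any further subdomain (say a `blog.` host) would be proxied again and hit the same loop unless it is added, or unless the two DOMAIN lines are replaced by a single `DOMAIN-SUFFIX,henryjin8s.xyz,DIRECT`.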
📊 Correct Configuration
| Aspect | Connection | Traffic |
|---|---|---|
| What | Tunnel connects to Cloudflare | Users access your site |
| Needs Proxy? | ✅ YES (GFW blocks API) | ❌ NO (already routed) |
| Configuration | cloudflared service | Clash rules |
💡 Lessons Learned
- Cloudflare API needs proxy (blocked by GFW)
- Cloudflare traffic doesn't need proxy (already routed)
- Don't proxy tunneled traffic (creates routing loop)
- Add Cloudflare to DIRECT list in Clash
- Browser cache causes confusion (clear it!)