Cloudflare Tunnel via Docker with SWAG Nginx Reverse Proxy using Subdomains in Proxy Network on Unraid

Assumed audience: You need a domain managed in the Cloudflare dashboard for any of this to work. I assume you do, and want to point it to your Unraid NAS, with SWAG as the reverse proxy.

So this is a niche topic.

My Personal Back-Story and Context That You’ll Skip

I used the old cloudflare/cloudflared Docker container configuration with a local YAML file via aeleos’s Unraid plugin. It was a very simple file, being just:

$ cat /mnt/user/appdata/cloudflared/config.yaml
tunnel: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
credentials-file: /home/nonroot/.cloudflared/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.json
ingress:
  - service: https://swag:443
    originRequest:
      noTLSVerify: true

The cloudflared container runs in my Docker proxy network, so I can reference other containers by their name – here, swag. SWAG just works for me, no complaints there.

After some years, I had some weird latencies and resolution problems in 2025. The Cloudflare page informed me about cloudflared updates, but I couldn’t figure out how to get them, and make that info box go away. So I figured, maybe I should try the more modern Unraid-Cloudflared-Tunnel, picked by Unraid staff in May last year. It sure enough has more environment variables to set, so.

Problem is, the YAML file’s ingress rule doesn’t contain a domain at all, and that’s just not possible with modern Cloudflare tunnel setups.

If you try all of this, do note:

  • the Cloudflare info box will probably not go away unless you use their web config instead of the YAML config file, no matter how much you update the Docker container;
  • you can run multiple tunnel containers at the same time during this procedure – your DNS settings determine which one wins.

So it took me a couple hours of experiments, but eventually this Reddit comment showed that wildcard settings are the way to go, and this one further down reveals that you need two (2) tunnels, not just one. That’s what made my own experiments fail!

How to Roast the Damn Chicken

Ok, here’s the recipe. Here’s what to do if you want to host services for nextcloud.example.com and other subdomains on your Unraid NAS, and want to point example.com to your NAS via the tunnel.

  • Cloudflare: In your domain’s DNS settings, delete the entry for your domain if there is one. Otherwise, the Tunnel setup can’t create an entry and will fail.
  • Cloudflare: Zero Trust > Tunnel, create a new tunnel. Pick “Cloudflared”, not the other one. Name it anything; that’s for internal use. Create two public hostnames:
    1. Add public hostname configuration: domain example.com, empty subdomain, empty path. Point it to https://swag:443. That name is resolved locally in the Docker proxy network. Enable “No TLS Verify” so SWAG can keep managing your public Let’s Encrypt certificates and you don’t have to vend certs for the local hostnames. This will add the DNS setting.
    2. Add another public hostname: subdomain *, domain example.com, empty path. Point to https://swag:443, too, and also enable “No TLS Verify”.
    3. Copy the tunnel token used for authenticating. That’s part of the “install a connector” command that you can copy; e.g. in the Docker tab, it’s at the very end:

      docker run cloudflare/cloudflared:latest tunnel --no-autoupdate run --token COPY_THIS_PART

  • Cloudflare: In your domain’s DNS settings, example.com should now have been added with a CNAME entry like XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.cfargotunnel.com. (If you want to enable your old tunnel, or another tunnel for this domain, you can replace the X’d identifier with the other tunnel’s ID. I did this back and forth for a while.)

    Subdomains should be CNAME entries pointing to the root domain example.com, aka just aliases. SWAG will use these to resolve which service to map to each request.

  • Unraid: Install the plugin; search for “Unraid-Cloudflared-Tunnel”. Put the service in the same proxy network as SWAG (and all your local services). Paste the token into TUNNEL_TOKEN. You can leave all the other settings as-is.

That’s it.
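
Why the recipe needs both public hostnames, as an added sketch that is not part of the original post and not cloudflared's own code: a simplified Python model of top-down ingress matching, in which `*.example.com` covers subdomains but not the bare `example.com`. The rule dictionaries reuse the keys from the old config.yaml above; the function names and the trailing `http_status:404` catch-all rule are assumptions of this example.

```python
# Added example: simplified model of cloudflared ingress matching (top-down, first match wins).
# Hostnames are the page's placeholders; the http_status:404 catch-all is assumed.
INGRESS = [
    {"hostname": "example.com", "service": "https://swag:443",
     "originRequest": {"noTLSVerify": True}},
    {"hostname": "*.example.com", "service": "https://swag:443",
     "originRequest": {"noTLSVerify": True}},
    {"service": "http_status:404"},
]


def host_matches(rule_host, request_host):
    """Exact match, or a '*.' wildcard matched as a suffix (never the bare domain)."""
    if not rule_host:  # a rule without hostname matches every request
        return True
    rule_host, request_host = rule_host.lower(), request_host.lower()
    if rule_host == request_host:
        return True
    if rule_host.startswith("*."):
        return request_host.endswith(rule_host[1:])  # e.g. ".example.com"
    return False


def route(ingress, request_host):
    """Return the first rule that matches the requested hostname, or None."""
    for rule in ingress:
        if host_matches(rule.get("hostname"), request_host):
            return rule
    return None


def audit(ingress):
    """Collect findings worth reviewing before the tunnel goes public."""
    findings = []
    if not ingress or ingress[-1].get("hostname"):
        findings.append("last rule is not a catch-all")
    for i, rule in enumerate(ingress[:-1]):
        if not rule.get("hostname"):
            findings.append(f"rule {i}: no hostname, shadows every rule after it")
    for i, rule in enumerate(ingress):
        if rule.get("originRequest", {}).get("noTLSVerify"):
            findings.append(f"rule {i}: origin certificate not verified ({rule['service']})")
    return findings


if __name__ == "__main__":
    for host in ("example.com", "nextcloud.example.com", "other.test"):
        print(host, "->", route(INGRESS, host)["service"])
    print(audit(INGRESS))
```

The audit flags both SWAG rules because “No TLS Verify” turns off certificate checking on the hop from cloudflared to SWAG; in this setup that hop stays inside the Docker proxy network.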

Watch the Spaceinvader One video if you want to see how to set up a tunnel and copy settings over. Spaceinvader One maps pics.my-domain.uk and nextcloud.my-domain.uk, just two subdomains with different settings, not the whole domain. So do ignore that part.