Why not just use the Cloudflare tunnel to connect directly to the services in question, rather than tunnel > npm > service, out of curiosity?

I’ve got a bunch of my services behind my tunnel, be it http or tcp services, and just point the tunnel to those services directly. Services I don’t want publicly accessible I put behind Cloudflare access which goes to my Keycloak instance for auth and then to the service if successful. Ended up getting rid of traefik as a reverse proxy entirely when I swapped to using Cloudflare tunnels.

What error messages are you getting in your tunnel’s error logs? You can view the live logs by going to Zero Trust -> Access -> Tunnels on your Cloudflare dashboard. Click on your tunnel’s name, then the connector ID, then “begin log stream”.

Or, from the command line, you can add the flag --logging DEBUG to your cloudflared application at start.

After enabling logging using either of these methods, try to load your site in your browser and see what error you’re getting.

Are you wanting to enable this setting in NPM so https addresses will work on your local network? I ask because the tunnel already encrypts the traffic outside your network. Changing your tunnel’s forwarding address from http://nginx:80 to https:nginx:443 only encrypts the traffic between the cloudflared and NPM daemons running on your computer. It really isn’t necessary since it’s internal to your server.

If that’s the reason why, did you install a certificate in NPM that’s specific for your domain?