
Cloudflare edge

Cloudflare sits in front of most *.saxobroko.com sites — SSL, WAF (block no aus), Access login for SaxDocs, and Pages for docs. Use this when the error mentions Cloudflare, 403, certificate, or Access.

CFL-001: Page shows Cloudflare error 1000 or 1016

Symptoms: Cloudflare-branded error page with a number like 1000, 1016, or "DNS resolution error."
Likely cause: DNS record missing, wrong target, or domain not on Cloudflare correctly — edge cannot find origin/tunnel.
Fix:
1. Note the exact error number and hostname.
2. Check Cloudflare DNS for that subdomain — see DNS & domains (DNS-015).
3. For homelab hosts, confirm CNAME to tunnel exists.
4. Wait five minutes after DNS fix — edge updates faster than global DNS cache.
Still broken? See Common Issues.

CFL-002: Error 502 Bad Gateway or 504 Gateway Timeout

Symptoms: Cloudflare page says bad gateway or timeout; site worked before.
Likely cause: cloudflared or the app on TrueNAS is down — Cloudflare reached the edge but not your home origin.
Fix:
1. Test https://192.168.2.203 on home LAN.
2. Restart cloudflared — Restart cloudflared.
3. Restart the specific Docker app if only one subdomain fails.
4. Check status.saxobroko.com.
Still broken? See Cloudflare tunnel (TUN-001).

CFL-003: Error 403 — blocked outside Australia

Symptoms: Cloudflare block page when opening stream, dash, vault, etc. from overseas or some VPNs.
Likely cause: block no aus WAF rule — homelab URLs are Australia-only by design.
Fix:
1. Confirm you are testing from Australia without a non-AU VPN exit.
2. Understand this is expected for homelab hosts — not a bug to "fix" while travelling unless Saxon approves.
3. Public sites (docs, status, weather, blog) should work globally — if those 403, different issue (CFL-004).
4. Do not disable block no aus casually — security risk.
Still broken? See WAF rules.

CFL-004: docs.saxobroko.com 403 but I am in Australia

Symptoms: SaxDocs blocked with 403 despite being in AU; homelab URLs may work or not.
Likely cause: docs should be excluded from block no aus — misconfiguration, wrong hostname, or Bot Fight / Access issue instead of geo block.
Fix:
1. Confirm URL is exactly docs.saxobroko.com.
2. Check WAF skip rules for docs — WAF rules.
3. Try incognito — a stale Access cookie can confuse the gate.
4. See CFL-020 for Access login loop.
Still broken? See Open docs site.

CFL-005: What is block no aus in plain English?

Symptoms: Documentation mentions block no aus; you need a simple explanation.
Likely cause: Custom WAF rule: if visitor is not from Australia, Cloudflare blocks access to most homelab subdomains.
Fix:
1. Protects Jellyfin, arr, dash, vault, dsm, etc. from random global internet.
2. Does not apply to intentionally public sites — see Public sites.
3. auth and docs have special exclusions for login worldwide.
4. New tunnel hostname must be added to the rule — WAF checklist.
Still broken? See What is Cloudflare.

CFL-006: I added a new subdomain — still 403 from Australia

Symptoms: New app URL returns 403 even on home AU internet.
Likely cause: Hostname not yet in localnet full strict ssl or WAF allow path; or wrong rule action blocking everyone.
Fix:
1. Add hostname to localnet full strict ssl configuration rule.
2. Confirm hostname is in tunnel config (not legacy DNS).
3. Review WAF custom rules for accidental "block all" on that host.
4. Wait two minutes and test incognito.
Still broken? See DNS-039 and WAF rules.

CFL-007: SSL handshake failed or ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Symptoms: Browser cannot establish secure connection to a saxobroko.com subdomain.
Likely cause: SSL mode mismatch on tunnel host — needs Full (strict) via localnet full strict ssl rule.
Fix:
1. Cloudflare → Rules → Configuration rules → localnet full strict ssl.
2. Append (http.host eq "brokenhost.saxobroko.com") to expression if missing.
3. Ensure DNS record is proxied (orange cloud).
4. Retest after five minutes.
Still broken? See CFL-010.

CFL-008: Too many redirects on login page

Symptoms: Browser says redirect loop when opening dash or docs.
Likely cause: Access + Authentik misconfiguration, or HTTP/HTTPS mismatch on tunnel origin URL.
Fix:
1. Try incognito window — clear cookies for saxobroko.com.
2. Confirm tunnel service URL uses correct scheme (http vs https) for internal app.
3. For docs/dash, see Authentik troubleshooting.
4. Do not put auth.saxobroko.com behind Access (login loop).
Still broken? See Login troubleshooting.

CFL-009: Cloudflare Access login page never appears for docs

Symptoms: docs loads public content without login, or shows wrong page — expected Access gate missing.
Likely cause: Access application misconfigured or bypass rule too broad — SaxDocs should use Access + Authentik.
Fix:
1. Zero Trust → Access → Applications → verify docs.saxobroko.com app exists.
2. Confirm identity provider is Authentik OIDC — Authentik.
3. Test incognito from AU.
4. See Disable Access temporarily only if Saxon authorised emergency access.
Still broken? See Open docs site.

CFL-010: Certificate expired or not trusted on homelab subdomain

Symptoms: Browser warns certificate invalid for stream.saxobroko.com or similar proxied host.
Likely cause: Rare on proxied Cloudflare hosts — usually DNS-only (grey cloud) or origin cert issue on misconfigured host.
Fix:
1. Cloudflare DNS → confirm record is proxied orange.
2. Add host to localnet full strict ssl.
3. Universal SSL at Cloudflare edge should auto-cover saxobroko.com — check SSL/TLS → Edge certificates active.
4. If grey-clouded, re-enable proxy unless Saxon exception.
Still broken? See WAF rules.

CFL-011: Bot Fight Mode broke Cloudflare Access login

Symptoms: JS challenge or bot check instead of Authentik login; Access handshake fails.
Likely cause: Bot Fight Mode must stay OFF — it cannot be bypassed for Access OIDC.
Fix:
1. Cloudflare → Security → disable Bot Fight Mode for saxobroko.com zone.
2. Also check Zero Trust → Settings → Network if enabled there.
3. Retest docs/dash login in incognito.
4. Leave Bot Fight off if using Access + Authentik.
Still broken? See Authentik.

CFL-012: Under Attack Mode accidentally enabled

Symptoms: Every visitor sees interstitial "Checking your browser" even in Australia on trusted devices.
Likely cause: I'm Under Attack Mode enabled zone-wide — overkill for homelab.
Fix:
1. Cloudflare dashboard → Overview or Security → set to Low or Essentially off unless active attack.
2. Retest homelab URLs.
3. Document why it was enabled before turning off.
4. Prefer block no aus for geo restriction instead.
Still broken? See WAF rules.

CFL-013: Cloudflare challenge loop — keeps asking to verify human

Symptoms: Repeated CAPTCHA or JS challenge; never reaches app.
Likely cause: Bot Fight, high security level, or VPN IP flagged — overlaps with CFL-011.
Fix:
1. Disable Bot Fight Mode (CFL-011).
2. Disable VPN and retry from clean AU home connection.
3. Lower security level temporarily for test only.
4. Check WAF custom rules for "managed challenge" on that host.
Still broken? See Cloudflare account access.

CFL-014: How do I log into Cloudflare dashboard safely?

Symptoms: Need to change WAF or DNS; unsure login steps with YubiKey.
Likely cause: Cloudflare account protected with hardware 2FA — credentials in Vaultwarden.
Fix:
1. Follow Cloudflare account access.
2. Have YubiKey ready — desk YubiKey.
3. Select saxobroko.com zone after login.
4. Never paste API keys into tickets or SaxDocs.
Still broken? See YubiKey.

CFL-015: WAF rule blocked me by mistake in Australia

Symptoms: 403 from AU IP on homelab URL that should work.
Likely cause: Overly broad custom WAF rule, country detection glitch, or corporate VPN exit outside AU.
Fix:
1. Disable VPN completely and retry on home NBN.
2. Cloudflare → Security → Events — find block reason for your request.
3. Adjust rule only if false positive confirmed — do not delete block no aus entirely.
4. Note rule ID and timestamp for Saxon.
Still broken? See Common Issues.

CFL-016: Security Events show thousands of blocks — is that bad?

Symptoms: Cloudflare analytics show many blocked requests; worry homelab is under attack.
Likely cause: Normal internet background noise — bots scan every domain; block no aus blocks most non-AU probes.
Fix:
1. No action needed if services work for you in AU.
2. Review events for targeted spikes only if services degrade.
3. Do not enable Under Attack Mode for noise alone (CFL-012).
4. Focus on actual user-visible outages.
Still broken? See Monitoring.

CFL-017: auth.saxobroko.com must not use Cloudflare Access

Symptoms: Login loop when Authentik itself is behind Access.
Likely cause: auth is the identity provider — putting it behind Access creates chicken-and-egg loop.
Fix:
1. Zero Trust → Access → ensure no Access app on auth.saxobroko.com.
2. Keep geo exclusions so OIDC callbacks work worldwide — WAF.
3. Protect individual apps (dash, docs) with Access instead.
4. See Authentik.
Still broken? See CFL-008.

CFL-018: dash.saxobroko.com asks for Authentik login every time

Symptoms: Homepage dashboard requires full login repeatedly; session does not stick.
Likely cause: Browser blocking cookies, incognito use, or Access session duration set short — may be intentional security.
Fix:
1. Use normal (not private) browser window if household policy allows.
2. Allow cookies for *.saxobroko.com.
3. Complete Authentik + YubiKey login once per session — Login troubleshooting.
4. Do not disable Access without Saxon.
Still broken? See Homepage for beginners.

CFL-019: vault.saxobroko.com blocked by WAF when travelling

Symptoms: Cannot reach password vault abroad — 403 Cloudflare page.
Likely cause: Vaultwarden is homelab host under block no aus — AU-only by design.
Fix:
1. Expected abroad unless Saxon added exception — plan ahead with offline vault cache on phone.
2. Bitwarden apps may still serve cached vault if already logged in — test before trip.
3. Do not weaken geo block for convenience without risk acceptance.
4. auth and docs differ — see WAF exclusions list.
Still broken? See Open Vaultwarden.

CFL-020: Authentik login page shows but YubiKey step fails

Symptoms: Cloudflare Access redirects to Authentik; WebAuthn/YubiKey prompt errors.
Likely cause: Wrong YubiKey, browser permission, or Bot Fight interfering — not DNS.
Fix:
1. Use supported browser (Chrome/Firefox recent).
2. Confirm Bot Fight off (CFL-011).
3. Try portable YubiKey procedure — portable YubiKey.
4. Fall back to documented backup auth if Saxon configured.
Still broken? See What is 2FA.

CFL-021: Zero Trust vs regular Cloudflare dashboard — which to use?

Symptoms: Confusion between orange Cloudflare site menu and Zero Trust for tunnels/Access.
Likely cause: Websites → saxobroko.com for DNS/WAF/SSL; Zero Trust for Tunnels, Access apps, cloudflared tokens.
Fix:
1. DNS/WAF/SSL → standard dashboard.
2. Tunnel hostname edits → Zero Trust → Networks → Tunnels.
3. Access login apps → Zero Trust → Access → Applications.
4. Same account login with YubiKey for both.
Still broken? See Cloudflare.

CFL-022: Page Rules or Redirect Rules conflict

Symptoms: Unexpected redirect from one subdomain to another; old marketing redirect breaks app.
Likely cause: Legacy Redirect Rules or Page Rules still active from earlier site layout.
Fix:
1. Cloudflare → Rules → Redirect Rules and Page Rules — list all.
2. Match failing hostname — disable suspect rule temporarily.
3. Test incognito.
4. Document change before permanent delete.
Still broken? See DNS & domains.

CFL-023: Always Use HTTPS breaks internal HTTP origin

Symptoms: Redirect errors for tunnel pointing at http://192.168.2.203:PORT.
Likely cause: Edge Always Use HTTPS is fine — origin can stay HTTP behind tunnel; issue usually wrong internal URL scheme in tunnel config.
Fix:
1. Tunnel public hostname → service type HTTP to internal port unless app requires HTTPS locally.
2. Do not disable Always Use HTTPS zone-wide without reason.
3. Fix tunnel mapping — TUN-012.
4. Retest after cloudflared restart.
Still broken? See cloudflared.

CFL-024: Cloudflare caching broke dynamic app (Sonarr/Radarr)

Symptoms: Stale UI or API weirdness on arr apps through public URL.
Likely cause: Cloudflare caching dynamic admin UIs — should bypass cache for homelab apps.
Fix:
1. Cloudflare → Caching → Configuration — consider standard cache for homelab (often fine at default).
2. Add Cache Rule bypass for admin subdomains if Saxon documented.
3. Hard refresh browser Ctrl+Shift+R.
4. Prefer LAN IP for heavy admin work when home.
Still broken? See arr stack.

CFL-025: WebSockets fail through Cloudflare (real-time apps)

Symptoms: Live features hang; Jellyfin or other apps fail on public URL but LAN OK.
Likely cause: Tunnel supports WebSockets by default — failure is usually the origin app or a timeout, not the WAF.
Fix:
1. Confirm cloudflared running latest on TrueNAS.
2. Test same feature on LAN direct IP.
3. Check Cloudflare Network → WebSockets enabled (default on).
4. See Cloudflare tunnel (TUN-030).
Still broken? See Media won't play.

CFL-026: Rate limiting blocked my home IP

Symptoms: 429 or block after many refreshes during troubleshooting.
Likely cause: Temporary Cloudflare rate limit or WAF throttle from rapid testing.
Fix:
1. Stop hammering refresh for five minutes.
2. Check Security Events for rate limit rule.
3. Test from phone on mobile data (different IP) once.
4. Saxon can allowlist home IP if recurring — rare for homelab.
Still broken? See CFL-015.

CFL-027: saxobroko.com apex homepage works — homelab subdomains do not

Symptoms: Main personal site on Pages loads; tunnel subdomains fail.
Likely cause: Pages and tunnel are separate paths — apex OK does not imply cloudflared OK.
Fix:
1. Run TUN-001 tunnel checklist.
2. Do not conflate Pages deploy status with TrueNAS health.
3. Check status.saxobroko.com for homelab monitors.
4. LAN test 192.168.2.203.
Still broken? See Network general (NET-016).

CFL-028: Cloudflare Pages build failed for docs.saxobroko.com

Symptoms: SaxDocs shows old content or deploy error email from Cloudflare Pages.
Likely cause: GitHub push failed CI, MkDocs build error, or Pages project disconnected — unrelated to TrueNAS tunnel.
Fix:
1. Cloudflare → Workers & Pages → SaxDocs project → Deployments → read build log.
2. Fix GitHub/MkDocs error if you have repo access — see SaxDocs FAQ when available.
3. Successful deploy auto-updates docs — no tunnel restart needed.
4. Custom domain must stay bound to project (DNS-012).
Still broken? See Open docs site.

CFL-029: docs shows Access login but Authentik error after

Symptoms: Cloudflare Access gate passes; Authentik returns error or invalid client.
Likely cause: OIDC client misconfiguration between Access and Authentik — not Pages build.
Fix:
1. Verify Authentik provider URLs match auth.saxobroko.com.
2. Confirm Bot Fight off (CFL-011).
3. See Authentik app providers.
4. Do not change auth DNS while debugging.
Still broken? See Authentik.

CFL-030: Difference between Pages SSL and tunnel SSL

Symptoms: Confusion why docs SSL "just works" but new tunnel host needs extra rule.
Likely cause: Pages terminates SSL at edge automatically; tunnel origins need Full (strict) config rule for homelab hostnames.
Fix:
1. docs → Pages custom domain — no localnet rule needed on origin.
2. stream/dash/etc. → add to localnet full strict ssl.
3. Both show valid browser padlock when correct.
4. Read WAF rules.
Still broken? See CFL-007.

CFL-031: Temporary disable geo block for debugging

Symptoms: Saxon authorised short test without block no aus while abroad.
Likely cause: Emergency debugging only — must re-enable after.
Fix:
1. Follow Disable Access temporarily pattern for WAF — edit block no aus rule action or add skip with expiry note.
2. Document start/end time in private notes.
3. Re-enable AU block immediately after test.
4. Never leave homelab open globally by accident.
Still broken? See WAF rules.

CFL-032: Cloudflare API token needed for automation

Symptoms: Script or CI asks for API token; you only have dashboard login.
Likely cause: Tokens stored in Vaultwarden separately — not same as password login.
Fix:
1. Search Vaultwarden for Cloudflare API — use existing token if documented.
2. Do not create new tokens without Saxon — old integrations may break.
3. Never commit tokens to GitHub or SaxDocs.
4. Rotate if accidentally exposed.
Still broken? See GitHub if Saxon dies.

CFL-033: Email obfuscation or Cloudflare Email Routing

Symptoms: Questions about email addresses on saxobroko.com vs homelab outages.
Likely cause: Email routing is separate from tunnel/WAF — outage unrelated unless MX records deleted.
Fix:
1. Homelab down does not stop email unless MX broken (DNS-017).
2. Check MX records before blaming tunnel.
3. See registrar/Cloudflare email settings if mail-specific issue.
4. Focus CFL FAQs on web apps unless mail explicitly fails.
Still broken? See DNS-017.

CFL-034: weather.saxobroko.com and status.saxobroko.com — Cloudflare role?

Symptoms: Unsure if WAF rules on saxobroko.com zone affect external status/weather hosts.
Likely cause: DNS names in zone may still pass through Cloudflare proxy depending on record — usually public, not geo-blocked like homelab hosts.
Fix:
1. Read Public sites and Monitoring.
2. These are not TrueNAS tunnel apps — different failure modes.
3. Use status to diagnose homelab — not vice versa.
4. 403 abroad on status would be unusual — investigate separately.
Still broken? See Check status page.

CFL-035: Deployed SaxDocs change not visible on docs.saxobroko.com

Symptoms: Git push succeeded; live site shows old FAQ or missing page.
Likely cause: Pages deploy lag, browser cache, or build from wrong branch.
Fix:
1. Cloudflare Pages → latest deployment → confirm Success timestamp.
2. Hard refresh or incognito.
3. Confirm production branch matches GitHub default.
4. Access login may cache redirects — clear cookies if navigation broken only.
Still broken? See CFL-028.

CFL-036: Mixed content warnings on public site

Symptoms: Browser blocks HTTP assets on HTTPS saxobroko.com page.
Likely cause: Old embedded http:// links in markdown or homepage — not tunnel issue.
Fix:
1. Fix source content to use https:// links.
2. Redeploy Pages project.
3. Homelab apps should always be accessed via https:// public URLs.
4. Not fixed by UniFi changes.
Still broken? See Public sites.

CFL-037: Cloudflare Access policy — who can log into docs?

Symptoms: Family member denied Access to SaxDocs though they have Authentik account.
Likely cause: Access policy email/group list does not include them — separate from Authentik user existing.
Fix:
1. Zero Trust → Access → Applications → docs app → Policies.
2. Add user email or group per Saxon's handover plan.
3. Also ensure Authentik user exists — Add Authentik user.
4. Test incognito with their account.
Still broken? See Handover.

CFL-038: Firewall rule on Cloudflare blocked API webhook

Symptoms: External service cannot callback to homelab URL; 403 in Cloudflare logs.
Likely cause: block no aus blocks non-AU webhook sources — integration must use AU endpoint or exemption.
Fix:
1. Identify webhook source country in Security Events.
2. Saxon may add WAF skip for specific path/host — not DIY for beginners.
3. Prefer LAN-only integrations where possible.
4. Document which apps need global webhooks.
Still broken? See WAF rules.

CFL-039: Cloudflare outage — all saxobroko.com down globally

Symptoms: Cloudflare status page reports incident; every proxied site fails together.
Likely cause: Rare Cloudflare edge/platform outage — homelab LAN may still work locally.
Fix:
1. Check cloudflarestatus.com.
2. Use LAN IPs at home (192.168.2.203) while waiting.
3. Do not reboot TrueNAS repeatedly for Cloudflare-side outage.
4. Retry public URLs when Cloudflare clears incident.
Still broken? See External Cloudflare when site down.

CFL-040: HSTS or certificate pinning confusion

Symptoms: Browser refuses to let you bypass cert warning on test subdomain.
Likely cause: Valid Cloudflare certs should not trigger this — if they do, fix SSL config not bypass HSTS.
Fix:
1. Fix root SSL issue (CFL-010) — do not hack browser exceptions for production hosts.
2. Enable HSTS only when stable — Saxon managed.
3. Test with curl -I https://host if comfortable or ask Saxon.
4. Use incognito for clean test.
Still broken? See CFL-007.

CFL-041: New family member needs Access to dash and docs

Symptoms: Ryan or family needs login to homepage and SaxDocs from their phone.
Likely cause: Needs Authentik account + Access policy + YubiKey/handover credentials per Saxon's plan.
Fix:
1. Create Authentik user — Add user guide.
2. Add to Cloudflare Access policies for dash and docs apps.
3. Train on Vaultwarden and YubiKey if issued.
4. Test from their device on AU network.
Still broken? See Handover who gets what.

CFL-042: Checked Cloudflare edge — still broken

Symptoms: WAF, SSL, Access, Pages all seem fine; user-visible error persists.
Likely cause: Problem is tunnel or app layer below Cloudflare — escalate with error code and timestamp.
Fix:
1. Collect: exact URL, error code (403/502/525), AU or abroad, LAN works Y/N.
2. Run Cloudflare tunnel (TUN-040) full checklist.
3. Restart cloudflared once — not ten times.
4. See Common Issues before destructive changes.
Still broken? See FAQ overview.
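An added triage helper for the curl -I check in CFL-040 and the "collect the error code" step here in CFL-042; this is example code, not SaxDocs' own tooling. It assumes curl is installed, keys off headers Cloudflare publicly documents (cf-ray, cf-mitigated), and the sample header block at the bottom is constructed, not a real capture.

```shell
#!/bin/sh
# Example triage helper (not part of SaxDocs). Reads the response headers
# from a saxobroko.com URL and says which Cloudflare layer answered, so the
# right CFL entry can be followed. Assumes curl is installed.

# classify_cf_headers: raw header block on stdin -> one line "<layer> <hint>".
# Keys off headers Cloudflare sends on edge responses: cf-ray (the edge
# answered at all) and cf-mitigated: challenge (a challenge, not a plain block).
classify_cf_headers() {
    headers=$(tr -d '\r')
    status=$(printf '%s\n' "$headers" | awk 'NR==1 {print $2}')
    cfray=$(printf '%s\n' "$headers" | grep -ic '^cf-ray:' || true)
    mitigated=$(printf '%s\n' "$headers" \
        | awk -F': *' 'tolower($1)=="cf-mitigated" {print tolower($2)}')
    if [ "$cfray" -eq 0 ]; then
        echo "no-edge Not answered via Cloudflare: check record is proxied, orange cloud (CFL-010)"
        return 0
    fi
    case "$status" in
        403)
            if [ "$mitigated" = "challenge" ]; then
                echo "challenge Edge served a challenge: Bot Fight or security level (CFL-011, CFL-013)"
            else
                echo "waf Edge blocked the request: block no aus or custom WAF rule (CFL-003, CFL-015)"
            fi ;;
        429) echo "ratelimit Rate limited at the edge (CFL-026)" ;;
        502|504) echo "origin Edge reached, origin or cloudflared not answering (CFL-002)" ;;
        52[0-9]) echo "ssl Edge-to-origin failure such as 525/526 SSL (CFL-007, CFL-010)" ;;
        30[1278]) echo "redirect Redirect from edge: Always Use HTTPS or rules (CFL-008, CFL-022)" ;;
        2[0-9][0-9]) echo "ok Edge and origin both answered" ;;
        *) echo "unknown Status $status: record URL, code and timestamp (CFL-042)" ;;
    esac
}

# check_host: fetch headers for a URL and classify them, e.g.
#   check_host https://stream.saxobroko.com
check_host() {
    curl -sSI --max-time 10 "$1" | classify_cf_headers
}

# Constructed sample (not a real capture): what a block no aus 403 looks like.
SAMPLE_WAF_BLOCK='HTTP/2 403
content-type: text/html; charset=UTF-8
server: cloudflare
cf-ray: 0000000000000000-SYD'
```

Run check_host against the failing URL from both an AU connection and LAN, and put the one-line result next to the URL and timestamp you hand to Saxon.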