Introduction

A Cloudflare Tunnel 502 usually means Cloudflare can reach the tunnel edge, but the tunnel connector cannot successfully reach the local service behind it. That often points to a service binding problem, wrong local port, stopped connector, or hostname mapping error rather than a public DNS issue. The fix is to validate the chain from Cloudflare hostname to tunnel to local origin service.

Symptoms

  • A hostname behind Cloudflare Tunnel returns 502 Bad Gateway
  • The tunnel shows connected, but requests still fail
  • Local services work on the server directly while tunneled access breaks
  • Only one application or hostname behind the tunnel is affected
  • The issue started after changing local ports, ingress rules, or connector hosts

Common Causes

  • The tunnel ingress rule points to the wrong local service URL or port
  • The service behind the tunnel is stopped, moved, or listening on a different interface
  • The cloudflared connector is running, but it cannot reach the local origin process
  • Hostname routing in the tunnel config no longer matches the intended public hostname
  • TLS expectations between the tunnel connector and origin service are mismatched

Step-by-Step Fix

  1. Identify the exact hostname and local service that should be served through the tunnel.
  2. Confirm the tunnel connector is healthy and associated with the correct tunnel and account.
  3. Review the tunnel ingress configuration and verify the service target matches the actual local URL, port, and protocol.
  4. Test the origin service directly from the machine running cloudflared to make sure the app responds locally.
  5. Check whether the origin process is bound to a different interface, port, or container network than the one the tunnel targets.
  6. Inspect connector logs for connection refused, timeout, TLS, or hostname-matching errors.
  7. Reload or restart the connector only after the service target and local application are aligned.
  8. Re-test the public hostname and confirm requests now traverse the tunnel successfully to the intended origin.
  9. Keep tunnel ingress definitions versioned and tied to service deployment changes so local port moves do not silently break public access.
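
Steps 3 to 5 can be scripted. The following is an added example, not part of the original article or Cloudflare's tooling: it reads the hostname/service pairs from a cloudflared-style ingress config and tries a TCP connection to each http(s) origin from the connector host. It assumes the common config.yml ingress layout and uses a minimal reader rather than a full YAML parser; the sample hostname and port are constructed.

```python
import socket
from urllib.parse import urlsplit

# Constructed sample config; hostname and port are placeholders.
SAMPLE_CONFIG = """\
ingress:
  - hostname: app.example.com
    service: http://127.0.0.1:8080
  - service: http_status:404
"""

def parse_ingress(text):
    """Read hostname/service pairs under `ingress:` (minimal reader, not full YAML)."""
    rules, in_ingress = [], False
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        if line and not line.startswith((" ", "-")):    # top-level key
            in_ingress = line == "ingress:"
        elif in_ingress and (item := line.strip()):
            if item.startswith("- "):                    # start of a new rule
                rules.append({"hostname": None, "service": None})
                item = item[2:].strip()
            key, _, value = item.partition(":")
            if rules and key in rules[-1]:               # ignore nested options
                rules[-1][key] = value.strip().strip("'\"")
    return rules

def probe(service, timeout=3.0):
    """TCP-connect to an http(s) origin from this host and classify the outcome."""
    url = urlsplit(service or "")
    if url.scheme not in ("http", "https") or not url.hostname:
        return "skipped"        # http_status:404 catch-all, unix sockets, etc.
    port = url.port or (443 if url.scheme == "https" else 80)
    try:
        with socket.create_connection((url.hostname, port), timeout=timeout):
            return "listening"
    except ConnectionRefusedError:
        return "refused"        # nothing bound on that address and port
    except socket.timeout:
        return "timeout"        # filtered, or a different interface/network
    except OSError as exc:
        return f"error: {exc}"

def check_config(text):
    return [(r["hostname"] or "(catch-all)", r["service"], probe(r["service"]))
            for r in parse_ingress(text)]

if __name__ == "__main__":
    for row in check_config(SAMPLE_CONFIG):
        print(*row, sep="\t")
```

Run it on the machine where cloudflared runs, passing that host's config text to check_config. A "refused" or "timeout" row corresponds to the binding and reachability problems in steps 4 and 5; a "listening" row only shows that the port accepts connections, so protocol and TLS mismatches still need the connector logs from step 6.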