by piaste 1587 days ago
It's not obvious to me from the blog post where TLS termination happens in this scenario.

I would want it to happen on my local machine, so that (a) Cloudflare can't read my plaintext traffic, and (b) I can manage subdomain certificates more easily via Caddy.

Is that possible with the cheapo free tunnels or does Cloudflare want to handle the domain and TLS certificates, too?


All this changes is how CF connects to the server. Like the rest of CF, outside of using Spectrum Enterprise (which enables TCP 443 tunneling), CF removes TLS at their servers and inspects the traffic so all of its caching/firewall/etc. features can be applied. It does add it back when talking to a tunnel, so it's not plaintext on the wire.
Thank you. Yes, I assumed that the tunnel was encrypted, but I was interested in using Cloudflare only as an untrusted reverse proxy / bastion server in front of my personal homeserver, no traffic inspection or caching or anything else.

Your comment and u/pedrogpimenta's give very different answers, I guess I'll need to verify for myself.
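One way to settle the question empirically, as an added example that is not part of any comment in this thread: compare the SHA-256 fingerprint of the leaf certificate a client is shown for the public hostname with the fingerprint of the certificate the origin (e.g. Caddy) actually holds. If they match, the TLS session terminates at the origin; if they differ, something in between (here, the Cloudflare edge) terminated it and re-encrypted. This uses only the Python standard library; the hostname, port and origin PEM path are assumptions passed on the command line, and the "certificates" in the offline demo are constructed byte blobs wrapped in PEM markers, because the fingerprint comparison never parses the certificate body.

```python
import base64
import hashlib
import socket
import ssl
import sys


def fingerprint_pem(pem: str) -> str:
    """SHA-256 fingerprint (hex) of the DER encoding of a PEM certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def fetch_leaf_cert_pem(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Open a TLS connection to host:port with SNI and return the leaf cert as PEM.

    Whoever terminates TLS for this hostname is the party whose certificate comes back.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


def termination_point(edge_pem: str, origin_pem: str) -> str:
    """Classify where TLS terminates by comparing leaf certificate fingerprints.

    Returns "origin" when the certificate seen by the client is byte-for-byte the
    origin's own certificate, and "intermediary" when a proxy presented a different one.
    """
    if fingerprint_pem(edge_pem) == fingerprint_pem(origin_pem):
        return "origin"
    return "intermediary"


def constructed_pem(payload: bytes) -> str:
    """Wrap arbitrary bytes in PEM markers (constructed stand-in for a real cert,
    used only so the comparison logic can be exercised offline)."""
    body = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def main(argv: list) -> int:
    # Usage: python check_tls_termination.py <hostname> <origin-cert.pem> [port]
    if len(argv) < 3:
        print("usage: check_tls_termination.py <hostname> <origin-cert.pem> [port]")
        return 2
    host, origin_path = argv[1], argv[2]
    port = int(argv[3]) if len(argv) > 3 else 443
    with open(origin_path, "r", encoding="ascii") as fh:
        origin_pem = fh.read()
    edge_pem = fetch_leaf_cert_pem(host, port)
    print("client sees :", fingerprint_pem(edge_pem))
    print("origin holds:", fingerprint_pem(origin_pem))
    print("TLS terminates at:", termination_point(edge_pem, origin_pem))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Point it at the proxied hostname and the certificate file Caddy obtained for that name; a report of "intermediary" is exactly the situation the comment above describes (the edge holds its own certificate and re-encrypts to the tunnel), while "origin" means end-to-end termination on your machine. The fingerprint check is deliberately strict: a different certificate for the same name, even one that validates fine, still means a different party is terminating.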

Cloudflare Tunnel doesn't offer an end-to-end encryption option. If this is a must for you, my own boringproxy and remotemoe[0] both offer this. I'm sure at least a couple of others on the list[1] do as well, but you'd have to check them individually. If you find any that do, please consider opening an issue so I can add that information to the list.

[0]: https://github.com/fasmide/remotemoe

[1]: https://github.com/anderspitman/awesome-tunneling

You can do both or even no TLS if you want. It's easy to choose that in the domain preferences (it's only per domain, AFAIK).