Hapi Advanced: High-Speed Tunnel with Cloudflare Preferred IP
No public IP? Use Cloudflare preferred IP routing to build a faster tunnel.
- Use case: Cloudflare Tunnel is configured, but access is slow or latency is high.
- Solution: use Cloudflare for SaaS plus a preferred IP service to avoid congested routes.
- Prerequisites: basic Hapi setup is complete, and you have two domains.
Video Tutorial
Recommended
No public IP? Cloudflare preferred IP high-speed tunnel - Bilibili
The video demonstrates the full configuration process. Watch it before configuration if possible.
What Problem Are You Solving?
Pain Points of Default Tunnel
When you directly bind a domain through Cloudflare Tunnel:
- Cloudflare Anycast IPs may route through distant regions
- Some carriers may apply QoS throttling, causing slow access
- Latency can reach hundreds of milliseconds and hurt the experience
Benefits of Preferred IP Routing
With this setup:
- Traffic is guided through more network-friendly edge nodes, such as Hong Kong or Singapore
- Access speed improves significantly, with latency often reduced to tens of milliseconds
- It can be done for free with Cloudflare enterprise-grade features
- Routing is more stable and can switch to a better route automatically
Speed Improvement
Preferred IP routing can noticeably reduce latency and make page loading smoother.
How It Works
Traffic Flow
When a user visits your domain, traffic flows like this:
User browser
↓
DNS lookup: hapi.justdo.xin
↓
CNAME -> cdn.ttdk.fun
↓
CNAME -> isp.qzz.io (preferred IP scheduler)
↓
Returns the best Cloudflare IP based on the user's carrier
↓
Cloudflare edge node, identified by Host header
↓
SaaS route: hapi.justdo.xin -> hapi.ttdk.fun
↓
Cloudflare Tunnel
↓
Your local server localhost:3006
Note
isp.qzz.io acts as a community-maintained scheduler that selects a better Cloudflare route based on your network.
Core Concepts
- Preferred IP scheduler: isp.qzz.io tests and returns a faster Cloudflare CDN node for the current network
- Cloudflare for SaaS: Custom Hostnames separate the user-facing domain from the tunnel domain
- Chained DNS resolution: CNAME chains guide requests to the preferred IP while preserving correct Cloudflare domain recognition
About the Scheduler
isp.qzz.io is a community-maintained Cloudflare preferred IP scheduling service. You can visit it for more information and usage notes.
Configuration Steps
Preparation
Prepare:
- Primary domain: the user-facing address, such as hapi.justdo.xin
- Secondary domain: used to host the Cloudflare Tunnel, such as ttdk.fun
- Both domains must be managed by Cloudflare
Important
- The primary and secondary domains cannot be the same domain
- The secondary domain must be owned by you
- Both domains must be managed on Cloudflare
Step 1: Configure Cloudflare Tunnel on the Secondary Domain
On the secondary domain, such as ttdk.fun, configure the tunnel:
- Sign in to Cloudflare and choose the secondary domain
- Go to Zero Trust -> Access -> Tunnels
- Create a tunnel and install cloudflared
- Configure the public hostname:
  - Subdomain: hapi
  - Domain: ttdk.fun
  - Service: http://localhost:3006
After this, hapi.ttdk.fun should be able to access your Hapi service.
Step 2: Enable Cloudflare for SaaS on the Secondary Domain
On the secondary domain, such as ttdk.fun, enable SaaS:
- Open the Cloudflare dashboard
- Choose ttdk.fun
- Go to SSL/TLS -> Custom Hostnames
- Click Add Custom Hostname
- Fill in:
  - Custom Hostname: hapi.justdo.xin
  - Wildcard: unchecked
- Click Add Custom Hostname
Tip
Cloudflare generates 2 TXT verification records. Keep them for the next step.
Step 3: Configure DNS on the Primary Domain
In the primary domain's DNS settings, such as justdo.xin, add these records.
3.1 Add SSL Verification Records
Copy the 2 TXT records generated in step 2:
| Type | Name | Content | Proxy status |
|---|---|---|---|
| TXT | _acme-challenge.hapi | xxxxxxxxxx, copied from SaaS page | DNS only |
| TXT | _acme-challenge.hapi | yyyyyyyyyy, copied from SaaS page | DNS only |
3.2 Add CNAME Records
| Type | Name | Target | Proxy status |
|---|---|---|---|
| CNAME | cdn | isp.qzz.io | DNS only |
| CNAME | hapi | cdn.justdo.xin | DNS only |
Key Point
Proxy must be disabled for these records. If Cloudflare proxy is enabled, the DNS resolution chain breaks and preferred IP routing will not work.
Step 4: Configure Fallback Origin on the Secondary Domain
In the DNS settings for ttdk.fun:
| Type | Name | Target | Proxy status |
|---|---|---|---|
| CNAME | hapi | [your-tunnel-id].cfargotunnel.com | Proxied |
Tip
This record is usually generated automatically when creating the tunnel. Make sure it is proxied.
Step 5: Wait for SSL Certificate Activation
- Return to SSL/TLS -> Custom Hostnames for the secondary domain
- Check the status of hapi.justdo.xin
- Wait a few minutes until it becomes Active
Be Patient
Certificate issuance usually takes 5 to 15 minutes. If it is still pending after 30 minutes, check whether TXT records were added correctly.
Verify Configuration
Access Test
Open https://hapi.justdo.xin in a browser.
If Hapi opens normally, configuration succeeded.
Speed Test
Compare with ping or another speed test tool.
Before optimization:
ping hapi.ttdk.fun
# Latency is often 200-500ms
After optimization:
ping hapi.justdo.xin
# Latency is often 20-100ms
Role Summary
| Role | Example domain | Purpose |
|---|---|---|
| Primary domain | hapi.justdo.xin | Final user-facing address |
| Secondary domain | hapi.ttdk.fun | Fallback origin that carries the tunnel |
| Preferred IP scheduler | isp.qzz.io | Returns a better Cloudflare path |
| Intermediate domain | cdn.justdo.xin | Points the primary domain to the preferred IP pool |
Troubleshooting
SSL certificate remains Pending
Possible causes:
- TXT records are wrong or not propagated
- DNS propagation is not complete
Solutions:
- Use a DNS checker to verify TXT records
- Wait for global DNS propagation, up to 24 hours
- Re-add the Custom Hostname
526 Error
Possible causes:
- The hapi record on the secondary domain is not proxied
- Tunnel is not configured correctly
Solutions:
- Ensure the hapi.ttdk.fun record is proxied
- Check whether the tunnel is running normally
Access Is Still Slow
Possible causes:
- CNAME records on the primary domain are proxied
- DNS resolution chain is broken
Solutions:
- Ensure hapi.justdo.xin and cdn.justdo.xin are DNS-only
- Use nslookup to check whether the DNS chain is complete
Advanced Optimization
Self-Host a Preferred IP Service
For maximum stability:
- Use CloudflareSpeedTest locally
- Choose the best IP manually
- Create your own preferred-IP domain instead of isp.qzz.io
Multi-Carrier Optimization
Configure different preferred paths for carriers:
- China Telecom users: cdn-ct.yourdomain.com
- China Unicom users: cdn-cu.yourdomain.com
- China Mobile users: cdn-cm.yourdomain.com
Use intelligent DNS or GeoDNS to return different CNAME records by carrier.
Resources
- Cloudflare for SaaS docs
- Cloudflare Tunnel docs
- isp.qzz.io - preferred IP scheduler
- Video tutorial: Cloudflare preferred IP setup
Security Notes
- Do not leak your tunnel token
- Check Custom Hostnames configuration regularly
- isp.qzz.io is community-maintained and not official. You can self-host instead
- Use Cloudflare Access to restrict access sources where appropriate
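The DNS-chain check from "Access Is Still Slow" and the note above that isp.qzz.io is not an official service can be combined into one audit. The following is an added example, not part of the original guide: it parses `dig +noall +answer` output, confirms the CNAME chain from step 3.2, and flags any returned address outside Cloudflare's published IPv4 ranges. The sample answers are constructed, the range list is a snapshot to refresh, and `parse_answer` and `audit` are names introduced here.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges (assumption: refresh before use).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22")]

# CNAME chain configured in step 3.2 of this page.
EXPECTED_CHAIN = ["hapi.justdo.xin", "cdn.justdo.xin", "isp.qzz.io"]

# Constructed `dig +noall +answer hapi.justdo.xin` output, not a real capture.
SAMPLE_OK = """\
hapi.justdo.xin. 300 IN CNAME cdn.justdo.xin.
cdn.justdo.xin. 300 IN CNAME isp.qzz.io.
isp.qzz.io. 60 IN A 104.16.1.1
isp.qzz.io. 60 IN A 172.64.2.2
"""
SAMPLE_OFFNET = SAMPLE_OK.replace("172.64.2.2", "203.0.113.7")  # non-Cloudflare IP

def parse_answer(text):
    """Return ({owner: cname_target}, [A-record addresses]) from dig answer lines."""
    cnames, addrs = {}, []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue  # skip blanks, comments and malformed lines
        name, rtype, data = f[0].rstrip(".").lower(), f[3], f[4].rstrip(".")
        if rtype == "CNAME":
            cnames[name] = data.lower()
        elif rtype == "A":
            addrs.append(ipaddress.ip_address(data))
    return cnames, addrs

def audit(text, expected=EXPECTED_CHAIN):
    """List findings: broken CNAME chain, or answers outside Cloudflare's ranges."""
    cnames, addrs = parse_answer(text)
    chain = [expected[0]]
    while chain[-1] in cnames and len(chain) <= len(cnames):  # bounded: no loops
        chain.append(cnames[chain[-1]])
    findings = []
    if chain[:len(expected)] != expected:
        findings.append("chain mismatch: " + " -> ".join(chain))
    if not addrs:
        findings.append("no A records returned")
    findings += [f"{ip} is outside Cloudflare ranges" for ip in addrs
                 if not any(ip in net for net in CLOUDFLARE_V4)]
    return findings
```

A proxied record on the primary domain shows up as a chain mismatch, because the answer then contains only A records for hapi.justdo.xin and no CNAMEs.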
Summary
With this setup:
- You spend no additional money
- You use Cloudflare for SaaS capabilities
- You can reduce tunnel latency from hundreds of milliseconds to a near-direct-access experience
- You build a high-speed tunnel path
Next step: after configuration, access your Hapi service from anywhere with lower latency.