Summary
After a recent Hermes Agent security/WebSocket change, the dashboard works correctly over direct LAN access, but chat fails when accessed through Cloudflare Tunnel.
The dashboard loads, but WebSocket connections fail for:
/api/ws
/api/events
/api/pty
The browser shows:
events feed disconnected — tool calls may not appear
and console errors like:
```text
WebSocket connection to 'wss://<redacted-domain>/api/ws?token=...' failed
WebSocket connection to 'wss://<redacted-domain>/api/events?token=...' failed
WebSocket connection to 'wss://<redacted-domain>/api/pty?token=...' failed
```
Environment
Hermes Agent: v0.14.0
Python: 3.11.15
OpenAI SDK: 2.24.0
Server OS: Debian/Linux
cloudflared: 2026.3.0
Access method: Cloudflare Tunnel
Dashboard port: 9119
Gateway port: 8642
What works
Direct LAN access works:
http://<server-lan-ip>:9119
Chat works using the server IP.
What fails
Cloudflare Tunnel access fails:
https://<redacted-domain>
The dashboard loads, but chat/event sockets fail.
Cloudflare Tunnel config
```yaml
ingress:
  - hostname: <redacted-domain>
    service: http://127.0.0.1:9119
  - service: http_status:404
```
Also tested:
service: ws://127.0.0.1:9119
but the same WebSocket errors occurred.
Commands used to start Hermes
Gateway:
hermes gateway run --replace
Dashboard:
hermes dashboard --host 0.0.0.0 --port 9119 --no-open --tui --insecure
Local socket/API checks
The dashboard and gateway listen correctly:
127.0.0.1:8642
0.0.0.0:9119
The issue appears only when the dashboard is reached through Cloudflare Tunnel.
Suspected cause
This appears related to the recent security/WebSocket hardening change. Before that change, the same Cloudflare Tunnel setup worked.
It looks like Hermes may now reject or mishandle WebSocket connections when proxied through Cloudflare Tunnel, even though the dashboard itself loads.
Expected behaviour
Cloudflare Tunnel should be able to proxy the dashboard, including WebSocket routes:
/api/ws
/api/events
/api/pty
Actual behaviour
The static dashboard loads, but chat fails because the WebSocket/event connections fail.
Request
Could the WebSocket security check support trusted reverse proxy / Cloudflare Tunnel setups, or provide a config option to allow proxied dashboard WebSocket connections when --insecure is explicitly used, or provide a way of using cloudflared tunnel socket access?
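One possible shape for the proxy-aware check requested above, as an added example that is not Hermes Agent's code and makes no claim about how Hermes validates handshakes. It assumes the check is Origin-based; the function names, the `trusted_origins` parameter and the sample hostnames and addresses are hypothetical and constructed.

```python
from urllib.parse import urlsplit

# Hypothetical names throughout; this is not Hermes Agent's code.
LOCAL_HOSTS = {"127.0.0.1", "localhost", "192.0.2.10"}  # constructed LAN address


def normalize_origin(origin):
    """Return (scheme, host, port) for an Origin header, or None if malformed."""
    try:
        parts = urlsplit(origin or "")
        port = parts.port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment:  # an Origin carries no path
        return None
    port = port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, parts.hostname.lower(), port


def ws_origin_allowed(headers, trusted_origins=()):
    """Decide whether a WebSocket upgrade request may proceed.

    Strict mode (no trusted_origins): the Origin host must be a local host.
    Proxy mode: an Origin is also accepted on an exact scheme/host/port match
    against an operator-supplied allowlist, e.g. the public tunnel hostname.
    """
    origin = normalize_origin(headers.get("Origin"))
    if origin is None:
        return False
    if origin[1] in LOCAL_HOSTS:
        return True
    allowed = {normalize_origin(o) for o in trusted_origins}
    allowed.discard(None)
    return origin in allowed


# Constructed handshake headers for the access paths in the report.
LAN = {"Host": "192.0.2.10:9119", "Origin": "http://192.0.2.10:9119"}
TUNNEL = {"Host": "dashboard.example.test", "Origin": "https://dashboard.example.test"}
FOREIGN = {"Host": "dashboard.example.test", "Origin": "https://other.example.net"}
```

With an empty allowlist the tunnel handshake is refused while the LAN one passes, which matches the symptom reported; listing the tunnel hostname explicitly admits it without accepting arbitrary origins.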