Traefik + cloudflared with full strict tunnel on docker

I have a VM which run multiple containers all linked to one docker network.

  • Traefik (as reverse proxy & load balancer)
  • cloudflared as tunnel
  • whoami (for testing purposes)
  • and some containers like photoprism, nextcloud, node-red,...

I generated an origin cert via Cloudflare which has been added to Traefik.
In Cloudflare, I have a subdomain which points via the tunnel to (ip from the VM). This causes an unsecure connection (IP SAN applied -> I don't think this is possible on a private ip?). When I disable TLS verification on Cloudflare, it works. However, I am trying to set this up properly. Next,I tried pointing my domain towards https://localhost. the cloudflared service running in a container cannot reach any other services as these are located other containers.

I was thinking, what if I run the cloudflared service within the Traefik container, I believe I can reach Traefik via localhost?

Do you have any advice on how to achieve a secure tunnel with cert verification? Or is this not realistic when self-hosting?