Based on the origin documentation:
https://developers.cloudflare.com/cloudflare-one/tutorials/kubectl/#configure-the-tunnel
Important to set Additional application settings
/ TLS
/ Origin Server Name
to hostname of the origin request.
Because the first rule is more extensive than the second, so the correct order is as follows:
- rule HTTPS to TCP
- rule HTTPS to HTTPS