Oh, looping back...

For anyone else who hits these problems and is using CloudFlare, DNS is probably your issue.

I had to add a specific A record in their control panel for the subdomain my pub is being served from, pointing directly to my origin server with "proxy status" set to "DNS only". This prevents the subdomain from redirecting to CloudFlare's servers and not actually hitting your pub directly.

Also switched over to ssb-daemon / ssb-cli (was only a couple of lines of config changes), seems to be working well!