
dash.cloudflare.com one.dash.cloudflare.com

Installing the service

Ubuntu
curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb &&
sudo dpkg -i cloudflared.deb &&
sudo cloudflared service install [TUNNEL KEY]
Red Hat
curl -L --output cloudflared.rpm https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-x86_64.rpm &&
sudo yum localinstall -y cloudflared.rpm &&
sudo cloudflared service install [TUNNEL KEY]
Docker
docker run cloudflare/cloudflared:latest tunnel --no-autoupdate run --token [TUNNEL KEY]
Docker Compose
version: "3.8"

services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    restart: unless-stopped
    command: tunnel run
    network_mode: host
    environment:
      - "TUNNEL_TOKEN=[TUNNEL KEY]"
    deploy:
      mode: global
      placement:
        constraints: [node.platform.os == linux]

Cloudflare as a Docker Sidecar

Cloudflare Tunnel can serve ports from other Docker containers without actually exposing the container ports on the host device. See the compose example below:

version: "3.8"

services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflare-tun
    restart: unless-stopped
    command: tunnel run
    networks:
        - cloudflared
    environment:
      - "TUNNEL_TOKEN=[TUNNEL KEY]"
    # placement constraints must sit under a deploy key, not under environment
    deploy:
      placement:
        constraints: [node.platform.os == linux]
  [some service]:
    image: [repo]/[image]:[tag]
    container_name: [container name]
    restart: unless-stopped
    networks:
        - cloudflared

networks:
  cloudflared:
    driver: bridge

In the Cloudflare dashboard, expose the container through the tunnel by its hostname: http://[container name]:[port]. Reminder: some services may be running over HTTPS, and this will require a slightly tweaked configuration in the Cloudflare dashboard.
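
One way to check that a stack really follows this sidecar model, as an added example that is not part of the original page: the script audits the JSON that `docker compose config --format json` produces. The sample stack, the service names `app` and `db`, and the function name `audit_sidecars` are constructed for illustration, and the JSON shape is an assumption about that command's output.

```python
import json

# Constructed sample in the assumed shape of `docker compose config --format json`.
# The services "app" and "db" are hypothetical.
SAMPLE = json.loads("""
{
  "services": {
    "cloudflared": {"image": "cloudflare/cloudflared:latest",
                    "networks": {"cloudflared": null}},
    "app": {"image": "example/app:1.0",
            "networks": {"cloudflared": null}},
    "db": {"image": "example/db:1.0",
           "networks": {"backend": null},
           "ports": [{"mode": "ingress", "target": 5432,
                      "published": "5432", "protocol": "tcp"}]}
  }
}
""")


def audit_sidecars(config, tunnel_service="cloudflared"):
    """Return {service: [findings]} for services that break the sidecar model."""
    services = config.get("services", {})
    # Works for both the mapping form and the list form of "networks".
    tunnel_nets = set(services.get(tunnel_service, {}).get("networks") or [])
    findings = {}
    for name, svc in services.items():
        if name == tunnel_service:
            continue
        issues = []
        # A published port is reachable on the host, bypassing the tunnel.
        for port in svc.get("ports") or []:
            published = port.get("published", "ephemeral") if isinstance(port, dict) else port
            issues.append(f"publishes host port {published}")
        # Host networking binds the service directly to the host interfaces.
        if svc.get("network_mode") == "host":
            issues.append("uses network_mode: host")
        # http://[container name]:[port] only resolves on a shared network.
        if not tunnel_nets & set(svc.get("networks") or []):
            issues.append(f"shares no network with {tunnel_service}")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for service, issues in audit_sidecars(SAMPLE).items():
        print(service, "->", "; ".join(issues))
```

An empty result means every service is reachable only over the shared Docker network.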

Configuring SSH Access

Use the following format in .ssh/config to allow hosts to be accessed over a Cloudflare tunnel:

Host [HOSTNAME]
ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h

Access

Cloudflare Docs

  1. Application - adds whitelist-based authentication to subdomains under the application; allows for tailored management of access to sites, as well as cookie expiration management: Overview, Policies, Authentication, Settings
  2. Access Groups - allows you to build tailored access groups of whitelisted identities
  3. Service Auths
  4. Tags

Networks

Tunnels

Cloudflare Docs

Cloudflare Tunnel provides you with a secure way to connect your resources to Cloudflare without a publicly routable IP address. With Tunnel, you do not send traffic to an external IP — instead, a lightweight daemon in your infrastructure (cloudflared) creates outbound-only connections to Cloudflare’s global network. Cloudflare Tunnel can connect HTTP web servers, SSH servers, remote desktops, and other protocols safely to Cloudflare. This way, your origins can serve traffic through Cloudflare without being vulnerable to attacks that bypass Cloudflare.

Routes

Cloudflare Docs

With Cloudflare Zero Trust, you can connect private networks and the services running in those networks to Cloudflare’s global network. This involves installing a connector on the private network, and then setting up routes which define the IP addresses available in that environment. Unlike public hostname routes, private network routes can expose both HTTP and non-HTTP resources.