Cloudflare Tunnel Setup for Self-Hosted Services
Cloudflare Tunnel (formerly Argo Tunnel) creates an outbound-only connection from your network to Cloudflare’s edge, eliminating the need to expose ports.
Why Use Tunnels
- No inbound firewall rules required
- DDoS protection at the edge
- Quick failover across multiple connectors
- Unified access control with Cloudflare Zero Trust
Installation and Configuration
Install the Cloudflare connector (cloudflared) on your internal network:
# The Linux release asset is a bare binary, not a tarball
curl -L --output cloudflared https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64
chmod +x cloudflared
sudo ./cloudflared service install
Authenticate and create a tunnel:
cloudflared tunnel login
cloudflared tunnel create my-tunnel
Configure Routes
Map internal services to public hostnames in ~/.cloudflare-warp/config.yml:
tunnel: my-tunnel
credentials-file: /root/.cloudflare-warp/my-tunnel-credentials.json
ingress:
  - hostname: app.example.com
    service: http://internal-app:8080
  - hostname: dashboard.example.com
    service: http://internal-dashboard:3000
  - service: http_status:404
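cloudflared evaluates ingress rules top to bottom and expects the last one to be a catch-all, so rule order decides which internal service a hostname reaches. The following is an added example, not part of the original guide or of cloudflared itself: a small offline check of that ordering, using the rules above transcribed by hand. The function names are hypothetical, and path matching is not modelled.

```python
# Rules transcribed from the config above (constructed input for this example).
PAGE_RULES = [
    {"hostname": "app.example.com", "service": "http://internal-app:8080"},
    {"hostname": "dashboard.example.com", "service": "http://internal-dashboard:3000"},
    {"service": "http_status:404"},
]

def host_matches(pattern, host):
    """Exact match, or a leading '*.' wildcard covering subdomains."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def match_rule(rules, host):
    """Return the service of the first rule that matches, top to bottom."""
    for rule in rules:
        pattern = rule.get("hostname")
        if pattern is None or host_matches(pattern, host):
            return rule["service"]
    return None  # only reachable when the catch-all is missing

def lint_ingress(rules):
    """Return findings for rule sets that route differently than intended."""
    findings = []
    if not rules or "hostname" in rules[-1] or "path" in rules[-1]:
        findings.append("last rule is not a catch-all")
    seen = []
    for i, rule in enumerate(rules):
        pattern = rule.get("hostname")
        if pattern is None and "path" not in rule and i < len(rules) - 1:
            findings.append(f"rule {i} matches everything; later rules are unreachable")
        elif pattern is not None:
            if any(host_matches(p, pattern) for p in seen):
                findings.append(f"rule {i} ({pattern}) is shadowed by an earlier rule")
            seen.append(pattern)
        if rule["service"].startswith("http://"):
            findings.append(f"rule {i} reaches its origin over plaintext HTTP")
    return findings

if __name__ == "__main__":
    for finding in lint_ingress(PAGE_RULES):
        print(finding)
```

On a host with cloudflared installed, `cloudflared tunnel ingress validate` checks the real config file, and `cloudflared tunnel ingress rule https://app.example.com` reports which rule a URL matches.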
Zero Trust Integration
Use Cloudflare Access to enforce authentication:
- MFA requirement
- Device posture checks
- IP restrictions
- Time-based access rules
Tunnel traffic is encrypted end-to-end and resistant to inspection.