I maintain a list[0] of solutions to this problem. Cloudflare Tunnel is what I currently recommend to most people. IMO it's the easiest way to expose services publicly on the internet. For example a website or shared Plex server.<p>Main downsides to Cloudflare Tunnel are no e2ee (Cloudflare decrypts all your traffic) and technically anything other than basic HTML websites (ie media streaming) is against their free ToS, though I haven't heard of that being enforced in practice.<p>If you're the only one ever using your services then I'd recommend Tailscale instead, which sets up a VPN using WireGuard along with slick auto p2p setup (NAT traversal, relays, etc).<p>[0]: <a href="https://github.com/anderspitman/awesome-tunneling" rel="nofollow">https://github.com/anderspitman/awesome-tunneling</a>
> But what if you could host a web service with no ports exposed? Well, you can! Cloudflare Tunnel makes a persistent outbound connection (a tunnel!) between your server and Cloudflare's nearest datacenter. All the traffic to your domain flows through this outgoing tunnel and connects to your server through the protection of Cloudflare. This also has the benefit of being seamlessly encrypted, so you don't have to worry about a thing when it comes to the security of your web service.<p>Well, a port is exposed, it's just exposed on Cloudflare's reverse proxies. And I think this is probably a dramatic overstatement of the security that Cloudflare provides...
If you have $3-5/month to spare on a VPS, a similar but self hosted solution can be achieved- Tunnel/VPN and reverse proxy- using Wireguard and Caddy.<p>Caddy in particular is extremely easy to configure, with the bonus that HTTPS/Lets Encrypt has never been free'er. Wireguard configuration is also gloriously minimal but admittedly, potentially tricky to get right the first time.<p>It's just good to consider alternatives to Cloudflare's network dominance, if you can afford it.
I just set up a Cloudflare Tunnel this weekend to my homelab. I was able to connect it up with a container within minutes. I also was able to set up their zero trust offering and had route based RBAC against two domains w/ Google OAuth2 login. I have my reservations about CloudFlare with regard to centralizing the web, but this tunnel is fantastic and saved me quite a bit of trouble with messing with my RouterOS config and nginx.
A word of warning wrt hard-relying your service on Cloudflare. They have hidden undocumented limits. When we hit those, they dropped ~10% of our traffic without warning and they did not respond to our support requests with anything other than platitudes, despite us being on their business plan. After ghosting us for 2 weeks they tried to upsell us to the Enterprise plan for more leeway on said undocumented limits (all the while not providing any insights as to what limits we were hitting, nor how).<p>I don't think they were malicious, I suspect growing pains, but it very much didn't match their stellar reputation.<p>After that experience we made sure not to rely on them for anything that we couldn't instantly turn off or switch away from. I'd run a blog behind cloudflare without worries but not sure anymore about nontrivial high-traffic applications.
Cloudflare Tunnel will spin up a free tunnel for you even without a Cloudflare account. If you run `brew install cloudflare/cloudflare/cloudflared` and then `cloudflared tunnel --url <a href="http://localhost:8080" rel="nofollow">http://localhost:8080</a>` you will get a URL you can use to reach that local port from the Internet.<p>I use it to share in-progress work with co-workers, test webhooks, etc.<p>Edit: fixed command thanks to comment below :)
I would rather use ngrok for these things: <a href="https://ngrok.com/" rel="nofollow">https://ngrok.com/</a><p>The reason why is because Alan is awesome.
Easy to expose ssh server too. Use the .ssh/config ProxyCommand at the client. Cloudflare handles the authentication with the default OTP emailed.<p>They explain towards the end of this tutorial <a href="https://developers.cloudflare.com/cloudflare-one/tutorials/ssh#connect-from-a-client-machine" rel="nofollow">https://developers.cloudflare.com/cloudflare-one/tutorials/s...</a>
This is great, I've always found information about how to do this kind of thing to be pretty confusing and not well described. Thanks for adding some more helpful material to the web.<p>I wrote up a guide [0] for using Nginx on a standard digital ocean droplet, but had I known about cloudflared at the time I think I would have tried that (tailscale was also something I thought about).<p>There was another recent article about cloudflared I remember seeing (maybe not on HN?), there's not very much good stuff like this about self-hosting. A lot people online just say "use X" without explaining anything helpful.<p>[0]: <a href="https://zalberico.com/essay/2020/06/06/urbit-on-the-cloud.html" rel="nofollow">https://zalberico.com/essay/2020/06/06/urbit-on-the-cloud.ht...</a>
Some issues (and solutions) that I ran into: <a href="https://www.maxcantor.com/blog/2021-10-15-ngrok-to-cloudflare" rel="nofollow">https://www.maxcantor.com/blog/2021-10-15-ngrok-to-cloudflar...</a>
It's not obvious to me from the blogpost where TLS termination happens in this scenario.<p>I would want it to happen on my local machine, so that (a) Cloudflare can't read my plaintext traffic, and (b) I can manage subdomain certificates more easily via Caddy.<p>Is that possible with the cheapo free tunnels or does Cloudflare want to handle the domain and TLS certificates, too?
Quick word of warning: I found it striking that even Cloudflare's Teams product, which supports Tunnels as a feature, does not make Tunnels private (e.g., by enforcing authentication, or restricting who can reach an exposed tunnel to your organization) by default. Anyone on the Internet with the Cloudflare Warp client can reach a Tunnel configured with default settings, a quirk that is not called out in their official documentation.
You can also put authentication in front of cloudflare argo tunnels, so you can securely expose internally hosted applications to the internet. A zero trust or BeyondCorp model is usually way easier than VPNs etc. It is a really nice alternative to hosting Buzzfeed SSO or Pomerium too.
A little off topic, but does anyone know the best way to run software on an unused Android phone? For some reason this seems harder than it used to be. My goal is to run Home assistant on it, and I am struggling with issues on Termux right now. There must be a better way.
If only there was a straightforward way to manage the credentials used by cloudflared for tunnels, bind them to specific websites, and revoke them.<p>In principle, there is no reason at all to use TLS inside the tunnel — the tunnel itself is authenticated and encrypted. Unfortunately, cloudflare tunnels feel a bit like a cute 20% project that was never quite finished and is barely integrated with the rest of cloudflare’s offering.<p>Hey jgc et al., if you’re reading this, maybe the cloudflare console UI could have a pane for managing tunnels. And the pane for managing website origin servers could let you choose between the traditional cloudflare-initiated connection and a tunnel, and the tunnel mode could give some controls for how the origin server is protected, whether connections load balance across multiple tunnels, etc. And maybe even really open-source the tunnel client for real, because it would be quite nice to have the actual origin server connect via a plugin instead of a separate daemon.<p>In other words, the hard part of this offering is done. Do the boring bits so it can be even better than the primary offering.
I use this to expose services running in Kubernetes clusters and have Cloudflare tunnel pointing at my Kube gateways.<p>It makes a ton of things like cluster failover much simpler than they otherwise would be.
One place where this would shine is running compute intensive tasks (especially the ones that involve GPU) that are usually queued. Instead of throwing too much money to the cloud providers, setup this tunnel on your unused/even new machine and throw tasks at it.
Does anyone have experience with software you can self-host a dial-out tunnel to achieve the same? I'm looking into a similar setup (connecting from an internal site to a private cloud, rather than to the Internet) and would prefer not to write the software myself if I can avoid it: network programming is tricky; network programming with failover, doubly so.<p>It's a real system with various security and compliance concerns; Cloudflare and dev-focused services like Inlet or simple SSH forwarding are unfortunately not going to work.
I am keeping an eye on this offering. In a B2B setting, this is a compelling way to expose certain sensitive services to the public web without forcing our customers to make complex/problematic firewall changes. Not everyone is sitting on a fat stack of public IPv4s they can just point at their infra. Many of the businesses we work with can't even accurately describe their own technology circumstances.<p>Reducing the conversation to "Can that server ping google?" would make my life 1000% easier.
I've been running caddy (with the cloudflare addon) to serve local services on a https url.<p>I then set my local dns (Adguard home) to redirect my url to its LAN url. Additionally, I run cloudflare tunnel to expose these services on the internet.<p>This allows me to use the url for internal services both at home or through the internet while having proper auth through cloudflare access when accessed over the internet. It has been working great for me so far
I've just spent a few hours trying to use Cloudflare Tunnels to connect to my machine through SSH after reading this post. Unfortunately, I then found that SSH keys are not supported: <a href="https://github.com/cloudflare/cloudflared/issues/319" rel="nofollow">https://github.com/cloudflare/cloudflared/issues/319</a> so I cannot disable Password authentication.
> No port forward headache, no complex configuration.<p>That's on page 10 of 12 on the print preview... It has another service running though, I find that adds a lot of complexity to the setup, but as usual, this has pros and cons.<p>Don't get me wrong, it's a good tutorial but I'm not sure I find port forwarding more complex - but I would argue that that strengths of this setup are different.
There is no mention of prices on that page, does anyone know how much it costs? Is it included on their free tier, or it is a "free" added service for customers who already pay for other services? If so, I'm curious what would be the cost of the minimum package to get this working.
I used v2ray+nginx on a linode instance to expose a NAT-ed port. I have tried cloudflared before but it seems not to be able to proxy the cockpit GUI well.
And the credentials (for the whole domain) will have to stay with the device, which makes me a little nervous.
Another one for the alternatives list is Kilo[1]<p>It's a wireguard based kubernetes network overlay. I use it to access private services in my homelab cluster from my laptop, phone, etc.<p>[1] <a href="https://kilo.squat.ai" rel="nofollow">https://kilo.squat.ai</a>
This appears to be similar to Azure AD Application Proxy. If it is they're one step ahead of MS because their App Proxy Connector clobbers MSAL auth tokens and they can't be bothered to fix the issue a year later.
I do this for our services, it works great and we can easily put SSO in front of them with CF Access. I publish a Docker container that you can use as a sidecar for your Compose deployments:<p><a href="https://gitlab.com/stavros/docker-cloudflared" rel="nofollow">https://gitlab.com/stavros/docker-cloudflared</a><p>I use this with Harbormaster (<a href="https://gitlab.com/stavros/harbormaster" rel="nofollow">https://gitlab.com/stavros/harbormaster</a>) so I can expose containerized stuff without ever forwarding any ports outside of Docker.
An alternative to using <i>cloudflared</i> is using TLS client certificates to authenticate that requests to your origin server come from Cloudflare [1]. This is not quite as airtight as Cloudflare Tunnel because you expose a port for TLS but it comes close.<p>[1]: <a href="https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up" rel="nofollow">https://developers.cloudflare.com/ssl/origin-configuration/a...</a> "Set up authenticated origin pulls"
How does this compare to ngrok and can we combine them to host sites from our own servers behind a dynamic IP given by our ISP? Could be great for developers showing off their sites for instance.
I spent way too much time trying to get cloudflared working for a team RBAC/MFA SSH solution. Ended up going with Teleport instead.<p>I really wanted to love CF Teams but it is lacking some polish IMO.
Nice little write-up. Appreciate the hints on setting up a systemd service. That said, with the service being a system service, I'd probably prefer moving the credentials file:<p>> credentials-file: /home/ubuntu/.cloudflared/ed5bfe1 (...)<p>To either /root, or (more likely) /etc/cloudflared/ and making it readable to root, or a system user especially for cloudflared.<p>I like to think that my services will run regardless of the state of my /home filesystem.
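The relocation the comment above suggests, as an added shell example that is not code from the post or from Cloudflare: copy the tunnel credentials file out of a login user's home directory into a root-owned system directory, lock its mode to 0600 before the original is removed, and repoint the `credentials-file:` line in config.yml. All paths and the tunnel UUID are placeholders; the functions take a destination argument so they can be exercised against a scratch directory rather than the live system.

```sh
#!/bin/sh
# Added example (not from the post or from Cloudflare): move cloudflared tunnel
# credentials into a root-owned location and make config.yml point at them.
# Paths and the tunnel UUID are placeholders.

# install_tunnel_credentials SRC DEST_DIR
#   SRC      credentials JSON written by `cloudflared tunnel create`,
#            e.g. /home/ubuntu/.cloudflared/<tunnel-uuid>.json
#   DEST_DIR system location, e.g. /etc/cloudflared
# Prints the new path. The copy is chmod 600 before the original is deleted, so
# there is never a moment where the only copy is readable by other users.
install_tunnel_credentials() {
  src="$1"; dest_dir="$2"
  [ -f "$src" ] || { echo "no such credentials file: $src" >&2; return 1; }
  mkdir -p "$dest_dir" && chmod 750 "$dest_dir" || return 1
  dest="$dest_dir/$(basename "$src")"
  cp "$src" "$dest" && chmod 600 "$dest" || return 1
  # Only root can change ownership; when run as root, hand the directory and file
  # to root so a compromised login user can neither read nor replace them.
  if [ "$(id -u)" -eq 0 ]; then chown root:root "$dest_dir" "$dest"; fi
  rm -f "$src"
  echo "$dest"
}

# credentials_are_private FILE -> 0 if FILE is a regular file with mode exactly 0600
credentials_are_private() {
  find "$1" -type f -perm 600 | grep -q .
}

# point_config_at CONFIG NEW_PATH: rewrite the credentials-file: line in config.yml.
# Writes to a temp file and renames so a failed sed never truncates the config.
point_config_at() {
  cfg="$1"; new="$2"
  sed "s|^credentials-file:.*|credentials-file: $new|" "$cfg" > "$cfg.tmp" \
    && mv "$cfg.tmp" "$cfg"
}
```

With the file under /etc/cloudflared, a unit started by `cloudflared service install` (which runs as root) no longer depends on /home being mounted, and /etc/cloudflared/config.yml is one of the locations cloudflared searches for its config by default. If you would rather run the daemon as a dedicated system user, chown the directory and file to that user instead of root and set `User=` in the unit; the 0600 mode stays the same.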
Does anyone know if you can use a Cloudflare tunnel on a single subdomain without using Cloudflare on everything else?<p>It seemed like I had to run everything on the domain through Cloudflare when I looked into this in the past. That might be fine in the end, but I just wanted to try tunnels out first without committing to anything else.<p>Edit: thanks, everyone! This was just going to be a tiny web site for hobby purposes at first.
I just started using Cloudflare Tunnel this weekend to expose a service hosted at home. I love that I don't have to open any ports up, that my home IP isn't exposed, and that I don't need to worry about maintaining my own reverse proxy to host multiple sites on the standard ports.<p>I know there's other ways to do this, but Tunnel made it extremely easy.
Debugging Cloudflare Tunnel is a PITA. We are using it in production, and have the most random outages that leave us guessing what triggered them. The errors are vague to say the least, and there is not much in terms of an existing community. Otherwise, it is easy to set up and works great when it does.
I'm a little confused about hostname routing. You set up a config file with hostname values like either of the two below:<p><pre><code>ingress:
  - hostname: myapp1.example.com
    service: http://localhost:8080
  - hostname: myapp2.example.com
    service: http://localhost:8081
  - service: http_status:404

ingress:
  - service: http://localhost:80
</code></pre>
Then later you explicitly route to a subdomain for the simple case (the second one above):<p><pre><code> $ cloudflared tunnel route dns mytunnel test.example.com
</code></pre>
Now you're on a subdomain, how would I handle this routing case for the more complex case from above?
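The multi-hostname case from the question above, as an added shell example that is not code from the post or from Cloudflare: read the ingress rules out of a cloudflared config.yml, print the `cloudflared tunnel route dns` command that each hostname rule needs (one DNS record per hostname, all pointing at the same tunnel), and check that the final rule is the catch-all with no hostname, which cloudflared requires before it will start. The tunnel name and hostnames are placeholders, and the awk passes are narrow matches on the `- hostname:` / `hostname:` keys rather than a YAML parser.

```sh
#!/bin/sh
# Added example (not from the post or from Cloudflare): derive DNS route commands
# from a cloudflared ingress config and verify the catch-all rule is last.
# Tunnel name and hostnames are placeholders; this is not a general YAML parser.

# ingress_hostnames CONFIG -> one hostname per line, in rule order
ingress_hostnames() {
  awk '
    ($1 == "-" && $2 == "hostname:") || $1 == "hostname:" {
      h = $NF; gsub(/"/, "", h); print h
    }' "$1"
}

# route_commands TUNNEL CONFIG -> the DNS route command for every hostname rule.
# Rules without a hostname (the catch-all) get no DNS record: nothing resolves to
# them, they only decide what happens to requests for hostnames no rule matched.
route_commands() {
  tunnel="$1"
  ingress_hostnames "$2" | while IFS= read -r h; do
    printf 'cloudflared tunnel route dns %s %s\n' "$tunnel" "$h"
  done
}

# has_catch_all CONFIG -> 0 if the last ingress rule has no hostname, else 1.
# Each "- " starts a new rule; a rule "has" a hostname if the key appears on its
# first line or on any continuation line.
has_catch_all() {
  awk '
    $1 == "-"         { n++; has[n] = ($2 == "hostname:") }
    $1 == "hostname:" { has[n] = 1 }
    END { code = (n > 0 && !has[n]) ? 0 : 1; exit code }
  ' "$1"
}
```

Run `route_commands mytunnel /etc/cloudflared/config.yml` and execute each printed line once; for the two-hostname config in the question that is two `route dns` calls, and the `http_status:404` rule gets none. Before restarting the daemon, `cloudflared tunnel ingress validate` checks the rules for syntax errors and `cloudflared tunnel ingress rule https://myapp1.example.com` shows which rule a given URL would hit.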