Overview
Exposing self-hosted services to the internet usually means opening ports, managing dynamic DNS, and hardening firewalls. Cloudflare Tunnel (cloudflared) flips that model. Your server dials out to Cloudflare, creates an encrypted tunnel, and serves traffic from a Cloudflare edge without any inbound ports. Add Cloudflare Zero Trust Access on top, and you get identity‑aware filtering, one‑time PIN, and granular policies. This guide shows how to publish a web app from a Linux server using Cloudflare Tunnel and secure it with Zero Trust.
Prerequisites
- A Cloudflare account with your domain added and nameservers pointing to Cloudflare.
- A Linux host (Ubuntu/Debian examples below) running the service you want to expose (e.g., a dashboard on port 8080).
- Shell access with sudo privileges.
Step 1 — Install cloudflared
On Ubuntu/Debian, install the official package. The commands below add the repository, verify signatures, and install cloudflared.
# Add Cloudflare GPG key and repository
sudo mkdir -p /usr/share/keyrings
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo gpg --dearmor -o /usr/share/keyrings/cloudflare-main.gpg
echo "deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared $(lsb_release -cs) main" | \
sudo tee /etc/apt/sources.list.d/cloudflared.list
# Install cloudflared
sudo apt update
sudo apt install -y cloudflared
# Verify
cloudflared --version
On other distributions, you can use a static binary or Docker. The rest of the steps are identical.
Step 2 — Authenticate and create a named tunnel
Run an interactive login to authorize cloudflared with your Cloudflare account. Your browser will open and ask you to pick the domain.
cloudflared tunnel login
Create a tunnel with a friendly name. This command outputs a UUID and writes a credentials JSON file into ~/.cloudflared.
cloudflared tunnel create homelab-tunnel
Keep the UUID; you will need it in the configuration file.
Step 3 — Map a public hostname to your local service
Choose a subdomain such as app.example.com and route it to the tunnel. Cloudflared will create the necessary DNS record in Cloudflare automatically.
cloudflared tunnel route dns homelab-tunnel app.example.com
Now define the ingress rules that connect the hostname to your local service (for example, a web UI on http://localhost:8080). Create a config at ~/.cloudflared/config.yml:
tunnel: <your-tunnel-uuid>
credentials-file: /home/<your-user>/.cloudflared/<your-tunnel-uuid>.json
ingress:
- hostname: app.example.com
service: http://localhost:8080
- service: http_status:404
The final catch‑all rule returns a 404 for unmatched hostnames, which is safer than accidentally proxying everything.
Step 4 — Run cloudflared as a service
Install cloudflared as a system service so it survives reboots and restarts automatically.
# From within the directory containing ~/.cloudflared/config.yml
sudo cloudflared service install
# Start and enable on boot
sudo systemctl enable --now cloudflared
sudo systemctl status cloudflared
If you prefer foreground mode for testing, you can run: cloudflared tunnel run homelab-tunnel, then switch to the service after you confirm it works.
Step 5 — Secure the app with Cloudflare Zero Trust Access
With the tunnel working, the app is reachable at your hostname. Next, lock it behind identity-aware access.
1) In the Cloudflare dashboard, go to Zero Trust → Access → Authentication and add an identity provider (Google, Microsoft, GitHub, or email OTP). Keep One-time PIN enabled for easy onboarding.
2) Go to Zero Trust → Access → Applications → Add an application → Self-hosted. Enter:
- Application name: Homelab App
- Domain: app.example.com
- Session duration: e.g., 12 hours
3) Create a policy: Include only your email(s) or a Google Workspace group. Optionally add country restrictions, device posture checks, or require MFA. Save the app.
From now on, anyone visiting app.example.com must authenticate. Cloudflare enforces the policy before traffic touches your origin.
Optional hardening
- Run your local service on 127.0.0.1 so it is not exposed on the LAN. Update your app config to bind to localhost.
- Use mTLS origin authentication (Cloudflare Origin Cert) to ensure only your tunnel can reach the service.
- Split production and testing into separate tunnels with distinct hostnames and policies.
- Enable HTTP/2 or WebSockets if your app needs them; cloudflared supports both.
Troubleshooting tips
- Check logs: journalctl -u cloudflared -f shows real-time output from the service.
journalctl -u cloudflared -n 200 --no-pager
cloudflared tunnel list
cloudflared tunnel info homelab-tunnel
cloudflared tunnel ingress validate
- DNS not resolving? Confirm the CNAME record for app.example.com exists and points to your tunnel. Clear local DNS cache or wait a few minutes for propagation.
- 502/504 errors? Ensure the local app is listening and reachable at the service URL in config.yml. Try curl http://localhost:8080 from the server.
- Multiple apps? Add more hostname blocks under ingress and create matching Access apps.
Maintenance and updates
Keep cloudflared current to receive security patches and new features.
sudo apt update
sudo apt install --only-upgrade cloudflared
Back up ~/.cloudflared/ (credentials and config) and your systemd unit files if customized. If you rotate the tunnel credentials, update the credentials-file path accordingly and restart the service.
Wrap-up
Cloudflare Tunnel gives you a secure, low-friction way to publish internal services without opening ports or managing a reverse proxy on the perimeter. Pairing it with Zero Trust Access means your apps live behind identity, not just IP addresses, and you can layer device posture, MFA, and short sessions. In a few commands, you can make your home lab or small business apps safer and easier to reach from anywhere.
Comments
Post a Comment