Cloudflare
Cloudflare Tunnels are used to securely tunnel and encrypt your internal applications and make them available to the wider web without the need to expose your IP address or open any ports on routers/firewalls.
This guide will demonstrate the route taken to protect a site behind Cloudflare’s proxy. It presumes you have a domain already configured to use Cloudflare. Other areas of the guide will not include in-depth technical details.
This method of reverse proxying and authentication removes, in most cases, the need for applications such as Traefik and Authelia, taking these services off your hardware and moving them into the cloud.
Getting started
In Cloudflare, head over to Zero Trust in the left-hand navigation. You will need to enrol your account. Cloudflare may ask for billing information or other details if they are not already on your account.
Creating a tunnel
Once enrolled into Zero Trust, under Access click on Tunnels. Here we connect Cloudflare to our server to establish a secure connection. This transports all data securely to Cloudflare without the need to expose ports or IP addresses.
Click on Create a Tunnel and give it a recognisable name.
Next, there are a couple of options you can use to set up the connection, depending on what you have running. In this case I have selected Docker.
SSH into your server that is running Docker. Copy the entire command; this is important as it includes the token needed to authenticate. Before running the command in your terminal, you can pass -d as a flag so the container runs detached. This is recommended because, if you do not run the container detached, it will run within the active shell and as soon as you disconnect the tunnel will stop.
The beginning of your command should look like this:

```shell
docker run -d cloudflare/cloudflared ...
```
Docker compose
If you are using Docker Compose, you can set up your .yaml like this:

```yaml
version: '3'
services:
  cloudflared:
    container_name: cloudflared
    image: cloudflare/cloudflared
    restart: unless-stopped
    command: tunnel run
    environment:
      # The token copied from the Zero Trust dashboard; it authenticates the
      # connector, so treat it as a secret.
      - TUNNEL_TOKEN=LONG_TOKEN_HERE
networks:
  default:
    name: proxy
    external: true
```

Make sure you are in the same directory as the docker-compose.yml file, and now we want to start up the container by running the following:

```shell
docker-compose up -d
```

Once running, you will see your connection show up under Connectors. You can proceed to the next page.
Set up proxies
In this example, I will use Portainer through the tunnel. First, set up the subdomain, selecting the domain on which you wish to create this reverse proxy.
Select the service type you wish to tunnel (e.g., HTTP or HTTPS) and enter the local IP address and port of the service.
!!! info
    If the container is on the same Docker network, you can use container hostnames such as portainer:9000.
Your service is now set up and should be accessible via https://portainer.DOMAIN.com.
To add more, simply open the Tunnels page again and Configure your tunnel under the Public Hostname header.
Application authentication
Using application authentication on your newly proxied sites means you can control who can and cannot access them. In this case, I have connected Google to Cloudflare. This lets me authenticate with my Google account before I can access my site. Connecting an authentication provider will not be covered in this guide. However, if you wish to look further you can find these settings under Settings > Authentication at the bottom of your navigation bar on the Zero Trust dashboard.
Under Access you will find Applications. Here you can create a new application that will sit on top of the route you defined in your tunnel earlier.
Ensure you select Self-Hosted as the application type. Enter a suitable name for the application. Fill in the subdomain of your route and the domain it is on.
Next, create the policies that you want for this application. Ensure you give the policy a name and state whether you want this rule to allow or deny.
With Google previously set up as an authentication method, set this as an Include. These define how you wish to authenticate. There are also other selectors such as IP ranges or emails that are not covered here.
Add a Require next. As we have included Google as our login method, we can now specify the email addresses used with Google that we wish to authorise. With this setup, only these Google email addresses will be able to access this application; all others will be refused access.
Once set up, you can select Next and save your configuration.
Visiting your application URL should now prompt you to log in before granting access to the site.
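As an added example, not part of the original guide or of Cloudflare's code, here is a small Python model of how an Access policy decides: at least one Include rule must match, every Require rule must match, and (going beyond what the guide uses) no Exclude rule may match. The identity fields, rule helpers and e-mail addresses are constructed for the example; it also shows why splitting authorised addresses across separate Require rows locks everyone out.

```python
# Model of Cloudflare Access policy evaluation (added example, not Cloudflare's code).
# Include: any rule may match; Require: all rules must match; Exclude: none may match.
from dataclasses import dataclass, field
from typing import Callable, List, Set

@dataclass
class Identity:
    email: str
    login_method: str          # identity provider used to log in, e.g. "google"

Rule = Callable[[Identity], bool]

# Rule types the guide uses: the login method (the Google IdP) and an Emails list.
def login_method(name: str) -> Rule:
    return lambda who: who.login_method == name

def emails(addresses: Set[str]) -> Rule:
    # One Emails rule holds several addresses and matches any of them
    # (compared case-insensitively in this model).
    allowed = {a.lower() for a in addresses}
    return lambda who: who.email.lower() in allowed

@dataclass
class Policy:
    action: str                                   # "allow" or "deny"
    include: List[Rule]                           # any one must match
    require: List[Rule] = field(default_factory=list)   # all must match
    exclude: List[Rule] = field(default_factory=list)   # none may match

def decide(policy: Policy, who: Identity) -> str:
    """Return the policy's action if it matches; an unmatched policy refuses access."""
    matched = (any(r(who) for r in policy.include)
               and all(r(who) for r in policy.require)
               and not any(r(who) for r in policy.exclude))
    return policy.action if matched else "deny"

# The guide's policy: Include = Google login, Require = the authorised addresses.
PORTAINER_POLICY = Policy(
    action="allow",
    include=[login_method("google")],
    require=[emails({"alice@example.com", "bob@example.com"})],  # constructed
)

# Pitfall: two separate Require rows must BOTH hold, so one address per row
# means no single user can ever satisfy the policy.
SPLIT_REQUIRE_POLICY = Policy(
    action="allow",
    include=[login_method("google")],
    require=[emails({"alice@example.com"}), emails({"bob@example.com"})],
)
```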
Conclusion
Cloudflare Zero Trust is a great and easy-to-use alternative to Traefik and Authelia with a much easier out-of-the-box set-up. Both have their strengths and weaknesses, but which one you use depends on what you want to achieve.
