Command-line daemon that creates secure tunnels between local services and Cloudflare’s edge network, allowing you to expose local applications to the internet without opening inbound ports or managing complex firewall rules. It’s commonly used for creating zero-trust access to internal resources, DNS-over-HTTPS proxying, and making local development environments accessible via Cloudflare’s infrastructure.
Setup
Cloudflare
- Account > Zero Trust > Networks > Tunnels
- Create a tunnel > Cloudflared > Choose name > Docker > Copy & save token > Next
- Add public hostname
  - Hostname: e.g. transmission.one137.dev/transmission/web
  - Service: e.g. https://ct-transmission (docker container names ok)
  - TLS
    - Origin Server Name: transmission.one137.dev (probably)
    - HTTP2 connection: On
Connector (Docker)
Stack config: https://github.com/one137/dockerhost-stacks/blob/main/stacks/50-cloudflared.yml
Add ct-npm to the 50-cloudflared_default network
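Added example of what the connector stack and the network join look like in compose form; this is not the linked 50-cloudflared.yml, and the stack name 50-cloudflared (hence the 50-cloudflared_default network), the ct-cloudflared name and the TUNNEL_TOKEN variable are assumptions.

```yaml
# Added example, not the linked 50-cloudflared.yml.
# Assumes the stack is deployed under the name "50-cloudflared", so its
# compose default network is "50-cloudflared_default".

# --- file 1: 50-cloudflared.yml (connector stack) ---
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: ct-cloudflared        # assumed name
    restart: unless-stopped
    # Remotely managed tunnel: ingress rules (public hostname -> service)
    # live in the dashboard, the connector only needs the token.
    command: tunnel --no-autoupdate run
    environment:
      # Token copied from "Copy & save token"; read from a .env file or
      # secret store so it is never committed with the stack file.
      TUNNEL_TOKEN: ${TUNNEL_TOKEN}
    # Deliberately no "ports:" block: the tunnel is outbound-only, so
    # nothing listens on the host and no inbound firewall rule is needed.
    # The container stays on the project default network, which is where
    # dashboard services such as https://ct-transmission are resolved.

# --- file 2: the stack that owns ct-npm ---
# Joining cloudflared's network lets the tunnel reach ct-npm by container
# name; ct-npm keeps its own default network for the services behind it.
services:
  npm:
    container_name: ct-npm
    networks:
      - default
      - cloudflared_net
networks:
  cloudflared_net:
    external: true
    name: 50-cloudflared_default
```

Check the join with docker network inspect 50-cloudflared_default, which should list both ct-cloudflared and ct-npm; if ct-transmission is reached directly rather than through ct-npm, it needs the same external network entry.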
Cloudflared and Zero-Trust
Zero-trust access is a security model that operates on the principle “never trust, always verify” - meaning no user or device is automatically trusted, even if they’re inside the organization’s network.
Cloudflared helps implement zero-trust access by acting as a secure connector between your local resources and Cloudflare’s identity-aware access proxy. Here’s how it works:
- When you set up cloudflared, it creates an outbound-only tunnel to Cloudflare’s network. This means your internal resources don’t need to be directly exposed to the internet.
- Any request to access your internal resources must first go through Cloudflare’s network, where:
  - Users are authenticated using your chosen identity provider (like Google, Okta, etc.)
  - Access policies you’ve defined are checked (who can access what)
  - Device posture is verified (checking if the device meets security requirements)
- Only after passing all these checks does Cloudflare route the request through the cloudflared tunnel to your internal resource.
For example, if you have an internal HR system, instead of using a VPN:
- The HR system stays completely private - no public IP or open ports
- Employees access it through a Cloudflare URL
- Cloudflare checks their identity, permissions, and device security
- Only then does cloudflared tunnel the authorized request to your HR system
This is more secure than traditional VPNs because it provides granular access control and doesn’t require exposing your network to the internet.
Source: Claude.ai