How to Expose Your Docker App Securely with Cloudflare Tunnel and a Custom Domain

Mercy Chelangat — Fri, 15 May 2026 12:38:59 +0000

Every time you forward a port on your router, you crack open a door to the internet. Anyone scanning your IP can knock on it, and some will.

There is a better way.

Cloudflare Tunnel creates a secure, outbound-only connection between your local server and Cloudflare's edge network. No open ports. No static IP. No firewall rules. Your app becomes reachable at your custom domain, fully encrypted, completely free.

I recently migrated to a new domain and used this exact setup to get my Dockerized React + Django + Nginx stack live in under an hour. This guide walks you through every step.

By the end, your app will be live at your domain with zero exposed ports and zero cost.

Prerequisites

A Cloudflare account (free)
A domain added to Cloudflare (nameservers pointed to Cloudflare)
Your application running inside Docker
cloudflared service running in Docker
Basic terminal knowledge

Step 1: Add Your Domain to Cloudflare

Log in to Cloudflare and click Add domain
Enter your domain > select the Free plan > click Continue
Cloudflare scans for existing DNS records. Review, remove irrelevant ones, and continue

Update nameservers at your registrar:

Cloudflare gives you two nameservers, for example:

xyz.ns.cloudflare.com
abc.ns.cloudflare.com

Go to your domain registrar (wherever you bought your domain), find DNS/Nameserver settings, and replace the current nameservers with these two. Wait for Cloudflare to confirm the domain is Active.

Step 2: DNS Records

Since you are using Cloudflare Tunnel (cloudflared), you do NOT need A records pointing to your server IP. The tunnel handles all routing. CNAME records are created automatically in Step 7.

Step 3: Install `cloudflared`

# Add Cloudflare's package signing key
sudo mkdir -p --mode=0755 /usr/share/keyrings
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null

# Add Cloudflare's apt repo
echo "deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared any main" | sudo tee /etc/apt/sources.list.d/cloudflared.list

# Update and install
sudo apt-get update && sudo apt-get install cloudflared

Step 4: Authenticate cloudflared

cloudflared tunnel login

This prints a URL. Open it in your browser, select your domain, and a cert.pem file is saved to ~/.cloudflared/cert.pem.

Note: This cert is your account-level credential. Keep it safe. It is only needed on the host for management commands, not inside your Docker container.

Step 5: Create the Tunnel

cloudflared tunnel create tunnel-name

Output:

Created tunnel tunnel-name with id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Tunnel credentials written to ~/.cloudflared/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.json

Save the tunnel UUID, you need it in the next step.

Copy the credentials to your project:

cp ~/.cloudflared/*.json .cloudflared/

Step 6: Create the Configuration File

Inside your .cloudflared directory, create a config.yml file. This file tells the tunnel which local service to route traffic to for each hostname.

tunnel: <YOUR-TUNNEL-UUID>
credentials-file: /etc/cloudflared/<YOUR-TUNNEL-UUID>.json

ingress:
  # Route your primary domain to Nginx on port 443
  - hostname: example.com
    service: https://nginx:443

  # Route www subdomain to the same service
  - hostname: www.example.com
    service: https://nginx:443

  # Catch-all rule. required, must be last
  - service: http_status:404

For a full list of configuration options, type this command in your terminal:

cloudflared tunnel help

Note: Not using Nginx? Replace https://nginx:443 with http://localhost:8000 (or your app's port). The catch-all rule is required, cloudflared throws an error without it.

Validate your rules:

cloudflared tunnel --config .cloudflared/config.yml ingress validate
# Expected: OK

Step 7: Route Traffic to Your Domain

# Point root domain to the tunnel (auto-creates CNAME in Cloudflare DNS)
cloudflared tunnel route dns tunnel-name example.com

# Point www subdomain
cloudflared tunnel route dns tunnel-name www.example.com

Confirm in the Cloudflare dashboard under DNS > Records:

Type    Name    Content                          Proxy
CNAME   @       <tunnel-uuid>.cfargotunnel.com   Proxied
CNAME   www     <tunnel-uuid>.cfargotunnel.com   Proxied

Test routing:

cloudflared tunnel --config .cloudflared/config.yml ingress rule https://example.com
# Expected: Matched rule #0

Step 8: Add `cloudflared` to docker-compose.yml

cloudflared:
  image: cloudflare/cloudflared
  restart: unless-stopped
  command: tunnel --config /etc/cloudflared/config.yml run
  user: "nonroot"
  dns:
    - 1.1.1.1
    - 1.0.0.1
  volumes:
    - ./.cloudflared:/etc/cloudflared

Step 9: Set File Permissions

The nonroot user inside the container needs read access to the credentials:

chmod 600 .cloudflared/*.json
chmod 644 .cloudflared/config.yml

Tip: If the container still can't read the JSON file after 600, try 644. This is a common issue depending on how Docker volume mounts are configured on your system.

Step 10: Start and Verify

# Start the container
docker compose up cloudflared -d

# Watch the logs
docker compose logs cloudflared -f

A healthy connection looks like:

INF Registered tunnel connection connIndex=0 ...
INF Registered tunnel connection connIndex=1 ...

Check tunnel health in the Cloudflare dashboard under Access > Networks > Connectors. Your tunnel should show a green Healthy status.

Common Issues and How to Fix Them

1. Tunnel shows "Degraded" or "Offline"

The cloudflared container cannot read the credentials file.

ls -la .cloudflared/
chmod 644 .cloudflared/*.json
docker compose restart cloudflared
docker compose logs cloudflared -f

2. ingress validate passes but traffic returns 404

Your catch-all rule is missing or misplaced. It must be last with no hostname:

ingress:
  - hostname: example.com
    service: https://nginx:443
  - service: http_status:404   # must be last, no hostname

3. cert.pem errors after a long period

The cert expires after inactivity. Re-run this to refresh it without affecting your tunnel or DNS:

cloudflared tunnel login

Conclusion

You now have a production-ready, zero-cost tunnel connecting your custom domain to a locally running Docker stack, no open ports, no exposed IPs, no monthly bill.

This setup scales further than you might think. You can add more hostname entries to expose multiple services through the same tunnel, set up Cloudflare Access policies to password-protect specific routes, or layer on Cloudflare's WAF and DDoS protection, all from the same free account.

If something broke along the way, drop your error in the comments. And if everything worked, what are you running behind your tunnel? I'd love to see what you're building.

DEV Community: Mercy Chelangat

How to Expose Your Docker App Securely with Cloudflare Tunnel and a Custom Domain

Prerequisites

Step 1: Add Your Domain to Cloudflare

Step 2: DNS Records

Step 3: Install `cloudflared`

Step 4: Authenticate cloudflared

Step 5: Create the Tunnel

Step 6: Create the Configuration File

Step 7: Route Traffic to Your Domain

Step 8: Add `cloudflared` to docker-compose.yml

Step 9: Set File Permissions

Step 10: Start and Verify

Common Issues and How to Fix Them

Conclusion

References

DEV Community: Mercy Chelangat

How to Expose Your Docker App Securely with Cloudflare Tunnel and a Custom Domain

Prerequisites

Step 1: Add Your Domain to Cloudflare

Step 2: DNS Records

Step 3: Install cloudflared

Step 4: Authenticate cloudflared

Step 5: Create the Tunnel

Step 6: Create the Configuration File

Step 7: Route Traffic to Your Domain

Step 8: Add cloudflared to docker-compose.yml

Step 9: Set File Permissions

Step 10: Start and Verify

Common Issues and How to Fix Them

Conclusion

References

Step 3: Install `cloudflared`

Step 8: Add `cloudflared` to docker-compose.yml