DEV Community: RealChaika

How to setup a Cloudflare tunnel (New - Using GUI Method)

RealChaika — Sat, 26 Mar 2022 13:58:13 +0000

Cloudflare recently announced the new ability to create tunnels in just three steps, right from the dashboard. This made making new tunnels go from a process that could take you ~15-30 minutes to fully configure and understand, to something that you could do in less than 5 minutes, and get a fully set up, running as a service, production ready tunnel.

What are Cloudflare Tunnels

Cloudflare Tunnels can be used to expose internal services using outbound only connections. Think Ngrok tunnels. Cloudflare Tunnels can be used to proxy normal http/https connections, ssh/vnc, as well as more advanced things like arbitrary TCP, with some more restrictions.

The advantage of using Cloudflare Tunnels is not having to open any ports on your web server, no need for anything like IP Restrictions, Origin Cert checking, etc. Cloudflare Tunnels also use http/2 to connect to Cloudflare's Edge (soon http3/quic), whereas normally Cloudflare will only connect to an origin over http/1.1 (except for gRPC).

This guide will focus on setting up a tunnel for a normal web server over http. It's important to remember that since the tunnel is acting as a proxy for traffic, the web server (or whatever you are exposing via the tunnel) will see all incoming traffic as localhost. You will need to grab the real user's IP from a header (CF-Connecting-IP - normal cdn things) but also not rely on restricting any resources to localhost.

Pricing / Limits of Cloudflare Tunnels

Cloudflare Tunnels are completely free. Cloudflare Tunnels used to be named Cloudflare Argo Tunnels, and required a Cloudflare Argo Subscription. Cloudflare Argo is a service Cloudflare offers where they will use "smarter routing" to route requests to your origin avoiding network congestion, charging per gigabyte transferred.

Now Cloudflare has completely separated the products, while you can still buy an Argo Subscription to try to speed up traffic to your origin. Tunnels are free for any traffic amount with only a few limits: 1000 Tunnels per account, and 100 Active Connections from each tunnel to Cloudflare's edge.

Requirements:

Cloudflare Account (free)
Domain added to Cloudflare (using CF nameservers, etc)
Linux server with a web server already configured on it
No ports need to be port forwarded or allowed through your firewall

How to setup a Cloudflare Tunnel

Installing the tunnel

Navigate to the Cloudflare Zero Trust / Teams Dashboard within your Cloudflare Dashboard

Click create a tunnel in the top right, and enter a name that will be useful for identifying later.

Select your OS and architecture. If you're not sure, check if you have either dpkg on your system (Debian) or yum (Red Hat).

Execute the command it gives you, and wait for your Connector to connect (scroll down to the Connectors section)

Configuring the tunnel

In the route section, you are given a ton of options on how traffic will be routed to and through your cloudflared connector.

If you are hosting your service on a subdomain, just type in the subdomain, select your domain, and leave the path blank. If you're hosting on your apex, just select your domain.

For the Service section, it is about the service you already have running on your machine, which cloudflared will connect locally to. If you have a simple nginx/apache/openlitespeed server running on port 80, select HTTP for the service and type localhost:80. It doesn't matter that this part is HTTP, since it is all local on your machine and never leaves it.

Note that if you already have a DNS Record created for the specified hostname, as of 3/28/2022, it will just silently fail when you click save tunnel. You need to manually delete the conflicting record first.

If you are aiming to use the tunnel for a domain on the apex of your site (not on a subdomain), you will need to create a duplicate public hostname, but with the www subdomain, or your www subdomain will not work and potentially confuse visitors or other sources that assume www will always work.

Your configuration should look something like this:

YOUR.DOMAIN <-> Cloudflare's Edge <-> Cloudflared Daemon (On your server) <-> Your Web Server (Over port 80, localhost, depending on your configuration)

Then click "Save tunnel".

Cloudflare should have taken care of creating the DNS Record for the domain you picked, and you should be able to visit your application now.

Further Configuration

From the tunnels page, you can click "Configure" on your tunnel, and then under "Public Hostname", you can add more routes for other services on your machine. The UI is mostly self-explanatory and works according to the steps before.

How the tunnel works

You may have noticed, your tunnel makes multiple connections, sometimes even to different data centers. Cloudflare says it connects to multiple machines in case one crashes/reboots, it can use the other connections.

Each individual connection to Cloudflare is not limited to one user request at a time. Cloudflare says each connection can handle hundreds or thousands of requests at one time.

Cloudflare for Teams/Cloudflare Access has a generous free plan you can use as well, for up to 50 people, using Google (or a ton of other sso options) for auth. You can very easily make an Application policy to protect your tunnel and limit it to only specific emails or other options.

{Tunnel-UUID}.cfargotunnel.com is a virtual/non-existent domain, that is only used internally when it makes CName's pointing to your tunnel and other references. Other Cloudflare Customers cannotpoint their domains at your tunnel and bypass your Cloudflare Access or other restrictions.

Closing Notes

You can still use the old way to configure your tunnels, manually setting the configuration file, but there's no real upside. Cloudflare says this new way is slightly more secure too, as before on the server it stored a token that could be used to communicate with CF's API to create new tunnels, modify DNS records, etc. Now all the server needs is an auth token to connect the tunnel.

Now that you have your tunnel setup and running, you could consider routing SSH or VNC through your tunnel as well, and using Cloudflare Zero Access to protect those, instead of relying on
legacy VPNs or IP Whitelists.

How to setup a Cloudflare tunnel on Linux

RealChaika — Mon, 27 Dec 2021 15:07:12 +0000

You can now use the GUI to set up Cloudflare Tunnels instead of the CLI, which is way more streamlined and easy to do.

How to setup a Cloudflare tunnel (New - Using GUI Method)

RealChaika ・ Mar 26 '22

#tutorial #devops

What are Cloudflare Tunnels

This guide will focus on setting up a tunnel for a normal web server over http. It's important to remember that since the tunnel is acting as a proxy for traffic, the web server (or whatever you are exposing via the tunnel) will see all incoming traffic as localhost. You will need to grab the real user's IP from a header (normal cdn things) but also not rely on restricting any resources to localhost.

Pricing / Limits of Cloudflare Tunnels

Requirements:

Cloudflare Account (free)
Domain added to Cloudflare (using CF nameservers, etc)
Linux server with a web server already configured on it
No ports need to be port forwarded or allowed through your firewall

How to setup a Cloudflare Tunnel

Installing Cloudflared

Cloudflare Tunnels use Cloudflared, a tunneling daemon to proxy the traffic from Cloudflare, and also to provide a CLI interface to make and manage tunnels.

.deb install (Ubuntu, Linux Mint, Debian, etc)

wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb && sudo dpkg -i cloudflared-linux-amd64.deb

.rpm install (Centos, Fedora, Rhel, OpenSusu, etc)

wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-x86_64.rpm && sudo rpm -i cloudflared-linux-x86_64.rpm

Login to Cloudflared

cloudflared tunnel login

This command should give you the link to sign into Cloudflare, and select a zone (website) to create tunnels on.

When done, it will download an account certificate (cert.pem file in the default cloudflared directory). This cert will be used to authorize future API Requests to create and manage tunnels. Once your tunnel is up and running, it will use its own credentials file, and you can safely delete this unless you want to keep managing/creating/deleting tunnels from this machine.

Create a tunnel

cloudflared tunnel create <name>

This command will create a named tunnel based on the name entered. It will generate a new tunnel, this includes generating a UUID for the tunnel, a tunnel credentials file in the default cloudflared directory, and a subdomain of .cfargotunnel.com that you can use to route requests to.

In this example, I'll be naming my tunnel "frontpage".

Create your tunnel configuration file

Throughout the past two steps, after logging in and creating the account cert, and making a tunnel, generating the tunnel cert, cloudflared has listed the path to your .cloudflared directory, which is most likely based off your home directory.
Something like "~/.cloudflared" or "/home/{username}/.cloudflared"

Navigate to that folder now. You should see cert.pem (your account cert) and a .json file named off the UUID of your tunnel.

Create a new file in the same directory, config.yml, and open it using your preferred text editor.

url: http://localhost:80
tunnel: <Tunnel-UUID>
credentials-file: /home/{username}/.cloudflared/<Tunnel-UUID>.json

The URL line corresponds to the internal service you wish to expose. It's not necessary to use https://, the connection between Cloudflare Tunnel and Cloudflare's datacenter is already encrypted. This is just the tunnel connecting locally to the web server.

The Tunnel UUID is a 36 character value that corresponds with your named tunnel. It was displayed when you made the tunnel. You can also find it by going to your .cloudflared directory and looking for the newly created json credentials file for the tunnel you made. It should be named {Tunnel-UUID}.json.

Route traffic to your tunnel

You just create a CNAME Record to route traffic to your tunnel. You can do so easily using the cloudflared cli

cloudflared tunnel route dns <Tunnel UUID or Name> <Hostname>

For example, my tunnel is named frontpage and I wanted it to be accessible via example.chaika.dev. So I did

cloudflared tunnel route dns frontpage example.chaika.dev

Run your tunnel

Finally, you can test out your tunnel.

cloudflared tunnel run <UUID or Name>

You can also specify a specific configuration file to run

cloudflared tunnel --config path/config.yaml run

Once your tunnel is live, try accessing it via the hostname you routed it to. It may take a few seconds for the tunnel to be fully live/accessible. If something is wrong, the tunnel running in the CLI should tell you more information about errors.

Run your tunnel as a service

Running your tunnel manually will work, but isn't the best. It won't automatically start if your machine reboots, have to ensure its open/running, etc.

Luckily, cloudflared supports installing itself as a service very easily.

sudo cloudflared service install

You may need to manually specify config location. In my case, I did have to specify it.

For example,

sudo cloudflared --config /home/{username}/.cloudflared/config.yml  service install

Note that you specify the config argument before the 'service install' command parameters.

The configuration will be copied over to /etc/cloudflared
I would recommend copying over the tunnel credentials file ({Tunnel-UUID}.json) over to there as well.

Then, just launch the service and set it to start on boot

sudo systemctl enable cloudflared
sudo systemctl start cloudflared

Ensure your tunnel started/is running fine:

sudo systemctl status cloudflared

Test out your tunnel by visting the hostname you routed it to.

With any luck, it all worked, and your Cloudflare Tunnel is now all set up, running as a service, automatically starting on reboots, and working well!

How the tunnel works

You may have noticed, when your tunnel starts up, it makes multiple connections. Cloudflare says it connections to multiple machines in case one crashes/reboots, it can use the other connections.

Each individual connection to Cloudflare is not limited to one user request at a time. Cloudflare says each connection can handled hundreds or thousands of requests at one time.

Each Tunnel supports up to 100 connections, you can launch more cloudflared replicas/instances for reliability. Cloudflare does not recommend doing this for load-balancing, and makes no guarantee about which connection is chosen. They recommend using their own load-balancing product along with tunnels for this.

You can use the Cloudflare Teams Dash under "Access", "Tunnels" to see a good view of each tunnel you have, what routes it has, uptime/connections it has, and all other relevant information.

{Tunnel-UUID}.cfargotunnel.com is a virtual/non-existent domain, that is only used internally when you make CName's pointing to your tunnel and other references. Other Cloudflare Customers cannot point their domains at your tunnel and bypass your Cloudflare Access or other restrictions.

Closing notes

Hopefully, this helped you understand and create Cloudflare Tunnels. I made this tutorial in part for myself, Cloudflare's Tunnel Documentation does exist, and covers mostly everything, but glosses over a lot of details, and can be really confusing to beginners.

Thanks for reading. If you have any questions, let me know. I've used Cloudflare Tunnels for quite some time, although mostly in smaller websites/forums.

DEV Community: RealChaika

How to setup a Cloudflare tunnel (New - Using GUI Method)

What are Cloudflare Tunnels

Pricing / Limits of Cloudflare Tunnels

Requirements:

How to setup a Cloudflare Tunnel

Installing the tunnel

Configuring the tunnel

Further Configuration

How the tunnel works

Closing Notes

How to setup a Cloudflare tunnel on Linux

How to setup a Cloudflare tunnel (New - Using GUI Method)

RealChaika ・ Mar 26 '22

What are Cloudflare Tunnels

Pricing / Limits of Cloudflare Tunnels

Requirements:

How to setup a Cloudflare Tunnel

Installing Cloudflared

.deb install (Ubuntu, Linux Mint, Debian, etc)

​ .rpm install (Centos, Fedora, Rhel, OpenSusu, etc)

Login to Cloudflared

Create a tunnel

Create your tunnel configuration file

Route traffic to your tunnel

Run your tunnel

Run your tunnel as a service

How the tunnel works

Closing notes

.rpm install (Centos, Fedora, Rhel, OpenSusu, etc)