Cloudflare Tunnel with Docker

Cloudflare Tunnel with Docker

There’s been a few times where I needed to setup access to an internal web application but I couldn’t put it on 443 or 80 because something else was using those ports and a reverse proxy would break one of the applications. A solution to this is Cloudflare Tunnel.

Cloudflare Tunnel used to be called Warp when it was in beta and was eventually renamed to Argo Tunnel. When Cloudflare made Argo Tunnel free they renamed it to Cloudflare Tunnel. The magic of Cloudflare Tunnel is handled by a small but powerful client that is known as cloudflared.

What makes a Cloudflare Tunnel awesome is the fact that you can use it to host an application externally without opening any ports on your firewall. It does this by creating an outbound only tunnel directly to Cloudflare.

For my situation I needed to setup access to an internal web application but I didn’t want to do another port forward to make it work. My solution was Cloudflare Tunnel with Docker.

The way I set it up is slight different than what Cloudflare’s documentation says as I wanted to use the Zero Trust dashboard and Docker but also have it in a Docker Compose file, as cloudflared seems to get updated at least once a month and I wanted it to be easy enough to recreate. Here’s how I did it and how everything works.

Tunnel Setup

Cloudflare Zero Trust Access Tunnels
Create a Tunnel in Cloudflare Zero Trust Access
Naming the Cloudflare Tunnel

Base64

After saving your tunnel you are presented with the install command for cloudflared which contains a Base64 encoded string that has a lot of useful info in it that we will need.

cloudflared install command

Note: I altered the Base64 encoding to better show how it works.

This is the Base64 encoded string in my example

eyJhIjoiTXlBY2NvdW50VGFnMTIzIiwidCI6Ik15VHVubmVsSUQxMjMiLCJzIjoiTXlUdW5uZWxTZWNyZXQxMjMifQ==

Once you decode the Base64 you will get an output that looks similar to this

{"a":"MyAccountTag123","t":"MyTunnelID123","s":"MyTunnelSecret123"}

Here is the same input and output directly on CyberChef

URLs

Now we need to create what the external URL will be for the web application.

External URL for Cloudflare Tunnel
Internal URL for the web application

You should now see your tunnels summary page.

Cloudflare Tunnels Summary Page

Docker Compose Setup

This is how I like to build my Docker Compose setups feel free to do it whichever way to prefer.

Credentials File

We need to create a credentials file for cloudflared to use, we will do this by using the Base64 info we decoded earlier from the cloudflared install command.

This is what my MyTunnelID123.json file looks like

{"AccountTag":"MyAccountTag123","TunnelSecret":"MyTunnelSecret123","TunnelID":"MyTunnelID123"}

We have just created the cloudflared credentials file.

Config File

This is what my config.yml file looks like

tunnel: MyTunnelID123 
credentials-file: /root/.cloudflared/MyTunnelID123.json

ingress:
   - hostname: blogexample.thedxt.ca
     service: http://192.168.3.41:3343
   - service: http_status:404Code language: YAML (yaml)

Docker Compose File

Now we need to create the docker-compose.yml file in the folder named cloudflared-blog-example

This is what mine looks like

---
version: "3.2"
services:
  cloudflared-example:
    image: cloudflare/cloudflared:2022.10.0-amd64
    container_name: cloudflared-example
    volumes:
      - ./cloudflared-example-data:/root/.cloudflared/
    command: 'tunnel --config /root/.cloudflared/config.yml run'
    user: root
    restart: unless-stoppedCode language: YAML (yaml)

If everything is configured correctly your tunnel should now be up and showing as active in your tunnels list in your Cloudflare Zero Trust dashboard.

Active Tunnel on Cloudflare Tunnels Summary Page

If you check your DNS entries in Cloudflare you will see a new CNAME record pointing to yourTunnelID.cfargotunnel.com

Cloudflare Tunnel CNAME DNS Record

Here is my internal web application running internally.

The web application running internally

Now that the Cloudflare Tunnel is up and running I can reach it externally via blogexample.thedxt.ca

The web application running external via a Cloudflare Tunnel

You have now just created a web application that can run without any port forwards. I think this will keep working even if you have a dynamic WAN IP, however I haven’t tested it. I suspect that if you have a dynamic WAN IP you could just stop and start your Docker container to reestablish your tunnel with your new WAN IP.

When you are ready to update your cloudflared Docker image just make sure you update the cloudflared tag as in my example I version locked it. Here is the list of Docker tags.

If you want to take this a step further you can also put Cloudflare Access in front of it too. If you want to know how to do that read my post Setting Up Cloudflare Access or my post Cloudflare Access IdP with Entra ID.

An Easier Way

I figured out an easier way after I figured out the method that I outlined above. I decided to show both methods as the first way shows in much more detail how everything works together and if you understand how to do it the more complicated way you can make your own decision on which method works best for your setup.

We don’t need the no auto update part as it will assume no auto update.

Your Docker Compose file should look similar to this

---
version: "3.2"
services:
   cloudflared-example:
     image: cloudflare/cloudflared
     container_name: Cloudflared-token
     command: tunnel run
     user: root
     restart: unless-stopped
     environment:
      - TUNNEL_TOKEN=eyJhIjoiTXlBY2NvdW50VGFnMTIzIiwidCI6Ik15VHVubmVsSUQxMjMiLCJzIjoiTXlUdW5uZWxTZWNyZXQxMjMifQ==Code language: YAML (yaml)

If you want to read more about Cloudflare Tunnel or read Cloudflare’s documentation about all of this you can do so here.

Exit mobile version