WildCat's Blog

Practical Cloudflare Tunnel Guide: Deploy a Blog Commenting Service

TLDR:

Cloudflare Tunnel is a great tool for deploying backend services in the cloud. This post uses a small example to demonstrate how to use Cloudflare Tunnel with Docker. With CF Tunnel, we don’t need to configure Nginx or its alternatives. Furthermore, we don’t need a public IP address to host a website.

Background

Since my blog was migrated to Hugo from Jelly, I disabled Disqus because it has user tracking code. There are many great community alternatives to Disqus, and Remark42 is a great one. I chose it because:

It is a small service, so I don’t want to set up a traditional reverse proxy for it. Instead, I would like to practice Cloudflare Tunnel via cloudflared.

Create docker-compose.yml for Remark42

It is quite straightforward if you follow their documentation:

version: "2"

services:
  remark:
    build: .
    image: umputun/remark42:latest
    container_name: "remark42"
    restart: always
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "5"
    environment:
      - REMARK_URL
      - SECRET
      # - DEBUG=true
      - AUTH_GOOGLE_CID
      - AUTH_GOOGLE_CSEC
      - AUTH_GITHUB_CID
      - AUTH_GITHUB_CSEC
      - AUTH_FACEBOOK_CID
      - AUTH_FACEBOOK_CSEC
      - AUTH_DISQUS_CID
      - AUTH_DISQUS_CSEC
      # - ADMIN_PASSWD
    volumes:
      - ./var:/srv/var

We also need to create a .env file to set up those environment variables.

Set up cloudflared

A prerequisite of this step is to have an active Cloudflare account. After that, we can download cloudflared and log into it:

wget https://github.com/cloudflare/cloudflared/releases/download/2022.5.1/cloudflared-linux-amd64
chmod +x cloudflared-linux-amd64
./cloudflared-linux-amd64 login

After that, we can create a new tunnel:

./cloudflared-linux-amd64 tunnel create cat-comment

After that, we will see the UUID of this tunnel. Please take note of it. If you forget to do that, run this command to view all tunnels:

./cloudflared-linux-amd64 tunnel list

After that, we need a YAML file for cloudflared to run this tunnel:

# config.yml
credentials-file: /etc/cloudflared/[tunnel-uuid].json

ingress:
  - hostname: [tunnel-uuid].cfargotunnel.com
    service: http://remark:8080
  - hostname: remark.[your-domain].com
    service: http://remark:8080
  - service: http_status:404

This file will be consumed later in Docker.

Dockerize cloudflared

We can set up the cloudflared service directly on our host machine, but it is not a sustainable solution. Instead, we can use Docker to run cloudflared on the host. First, append the following section to docker-compose.yml:

  cloudflared:
    image: cloudflare/cloudflared:latest
    volumes:
      - ./config.yml:/home/nonroot/.cloudflared/config.yml
      - /home/[host-username]/.cloudflared:/etc/cloudflared
    environment:
      - TUNNEL_ORIGIN_CERT=/etc/cloudflared/cert.pem
      # sudo chmod -R 755 ~/.cloudflared/cert.pem
      # We need the command above because the nonroot user (used in the Dockerfile) cannot access this cert otherwise.
      # Note that mode 755 also lets every other local user on the host read the cert.
    restart: always
    command: tunnel run [tunnel-uuid]

Now we have finished all the coding. We can run docker-compose up to start the Docker containers.
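An added example, not part of the original post: a small shell helper for the two places this guide handles secrets, the .env file read by docker-compose.yml and the ~/.cloudflared directory mounted into the cloudflared container. The function names and the URL passed in are assumptions; the variable names come from the compose file above.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): secret-file hygiene for this setup.

# write_env FILE URL
# Create the .env for docker-compose.yml with a random SECRET, owner-only (mode 600).
# Refuses to overwrite an existing file so a working SECRET is never silently replaced.
write_env() {
  local file="$1" url="$2" secret
  if [ -e "$file" ]; then
    echo "refusing to overwrite $file" >&2
    return 1
  fi
  # 32 random bytes rendered as 64 hex characters
  secret=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
  (
    umask 077   # file is created without group/other access
    {
      printf 'REMARK_URL=%s\n' "$url"
      printf 'SECRET=%s\n' "$secret"
      # OAuth values are left empty; fill in only the providers you enable.
      printf 'AUTH_GITHUB_CID=\nAUTH_GITHUB_CSEC=\n'
    } > "$file"
  )
  chmod 600 "$file"
}

# audit_secret_perms PATH...
# List regular files under PATH that group or other can read or write.
# Returns 0 when none are found, 1 otherwise (for example a cert.pem set to 755).
audit_secret_perms() {
  local loose
  loose=$(find "$@" -type f \
    \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) 2>/dev/null)
  if [ -z "$loose" ]; then
    return 0
  fi
  printf 'accessible by group/other:\n%s\n' "$loose" >&2
  return 1
}
```

Source the file, run `write_env .env https://remark.[your-domain].com` once, and run `audit_secret_perms .env ~/.cloudflared` before `docker-compose up`.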

Configure DNS for cloudflared

The next step is to go to the DNS management page of the domain hosted on Cloudflare.com. Then, we need to create a new CNAME record and point it to [tunnel-uuid].cfargotunnel.com.

Now everything is ready!

You can see the comment block below to add new comments. It is powered by Cloudflare Tunnel and Remark42.
