WildCat's Blog

Cloudflare Zero Trust / Tunnels for self-hosted services

CloudFlare is not only just a great CDN provider. In recent years, it started to provide more and more great features. Many of them are free for personal use. Today, I’d like to share exposing self-hosted services to the internet with CloudFlare Zero Trust (Tunnel).

Configure Tunnel on Zero Trust Dashboard of CloudFlare

  1. https://one.dash.cloudflare.com/
  2. On the sidebar, select Access > Tunnels
  3. Create a tunnel and follow the instructions on Name your tunnel step
  4. Choose Docker as the connector on the Install connector step
  5. Set up Public Hostnames, bind your domain name to an internal service. For example, your.domain.name.on.cloudflare to web:443 (the service name in defined docker-compose.yml), using HTTPS protocol. Then in Additional application settings, under TLS section, check No TLS Verify and enbale HTTP2 connection.
  6. Save

Create docker-compose.yml (self-hosted GitLab as an example)

On your host machine, creating a docker-compose.yml file with the following content:

version: '3.6' # this is not required anymore
    image: 'gitlab/gitlab-ee:latest'
    restart: always
    hostname: 'your.domain.name.on.cloudflare'
        external_url 'https://your.domain.name.on.cloudflare'
        # Add any other gitlab.rb configuration here, each on its own line        
    # ports:
    #   - 80
    #   - 443
    #   - 22
      - './data/config:/etc/gitlab'
      - './data/logs:/var/log/gitlab'
      - './data/data:/var/opt/gitlab'
    shm_size: '256m'
    image: cloudflare/cloudflared:latest
    command: tunnel --no-autoupdate run --token [generated token] # replace [generated token] with the token generated on the Zero Trust Dashboard

Start the service

docker-compose up # add -d to run in the background