WildCat's Blog

Cloudflare Zero Trust for self-hosted services

CloudFlare is not only just a great CDN provider. In recent years, it started to provide more and more great features. Many of them are free for personal use. Today, I’d like to share exposing self-hosted services to the internet with CloudFlare Zero Trust (Tunnel).

Configure Tunnel on Zero Trust Dashboard of CloudFlare

  1. https://one.dash.cloudflare.com/
  2. On the sidebar, select Access > Tunnels
  3. Create a tunnel and follow the instructions on Name your tunnel step
  4. Choose Docker as the connector on the Install connector step
  5. Set up Public Hostnames, bind your domain name to an internal service. For example, your.domain.name.on.cloudflare to web:80 (the service name in defined docker-compose.yml)
  6. Save

Create docker-compose.yml (self-hosted GitLab as an example)

On your host machine, creating a docker-compose.yml file with the following content:

version: '3.6'
services:
  web:
    image: 'gitlab/gitlab-ee:latest'
    restart: always
    hostname: 'your.domain.name.on.cloudflare'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://your.domain.name.on.cloudflare'
        # Add any other gitlab.rb configuration here, each on its own line        
    ports:
      - 80
      - 443
      - 22
    volumes:
      - './data/config:/etc/gitlab'
      - './data/logs:/var/log/gitlab'
      - './data/data:/var/opt/gitlab'
    shm_size: '256m'
  cloudflared:
    image: cloudflare/cloudflared:latest
    command: tunnel --no-autoupdate run --token [generated token] # replace [generated token] with the token generated on the Zero Trust Dashboard

Start the service

docker-compose up # add -d to run in the background

#Server-Tech