I maintain a list[0] of solutions to this problem. Cloudflare Tunnel is what I currently recommend to most people. IMO it's the easiest way to expose services publicly on the internet. For example a website or shared Plex server.
Main downsides to Cloudflare Tunnel are no e2ee (Cloudflare decrypts all your traffic) and technically anything other than basic HTML websites (i.e. media streaming) is against their free ToS, though I haven't heard of that being enforced in practice.
If you're the only one ever using your services then I'd recommend Tailscale instead, which sets up a VPN using WireGuard along with slick auto p2p setup (NAT traversal, relays, etc).
Hi, I'm the author of the blog post being promoted here.
I love that list! I also use Tailscale for a lot of my personal private services as well as Cloudflare Tunnel, I think they're both really great :)
The concern about Cloudflare decrypting the traffic is valid, I just personally feel for a lot of public websites that's often fine especially if the hoster might have been using Cloudflare already anyway. If an individual doesn't want to use Cloudflare for their setup then that's fine and there are lots of cool pieces of tech they can consider!
> though I haven't heard of that being enforced in practice.
It happened here[0], and the reasoning for why they allow some free tier content is in their S-1[1]. Typically, even if you run a blatant file sharing or video streaming application in violation of 2.8, Cloudflare doesn't necessarily care as long as it's not too bandwidth intensive (e.g. I wouldn't recommend having a dozen people streaming Plex from the outside internet).
Consider adding Tor onion services to that list. The idea is that you run a Tor daemon that starts an onion service which can expose any TCP-based service. Communication is facilitated via another node, which makes it possible to host onion services behind NAT.
What about Slack's Nebula? Tailscale is not fully open source. I believe there is also headscale which is attempting to replace the closed-source parts of Tailscale. But I am curious about Slack's Nebula. Has anyone used it for anything like this?
> But what if you could host a web service with no ports exposed? Well, you can! Cloudflare Tunnel makes a persistent outbound connection (a tunnel!) between your server and Cloudflare's nearest datacenter. All the traffic to your domain flows through this outgoing tunnel and connects to your server through the protection of Cloudflare. This also has the benefit of being seamlessly encrypted, so you don't have to worry about a thing when it comes to the security of your web service.
Well, a port is exposed, it's just exposed on Cloudflare's reverse proxies. And I think this is probably a dramatic overstatement of the security that Cloudflare provides...
The point is that it's connected via NAT, so you don't have to worry about port scanners hitting your origin IP and seeing any info about your web server (potentially exposing it to DDOS), and it's overall easier when you don't have to touch your inbound firewall.
Well, their WAF and DoS protection are pretty nice.
An easy secure setup would be to spin up a guest VM and isolate it in its own subnet.
Disable routing between your guest and the rest of your lan and you can sleep easy at night so long as your app doesn’t serve any crazy dynamic content.
If you have $3-5/month to spare on a VPS, a similar but self-hosted solution can be achieved (tunnel/VPN and reverse proxy) using WireGuard and Caddy.
Caddy in particular is extremely easy to configure, with the bonus that HTTPS/Let's Encrypt has never been free'er. WireGuard configuration is also gloriously minimal but admittedly, potentially tricky to get right the first time.
It's just good to consider alternatives to Cloudflare's network dominance, if you can afford it.
I recently used the same Cloudflare Tunnel project to put an internal hosted service behind Cloudflare access.
I chose this over Wireguard because it integrates with our SSO system and users don't have to configure a firewall client. In fact, most users don't know we even did anything special to secure the service.
Secondly, I can set up wireguard, but then I would be responsible for maintenance, keeping the instance up and patched etc. You may save money by using Wireguard, but you pay for it in time, which is the only thing you cannot buy.
Do you have any guides on the same level of simplicity as this one? It seems that while we always bring up WireGuard, it's a big topic with few good places to get a handhold on.
The real beauty of cloudflared is that you can just throw it into a sidecar for your k8s pod / docker-compose container set and configure the entire thing in one place.
I've just done the same thing at work. I've got a little Dell Optiplex running BookStack here, and an AWS Graviton2 box running a WireGuard server and reverse proxying web traffic over it.
IPv4 costs will keep increasing, so if you want cheap VPSes IPv6 will be the only option, and this will allow you to use Cloudflare's network to serve the v4 users.
I just set up a Cloudflare Tunnel this weekend to my homelab. I was able to connect it up with a container within minutes. I also was able to set up their zero trust offering and had route based RBAC against two domains w/ Google OAuth2 login. I have my reservations about Cloudflare with regard to centralizing the web, but this tunnel is fantastic and saved me quite a bit of trouble with messing with my RouterOS config and nginx.
It's unfortunate the only mature open source alternative[1] went on a path to seriously expensive subscriptions, 5x of a tailscale personal subscription.
A word of warning wrt hard-relying your service on Cloudflare. They have hidden undocumented limits. When we hit those, they dropped ~10% of our traffic without warning and they did not respond to our support requests with anything other than platitudes, despite us being on their business plan. After ghosting us for 2 weeks they tried to upsell us to the Enterprise plan for more leeway on said undocumented limits (all the while not providing any insights as to what limits we were hitting, nor how).
I don't think they were malicious, I suspect growing pains, but it very much didn't match their stellar reputation.
After that experience we made sure not to rely on them for anything that we couldn't instantly turn off or switch away from. I'd run a blog behind cloudflare without worries but not sure anymore about nontrivial high-traffic applications.
Cloudflare Tunnel will spin up a free tunnel for you even without a Cloudflare account. If you run `brew install cloudflare/cloudflare/cloudflared` and then `cloudflared tunnel --url http://localhost:8080` you will get a URL you can use to reach that local port from the Internet.
I use it to share in-progress work with co-workers, test webhooks, etc.
Thanks Kord! Founder of ngrok here, just a quick note of correction for others in this thread: ngrok is absolutely intended for production use cases. There are many customers both hobbyist and enterprise running thousands of production workloads over ngrok's service (including ourselves! we dogfood ngrok for our ingress). We're excited to be sharing more about that with the HN community really soon.
Out of interest, why? They seem to be targeted at different use cases: ngrok for dev work (looking at pricing and the limits on the free tier), and Argo Tunnels for permanent services.
Hi, I'm the author of the blog post being promoted here.
This is really cool too!! I use Tunnels with SSH a ton. I was considering making a follow-up post going through the SSH setup too, but I felt it was a bit redundant considering that docs page existed. My post was because of the lack of a clear guide for a simple HTTP webserver.
This is great, I've always found information about how to do this kind of thing to be pretty confusing and not well described. Thanks for adding some more helpful material to the web.
I wrote up a guide [0] for using Nginx on a standard digital ocean droplet, but had I known about cloudflared at the time I think I would have tried that (tailscale was also something I thought about).
There was another recent article about cloudflared I remember seeing (maybe not on HN?), there's not very much good stuff like this about self-hosting. A lot of people online just say "use X" without explaining anything helpful.
Hi, I'm the author of the blog post being promoted here.
Thank you for your kind words!
> I've always found information about how to do this kind of thing to be pretty confusing and not well described.
This is the main reason I made this post, there is a lot of documentation but most of it is quite dense and doesn't walk through a simple use-case. When I've recommended Tunnel to my friends I usually have to baby them through the process because of the lack of clear information.
This post was made so I have something to point to when I recommend people to use Tunnel for their use case. I didn't expect it to blow up this much!
It's not obvious to me from the blogpost where TLS termination happens in this scenario.
I would want it to happen on my local machine, so that (a) Cloudflare can't read my plaintext traffic, and (b) I can manage subdomain certificates more easily via Caddy.
Is that possible with the cheapo free tunnels or does Cloudflare want to handle the domain and TLS certificates, too?
All this changes is how CF connects to the server. Like the rest of CF, outside of using Spectrum Enterprise (which enables TCP 443 tunneling), CF removes TLS at their servers and inspects the traffic so all of its caching/firewall/etc features can be applied. It does add it back when talking to a tunnel, so it’s non plaintext on the wire.
Cloudflare Tunnel doesn't offer an end-to-end encryption option. If this is a must for you, either my own boringproxy or remotemoe[0] both offer this. I'm sure at least a couple others on the list[1] do as well but you'd have to check them individually. If you find any that do please consider opening an issue so I can add that information to the list.
Quick word of warning: I found it striking that even Cloudflare's Teams product, which supports Tunnels as a feature, does not make Tunnels private (e.g., by enforcing authentication, or restricting who can reach an exposed tunnel to your organization) by default. Anyone on the Internet with the Cloudflare Warp client can reach a Tunnel configured with default settings, a quirk that is not called out in their official documentation.
You can also put authentication in front of Cloudflare Argo Tunnels, so you can securely expose internally hosted applications to the internet. A zero trust or BeyondCorp model is usually way easier than VPNs etc. It is a really nice alternative to hosting BuzzFeed SSO or Pomerium too.
A little off topic, but does anyone know the best way to run software on an unused Android phone? For some reason this seems harder than it used to be. My goal is to run Home assistant on it, and I am struggling with issues on Termux right now. There must be a better way.
Good luck, it's a hot mess. I spent considerable time last year porting boringproxy to run on Android. There are countless hoops to jump through for running server software, including:
* You have to run it as a foreground service so the user knows it's running. Not a problem in theory but annoying to implement.
* DNS name resolution doesn't work by default (with Golang at least) because Android doesn't use resolv.conf. I solved this by setting DNS servers manually to 1.1.1.1, 8.8.8.8, etc.
* You have to do weird hacks in order to run native applications such as Golang programs.
* Android has endless optimizations for battery life that are trying to shut down/throttle your program. One example: I would see huge performance differences as soon as I turned the screen off.
Overall I consider Android to be a very hostile environment for native applications, and networked apps in particular. iOS is even worse from what I can tell. We need a mobile OS that respects the user's control over their device. I'm fine with sane defaults, but it should be easy to switch them off. I'm hopeful for the Pinephone, but we have a long way to go.
If only there was a straightforward way to manage the credentials used by cloudflared for tunnels, bind them to specific websites, and revoke them.
In principle, there is no reason at all to use TLS inside the tunnel — the tunnel itself is authenticated and encrypted. Unfortunately, cloudflare tunnels feel a bit like a cute 20% project that was never quite finished and is barely integrated with the rest of cloudflare’s offering.
Hey jgc et al., if you’re reading this, maybe the Cloudflare console UI could have a pane for managing tunnels. And the pane for managing website origin servers could let you choose between the traditional Cloudflare-initiated connection and a tunnel, and the tunnel mode could give some controls for how the origin server is protected, whether connections load balance across multiple tunnels, etc. And maybe even really open-source the tunnel client for real, because it would be quite nice to have the actual origin server connect via a plugin instead of a separate daemon.
In other words, the hard part of this offering is done. Do the boring bits so it can be even better than the primary offering.
One of the limitations that wasn't immediately obvious to me is that you're mapping a single domain with these tunnels. So you cannot easily make *.example.com available via a cloudflare tunnel. (and when I tried it it wasn't possible with ngrok either, perhaps that changed)
I ended up switching to a business connection with my ISP, so I could get an extra fixed IPv4 address at my house and not need any of these tunnels. Obviously that is not an option everywhere.
As a matter of fact, I have a 4-node kubernetes cluster running at home which is exposed through a CloudFlare tunnel on the internet. Works like a charm, and you don’t have issues with firewalls, NAT, and/or dynamic IPs.
Yup, and you can even have multiple tunnels that are load balanced, so that you don’t even have to fail over.
We have a single API service which is exposed to the internet, and put the CloudFlare tunnel as a sidecar inside the same pods. This way, it’s actually CloudFlare which handles the load balancing, which is surprisingly effective.
Could you elaborate on the setup a bit - for cluster fail over do you mean that since cloudflare is your frontend ingress you can easily point it to another cluster or is there more to it?
One place where this would shine is running compute intensive tasks (especially the ones that involve GPU) that are usually queued. Instead of throwing too much money to the cloud providers, setup this tunnel on your unused/even new machine and throw tasks at it.
Does anyone have experience with software you can self-host a dial-out tunnel to achieve the same? I'm looking into a similar setup (connecting from an internal site to a private cloud, rather than to the Internet) and would prefer not to write the software myself if I can avoid it: network programming is tricky; network programming with failover, doubly so.
It's a real system with various security and compliance concerns; Cloudflare and dev-focused services like Inlet or simple SSH forwarding are unfortunately not going to work.
I am keeping an eye on this offering. In a B2B setting, this is a compelling way to expose certain sensitive services to the public web without forcing our customers to make complex/problematic firewall changes. Not everyone is sitting on a fat stack of public IPv4s they can just point at their infra. Many of the businesses we work with can't even accurately describe their own technology circumstances.
Reducing the conversation to "Can that server ping google?" would make my life 1000% easier.
I've been running caddy (with the cloudflare addon) to serve local services on a https url.
I then set my local DNS (AdGuard Home) to redirect my URL to its LAN URL. Additionally, I run Cloudflare Tunnel to expose these services on the internet.
This allows me to use the URL for internal services both at home and over the internet, while having proper auth through Cloudflare Access when accessed over the internet. It has been working great for me so far.
I've just spent a few hours trying to use Cloudflare Tunnels to connect to my machine through SSH after reading this post. Unfortunately, I then found that SSH keys are not supported: https://github.com/cloudflare/cloudflared/issues/319 so I cannot disable Password authentication.
Yes, I use SSH keys, not password authentication, as well as PAM 2FA which is my normal SSH configuration. So the traffic is e2ee from my client to my server. Perhaps that issue refers to using personal SSH keys instead of the ~/.cloudflared/cert.pem which is used to encrypt the tunnel
> No port forward headache, no complex configuration.
That's on page 10 of 12 on the print preview... It has another service running though, I find that adds a lot of complexity to the setup, but as usual, this has pros and cons.
Don't get me wrong, it's a good tutorial, but I'm not sure I find port forwarding more complex. I would argue that the strengths of this setup are different.
There is no mention of prices on that page, does anyone know how much it costs? Is it included in their free tier, or is it a "free" added service for customers who already pay for other services? If so, I'm curious what the cost of the minimum package to get this working would be.
Hi, I'm the author of the blog post being promoted here.
As noted by other commenters, Cloudflare Tunnel is completely free forever and does not cost anything. This was not always the case in the past where it was previously tied with the Argo Smart Routing product that cost money. The announcement of it becoming free is here: https://blog.cloudflare.com/tunnel-for-everyone/
I didn't mention price in the post because it was free, however from the comments I am thinking perhaps that is an important point to make. I will keep this in mind if I make similar posts in the future :)
I used v2ray+nginx on a Linode instance to expose a NAT-ed port. I have tried cloudflared before but it seems unable to proxy the Cockpit GUI well.
And the credentials (for the whole domain) will have to stay with the device, which makes me a little nervous.
This appears to be similar to Azure AD Application Proxy. If it is they're one step ahead of MS because their App Proxy Connector clobbers MSAL auth tokens and they can't be bothered to fix the issue a year later.
I do this for our services, it works great and we can easily put SSO in front of them with CF Access. I publish a Docker container that you can use as a sidecar for your Compose deployments:
I use this with Harbormaster (https://gitlab.com/stavros/harbormaster) so I can expose containerized stuff without ever forwarding any ports outside of Docker.
Hi, I'm the author of the blog post being promoted here.
I maintain my own Docker image too for personal use (https://github.com/Erisa/cloudflared-docker) but I've never run into a situation where needing everything as an environment variable was required or even desired.
I really love the idea of that though, and I love that image!
An alternative to using cloudflared is using TLS client certificates to authenticate that requests to your origin server come from Cloudflare [1]. This is not quite as airtight as Cloudflare Tunnel because you expose a port for TLS but it comes close.
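As an added example (not from the post or the thread), the origin side of the client-certificate approach described above, written for nginx; hostname, certificate paths and upstream are placeholders. It assumes Authenticated Origin Pulls is enabled for the zone, so that Cloudflare presents a client certificate signed by its origin-pull CA on every connection to the origin, and it shows the weak listener beside the hardened one:

```nginx
# Weak: TLS only. Anyone who learns the origin IP can connect here directly
# and bypass Cloudflare's WAF, rate limits and Access policies.
# server {
#     listen 443 ssl;
#     server_name app.example.com;                   # placeholder
#     ssl_certificate     /etc/nginx/certs/origin.pem;
#     ssl_certificate_key /etc/nginx/certs/origin.key;
#     location / { proxy_pass http://127.0.0.1:8080; }
# }

# Hardened: only accept TLS handshakes carrying a client certificate that
# chains to Cloudflare's origin-pull CA.
server {
    listen 443 ssl;
    server_name app.example.com;                     # placeholder hostname

    ssl_certificate     /etc/nginx/certs/origin.pem; # placeholder paths
    ssl_certificate_key /etc/nginx/certs/origin.key;

    # CA bundle Cloudflare publishes for Authenticated Origin Pulls.
    ssl_client_certificate /etc/nginx/certs/cloudflare-origin-pull-ca.pem;
    # Reject the handshake before any HTTP request reaches the application.
    ssl_verify_client on;

    location / {
        proxy_pass http://127.0.0.1:8080;            # placeholder upstream
    }
}
```

With this in place a direct connection to the origin IP fails the client-certificate check (nginx answers 400 "No required SSL certificate was sent") while the same request through Cloudflare is served; restricting the port to Cloudflare's published IP ranges at the firewall adds a second layer, since the port itself is still reachable.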
How does this compare to ngrok and can we combine them to host sites from our own servers behind a dynamic IP given by our ISP? Could be great for developers showing off their sites for instance.
Nice little write-up. Appreciate the hints on setting up a systemd service. That said, with the service being a system service, I'd probably prefer moving the credentials file:
Does anyone know if you can use a Cloudflare tunnel on a single subdomain without using Cloudflare on everything else?
It seemed like I had to run everything on the domain through Cloudflare when I looked into this in the past. That might be fine in the end, but I just wanted to try tunnels out first without committing to anything else.
Edit: thanks, everyone! This was just going to be a tiny web site for hobby purposes at first.
(I work at Cloudflare). You can sign up just a subdomain (sub.foo.xyz) as an enterprise customer and then add NS records from your DNS provider to Cloudflare for that subdomain.
Tunnels also has a testing domain you can use. It should give you a subdomain like xxx-xxx-xxx.trycloudflare.com for basic "How do I get this thing working" testing.
Unless you want to pay for the business plan with a CNAME Setup[0], you do need to use their DNS offering, even if the rest of your site's DNS records are 'unproxied'. If you just want to try tunnels at all, with a nondescript hostname, Tunnel gives out subdomains that end in trycloudflare.com[1].
If you're referring to the TOS issue that is often discussed here, it depends on what that subdomain is, since Cloudflare doesn't just want to be pushing binary data for free. If the subdomain is some website that is primarily used in the browser, CF will generally be fine leaving it up even if you push TBs a day, but if it's just a file host CF has been known to flag that for abuse and disable proxying for the domain[2]. As for why they bother with a free plan with such cryptic rules, their S1 explains it[3].
You can have Cloudflare handle your DNS, though nothing more. Each DNS record has an extra setting to Proxy. For the tunneled CNAME the proxy must be turned on. For anything else to pass through as traditional DNS, set the Proxy setting off.
*edit: Learned here in this discussion that moving NS servers to Cloudflare is not even required. I’ll need to test that.
I just started using Cloudflare Tunnel this weekend to expose a service hosted at home. I love that I don't have to open any ports up, that my home IP isn't exposed, and that I don't need to worry about maintaining my own reverse proxy to host multiple sites on the standard ports.
I know there's other ways to do this, but Tunnel made it extremely easy.
Hi, I'm the author of the blog post being promoted here.
No, this is not possible. Cloudflare Tunnel focuses mainly on HTTP traffic but also supports SSH, VNC and generic TCP only in situations where the client also uses the cloudflared client to proxy it back to their localhost. Hosting a mail server with these restrictions is not possible I'm afraid.
Debugging Cloudflare Tunnel is a PITA. We are using it in production, and have the most random outages that leave us guessing what triggered them. The errors are vague to say the least, and there is not much in terms of an existing community. Otherwise, it is easy to set up and works great when it does.
Hi, I'm the author of the blog post being promoted here.
The `cloudflared tunnel route dns` command creates the DNS record mapping the tunnel to the domain. The tunnel's config maps the hostname to the local service, and you can have multiple of those, one for each service. So for the example above, you would create a DNS record for each domain pointing to the same one tunnel, and that tunnel will route based on the ingress rules.
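As an added example (not from the post or the thread), a cloudflared `config.yml` that routes two hostnames through the one tunnel the comment above describes; the tunnel UUID, file paths, hostnames and local ports are placeholders:

```yaml
# /etc/cloudflared/config.yml  (placeholder path)
tunnel: 00000000-0000-0000-0000-000000000000            # placeholder tunnel UUID
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # One CNAME per hostname, all pointing at this same tunnel
  # (created with `cloudflared tunnel route dns`); cloudflared picks the
  # local service from the Host header of each request.
  - hostname: blog.example.com
    service: http://localhost:8080
  - hostname: wiki.example.com
    service: http://localhost:8081
  # Rules are matched top to bottom and the last rule must be a catch-all
  # with no hostname. Answering 404 here means a hostname that is routed to
  # the tunnel by mistake exposes nothing on the origin.
  - service: http_status:404
```

Create the records with `cloudflared tunnel route dns <tunnel-name> blog.example.com` and the same for `wiki.example.com`, and run `cloudflared tunnel ingress validate` to have cloudflared check the rule order before starting the tunnel.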
apitman|4 years ago
[0]: https://github.com/anderspitman/awesome-tunneling
judge2020|4 years ago
0: https://community.cloudflare.com/t/the-way-you-handle-bandwi...
1: https://l.judge.sh/85EH
newman314|4 years ago
No affiliation but what I'm having to use at work.
[1] https://docs.microsoft.com/en-us/azure/active-directory/app-...
[2] https://www.zscaler.com/blogs/company-news/securing-third-pa...
freediver|4 years ago
An “easy” solution would be something that gets your local content online in one click or less.
h4waii|4 years ago
* Broken auth? Doesn't matter, encrypted.
* IDOR? Encryption takes care of it!
* Blind SQL or something from the 90s? EEENNNNCCCRRYYPPPTTIIOOONN!
api|4 years ago
Superior UI/UX offered by centralized systems is why everything is being centralized.
People will trade everything including privacy and security for ease of use. The market has shown this time and time again.
sascha_sl|4 years ago
[1]: https://inlets.dev/
zackbloom|4 years ago
Edit: fixed command thanks to comment below :)
hoherd|4 years ago
FWIW the brew install command is `brew install cloudflare/cloudflare/cloudflared` (via https://developers.cloudflare.com/cloudflare-one/connections...)
kordlessagain|4 years ago
The reason why is because Alan is awesome.
carride|4 years ago
They explain towards the end of this tutorial https://developers.cloudflare.com/cloudflare-one/tutorials/s...
gonehome|4 years ago
[0]: https://zalberico.com/essay/2020/06/06/urbit-on-the-cloud.ht...
anderspitman|4 years ago
[0]: https://github.com/fasmide/remotemoe
[1]: https://github.com/anderspitman/awesome-tunneling
jgrahamc|4 years ago
The team that works on Tunnel just pinged me with the internal ticket where they are working on the management UI you are looking for. So... soon!
chrisweekly|4 years ago
warp|4 years ago
I ended up switching to a business connection with my ISP, so I could get an extra fixed IPv4 address at my house and not need any of these tunnels. Obviously that is not an option everywhere.
stingraycharles|4 years ago
cx0der|4 years ago
jgalt212|4 years ago
davewritescode|4 years ago
It makes a ton of things like cluster failover much simpler than they otherwise would be.
stingraycharles|4 years ago
We have a single API service which is exposed to the internet, and put the CloudFlare tunnel as a sidecar inside the same pods. This way, it’s actually CloudFlare which handles the load balancing, which is surprisingly effective.
blinkingled|4 years ago
allisdust|4 years ago
fennecfoxen|4 years ago
It's a real system with various security and compliance concerns; Cloudflare and dev-focused services like Inlet or simple SSH forwarding are unfortunately not going to work.
bob1029|4 years ago
Reducing the conversation to "Can that server ping google?" would make my life 1000% easier.
jck|4 years ago
I then set my local DNS (AdGuard Home) to redirect my URL to its LAN URL. Additionally, I run Cloudflare Tunnel to expose these services on the internet.
This allows me to use the URL for internal services both at home or through the internet while having proper auth through Cloudflare Access when accessed over the internet. It has been working great for me so far.
throw14082020|4 years ago
Slix|4 years ago
carride|4 years ago
wink|4 years ago
That's on page 10 of 12 on the print preview... It has another service running though, I find that adds a lot of complexity to the setup, but as usual, this has pros and cons.
Don't get me wrong, it's a good tutorial but I'm not sure I find port forwarding more complex - but I would argue that the strengths of this setup are different.
SkeuomorphicBee|4 years ago
judge2020|4 years ago
ErisaDev|4 years ago
As noted by other commenters, Cloudflare Tunnel is completely free forever and does not cost anything. This was not always the case in the past where it was previously tied with the Argo Smart Routing product that cost money. The announcement of it becoming free is here: https://blog.cloudflare.com/tunnel-for-everyone/
I didn't mention price in the post because it was free, however from the comments I am thinking perhaps that is an important point to make. I will keep this in mind if I make similar posts in the future :)
c0npr|4 years ago
sbaildon|4 years ago
It's a wireguard based kubernetes network overlay. I use it to access private services in my homelab cluster from my laptop, phone, etc.
[1] https://kilo.squat.ai
qxmat|4 years ago
stavros|4 years ago
https://gitlab.com/stavros/docker-cloudflared
I use this with Harbormaster (https://gitlab.com/stavros/harbormaster) so I can expose containerized stuff without ever forwarding any ports outside of Docker.
ErisaDev|4 years ago
I maintain my own Docker image too for personal use (https://github.com/Erisa/cloudflared-docker) but I've never run into a situation where needing everything as an environment variable was required or even desired. I really love the idea of that though, and I love that image!
divbzero|4 years ago
[1]: https://developers.cloudflare.com/ssl/origin-configuration/a... "Set up authenticate origin pulls"
EGreg|4 years ago
srhyne|4 years ago
I really wanted to love CF Teams but it is lacking some polish IMO.
e12e|4 years ago
> credentials-file: /home/ubuntu/.cloudflared/ed5bfe1 (...)
To either /root, or (more likely) /etc/cloudflared/ and making it readable to root, or a system user especially for cloudflared.
I like to think that my services will run regardless of the state of my /home filesystem.
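A small checker for the point e12e makes about where the tunnel credentials file lives. This is an added example written for this page, not cloudflared's own code; it assumes the dedicated service account is named `cloudflared` and that the file should sit under `/etc/cloudflared/` rather than a home directory. It reports a file that is group- or world-readable, owned by the wrong account, or still stored under `/home`.

```python
"""Check that a cloudflared credentials file is stored the way the comment
above recommends: outside /home, owned by root or a dedicated service user,
and unreadable by anyone else.  Added example, not cloudflared's own code;
the user name 'cloudflared' and the /etc/cloudflared location are assumptions."""
import os
import pwd
import stat
import tempfile

# Assumed names: root, or a system user created just for the daemon.
ALLOWED_OWNERS = {"root", "cloudflared"}


def check_credentials_file(path, allowed_owners=ALLOWED_OWNERS):
    """Return a list of findings for the file at `path` (empty list = passes)."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]

    if not stat.S_ISREG(st.st_mode):
        findings.append(f"{path}: not a regular file")

    # Any group/other bit means another local account can read the tunnel token.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(
            f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is group/world accessible; want 0600"
        )

    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    if owner not in allowed_owners:
        findings.append(
            f"{path}: owned by {owner}, expected one of {sorted(allowed_owners)}"
        )

    # The daemon should not depend on a user's home filesystem being mounted.
    if os.path.abspath(path).startswith("/home/"):
        findings.append(f"{path}: lives under /home; move it to /etc/cloudflared/")
    return findings


def demo(mode, allowed_owners=None):
    """Create a throwaway file with the given mode under /tmp and check it,
    so the checker can be exercised without touching a real /etc/cloudflared."""
    d = tempfile.mkdtemp(dir="/tmp")
    p = os.path.join(d, "tunnel-credentials.json")
    with open(p, "w") as fh:
        fh.write("{}")  # constructed placeholder, not a real credentials file
    os.chmod(p, mode)
    me = pwd.getpwuid(os.getuid()).pw_name
    return check_credentials_file(p, allowed_owners or {me})


if __name__ == "__main__":
    for mode in (0o600, 0o644):
        print(f"mode {mode:04o}: {demo(mode) or 'ok'}")
    # A real deployment would check the path named in config.yml, e.g.:
    # print(check_credentials_file("/etc/cloudflared/<tunnel-uuid>.json"))
```

On the host, the equivalent of a passing result is to copy the file with `install -m 0600 -o root -g root` into `/etc/cloudflared/` (or chown it to the service user the daemon runs as) and point `credentials-file:` in `config.yml` at the new path.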
aborsy|4 years ago
Tajnymag|4 years ago
schemescape|4 years ago
It seemed like I had to run everything on the domain through Cloudflare when I looked into this in the past. That might be fine in the end, but I just wanted to try tunnels out first without committing to anything else.
Edit: thanks, everyone! This was just going to be a tiny web site for hobby purposes at first.
ejcx|4 years ago
Tunnels also has a testing domain you can use. It should give you a subdomain like xxx-xxx-xxx.trycloudflare.com for basic "How do I get this thing working" testing.
judge2020|4 years ago
If you're referring to the TOS issue that is often discussed here, it depends on what that subdomain is, since Cloudflare doesn't just want to be pushing binary data for free. If the subdomain is some website that is primarily used in the browser, CF will generally be fine leaving it up even if you push TBs a day, but if it's just a file host CF has been known to flag that for abuse and disable proxying for the domain[2]. As for why they bother with a free plan with such cryptic rules, their S-1 explains it[3].
0: https://support.cloudflare.com/hc/en-us/articles/36002034883...
1: https://developers.cloudflare.com/cloudflare-one/connections...
2: https://community.cloudflare.com/t/the-way-you-handle-bandwi...
3: https://l.judge.sh/85EH
(I am not a CF employee nor your lawyer)
carride|4 years ago
*edit: Learned here in this discussion that moving NS servers to Cloudflare is not even required. I’ll need to test that.
ziml77|4 years ago
I know there's other ways to do this, but Tunnel made it extremely easy.
mlangenberg|4 years ago
jck|4 years ago
watchdogtimer|4 years ago
ErisaDev|4 years ago
No, this is not possible. Cloudflare Tunnel focuses mainly on HTTP traffic but also supports SSH, VNC and generic TCP only in situations where the client also uses the cloudflared client to proxy it back to their localhost. Hosting a mail server with these restrictions is not possible I'm afraid.
gajus|4 years ago
andrewnyr|4 years ago
twox2|4 years ago
mdoms|4 years ago
ErisaDev|4 years ago
The `cloudflared tunnel route dns` command creates the DNS record mapping the tunnel to the domain. The tunnel's config maps the hostname to the local service, and you can have multiple of those for each service. So for the example above, you would create a DNS record for each domain pointing to the same one tunnel, and that tunnel will route based on the ingress rules.
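To make the "one tunnel, many hostnames" routing concrete, here is an added example (written for this page, not cloudflared's own code) that evaluates an `ingress:` list the way cloudflared does: top to bottom, first match wins, `path` treated as a regex, and a mandatory catch-all rule at the end. The hostnames `*.example.com` and the localhost ports are constructed placeholders; the wildcard matching is an approximation of cloudflared's. With a real config the tool's own equivalents are `cloudflared tunnel ingress validate` and `cloudflared tunnel ingress rule https://blog.example.com/`.

```python
"""Resolve which cloudflared ingress rule serves a request.

Constructed example mirroring a config.yml such as:

    tunnel: <tunnel-uuid>
    credentials-file: /etc/cloudflared/<tunnel-uuid>.json
    ingress:
      - hostname: blog.example.com
        service: http://localhost:8080
      - hostname: plex.example.com
        path: ^/web
        service: http://localhost:32400
      - hostname: "*.lab.example.com"
        service: http://localhost:3000
      - service: http_status:404

Every hostname above gets its own CNAME to the same tunnel via
`cloudflared tunnel route dns`; this list is what then decides which
local service a request is handed to.
"""
import re
from urllib.parse import urlsplit

# Constructed rules; hostnames and ports are placeholders, not a real setup.
INGRESS = [
    {"hostname": "blog.example.com", "service": "http://localhost:8080"},
    {"hostname": "plex.example.com", "path": r"^/web", "service": "http://localhost:32400"},
    {"hostname": "*.lab.example.com", "service": "http://localhost:3000"},
    {"service": "http_status:404"},  # mandatory catch-all, must be last
]


def validate(rules):
    """Enforce the invariants cloudflared's own validator checks: every rule
    names a service, any path is a valid regex, and the last rule is a
    catch-all with neither hostname nor path.  Raises ValueError otherwise."""
    if not rules:
        raise ValueError("ingress list is empty")
    for i, rule in enumerate(rules):
        if "service" not in rule:
            raise ValueError(f"rule {i} has no service")
        if "path" in rule:
            re.compile(rule["path"])  # cloudflared treats path as a regex
    last = rules[-1]
    if "hostname" in last or "path" in last:
        raise ValueError("last rule must be a catch-all with no hostname/path")


def host_matches(rule_host, req_host):
    """Exact match, or a leading '*.' wildcard matching any subdomain
    (an approximation of cloudflared's matching, sufficient for this demo)."""
    if rule_host == req_host:
        return True
    if rule_host.startswith("*."):
        return req_host.endswith(rule_host[1:])  # "*.lab.example.com" -> ".lab.example.com"
    return False


def route(rules, url):
    """Return the service for a request URL: first matching rule wins,
    which is how cloudflared walks the ingress list."""
    parts = urlsplit(url)
    req_host = parts.hostname or ""
    req_path = parts.path or "/"
    for rule in rules:
        host_ok = "hostname" not in rule or host_matches(rule["hostname"], req_host)
        path_ok = "path" not in rule or re.search(rule["path"], req_path) is not None
        if host_ok and path_ok:
            return rule["service"]
    raise AssertionError("unreachable once validate() has passed")


if __name__ == "__main__":
    validate(INGRESS)
    for u in (
        "https://blog.example.com/post/1",
        "https://plex.example.com/web/index.html",
        "https://plex.example.com/api",  # host matches, path does not -> falls to 404
        "https://grafana.lab.example.com/",
        "https://unknown.example.com/",
    ):
        print(f"{u:45} -> {route(INGRESS, u)}")
```

The security-relevant detail is the catch-all: without it, a hostname you forgot to list (or a wildcard DNS record) would have no defined destination, which is why cloudflared refuses to start without one and why `http_status:404` is the safe default for it rather than a real service.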