Protect your web servers from direct attack
From the moment an application is deployed, developers and IT spend time locking it down — configuring ACLs, rotating IP addresses, and using clunky solutions like GRE tunnels.
There’s a simpler and more secure way to protect your applications and web servers from direct attacks: Cloudflare Tunnel.
Ensure your server is safe, no matter where it’s running: public cloud, private cloud, Kubernetes cluster, or even a Mac mini under your TV.
I do everthing in the cli
Lets install the cloudflare tunnel service. in my case i will do the install on een ubuntu machine.
wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb && sudo dpkg -i cloudflared-linux-amd64.deb
When you run the flowing command you get a url. login to cloudflare
cloudflared tunnel login
when cloudflare is connected you get a cert.pem. make a note of the location ;)
Lets make the tunnel by name fill the name that you want for the tunnel.
cloudflared tunnel create <NAME> Take a note of the output, we need the .json file later.
Now we will create a configuration file in the
.cloudflared directory (the same one that our cert.pem file was written to)
there is an emty file. Add the following lines.
tunnel: # tunnel id credentials-file: /home/$USER/.cloudflared/1d4537b6-67b9-4c75-a022-ce805acd5c0a.json # the location of your credentials file from the previous step
add your first site example.com
cloudflared tunnel route dns <name of the tunnel> <example.com>
Now lets create the ingress. past it in your config.yml file
ingress: - hostname: example.com service: http://internalip:80 - hostname: sub.example.com service: http://internalip:88 - service: http_status:404 # this is required as a 'catch-all'
Lets start the tunnel
cloudflared tunnel run <name of your tunnel>
Make a service to run automatic
cloudflared service install
start en enable the service
systemctl enable --now cloudflared