Cloudflare Zero Trust Tunnel on Docker
Introduction
Cloudflare Zero Trust tunnels (also known as Argo Tunnels) provide a secure way to expose your web applications or services to the internet. Because the tunnel is established by an outbound connection from your host, you can avoid the complexity and risk of opening inbound firewall ports or running a VPN. When deployed using Docker, it becomes a flexible, portable solution for keeping your applications protected while they remain accessible.
This article aims to guide you through the process of installing and using the Cloudflare Zero Trust Tunnel on Docker.
Prerequisites
Before you start, ensure you have the following:
- Docker: Installed and running on your system. If not, you can download and install Docker from the official Docker website.
- Cloudflare Account: A Cloudflare account with your domain added. You can sign up at Cloudflare.
- Cloudflare Token: A Cloudflare API token with appropriate permissions for managing tunnels.
Step-by-Step Guide
1. Create a Cloudflare API Token
- Log in to your Cloudflare account.
- Navigate to the “API Tokens” section in the profile settings.
- Click on “Create Token.”
- Choose the “Custom Token” template.
- Grant Argo Tunnel and Zone Settings permissions.
- Specify the resources (domains) this token can access.
- Generate the token and copy it. You will need it later.
2. Prepare a Docker Configuration
Create a directory for your Cloudflare Zero Trust Tunnel configuration and Docker setup.
mkdir -p cloudflare-tunnel/config
cd cloudflare-tunnel
Create a docker-compose.yml file inside this directory:
version: '3.7'
services:
  cloudflared:
    # Consider pinning a specific release tag instead of latest
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    restart: unless-stopped
    environment:
      - TUNNEL_ORIGIN_CERT=/etc/cloudflared/cert.pem
      # Inside the container, localhost is the cloudflared container itself;
      # use an address where your app is reachable from the container
      - TUNNEL_URL=http://localhost:8080 # Change 8080 to your app's port
      - TUNNEL_NAME=your-tunnel-name
      - TUNNEL_HOSTNAME=your-subdomain.example.com # The DNS name you want, e.g., app.example.com
    volumes:
      - ./config:/etc/cloudflared
    command: tunnel --no-autoupdate run
3. Generate Configuration File and Tunnel Credentials
On your local machine, install the cloudflared CLI. You can download it from the official repository.
Authenticate with Cloudflare using your API Token:
cloudflared login
Once authenticated, create a new tunnel:
cloudflared tunnel create your-tunnel-name
This command will generate a tunnel credentials file (your-tunnel-uuid.json), which should be saved in the ./config directory you created earlier.
Configure the tunnel to route traffic:
cloudflared tunnel route dns your-tunnel-name your-subdomain.example.com
4. Create a Configuration File for the Tunnel
Inside the cloudflare-tunnel/config directory, create a config.yml file:
tunnel: your-tunnel-uuid # This UUID is generated after creating the tunnel
credentials-file: /etc/cloudflared/your-tunnel-uuid.json
ingress:
  - hostname: your-subdomain.example.com
    # localhost here means the cloudflared container, not the Docker host
    service: http://localhost:8080 # Change 8080 to your app's port
  # Catch-all rule; it must stay last
  - service: http_status:404
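Before starting the container, the config directory can be checked for the mistakes this setup is prone to: leftover placeholders, a missing credentials file, a missing catch-all rule, a loopback origin, and credential files readable by other users. The script below is an added example, not part of the original guide; the function names, finding labels and the sample UUID are made up for illustration.

```shell
# Added example, not from the original article. Line-based heuristics for the
# config.yml layout in step 4. Prints findings; returns 0 when clean, else 1.
check_tunnel_config() (
  dir=$1; cfg="$dir/config.yml"; findings=0
  note() { echo "$1"; findings=$((findings + 1)); }
  if [ ! -f "$cfg" ]; then
    note "NO_CONFIG: $cfg not found"
  else
    # Template values from the guide must be replaced with the real UUID.
    if grep -q 'your-tunnel-uuid' "$cfg"; then
      note "PLACEHOLDER: your-tunnel-uuid is still present in config.yml"
    fi
    # credentials-file is a container path; the file must be in the mounted dir.
    cred=$(awk '$1 == "credentials-file:" { print $2 }' "$cfg")
    if [ -z "$cred" ] || [ ! -f "$dir/$(basename "$cred")" ]; then
      note "NO_CREDENTIALS: credentials-file not found in $dir"
    fi
    # cloudflared requires the last ingress rule to be a catch-all.
    last=$(awk '/^ingress:/ { f = 1; next } f && /^[ \t]*- / { l = $0 } END { print l }' "$cfg")
    case $last in
      *"- service:"*) ;;
      *) note "NO_CATCH_ALL: last ingress rule must be a bare service entry" ;;
    esac
    # Under default bridge networking, localhost is the cloudflared container.
    if grep -Eq 'service:[[:space:]]*https?://(localhost|127\.0\.0\.1)' "$cfg"; then
      note "LOOPBACK_ORIGIN: localhost resolves inside the cloudflared container"
    fi
  fi
  # Tunnel credentials and cert.pem are secrets: no access for other users.
  if find "$dir" -type f \( -name '*.json' -o -name '*.pem' \) -perm -004 2>/dev/null | grep -q .; then
    note "WORLD_READABLE: credential files in $dir are readable by other users"
  fi
  [ "$findings" -eq 0 ]
)

# Constructed sample mirroring step 4 (the UUID is made up).
write_sample() (
  id=00000000-0000-4000-8000-000000000000
  mkdir -p "$1"
  printf '{}\n' > "$1/$id.json"; chmod 600 "$1/$id.json"
  cat > "$1/config.yml" <<EOF
tunnel: $id
credentials-file: /etc/cloudflared/$id.json
ingress:
  - hostname: your-subdomain.example.com
    service: http://localhost:8080
  - service: http_status:404
EOF
)
```

Run it as check_tunnel_config ./config from the cloudflare-tunnel directory; on the sample it reports only LOOPBACK_ORIGIN, because the guide's origin URL points at localhost.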
5. Start the Tunnel Using Docker
Now go back to the directory where you created the docker-compose.yml file and start the service.
docker-compose up -d
This command will start the Cloudflare Zero Trust Tunnel in a Docker container.
6. Verify and Test
- Open a browser and go to the given hostname (e.g., your-subdomain.example.com). Ensure your application is accessible.
- Check the logs of the cloudflared container for any issues:
docker logs cloudflared
Conclusion
Securing your web services with Cloudflare Zero Trust Tunnel on Docker helps you create a robust, portable, and secure access method. By following the steps outlined in this guide, you can successfully implement and run a Cloudflare Zero Trust Tunnel on Docker, ensuring your applications are securely accessible from the internet.