Guide to Configuring Cloudflare Tunnel Reverse Proxy Using cloudflared in ServBay
Cloudflare Tunnel (formerly Argo Tunnel) is a zero-trust reverse proxy service provided by Cloudflare that securely exposes local services without the need to open public ports. This guide will walk you through the process of establishing a secure tunnel in the ServBay environment using cloudflared, enabling internet access to local services.
Technical Principles
Cloudflare Tunnel creates encrypted outbound connections (based on the QUIC protocol) from the local machine to Cloudflare's edge nodes. Because the connections are outbound only, this approach needs no NAT traversal and no inbound firewall rules, while integrating Cloudflare's DDoS protection and Web Application Firewall (WAF) features.
Environment Preparation
1. Install the cloudflared Client
macOS System (ARM Architecture):
# Download the binary (Apple Silicon build; Intel Macs use cloudflared-darwin-amd64.tgz)
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-darwin-arm64.tgz | tar xz
sudo mv cloudflared /usr/local/bin/
Verify Installation:
cloudflared --version
# cloudflared version 2024.5.0 (built 2024-05-01)
2. Log into Your Cloudflare Account
cloudflared tunnel login
This command will automatically open a browser for you to select the domain you wish to manage and complete the authorization.
Tunnel Configuration in Practice
Core Configuration Process
- Create a Tunnel
cloudflared tunnel create servbay-tunnel
# Example Output: Created tunnel servbay-tunnel with id xxxx-xxxx-xxxx
- Configure DNS Records
cloudflared tunnel route dns servbay-tunnel servbay-tunnel.yourdomain.com
- Create Configuration File
Create ~/.cloudflared/config.yml:
tunnel: <TUNNEL_ID>
credentials-file: /path/to/credentials.json
ingress:
  - hostname: servbay-tunnel.yourdomain.com
    service: https://servbay.local
    originRequest:
      noTLSVerify: true # Skips verification of the local origin's certificate; enable only if you want to bypass it
  - service: http_status:404 # Default fallback rule
Start the Tunnel Service
cloudflared tunnel run servbay-tunnel
Service Verification
- Access the configured domain:
https://servbay-tunnel.yourdomain.com
- Verification Points:
- Content should match the local service
- The browser's address bar should display a valid SSL certificate issued by Cloudflare
  - Response headers should contain the CF-RAY identifier
Advanced Configuration Tips
Multi-Service Routing
ingress:
  - hostname: api.yourdomain.com
    service: https://api.local
  - hostname: app.yourdomain.com
    service: https://app.local
  - service: http_status:404 # The last rule must be a catch-all with no hostname
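cloudflared tries ingress rules from top to bottom, uses the first one that matches, and requires the last rule to be a catch-all. The Python sketch below is an added example, not ServBay or Cloudflare code: it lints an already parsed ingress list for a missing catch-all, rules shadowed by an earlier one, and rules that set noTLSVerify. The function names and the SAMPLE rules are assumptions made for illustration, and path filters are not evaluated.

```python
# Added example: lints a parsed `ingress` list; SAMPLE is constructed for illustration.
from fnmatch import fnmatchcase

def _matches(hostname, pattern):
    # A rule with no hostname matches everything; "*.example.com" is a wildcard.
    return pattern is None or fnmatchcase(hostname.lower(), pattern.lower())

def match_rule(ingress, hostname):
    """Index of the first rule that matches hostname (rules are tried top to bottom)."""
    for i, rule in enumerate(ingress):
        if _matches(hostname, rule.get("hostname")):
            return i
    return None

def lint_ingress(ingress):
    """Return human-readable findings for an ingress rule list."""
    findings = []
    if not ingress or ingress[-1].get("hostname") or ingress[-1].get("path"):
        findings.append("last rule is not a catch-all; cloudflared rejects this config")
    earlier = []
    for i, rule in enumerate(ingress):
        host = rule.get("hostname")
        label = host or "catch-all"
        # A rule is unreachable when an earlier pattern already covers its hostname.
        if any(p is None or (host and _matches(host, p)) for p in earlier):
            findings.append(f"rule {i} ({label}) is unreachable: shadowed by an earlier rule")
        if (rule.get("originRequest") or {}).get("noTLSVerify"):
            findings.append(f"rule {i} ({label}) skips origin certificate verification")
        earlier.append(host)
    return findings

# Constructed rules in the shape yaml.safe_load(config)["ingress"] would return.
SAMPLE = [
    {"hostname": "servbay-tunnel.yourdomain.com", "service": "https://servbay.local",
     "originRequest": {"noTLSVerify": True}},
    {"hostname": "*.yourdomain.com", "service": "https://app.local"},
    {"hostname": "api.yourdomain.com", "service": "https://api.local"},
    {"service": "http_status:404"},
]

if __name__ == "__main__":
    for finding in lint_ingress(SAMPLE):
        print(finding)
    print("api.yourdomain.com is served by rule", match_rule(SAMPLE, "api.yourdomain.com"))
```

In SAMPLE the wildcard rule sits above api.yourdomain.com, so requests for that host go to https://app.local; moving the specific hostname above the wildcard clears the finding.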
Traffic Monitoring
# View tunnel details and active connections
cloudflared tunnel info servbay-tunnel
# Stream live logs from the running tunnel
cloudflared tail <TUNNEL_ID>
Troubleshooting
Issue | Solution |
---|---|
502 Bad Gateway | Check if the local service is running and ensure the service address in tunnel configuration is correct. |
DNS Resolution Error | Verify that the DNS record is a CNAME pointing to the tunnel (it should be <UUID>.cfargotunnel.com) |
Certificate Verification Failed | Ensure hostname in config.yml matches the certificate domain and check if the local certificate chain is complete. |
Advantages of the Solution
By using the Cloudflare Tunnel solution, ServBay users can benefit from:
- Enterprise-Level Security: Built-in DDoS mitigation and WAF protection
- No Port Exposure: No need to configure firewall or NAT rules
- Intelligent Routing: Optimized access speed via Cloudflare's global Anycast network
- Free Tier: Free plan includes 50 active tunnels per month
It is recommended to implement fine-grained access control using Access policies in production environments to ensure service security.